Internal Network: 10.0.0.1/24 (eth1)
DMZ:              10.23.23.1/24 (eth2)
Server10:         10.23.23.10/24
Server11:         10.23.23.11/24
Public IP:        192.168.100.215/24 (eth0)

Layout:

                    DMZ
                     |
    Internal Net --- Firewall --- Public Net

Security policy:
- Stateful packet filter for ~256k connections
- All packets that are not explicitly allowed have to be dropped
- All packets that are dropped have to be logged
- No access from the public network to the firewall itself
- No handling of multicast and/or broadcast packets
- Antispoofing rules for each interface
- All traffic from Internal / DMZ to Public must be NAT'ed
- All machines in DMZ:
  - Allowed to initiate any kind of connection to the Public network
  - Server10:
    - Administrative access via SSH from Public and Internal Network
    - HTTP access from Public and Internal Network
    - DNS access from Public and Internal Network
  - Server11:
    - Administrative access via SSH from Public (Port 2222) and Internal Network
    - SMTP access from Public and Internal Network
- All machines in Internal Network:
  - Allowed to do FTP, SSH, POP3S, IMAP4S to the Public network
  - HTTP via transparent proxy on Server11:3128
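The following nftables ruleset is an added worked example of the policy above; it is not part of the original page. Interface names, addresses and ports are taken from the specification. Everything else is an assumption of this example: the table and chain names, the helper name, and the reading that "Port 2222" is the port on which Server11's SSH is published on the single public IP (Server10 already occupies tcp/22 there), so public clients connect to 192.168.100.215:2222 and the firewall rewrites the destination to Server11:22, while internal clients reach Server11:22 directly. Internal HTTP is redirected to the proxy unless the destination is already in the DMZ, so the direct Internal-to-Server10 HTTP rule keeps its meaning.

```nftables
#!/usr/sbin/nft -f
# Added example (not the page's own configuration): nftables rules for the
# policy above. Interfaces/addresses/ports are from the spec; table, chain
# and helper names plus the "2222 -> Server11:22" DNAT reading are assumptions.

flush ruleset

define PUB_IF   = "eth0"
define INT_IF   = "eth1"
define DMZ_IF   = "eth2"
define PUB_IP   = 192.168.100.215
define INT_NET  = 10.0.0.0/24
define DMZ_NET  = 10.23.23.0/24
define SERVER10 = 10.23.23.10
define SERVER11 = 10.23.23.11

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Services published on the public IP (assumed: one public address for both servers)
        iifname $PUB_IF ip daddr $PUB_IP tcp dport { 22, 80, 53 } dnat to $SERVER10
        iifname $PUB_IF ip daddr $PUB_IP udp dport 53 dnat to $SERVER10
        iifname $PUB_IF ip daddr $PUB_IP tcp dport 2222 dnat to 10.23.23.11:22
        iifname $PUB_IF ip daddr $PUB_IP tcp dport 25 dnat to $SERVER11
        # Transparent proxy: internal HTTP not aimed at the DMZ is redirected to Server11:3128
        iifname $INT_IF ip daddr != $DMZ_NET tcp dport 80 dnat to 10.23.23.11:3128
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # All Internal / DMZ traffic leaving towards the public network is source-NATed
        oifname $PUB_IF ip saddr { $INT_NET, $DMZ_NET } snat to $PUB_IP
    }
}

table inet filter {
    # FTP helper so that data connections are tracked as "related"
    ct helper ftp-std {
        type "ftp" protocol tcp
    }
    chain helper {
        type filter hook prerouting priority 0; policy accept;
        iifname { $INT_IF, $DMZ_IF } tcp dport 21 ct helper set "ftp-std"
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        # Nothing else reaches the firewall itself; no exception for the public side
        log prefix "DROP-input: " drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid log prefix "DROP-invalid: " drop
        # Multicast and broadcast are not handled at all
        meta pkttype { broadcast, multicast } log prefix "DROP-bcast: " drop

        # Anti-spoofing, one rule per ingress interface
        iifname $INT_IF ip saddr != $INT_NET log prefix "SPOOF-int: " drop
        iifname $DMZ_IF ip saddr != $DMZ_NET log prefix "SPOOF-dmz: " drop
        iifname $PUB_IF ip saddr { $INT_NET, $DMZ_NET, 127.0.0.0/8, $PUB_IP } log prefix "SPOOF-pub: " drop

        # DMZ may initiate any connection to the public network
        iifname $DMZ_IF oifname $PUB_IF ct state new accept

        # Server10: SSH, HTTP, DNS from Public (after DNAT) and Internal
        iifname { $PUB_IF, $INT_IF } oifname $DMZ_IF ip daddr $SERVER10 tcp dport { 22, 80, 53 } ct state new accept
        iifname { $PUB_IF, $INT_IF } oifname $DMZ_IF ip daddr $SERVER10 udp dport 53 accept

        # Server11: SSH (public arrives on 2222, already rewritten to 22) and SMTP
        iifname { $PUB_IF, $INT_IF } oifname $DMZ_IF ip daddr $SERVER11 tcp dport { 22, 25 } ct state new accept
        # Only flows redirected by the DNAT rule may reach the proxy port
        iifname $INT_IF oifname $DMZ_IF ip daddr $SERVER11 tcp dport 3128 ct status dnat accept

        # Internal clients to the public network: FTP, SSH, POP3S, IMAP4S
        iifname $INT_IF oifname $PUB_IF tcp dport { 21, 22, 993, 995 } ct state new accept

        # Everything not explicitly allowed is logged and dropped
        log prefix "DROP-forward: " drop
    }
}
```

Load it with `nft -f <file>` and check with `nft list ruleset`. The connection-table target of ~256k is a kernel setting rather than a rule: `sysctl -w net.netfilter.nf_conntrack_max=262144` (together with `net.ipv4.ip_forward=1`). Drops are written to the kernel log with the prefixes above, so every denied packet can be found with `journalctl -k` or `dmesg`; no `limit` is applied to the log statements because the policy requires every dropped packet to be logged, which also means a flood of denied packets will generate a flood of log lines. Using an `inet` table means IPv6 is silently covered by the default drop on input and forward. The firewall's own outbound traffic (the output hook) is not addressed by the policy text and is therefore left unrestricted here.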