Case 1: basic firewall, no DMZ, no NAT


wlan0: internet uplink (10.0.0.x/24)
eth1: internal network (192.168.111.x/24)

Policy:
- drop all incoming requests (except below), allow all outgoing ones.
- Log the dropped packets via syslog
- Take care of FTP 
- Anti-Spoofing Rules
- Incoming connections to internal network allowed (stateful)
	- ICMP echo request
	- SSH to all internal hosts
- Incoming connections to firewall:
	- SSH to firewall
- Incoming connections to server1 (192.168.111.4):
	- One host "server1" accepts FTP, SMTP and HTTP


Case 2: Add DMZ, NAT for internal net

eth0: like above
eth1: internal net (192.168.111.0/24)
eth2: DMZ (10.2.2.1/24)

Policy (like above, but):
- server1 now lives in DMZ
- internal network now SNAT'ed (to 10.1.1.2/24)