Case 1: basic firewall, no DMZ, no NAT

wlan0: internet uplink (10.0.0.x/24)
eth1:  internal network (192.168.111.x/24)

Policy:
- drop all incoming requests (except below), allow all outgoing ones.
- Log the dropped packets via syslog
- Take care of FTP
- Anti-Spoofing Rules
- Incoming connections to internal network allowed (stateful):
  - ICMP echo request
  - SSH to all internal hosts
- Incoming connections to firewall:
  - SSH to firewall
- Incoming connections to server1 (192.168.111.4):
  - One host "server1" accepts FTP, SMTP and HTTP

Case 2: Add DMZ, NAT for internal net

eth0: like above
eth1: internal net (192.168.111.0/24)
eth2: DMZ (10.2.2.1/24)

Policy (like above, but):
- server1 now lives in DMZ
- internal network now SNAT'ed (to 10.1.1.2/24)
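One way to turn the two policies above into a concrete ruleset, as an added example that is not part of the exercise text: a POSIX shell script whose gen_rules function emits an iptables-restore file for either case. Values the exercise does not give and which are therefore assumptions: server1's DMZ address (10.2.2.4), eth0 as the uplink interface in Case 2 (the text says "eth0: like above" although Case 1 names it wlan0), the use of the raw-table CT target to attach the FTP conntrack helper, rate-limited LOG entries with the prefix "FW-DROP: ", and the design choice that the LAN may open connections into the DMZ while the DMZ may not open connections into the LAN.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for Case 1 or Case 2.
#   review:  CASE=case2 sh fw.sh
#   apply:   modprobe nf_conntrack_ftp; CASE=case2 sh fw.sh | iptables-restore
# Assumptions (not given in the exercise): server1's DMZ address 10.2.2.4,
# eth0 as the Case 2 uplink, LAN->DMZ allowed, DMZ->LAN denied.

gen_rules() {
    case "$1" in
    case1) WAN=wlan0; LAN=eth1; DMZ="";   SRV_IF=eth1; SERVER1=192.168.111.4 ;;
    case2) WAN=eth0;  LAN=eth1; DMZ=eth2; SRV_IF=eth2; SERVER1=10.2.2.4 ;;  # 10.2.2.4 assumed
    *) echo "usage: gen_rules case1|case2" >&2; return 1 ;;
    esac
    LAN_NET=192.168.111.0/24
    DMZ_NET=10.2.2.0/24

    # raw table: attach the FTP helper explicitly (current kernels do not
    # auto-assign helpers), so FTP data connections show up as RELATED.
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
EOF

    # filter table: default DROP for INPUT/FORWARD, ACCEPT for OUTPUT
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# rate-limited syslog line, then drop
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
# anti-spoofing: inside addresses never arrive on the uplink,
# and each inside interface only carries its own network
-A INPUT -i $WAN -s $LAN_NET -j LOGDROP
-A FORWARD -i $WAN -s $LAN_NET -j LOGDROP
-A INPUT -i $WAN -s 127.0.0.0/8 -j LOGDROP
-A INPUT -i $LAN ! -s $LAN_NET -j LOGDROP
-A FORWARD -i $LAN ! -s $LAN_NET -j LOGDROP
EOF
    if [ -n "$DMZ" ]; then cat <<EOF
-A INPUT -i $WAN -s $DMZ_NET -j LOGDROP
-A FORWARD -i $WAN -s $DMZ_NET -j LOGDROP
-A INPUT -i $DMZ ! -s $DMZ_NET -j LOGDROP
-A FORWARD -i $DMZ ! -s $DMZ_NET -j LOGDROP
EOF
    fi
    cat <<EOF
# stateful core: replies and helper-spawned connections (FTP data) pass
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
-A FORWARD -m conntrack --ctstate INVALID -j LOGDROP
# to the firewall itself: SSH only
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# outgoing from the internal network is unrestricted
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# into the internal network: echo request and SSH
-A FORWARD -i $WAN -o $LAN -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $WAN -o $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# server1: FTP control, SMTP, HTTP (FTP data is covered by RELATED above)
-A FORWARD -i $WAN -o $SRV_IF -d $SERVER1 -p tcp -m multiport --dports 21,25,80 -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ -n "$DMZ" ]; then cat <<EOF
# DMZ may reach the internet, LAN may reach the DMZ; DMZ -> LAN falls to LOGDROP
-A FORWARD -i $DMZ -o $WAN -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -j ACCEPT
EOF
    fi
    cat <<EOF
-A INPUT -j LOGDROP
-A FORWARD -j LOGDROP
COMMIT
EOF

    # nat table (Case 2 only): hide the internal network behind 10.1.1.2
    if [ -n "$DMZ" ]; then cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source 10.1.1.2
COMMIT
EOF
    fi
}

gen_rules "${CASE:-case1}"
```

The ordering matters: anti-spoofing checks come before the ESTABLISHED,RELATED rule so a spoofed packet can never ride an existing conntrack entry, every chain ends in the LOGDROP chain so that the syslog requirement is met without logging accepted traffic, and the FTP requirement is handled once at conntrack level rather than by opening data ports. Before applying Case 2, load nf_conntrack_ftp (and nf_nat_ftp, which the kernel pulls in for SNAT'ed FTP sessions) and confirm that 10.1.1.2 is actually configured on, or routed to, the uplink interface; otherwise replies to translated packets never return.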