blob: 33f70cea4d4f3aa6ad3a2c9c658e74b5db8f5ddf (plain)
Internal Network: 10.0.0.1/24 (eth1)
DMZ: 10.23.23.1/24 (eth2)
Server10: 10.23.23.10/24
Server11: 10.23.23.11/24
Public IP: 192.168.100.215/24 (eth0)
Layout:

                   DMZ
                    |
  Internal Net --- Firewall --- Public Net
Security policy:
- Stateful Packet Filter for ~256k Connections
- All packets that are not explicitly allowed have to be dropped
- All packets that are dropped have to be logged
- No access from the public network to the Firewall itself
- No handling of multicast and/or broadcast packets
- Antispoofing rules for each interface
- All traffic from Internal / DMZ to public must be NAT'ed
- All machines in DMZ:
  - Allowed to initiate any kind of connection to Public network
- Server10:
  - Administrative access via SSH from Public and Internal Network
  - HTTP access from Public and Internal Network
  - DNS access from Public and Internal Network
- Server11:
  - Administrative access via SSH from Public (Port 2222) and Internal Network
  - SMTP access from Public and Internal Network
- All machines in Internal Network:
  - Allowed to do FTP, SSH, POP3S, IMAP4S to Public Network
  - HTTP via transparent proxy on Server11:3128
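One way to express the policy above as an nftables ruleset (an added example, not part of the original file). It assumes Server11 takes SSH on 2222 only from the public side and on 22 from the internal side, and that the ~256k connection table is sized separately via the net.netfilter.nf_conntrack_max sysctl.

```nft
# Added example: nftables ruleset for the policy above (not from the original file).
# Assumptions: Server11 SSH is 2222 from public, 22 from internal; conntrack sizing
# (~256k) is set via sysctl net.netfilter.nf_conntrack_max, not in this file.
define PUB_IF = "eth0"
define INT_IF = "eth1"
define DMZ_IF = "eth2"
define INT_NET = 10.0.0.0/24
define DMZ_NET = 10.23.23.0/24
define SERVER10 = 10.23.23.10
define SERVER11 = 10.23.23.11
table inet fw {
    chain drop_log {
        log prefix "FW-DROP: " counter drop   # every drop is logged
    }
    chain antispoof {
        # each interface may only carry its own source net; public side may claim neither
        iifname $INT_IF ip saddr != $INT_NET jump drop_log
        iifname $DMZ_IF ip saddr != $DMZ_NET jump drop_log
        iifname $PUB_IF ip saddr { $INT_NET, $DMZ_NET } jump drop_log
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        jump antispoof
        meta pkttype != unicast jump drop_log   # no multicast/broadcast handling
        ct state established,related accept
        jump drop_log   # nothing may reach the firewall itself (public side included)
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        jump antispoof
        meta pkttype != unicast jump drop_log
        ct state established,related accept
        iifname $DMZ_IF oifname $PUB_IF accept   # DMZ may initiate anything to public
        iifname { $PUB_IF, $INT_IF } ip daddr $SERVER10 tcp dport { 22, 80, 53 } accept
        iifname { $PUB_IF, $INT_IF } ip daddr $SERVER10 udp dport 53 accept
        iifname $PUB_IF ip daddr $SERVER11 tcp dport 2222 accept
        iifname $INT_IF ip daddr $SERVER11 tcp dport 22 accept
        iifname { $PUB_IF, $INT_IF } ip daddr $SERVER11 tcp dport 25 accept
        iifname $INT_IF oifname $PUB_IF tcp dport { 21, 22, 993, 995 } accept   # FTP, SSH, IMAP4S, POP3S
        iifname $INT_IF ip daddr $SERVER11 tcp dport 3128 accept   # HTTP after redirect to proxy
        jump drop_log
    }
}
table ip nat {
    chain prerouting { type nat hook prerouting priority -100;
        iifname $INT_IF tcp dport 80 dnat to 10.23.23.11:3128 }   # transparent proxy
    chain postrouting { type nat hook postrouting priority 100;
        oifname $PUB_IF ip saddr { $INT_NET, $DMZ_NET } masquerade }   # NAT internal/DMZ to public
}
```

Load with `nft -f` and check the result against the policy with `nft list ruleset`; active-mode FTP from the internal network additionally needs the FTP conntrack helper, which this file does not enable.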