path: root/2005/iptables-firewall-heinlein2005/example2.txt
Internal Network: 10.0.x.1/24
Host10: 10.0.x.10/24
Host11: 10.0.x.11/24
Public IP: 10.0.0.z/24

Layout:

Internal Net --- Firewall --- Public Net

Security policy:
- Stateful Packet Filter for ~64k Connections
- All packets that are not explicitly allowed have to be dropped
- All packets that are dropped have to be logged
- SSH access from public segment (192.168.100.y/24) to the Firewall itself
- No handling of multicast and/or broadcast packets
- Antispoofing rules for each interface
- All traffic from/to Internal must not be NAT'ed (i.e. the internal hosts use public addresses)
- Correct handling of all ICMP Errors
- ICMP echo request / reply allowed stateful
- Host10:
	- Administrative access via SSH from any Public Address
	- HTTP access from Public Network
- Host11:
	- No access from Public Network
- All machines in Internal Network:
	- Allowed to initiate any kind of connections to Public Network
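
Added worked example (not part of the workshop handout): a POSIX shell script that implements the policy above with iptables. The interface names eth0/eth1, the chain names LOGDROP and SPOOF, the sysctl names and the default values substituted for the x and z placeholders are assumptions; set IPT=echo to print the rules instead of loading them, and APPLY=1 to load them.

```shell
#!/bin/sh
# Added example, not from the workshop handout. Interface names, chain names,
# sysctl names and the x/z defaults are assumptions; adjust them to your setup.
set -eu

IPT="${IPT:-iptables}"       # IPT=echo prints the rules instead of loading them
SYSCTL="${SYSCTL:-sysctl}"
INT_IF="${INT_IF:-eth0}"     # assumed: interface towards Internal Net
PUB_IF="${PUB_IF:-eth1}"     # assumed: interface towards Public Net
X="${X:-1}"; Z="${Z:-2}"     # workshop placeholders x and z (constructed defaults)

INT_NET="10.0.$X.0/24"
HOST10="10.0.$X.10"
FW_PUB="10.0.0.$Z"
ADMIN_NET="192.168.100.0/24" # public segment allowed to ssh to the firewall itself
# Host11 (10.0.$X.11) deliberately gets no rule: anything from Public ends in LOGDROP

tune_kernel() {
    # "~64k connections": size the conntrack table (2.6-era name was ip_conntrack_max)
    $SYSCTL -w net.netfilter.nf_conntrack_max=65536
    $SYSCTL -w net.ipv4.ip_forward=1
    # kernel reverse-path check complements the SPOOF chain below
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
}

gen_rules() {
    $IPT -F; $IPT -X
    # default deny everywhere; the nat table stays empty because Internal uses public addresses
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP

    # every dropped packet is logged (no -m limit: a rate limit would silently break that rule)
    $IPT -N LOGDROP
    $IPT -A LOGDROP -j LOG --log-prefix "FW-DROP: "
    $IPT -A LOGDROP -j DROP

    # antispoofing, one set of checks per interface
    $IPT -N SPOOF
    $IPT -A SPOOF -i "$INT_IF" ! -s "$INT_NET" -j LOGDROP  # internal side: only internal sources
    $IPT -A SPOOF -i "$PUB_IF" -s "$INT_NET" -j LOGDROP    # public side: never our internal net,
    $IPT -A SPOOF -i "$PUB_IF" -s "$FW_PUB" -j LOGDROP     # nor our own public address,
    $IPT -A SPOOF -i "$PUB_IF" -s 127.0.0.0/8 -j LOGDROP   # nor loopback

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    for chain in INPUT FORWARD OUTPUT; do
        [ "$chain" = OUTPUT ] || $IPT -A "$chain" -j SPOOF
        # stateful core: INVALID (e.g. an ICMP error for an unknown connection) is logged and
        # dropped; ESTABLISHED carries replies incl. echo-reply, RELATED carries ICMP errors,
        # including those the firewall itself generates for forwarded traffic (OUTPUT chain)
        $IPT -A "$chain" -m conntrack --ctstate INVALID -j LOGDROP
        $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done

    # traffic to the firewall itself: ssh from the admin segment, ping from anywhere
    $IPT -A INPUT -i "$PUB_IF" -s "$ADMIN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -j LOGDROP

    # firewall-originated traffic: only new pings; replies and ICMP errors passed above
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -j LOGDROP

    # Internal -> Public: any new connection
    $IPT -A FORWARD -i "$INT_IF" -o "$PUB_IF" -s "$INT_NET" -m conntrack --ctstate NEW -j ACCEPT
    # Public -> Host10: ssh, http and ping only ($svc is word-split on purpose)
    for svc in "-p tcp --dport 22" "-p tcp --dport 80" "-p icmp --icmp-type echo-request"; do
        $IPT -A FORWARD -i "$PUB_IF" -o "$INT_IF" -d "$HOST10" $svc -m conntrack --ctstate NEW -j ACCEPT
    done
    # broadcast and multicast get no rules of their own: they end here, dropped and logged
    $IPT -A FORWARD -j LOGDROP
}

if [ "${APPLY:-0}" = 1 ]; then
    tune_kernel
    gen_rules
fi
```

Run it as `IPT=echo sh fw.sh` with `APPLY=1` to review the generated rule list before loading it; `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in 2005-era rulesets. Ordering matters: the SPOOF and INVALID checks sit before the ESTABLISHED,RELATED accept so that a spoofed packet can never ride on an existing connection entry.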
personal git repositories of Harald Welte. Your mileage may vary