blob: 3760b5dd6f1d144496e2a5f62173400b6d60bd2c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
Internal Network: 10.0.x.1/24
Host10: 10.0.x.10/24
Host11: 10.0.x.11/24
Public IP: 10.0.0.z/24
Layout:
Internal Net --- Firewall --- Public Net
Security policy:
- Stateful Packet Filter for ~64k Connections
- All packets that are not explicitly allowed, have to be dropped
- All packets that are dropped have to be logged
- SSH access from public segment (192.168.100.y/24) to the Firewall itself
- No handling of multicast and/or broadcast packets
- Antispoofing rules for each interface
- All traffic from/to Internal must not be NAT'ed (i.e. public addresses)
- Correct handling of all ICMP Errors
- ICMP echo request / reply allowed stateful
- Host10:
- Administrative access via SSH from any Public Address
- HTTP access from Public Network
- Host11:
- No access from Public Network
- All machines in Internal Network:
- Allowed to initiate any kind of connections to Public Network
|
