Case 1: basic firewall, no DMZ, no NAT
  wlan0: internet uplink (10.0.0.x/24)
  eth1:  internal network (192.168.111.x/24)
  Policy:
  - drop all incoming requests (except below), allow all outgoing ones
  - log the dropped packets via syslog
  - take care of FTP
  - anti-spoofing rules
  - incoming connections to the internal network allowed (stateful):
      - ICMP echo request
      - SSH to all internal hosts
  - incoming connections to the firewall:
      - SSH to the firewall
  - incoming connections to server1 (192.168.111.4):
      - one host "server1" accepts FTP, SMTP and HTTP

Case 2: add DMZ, NAT for the internal net
  eth0: like above
  eth1: internal net (192.168.111.0/24)
  eth2: DMZ (10.2.2.1/24)
  Policy (like above, but):
  - server1 now lives in the DMZ
  - internal network now SNAT'ed (to 10.1.1.2/24)
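The following script is an added worked example, not part of the exercise sheet: it emits iptables-restore rulesets that implement the Case 1 and Case 2 policies above. Interface names and addresses follow the spec (the uplink is wlan0 in Case 1 and eth0 in Case 2, exactly as written), and everything the spec leaves open is an assumption marked as such in the code: server1's DMZ address (10.2.2.4), the log rate limit, and the rule that the DMZ may never open connections into the internal network. "Take care of FTP" is solved with the kernel's ftp conntrack helper, so FTP data connections match RELATED instead of needing extra port holes; the helper has to be attached explicitly in the raw table on current kernels, and the nf_conntrack_ftp (plus nf_nat_ftp under SNAT) modules must be loaded.

```shell
#!/bin/sh
# Added example (not from the exercise sheet): print iptables-restore rulesets
# for Case 1 and Case 2. Values the spec does not give are marked ASSUMED.
# Usage: sh fw.sh 1 | iptables-restore     (or 2 for Case 2)

INT_IF="eth1"; DMZ_IF="eth2"
INT_NET="192.168.111.0/24"; DMZ_NET="10.2.2.0/24"
SERVER1_INT="192.168.111.4"    # server1 in Case 1 (from the spec)
SERVER1_DMZ="10.2.2.4"         # ASSUMED: the spec gives no DMZ address for server1
SNAT_ADDR="10.1.1.2"           # Case 2: internal net SNAT'ed to this address
LOG_LIMIT="10/minute"          # ASSUMED: rate limit so a flood cannot fill syslog

# "Take care of FTP": attach the ftp conntrack helper to control connections so
# the data connections match RELATED (needs nf_conntrack_ftp; nf_nat_ftp under NAT).
raw_ftp() {
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
EOF
}

# Anti-spoofing for chain $1, uplink $2, optional DMZ interface $3: the uplink
# never delivers private or loopback sources, each inside interface only its own net.
anti_spoof() {
  cat <<EOF
-A $1 -i $2 -s $INT_NET -j LOGDROP
-A $1 -i $2 -s $DMZ_NET -j LOGDROP
-A $1 -i $2 -s 127.0.0.0/8 -j LOGDROP
-A $1 -i $INT_IF ! -s $INT_NET -j LOGDROP
${3:+-A $1 -i $3 ! -s $DMZ_NET -j LOGDROP}
EOF
}

# Common filter preamble (uplink $1, optional DMZ $2): default DROP, drops logged
# via the LOG target (syslog), stateful INPUT admitting only SSH to the firewall,
# stateful FORWARD plus the "incoming to internal net" rules (ICMP echo, SSH).
filter_head() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit $LOG_LIMIT -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
$(anti_spoof INPUT "$1" "$2")
$(anti_spoof FORWARD "$1" "$2")
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j LOGDROP
-A FORWARD -i $1 -o $INT_IF -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $1 -o $INT_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Case 1: uplink wlan0, server1 on the internal net, no NAT.
case1_rules() {
  up="wlan0"
  raw_ftp
  filter_head "$up"
  cat <<EOF
-A FORWARD -i $INT_IF -o $up -s $INT_NET -j ACCEPT
-A FORWARD -i $up -o $INT_IF -d $SERVER1_INT -p tcp -m multiport --dports 21,25,80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# Case 2: uplink eth0 (as the spec names it), DMZ on eth2, internal net SNAT'ed.
# Note: with SNAT alone the "incoming to internal net" rules only matter if the
# upstream router still routes $INT_NET to this firewall; the spec adds no DNAT.
case2_rules() {
  up="eth0"
  raw_ftp
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $INT_NET -o $up -j SNAT --to-source $SNAT_ADDR
COMMIT
EOF
  filter_head "$up" "$DMZ_IF"
  cat <<EOF
-A FORWARD -i $INT_IF -o $up -s $INT_NET -j ACCEPT
-A FORWARD -i $INT_IF -o $DMZ_IF -s $INT_NET -j ACCEPT
-A FORWARD -i $up -o $DMZ_IF -d $SERVER1_DMZ -p tcp -m multiport --dports 21,25,80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $INT_IF -j LOGDROP
-A FORWARD -j LOGDROP
COMMIT
EOF
}

case "${1:-}" in
  1) case1_rules ;;
  2) case2_rules ;;
esac
```

Anti-spoofing sits before the ESTABLISHED,RELATED accept so a forged internal source address arriving on the uplink can never ride an existing conntrack entry; the LOGDROP chain rate-limits the LOG target so a packet flood is recorded without filling syslog.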