File: README.examples

Package: fwbuilder 1.0.0-2 (Debian, suite woody)
  $Id: README.examples,v 1.4 2001/08/05 09:02:24 lord Exp $

          Firewall Builder

          Examples




Example network #1:


                            |
                            |   External interface
                            |   222.222.222.222
                    +-------+-------+
                    |               |
                    |  Firewall     |
                    |               |
                    +-------+-------+
                            |   Internal interface
                            |   192.168.1.1
                            |
                            |
                            |   Internal net  192.168.1.0/255.255.255.0
  I--------------+----------+-----------+--------------I
                 |                      |
                 | 192.168.1.10         | 192.168.1.20
         +---------------+      +---------------+
         |               |      |               |
         |   Host A      |      |   Host B      |
         |               |      |               |
         +---------------+      +---------------+



The internal net uses private IP addresses from the block
192.168.1.0/255.255.255.0. There are two hosts on the internal net:
host A (192.168.1.10) and host B (192.168.1.20).


Requirements for the firewall rules:


Host A serves as a mail server and therefore must be allowed to accept
SMTP (TCP port 25) connections from the Internet. Since host A has a
private address, the firewall must provide reverse address translation
(destination NAT: TCP port 25 on the external address 222.222.222.222 is
forwarded to host A, 192.168.1.10) and allow such connections.

Host A is also a DNS server hosting one of the registered Internet
domains. The firewall must allow incoming DNS queries to host A (UDP port
53) and DNS zone transfers (TCP port 53) from the two secondary name
servers only: secondary1.com (211.11.11.11) and secondary2.com
(211.22.22.22). Zone transfers from any other host fall under the
default block-and-log rule below.

The firewall should let some types of ICMP packets through (see the
group "Useful_ICMP"). These include all sorts of "unreachables", so that
traceroute works and hosts that are down are detected quickly (traceroute
also depends on ICMP "time exceeded", which belongs in the same group).
The group should also include ICMP echo reply, so that ping from the
internal net works.

All other incoming connections should be blocked and logged.

There must be anti-spoofing rules on the firewall to block and log IP
packets coming from the Internet whose source IP belongs to the internal
network or is one of the firewall's own addresses.

All fragmented packets coming from the Internet should be dropped and
logged.

Internal hosts should be able to initiate outgoing connections to hosts
on the Internet, and these connections should be source-translated
(masqueraded) to the firewall's external IP address 222.222.222.222.
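The requirements above, turned into a working iptables ruleset. This is an
added example written for this page: it is not fwbuilder's generated output
and not part of the original README. The addresses are the ones from the
example; the interface names eth0 (external) and eth1 (internal), and the use
of iptables connection tracking (the "state" match) and NAT, are assumptions.
Run it without arguments to print the rules for review; run it as
"sh fw1.sh apply" (as root) to install them.

```shell
#!/bin/sh
# Added example (not fwbuilder output, not part of the original README):
# iptables ruleset for example network #1. Prints the rules by default and
# applies them only when invoked as "sh fw1.sh apply".
# Assumptions not stated on the page: Linux iptables with connection
# tracking and NAT, external interface eth0, internal interface eth1.

EXT_IF=eth0                  # assumed name of the external interface
INT_IF=eth1                  # assumed name of the internal interface
EXT_IP=222.222.222.222       # firewall external address (from the README)
FW_INT_IP=192.168.1.1        # firewall internal address (from the README)
INT_NET=192.168.1.0/24       # internal network (from the README)
HOST_A=192.168.1.10          # mail and DNS server (from the README)
SECONDARIES="211.11.11.11 211.22.22.22"   # secondary name servers (README)

# Emit (or, with "apply", execute) the ruleset. Rule order matters: the
# fragment and anti-spoofing drops come before any ACCEPT, so a spoofed or
# fragmented packet can never match a permissive rule further down.
fw_rules() {
    if [ "$1" = apply ]; then
        ipt=iptables
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        ipt="echo iptables"   # print mode: show what would be applied
    fi

    # Default deny for traffic to and through the firewall; flush old rules
    # (on a re-run "-N LOGDROP" reports that the chain exists; harmless)
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    $ipt -F
    $ipt -t nat -F

    # Chain that logs and then drops, used by every "block and log" rule
    $ipt -N LOGDROP
    $ipt -A LOGDROP -j LOG --log-prefix fw-drop:
    $ipt -A LOGDROP -j DROP

    $ipt -A INPUT -i lo -j ACCEPT

    # Fragments from the Internet: drop and log
    $ipt -A INPUT   -i $EXT_IF -f -j LOGDROP
    $ipt -A FORWARD -i $EXT_IF -f -j LOGDROP

    # Anti-spoofing: internal or firewall addresses cannot arrive from outside
    for src in $INT_NET $FW_INT_IP $EXT_IP; do
        $ipt -A INPUT   -i $EXT_IF -s $src -j LOGDROP
        $ipt -A FORWARD -i $EXT_IF -s $src -j LOGDROP
    done

    # Replies to connections the firewall already knows about
    $ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Useful_ICMP: unreachables, time-exceeded (traceroute), echo-reply (ping)
    for t in destination-unreachable time-exceeded echo-reply; do
        $ipt -A INPUT   -i $EXT_IF -p icmp --icmp-type $t -j ACCEPT
        $ipt -A FORWARD -i $EXT_IF -p icmp --icmp-type $t -j ACCEPT
    done

    # Reverse translation: SMTP and DNS on the external address go to host A
    for rule in "tcp 25" "udp 53" "tcp 53"; do
        proto=${rule% *}; port=${rule#* }
        $ipt -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p $proto --dport $port \
             -j DNAT --to-destination $HOST_A
    done
    # ...and the matching FORWARD rules (after DNAT the destination is host A)
    $ipt -A FORWARD -i $EXT_IF -d $HOST_A -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $ipt -A FORWARD -i $EXT_IF -d $HOST_A -p udp --dport 53 -j ACCEPT
    # Zone transfers only from the two secondaries; TCP 53 from anyone else
    # falls through to the final LOGDROP
    for s in $SECONDARIES; do
        $ipt -A FORWARD -i $EXT_IF -s $s -d $HOST_A -p tcp --dport 53 \
             -m state --state NEW -j ACCEPT
    done

    # Outgoing connections from the internal net, source-translated to EXT_IP
    $ipt -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -m state --state NEW -j ACCEPT
    $ipt -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_IP

    # Everything else: block and log
    $ipt -A INPUT   -j LOGDROP
    $ipt -A FORWARD -j LOGDROP
}

fw_rules "${1:-print}"
```

Two caveats when reading the result against the requirements. First, the
iptables "-f" match only catches second and later fragments, and once the
connection-tracking module is loaded the kernel reassembles datagrams before
the filter table sees them, so on such a system the two fragment rules never
match and fragment handling is left to the reassembler (which discards
incomplete or overlapping fragment trains itself). Second, with connection
tracking in place the explicit echo-reply and unreachable ACCEPTs are largely
redundant, since replies to tracked connections already pass as ESTABLISHED
or RELATED; they are kept because the README asks for them explicitly.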