In our example we will configure a firewall located between two networks, one external (untrusted, 192.168.1.0) and one internal (trusted, 10.0.99.0). Here is a table of the servers and their IP addresses.

Table 3-1. Server Addresses

| Server | IP address |
|---|---|
| Firewall (external interface) | 192.168.1.81 |
| Firewall (internal interface) | 10.0.99.1 |
As just one example, in your environment the 192.168.1.0 network used here could represent your external network or the Internet, and the 10.0.99.0 network could be your internal network. In this type of scenario the firewall is made to look like a group of servers (for example DNS, SMTP, FTP, HTTP, etc.) to the external network. The Internet-facing interface (represented here by 192.168.1.81) receives the packets for all of these services and then forwards them to the appropriate servers on the internal network (represented here by 10.0.99.0/24), which lives in the private IP address space. This is different from having a group of servers in a publicly addressable DMZ. I chose this example because it involves firewall configuration that exercises more functionality and gives the reader a broader information base. It is also useful if you have only a very small group of public IP addresses; in fact it can be used when there is only one public IP address to represent a group of servers and services. In addition, our example will accomplish the following:
Define two networks and several hosts.
Allow incoming Guardian Digital WebTool (port 1023) packets only from the administrator's host to the firewall and internal network.
Allow incoming SSH packets from the administrator's host to the internal network.
Allow outgoing HTTP(S), FTP, SSH and NTP packets from the internal network.
Allow outgoing SMTP packets only from the internal mail server.
Allow outgoing DNS packets only from the internal name server.
Blacklist all incoming packets from a malicious external host.
Block all incoming packets from the external network that contain invalid TCP flags.
Port forward incoming SMTP requests to the mail server.
Port forward incoming DNS requests to the name server.
Port forward incoming SIMAP and SPOP3 requests to the mail server.
Port forward incoming HTTP and HTTPS requests to the web server.
Masquerade the internal network.
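The WebTool generates netfilter rules for you, but it helps to see the complete policy listed above expressed as plain iptables commands. The script below is an added example and is not code from the original documentation or from the Guardian Digital WebTool. The two firewall addresses come from Table 3-1; the interface names, the administrator's host, the internal mail, name and web servers, and the blacklisted host are constructed placeholders. By default it only prints the rules it would apply (DRY_RUN=1); set DRY_RUN=0 and run it as root to load them.

```shell
#!/bin/sh
# Added example (not from the original documentation or the WebTool): iptables rules
# for the policy described in the text. Addresses other than the two firewall
# interfaces are constructed placeholders; replace them with your own.
EXT_IF=eth0; INT_IF=eth1                          # assumed interface names
EXT_IP=192.168.1.81; INT_NET=10.0.99.0/24        # from Table 3-1
ADMIN=192.168.1.50                                # constructed: administrator's host
MAIL=10.0.99.10; NS=10.0.99.11; WEB=10.0.99.12    # constructed: internal servers
BADHOST=192.168.1.66                              # constructed: blacklisted host

DRY_RUN=${DRY_RUN:-1}
ipt() {   # print the rule in dry-run mode, otherwise hand it to iptables
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# fwd PROTO PORT TARGET: DNAT a service arriving on the external address to an
# internal server, then allow the (already rewritten) flow through FORWARD.
fwd() {
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$2"
    ipt -A FORWARD -i "$EXT_IF" -d "$3" -p "$1" --dport "$2" \
        -m conntrack --ctstate NEW -j ACCEPT
}

firewall_rules() {
    # Default deny for traffic to and through the firewall; allow loopback and
    # replies to connections already accepted.
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Blacklist the malicious external host before any other rule is consulted.
    ipt -A INPUT   -i "$EXT_IF" -s "$BADHOST" -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$BADHOST" -j DROP

    # Drop external packets carrying impossible TCP flag combinations.
    for chain in INPUT FORWARD; do
        ipt -A "$chain" -i "$EXT_IF" -p tcp --tcp-flags ALL NONE -j DROP
        ipt -A "$chain" -i "$EXT_IF" -p tcp --tcp-flags ALL ALL -j DROP
        ipt -A "$chain" -i "$EXT_IF" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
        ipt -A "$chain" -i "$EXT_IF" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    done

    # WebTool (1023) to the firewall, and WebTool plus SSH into the internal
    # network, only from the administrator's host.
    ipt -A INPUT   -i "$EXT_IF" -s "$ADMIN" -p tcp --dport 1023 -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -s "$ADMIN" -d "$INT_NET" -p tcp \
        -m multiport --dports 22,1023 -j ACCEPT

    # Outgoing HTTP(S), FTP, SSH and NTP from anywhere inside; SMTP only from
    # the mail server; DNS only from the name server. (FTP data channels need
    # the nf_conntrack_ftp helper loaded for the RELATED rule above to match.)
    ipt -A FORWARD -i "$INT_IF" -s "$INT_NET" -p tcp -m multiport --dports 80,443,21,22 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -s "$INT_NET" -p udp --dport 123 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -s "$MAIL" -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -s "$NS"   -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -s "$NS"   -p tcp --dport 53 -j ACCEPT

    # Port forwarding of the published services.
    fwd tcp 25  "$MAIL"
    fwd udp 53  "$NS";   fwd tcp 53  "$NS"
    fwd tcp 993 "$MAIL"; fwd tcp 995 "$MAIL"
    fwd tcp 80  "$WEB";  fwd tcp 443 "$WEB"

    # Masquerade the internal network behind the external address.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

firewall_rules
```

Rule order matters: the blacklist and invalid-flag drops sit before every ACCEPT so a listed host can never reach the forwarded services, and the FORWARD rules for port forwarding match on the internal server address because DNAT in PREROUTING has already rewritten the destination by the time FORWARD is evaluated.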
A general note about defining networks: networks in the Guardian Digital WebTool are defined in CIDR notation, so for example the network 192.168.1.0 with a netmask of 255.255.255.0 would be defined as 192.168.1.0/24. You will need a general grasp of how CIDR notation works, or you may misconfigure the firewall in certain instances. If CIDR is new to you, you should research how it works before continuing the firewall configuration.
In the networking world there is a public and a private address space. The public address space is made up of ordinary IP addresses that can be routed across the Internet. The private address space is made up of a group of IP address ranges (defined in RFC 1918) reserved specifically for use in private networks that are not directly connected to the Internet. Understanding these concepts is absolutely necessary before continuing the firewall configuration. If you are not totally familiar with the distinction between public and private IP addresses, you need to stop here and research these concepts.
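The two notes above (CIDR notation and public versus private address space) reduce to a few bit operations. The helpers below are an added example, not part of the original documentation or the WebTool; they convert a dotted netmask to a CIDR prefix length, test whether an address falls inside a CIDR network, and check an address against the RFC 1918 private ranges. Plain POSIX sh arithmetic is used so they run on any Linux shell.

```shell
#!/bin/sh
# Added example (not from the original documentation): CIDR and private-address
# helpers in POSIX sh.

# ip2int 10.0.99.1 -> the address as a 32-bit integer
ip2int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# mask2cidr 255.255.255.0 -> 24. Counts the leading one bits, then rejects
# masks such as 255.0.255.0 that have ones after the first zero.
mask2cidr() {
    m=$(ip2int "$1"); bits=0
    while [ "$bits" -lt 32 ] && [ $(( (m >> (31 - bits)) & 1 )) -eq 1 ]; do
        bits=$((bits + 1))
    done
    if [ $(( m & ((1 << (32 - bits)) - 1) )) -ne 0 ]; then
        echo "invalid netmask: $1" >&2
        return 1
    fi
    echo "$bits"
}

# in_cidr 10.0.99.0/24 10.0.99.57 -> exit status 0 if the address is in the network
in_cidr() {
    net=${1%/*}; plen=${1#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# is_private 10.0.99.1 -> exit status 0 for an RFC 1918 address
is_private() {
    for n in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        in_cidr "$n" "$1" && return 0
    done
    return 1
}

# Apply the helpers to the networks used in this chapter (Table 3-1).
echo "255.255.255.0 is /$(mask2cidr 255.255.255.0)"
in_cidr 10.0.99.0/24 10.0.99.1 && echo "10.0.99.1 is inside 10.0.99.0/24"
is_private 192.168.1.81 && echo "192.168.1.81 is private address space"
```

Note what the last line shows: the "external" 192.168.1.0/24 network of this example is itself RFC 1918 space, which is fine for a lab but means that, on a real deployment, the address you enter as the public side of the firewall will be a routable one and the CIDR prefix of that network must match what your provider assigned.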