Chapter 1. Overview

Table of Contents

1.1. Setup Example
1.2. The Desired Setup of the Firewall
1.3. More than one way to . . .

1.1. Setup Example

Simply writing this document without some sort of consistent example would be quite difficult, so for the sake of easy discussion, the following is what we want to accomplish:

Internal Network                 clients, hosts, internal servers
                                          172.16.0.0

                                              |
                                              |

NetBSD Firewall                        fxp0 172.16.14.1
Server with SSH Open                  ------------------
                                       ep0 216.68.250.60
                                              
                                              |
                                              |

Internet Connection                     gateway switch/
Provider Network                          router
                                        216.68.250.65

                                              |
                                              |

Big Bad Internet                         insert cloud here

This is a pretty common setup for many organizations: connected to the internet through a service provider's network.

The purpose of this firewall is to allow the clients on the 172.16.0.0 network to interact with the internet.

1.2. The Desired Setup of the Firewall

In a nutshell, we want the firewall to pass certain traffic in and out; however, we only want one service available on the firewall itself, and that service is Secure Shell. The following matrix shows how this particular installation is to look:

Service   Connect to Firewall Pass In Pass Out
----------------------------------------------
DNS             NO             YES      YES
SMTP            NO             YES      YES
HTTPD           NO             YES      YES
FTPD            NO             YES      YES
SSH            YES             YES      YES

It is important to note here that we need to pass DNS, SMTP, FTP and HTTP traffic, but we only want the SSH service to be able to establish a connection to the firewall itself. This is worth noting now because the IPFILTER rules for accepting a connection to the firewall and for passing traffic through it are nearly identical.
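The following ipf.conf fragment is an added illustration of the matrix above and is not part of the original document; it assumes a 172.16.0.0/16 netmask on the internal network, that translation of the private addresses (ipnat) is configured separately, and that the firewall itself listens on nothing but SSH.

```conf
# Default policy: deny everything not explicitly passed below.
# These rules are not "quick", so a later matching "pass ... quick" wins.
block in log all
block out log all

# Loopback is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# --- Connect to Firewall: only SSH may reach the firewall's own addresses ---
# Note how close this rule is to the "Pass In" rules further down; the only
# difference is the destination (the firewall itself) and the port.
pass in quick on ep0 proto tcp from any to 216.68.250.60 port = 22 flags S keep state
pass in quick on fxp0 proto tcp from 172.16.0.0/16 to 172.16.14.1 port = 22 flags S keep state

# Anything else aimed at the firewall's own addresses is dropped (and logged)
# before the "Pass In" rules below get a chance to match.
block in log quick on ep0 from any to 216.68.250.60
block in log quick on fxp0 from any to 172.16.14.1

# --- Pass In: services the internal network may be reached on from outside ---
pass in quick on ep0 proto udp from any to 172.16.0.0/16 port = 53 keep state
pass in quick on ep0 proto tcp from any to 172.16.0.0/16 port = 53 flags S keep state
pass in quick on ep0 proto tcp from any to 172.16.0.0/16 port = 25 flags S keep state
pass in quick on ep0 proto tcp from any to 172.16.0.0/16 port = 80 flags S keep state
pass in quick on ep0 proto tcp from any to 172.16.0.0/16 port = 21 flags S keep state

# --- Pass Out: clients on 172.16.0.0/16 may reach these services anywhere ---
# "keep state" lets the replies back in without a separate "pass in" rule.
pass out quick on ep0 proto udp from 172.16.0.0/16 to any port = 53 keep state
pass out quick on ep0 proto tcp from 172.16.0.0/16 to any port = 53 flags S keep state
pass out quick on ep0 proto tcp from 172.16.0.0/16 to any port = 25 flags S keep state
pass out quick on ep0 proto tcp from 172.16.0.0/16 to any port = 80 flags S keep state
pass out quick on ep0 proto tcp from 172.16.0.0/16 to any port = 21 flags S keep state
pass out quick on ep0 proto tcp from 172.16.0.0/16 to any port = 22 flags S keep state
```

Port 21 only covers the FTP control channel; active-mode data connections need the ftp proxy in ipnat, which is outside this example. Load the file with `ipf -Fa -f /etc/ipf.conf` and review `ipfstat -io` to confirm the rules were parsed as intended.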

1.3. More than one way to . . .

The setup used throughout this document is only an example; there is definitely more than one way to do this, for instance:

private network    firewall    DMZ with public    firewall  uplink
                               web, ftp, etc.      
                               servers

The DMZ would hold the publicly accessible web servers, FTP servers, etc. In our example we do not require a DMZ, since we are not hosting any web servers or running a DNS server that participates with the rest of the internet.