Table of Contents
Simply writing this document without some sort of consistent example would be quite difficult, so for the sake of easy discussion, the following is what we want to accomplish:
Internal Network clients, hosts, internal servers 172.16.0.0 | | NetBSD Firewall fxp0 172.16.14.1 Server with SSH Open ------------------ ep0 18.104.22.168 | | Internet Connection gateway switch/ Provider Network router 22.214.171.124 | | Big Bad Internet insert cloud here
This is a pretty common setup for many organizations. to be connected via a service providers network out onto the internet.
The purpose of this firewall is to allow the clients on the 172.16.0.0 network to interact with the internet.
In a nutshell we want the firewall to be able to pass certain traffic in and out, however, we only want one available service at the firewall itself, that service is Secure Shell. Following is a matrix of how this particular installation is to look:
Service Connect to Firewall Pass In Pass Out ---------------------------------------------- DNS NO YES YES SMTP NO YES YES HTTPD NO YES YES FTPD NO YES YES SSH YES YES YES
It is important to note here that we need to be able to pass DNS, SMTP, FTP and HTTP traffic, however, we only really want the SSH service to be able to establish a connection to the firewall. The reason noting this now is important is because the rules in IPFILTER for making a connection and passing traffic are nearly identical.
The setup used throughout this document is an example, there is definitely more than one way to do this, for example:
private network firewall DMZ with public firewall uplink web, ftp, etc. servers
The DMZ would have publicly accessible web servers, ftpd servers etc. In our example, we do not require the DMZ since we are not hosting any web servers or running a DNS server that will participate with the rest of the internet.