asfenuni.blogg.se

Firewall builder allow web server

Tiers 2 and 3 can send mail to tier 1, so tier 1 could be configured as a smart relay host, which isn't shown in this series of articles. Tiers 2 and 3 have no reverse DNS, and many mailer daemons complain about that anyway. Rule 11 allows mail to anywhere except the Main Network and Tiers 2 and 3. Rule 9 makes ident requests fail quickly with a reject, so there are no delays when an application tries an ident call to one of the servers. The block-all rule (Rule 8) comes next, denying all other access to the firewall that wasn't explicitly allowed. Rules 5, 6, and 7 allow each tier to reach the services it needs on the tier's gateway interface, in this case network time protocol (NTP), the HTTP proxy, and domain name service (DNS). Some people like to SSH into the router, but I find I rarely do once I have a router set up just right. The router doesn't run SSH, so this is not needed; I make changes on the router via the console.


Rule 4 is redundant, but it is a holdover from the template allowing SSH from the main network to the router. Without it, there would be no access to the Internet for the router itself. This helps the squid proxy and DNS queries reach the Internet. Next, Rule 3 lets the router's external interface connect to the outside world so the router's services can reach the Internet as needed. Next, Rule 1 allows loopback traffic and Rule 2 allows the firewall to accept IPv6 multicasts on its external interface. The first rules in the diagram are the anti-spoof rules (Rule 0), which prevent the internal networks from being spoofed from outside the firewall, where they could not legitimately originate as source addresses. The firewall design allows all hosts on the main network to reach all tiers in the DMZ.
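To make the ordering of the two paragraphs above concrete, here is an added toy first-match evaluator of the policy they describe (Rules 0 through 11 and the unnumbered "main network reaches all tiers" allowance). It is example code written for this page, not a Firewall Builder export or anything from the original article. The network prefixes, gateway addresses, interface names and the squid port 3128 are constructed assumptions, since the page names the networks and services but gives no addresses; Rules 2 (IPv6 multicast), 6 and 7 are folded into their neighbours or omitted, and Rule 10 is not described on the page so it is not modelled.

```python
"""Toy first-match evaluator for the tiered DMZ policy described on this page."""
import ipaddress

# Constructed addressing (assumption): the page names the networks, not their prefixes.
MAIN_NET = ipaddress.ip_network("192.0.2.0/24")
TIERS = {
    "tier1": ipaddress.ip_network("10.1.0.0/24"),
    "tier2": ipaddress.ip_network("10.2.0.0/24"),
    "tier3": ipaddress.ip_network("10.3.0.0/24"),
}
# Router address on each tier's gateway interface (constructed: first host of the tier).
GATEWAYS = {name: net.network_address + 1 for name, net in TIERS.items()}
MAIN_GW = ipaddress.ip_address("192.0.2.1")          # router on the main network (constructed)
EXT_ADDR = ipaddress.ip_address("203.0.113.10")      # router's external address (constructed)
FW_ADDRS = set(GATEWAYS.values()) | {MAIN_GW, EXT_ADDR}
INTERNAL = [MAIN_NET, *TIERS.values()]
EXT_IF, LO_IF, LOCAL = "eth0", "lo", "local"         # "local" = packet originated by the router
# Service ports. 3128 for the squid proxy is an assumption; the page only says "http proxy".
NTP, DNS, PROXY, IDENT, SMTP, SSH = 123, 53, 3128, 113, 25, 22


def pkt(iface, src, dst, proto, dport):
    """Build a packet dict: inbound interface, addresses, protocol and destination port."""
    return {"iface": iface, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": dport}


def in_nets(addr, nets):
    return any(addr in n for n in nets)


def tier_of(addr):
    return next((name for name, net in TIERS.items() if addr in net), None)


# (rule number, description, match predicate, action), evaluated top to bottom, first match wins.
RULES = [
    (0, "anti-spoof: internal source arriving on the outside interface",
     lambda p: p["iface"] == EXT_IF and in_nets(p["src"], INTERNAL), "DENY"),
    (1, "loopback",
     lambda p: p["iface"] == LO_IF, "ACCEPT"),
    (3, "router itself out to the Internet",
     lambda p: p["iface"] == LOCAL and p["src"] == EXT_ADDR and not in_nets(p["dst"], INTERNAL), "ACCEPT"),
    (4, "SSH from the main network to the router",
     lambda p: p["src"] in MAIN_NET and p["dst"] in FW_ADDRS and p["proto"] == "tcp" and p["dport"] == SSH, "ACCEPT"),
    (5, "each tier to its own gateway for NTP, proxy and DNS (Rules 5-7 merged)",
     lambda p: tier_of(p["src"]) is not None and p["dst"] == GATEWAYS[tier_of(p["src"])]
     and p["dport"] in (NTP, DNS, PROXY), "ACCEPT"),
    (8, "block everything else addressed to the firewall",
     lambda p: p["dst"] in FW_ADDRS, "DENY"),
    (9, "ident: reject so callers fail fast instead of timing out",
     lambda p: p["proto"] == "tcp" and p["dport"] == IDENT, "REJECT"),
    (11, "mail anywhere except the Main Network and tiers 2/3",
     lambda p: p["proto"] == "tcp" and p["dport"] == SMTP
     and not in_nets(p["dst"], [MAIN_NET, TIERS["tier2"], TIERS["tier3"]]), "ACCEPT"),
    ("unnumbered", "main network may reach all tiers",
     lambda p: p["src"] in MAIN_NET and in_nets(p["dst"], TIERS.values()), "ACCEPT"),
]


def evaluate(p):
    """Return (rule number, action) of the first matching rule; default policy is DENY."""
    for num, _desc, match, action in RULES:
        if match(p):
            return num, action
    return None, "DENY"


# Constructed sample traffic exercising the cases the page discusses.
SAMPLES = {
    "spoofed tier1 source on eth0":  pkt(EXT_IF, "10.1.0.5", "203.0.113.10", "tcp", 80),
    "tier2 host -> own gateway DNS": pkt("eth2", "10.2.0.7", "10.2.0.1", "udp", DNS),
    "tier2 host -> tier1 gateway DNS": pkt("eth2", "10.2.0.7", "10.1.0.1", "udp", DNS),
    "outside -> tier1 server ident": pkt(EXT_IF, "198.51.100.9", "10.1.0.5", "tcp", IDENT),
    "tier3 mail -> Internet":         pkt("eth3", "10.3.0.4", "198.51.100.25", "tcp", SMTP),
    "tier3 mail -> tier1 relay":      pkt("eth3", "10.3.0.4", "10.1.0.9", "tcp", SMTP),
    "tier3 mail -> tier2":            pkt("eth3", "10.3.0.4", "10.2.0.9", "tcp", SMTP),
    "main host -> tier1 web":         pkt("eth1", "192.0.2.20", "10.1.0.9", "tcp", 80),
    "main host -> router SSH":        pkt("eth1", "192.0.2.20", "192.0.2.1", "tcp", SSH),
    "router -> Internet DNS":         pkt(LOCAL, "203.0.113.10", "198.51.100.53", "udp", DNS),
}

if __name__ == "__main__":
    for label, p in SAMPLES.items():
        num, action = evaluate(p)
        print(f"{label:32} -> rule {num!s:10} {action}")
```

Running it shows why the order matters: the anti-spoof rule fires before anything else sees the packet, a tier can only talk to its own gateway because the block-all rule (8) catches the mismatched gateway before any later allow, and the ident reject (9) and mail allow (11) still apply to traffic that is not addressed to the firewall itself.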