Examples of Complete Firewall Policy

Simple but complete firewall setup

This example demonstrates the complete configuration of a firewall with two interfaces. All interfaces have static IP addresses; the firewall permits unrestricted outgoing access from the local net and blocks all incoming connections. Access to the firewall itself is only permitted from the internal net and only over SSH. This is a simple but functional configuration; screenshots and generated firewall configurations are provided for iptables, ipfilter, pf and PIX firewalls.

The configuration of the interfaces of the firewall object is visible in the tree. The firewall object has three interfaces: eth1 (external interface with address 192.0.2.1), eth0 (internal interface with address 10.1.1.1) and the loopback interface lo.

Here are screenshots of the Firewall tab of the firewall object dialog for different firewall platforms (the firewall platform is defined in the General tab of the dialog):

All parameters are left at their default values.

Here are screenshots of the Network tab of the firewall object dialog for different firewall host OS (defined in the General tab of the dialog):

We just turn IP forwarding on; all other options are left at their default settings.

Once the firewall object has been configured as shown above, we can use the interactive Druid to build an initial policy. The Druid is activated using the “Rules/Help me build policy” main menu item.

The Druid offers a choice of a few typical network configurations, such as firewalls with one, two and three interfaces. The configuration with one interface is essentially a firewall running on the server itself. For the case described in this example we choose the firewall with two interfaces in the Druid. You will also need to pick the external interface of the firewall and choose the object that corresponds to the network behind the firewall when asked. The next screen of the Druid offers a choice of the standard rules it can build. For this example I chose to add an anti-spoofing rule, a rule that permits all protocols on the loopback interface, a masquerading rule to permit outgoing connections from the internal network using NAT, and a “catch all” rule to drop and log all unwanted packets. A separate rule will be added to permit access to the firewall from the internal net using SSH; the firewall will use a DNS server on the internal net to resolve host names. The following screenshots illustrate the rules created by the Druid:

Listings:


Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.