I'm starting to lose my mind............... :-)
I'm trying to develop a simple firewall tool which at its core relies
on shell functions rather than shell variables and
specially-formatted configuration files. Trouble is, my head is
starting to HURT with all these different possibilities. Here are some
rambling problems and "hurts" and "what do I do NOW???" things:
* DMZ - what connectivity do you give to it? What do you allow to
the protected net? What do you allow to the unprotected net? Would
it be easier to proxy-arp the DMZ to the outside world?
* Protected net: what about limiting internal users access to outside?
* Internal firewall: what if the "external" unprotected net is
actually an internal network behind a firewall? Now you have private
IPs on BOTH sides of the firewall....
* Masquerading... what about masquerading in BOTH directions? Or
just one?
* Servers on the firewall: this isn't as odd as it sounds. The first
is ssh.
* Servers in the unprotected net....!
The BIG question: how do you ACCOUNT for all these?
In particular, I'm implementing Oxygen as a firewall for an internal
private network, so this really IS relevant. I also want to set it
up at home, sooner or later, if I can get the modem and then PPP to
work. I don't trust serial communications - it almost certainly
never works the first time.
Regarding firewalls, consider these problems/examples:
* Internal firewall inside: now you can't reject all private IPs from
the unprotected net.... since it also uses private IPs.
* Masquerading: on a standard Internet firewall, you would masquerade
the internal network - but what about a firewall INSIDE a
firewall....?
Another thing - which HURTS:
* When I define a TCP transmission path, the two directions are
defined in separate chains/rules whatever; you can't define a rule
which says: "allow an outbound TCP connection on this port" - this is
actually TWO steps - outgoing, and incoming.
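Added example (not the poster's Oxygen code, nor anything from the LEAF project): a shell function that expands "allow an outbound TCP connection on this port" into the two rules it really is, one per direction, using ipchains syntax. The interface name, address ranges and ports are constructed for illustration; DRY_RUN=1 (the default) prints the commands instead of executing them, so it runs on a machine without ipchains.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes ipchains syntax;
# interface names and address ranges below are constructed.
# DRY_RUN=1 prints the rules instead of loading them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# allow_tcp_out <internal-net> <external-iface> <port>
# Outgoing half: packets from the net to the port, SYN included.
# Returning half: answers from the port back to the net, but only
# non-SYN packets (! -y), so the outside can reply but never initiate.
allow_tcp_out() {
    net=$1; iface=$2; port=$3
    run ipchains -A output -i "$iface" -p tcp -s "$net" -d 0/0 "$port" -j ACCEPT
    run ipchains -A input -i "$iface" -p tcp ! -y -s 0/0 "$port" -d "$net" -j ACCEPT
}

# allow_tcp_in <external-iface> <server-host> <port>
# Same shape for a server on the firewall itself (e.g. ssh): inbound SYN
# to the port is accepted, outbound traffic from the port only when not SYN.
allow_tcp_in() {
    iface=$1; host=$2; port=$3
    run ipchains -A input -i "$iface" -p tcp -s 0/0 -d "$host" "$port" -j ACCEPT
    run ipchains -A output -i "$iface" -p tcp ! -y -s "$host" "$port" -d 0/0 -j ACCEPT
}

# Sanity check: how many rules one "connection" expands into.
# Runs in a subshell so DRY_RUN is forced on without touching the caller.
rule_count() {
    ( DRY_RUN=1; allow_tcp_out "$@" ) | wc -l | tr -d ' '
}

# Constructed sample: a private net behind ppp0, allowing outbound ssh (22)
# and http (80), plus inbound ssh to the firewall's own public address.
if [ "${1:-}" = "demo" ]; then
    allow_tcp_out 192.168.1.0/24 ppp0 22
    allow_tcp_out 192.168.1.0/24 ppp0 80
    allow_tcp_in ppp0 192.0.2.10 22
fi
```

Run it as `sh rules.sh demo` to see the six rules the three calls produce; the point is that the "two steps" are hidden inside the function, so the configuration reads as connections while the chains still get the per-direction rules a stateless filter needs.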
All this is starting to make my head explode - does anyone have any
ideas? I know this is vague - I keep banging my head into things
and I'm getting lost in the forest :-)
I have the Building Internet Firewalls book - and I found it
interesting that they don't seem to have a description of firewall
rules for a DMZ. I also found that there isn't very much description
of a DMZ out there - even those places that talk about it probably
refer to a perimeter network instead.
Anybody got an aspirin?
--
David Douthitt
UNIX Systems Administrator
HP-UX, Linux, Unixware
[EMAIL PROTECTED]
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/leaf-devel