Firewall rules!

#0
20.12.2005, 19:28
...new here
Posts: 2
#2
20.12.2005, 22:01
Moderator
Posts: 2312
Every firewall probably starts with this:
deny all from (internet)
allow all from (LAN)
That way all traffic to the outside is allowed, but none to the inside. Then you can open selected ports, e.g. for a web server etc.
__________
How am I supposed to know what I think before I hear what I say?? Say NO to HD+/CI+ - boycott the establishment of HD+/CI+!
#3
20.12.2005, 22:07
...new here
Thread starter, Posts: 2
Quote (sub_zero posted): I got the following assignment:

The assignment:
The figure below shows a network diagram of a company’s network. The external IP address range of the company is 128.131.95.0/28. Your task is to write the rules for the two firewalls. The exact syntax isn’t important but it has to be clear what you mean. Use first-match rules which include:
• the action (deny or allow)
• the interface(s) the packet is coming in (A, B or C)
• the packet type (tcp, udp, tcp/udp)
• the source IP address or range or any
• for tcp+udp: the source port(s) (if missing implying all ports)
• the destination IP address or range or any
• for tcp+udp: the destination port(s) (if missing implying all ports)

Notes:
• Use first-match rules.
• Only write rules for incoming packets; outgoing rules are not needed. (“Incoming packets” are seen from the perspective of the firewalls. There won’t be any packets originating from the firewalls, so all packets going out of the firewall will have to go in on some interface first.)
• The default rule (if none matches) is “deny all”.
• You don’t have to care about ICMP.
• You don’t have to care about TCP flags.
• You don’t have to care about the firewall being stateful; just write rules for the initial packets of a communication (the TCP-SYN packets or the first packet of a UDP communication).
• Firewall 2 is a NAT device, firewall 1 is a “normal” firewall.
• The NAT device masquerades all IPs from the internal network to the IP address 128.131.95.4.
• The servers between the two firewalls are in a DMZ.
• If you want to specify a single IP address you can leave out the “/32”.
• Clearly separate the rules for firewall 1 and 2.
• The interface (A, B or C) is required for each rule.
• Don’t write unnecessary rules. (The default action is deny all.)
• “128.131.195.1” is just the gateway. There will be no direct traffic from/to its IP address.

Requirements:
• All ports on the DMZ servers that are reachable from the Internet should also be reachable from the internal hosts.
• The SSH ports on the DMZ servers should only be reachable from the internal network.
• The SMTP, SMTPS, “submission” and IMAPS ports should be reachable from the Internet.
• The IMAP port should only be reachable from the internal network.
• The DNS servers should be reachable by UDP from the Internet; TCP will only be used for DNS updates between the two servers and should therefore not be reachable from the internal network nor the Internet.
• The FTP server should be reachable from the internal network (you don’t have to care about the additional ports required; just write rules for port 21).
• The HTTP and HTTPS ports should be reachable from the Internet.
• The Postgresql server should not be reachable from the internal network nor the Internet (it is only used by the web server).
• All IP addresses and ports on the Internet should be reachable by all PCs on the internal network.
• The HTTP server on IP address 128.131.167.5 has to be reachable by the web server.
• The internal network should be easily expandable (a new host shouldn’t require a firewall rule change).
• Ports on the DMZ servers that are not needed shouldn’t be reachable from the Internet nor the internal network.
• The wireless network (192.168.1.0/24) should be able to access the Internet and all the ports on the DMZ servers the other internal network is able to access; it should not be able to access the internal network.
• The internal network shouldn’t be able to access the wireless network and vice versa.

The picture: see attachment.
What do you think? How is it to be solved?
Attachment: DMZ.jpg
This post was edited on 20.12.2005 at 22:13 by sub_zero.
Does anyone here know their way around firewall rules under Linux?
I'm supposed to write rules for a DMZ (protected computer network)! Unfortunately I'm not that familiar with it!
Example rules (they don’t make much sense):
allow tcp on B from 10.0.0.120 to 192.168.1.0/24 ports 10-20
deny udp on B from any to 192.168.1.5 ports 7
If someone responds, I'll post the picture here!
Regards
Sub_zero
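To make the first-match semantics from the assignment concrete (and the moderator's "deny everything inbound, allow everything outbound, then open selected ports" pattern), here is an added example that is not part of the thread: a small Python evaluator that parses rules written in the syntax of the example lines above and decides a packet against them with an implicit "deny all" default. The rule set for firewall 1 is only a partial, constructed illustration, not the solution to the exercise. It assumes interface A faces the Internet, B faces the DMZ and C faces firewall 2; the DMZ host addresses 128.131.95.2 (mail), 128.131.95.3 (DNS) and 128.131.95.5 (web) are constructed, since the real ones are only in the attached figure; internal hosts are taken to arrive at firewall 1 with the NAT address 128.131.95.4 stated in the assignment.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Rule syntax follows the example lines from the thread:
#   allow tcp on B from 10.0.0.120 to 192.168.1.0/24 ports 10-20
#   deny udp on B from any to 192.168.1.5 ports 7
# "ports" after "from" are source ports, after "to" destination ports;
# a missing "ports" clause means all ports. Lists use "," and ranges "-".
RULE_RE = re.compile(
    r"^(allow|deny)\s+(tcp|udp|tcp/udp)\s+on\s+([ABC])"
    r"\s+from\s+(\S+)(?:\s+ports\s+(\S+))?"
    r"\s+to\s+(\S+)(?:\s+ports\s+(\S+))?$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    protos: FrozenSet[str]
    iface: str
    src: Optional[ipaddress.IPv4Network]    # None means "any"
    sports: Optional[FrozenSet[int]]        # None means all ports
    dst: Optional[ipaddress.IPv4Network]
    dports: Optional[FrozenSet[int]]


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet comes IN on (A, B or C)
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def parse_ports(spec: Optional[str]) -> Optional[FrozenSet[int]]:
    """'22,25' -> {22, 25}; '10-20' -> 10..20; None -> all ports."""
    if spec is None:
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)


def parse_net(spec: str) -> Optional[ipaddress.IPv4Network]:
    # A bare address becomes a /32, as the assignment allows.
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, iface, src, sports, dst, dports = m.groups()
    return Rule(action, frozenset(proto.split("/")), iface,
                parse_net(src), parse_ports(sports),
                parse_net(dst), parse_ports(dports))


def matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.iface != rule.iface or pkt.proto not in rule.protos:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.sports is not None and pkt.sport not in rule.sports:
        return False
    return rule.dports is None or pkt.dport in rule.dports


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First match wins; if nothing matches, the default is deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def decide(rules: List[Rule], iface: str, proto: str, src: str,
           dst: str, dport: int, sport: int = 40000) -> str:
    return evaluate(rules, Packet(iface, proto, src, sport, dst, dport))


# Constructed partial rule set for firewall 1 (A=Internet, B=DMZ, C=firewall 2).
FIREWALL1_RULES = [parse_rule(r) for r in [
    # Internet -> DMZ: only the services the requirements make public.
    "allow tcp on A from any to 128.131.95.2 ports 25,465,587,993",  # SMTP, SMTPS, submission, IMAPS
    "allow udp on A from any to 128.131.95.3 ports 53",              # DNS by UDP only
    "allow tcp on A from any to 128.131.95.5 ports 80,443",          # HTTP, HTTPS
    # Internal (arriving as the NAT address 128.131.95.4) -> DMZ: public ports plus SSH and IMAP.
    "allow tcp on C from 128.131.95.4 to 128.131.95.2 ports 22,25,465,587,993,143",
    "allow udp on C from 128.131.95.4 to 128.131.95.3 ports 53",
    "allow tcp on C from 128.131.95.4 to 128.131.95.3 ports 22",
    "allow tcp on C from 128.131.95.4 to 128.131.95.5 ports 22,80,443",
    # Web server -> the external HTTP server named in the requirements.
    "allow tcp on B from 128.131.95.5 to 128.131.167.5 ports 80",
    # Everything else from C into the DMZ range is denied BEFORE the catch-all,
    # otherwise the catch-all would expose unneeded DMZ ports (e.g. Postgres) internally.
    "deny tcp/udp on C from any to 128.131.95.0/28",
    # Internal -> Internet: everything (the moderator's "allow all from LAN").
    "allow tcp/udp on C from 128.131.95.4 to any",
]]
```

The order of the last two rules is the whole point of first-match evaluation: dropping the explicit deny (or placing the catch-all above it) silently makes every DMZ port reachable from inside, which is exactly what the "ports that are not needed shouldn't be reachable" requirement forbids. Verifying a rule set this way, by replaying representative packets against it, is a cheap check to do before loading rules onto a real device.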