RuggedCom RUGGEDBACKBONE RX5000 User Manual
440 pages
35. Firewall
ROX™ v2.2 User Guide 372 RuggedBackbone™ RX5000
5. If your network interface IP is dynamically assigned, configure masquerading.
6. If your network interface IP is statically assigned, configure Source Network Address Translation
(SNAT). If a sufficient number of IP addresses are provided by the ISP, static NAT can be employed
instead.
7. If your hosts must accept sessions from the Internet, configure the rules file to support Destination
Network Address Translation (DNAT). Which hosts need to accept connections, from whom and
on which ports?
8. Configure the rules file to override the default policies. Have external connections been limited to
approved IP address ranges? Have all but the required protocols been blocked?
9. If you are supporting a VPN, add additional rules.
10. Validate the configuration using the method outlined in Section 35.5.2, “Working with Firewall
Configurations”.
11. Activate the firewall. It is recommended to run a port scan of the firewall after activation and to
verify that any defined logging is functioning as expected.
35.3. Firewall Terminology And Concepts
This section provides background on various firewall terms and concepts. References are made to the
section where configuration applies.
35.3.1. Zones
A network zone is a collection of interfaces, for which forwarding decisions are made, for example:
Name    Description
net     The Internet
loc     Your Local Network
dmz     Demilitarized Zone
fw      The firewall itself
vpn1    IPSec connections on w1ppp
vpn2    IPSec connections on w2ppp

Table 35.2. Network Zones
New zones may be defined at any time. For example, if all of your Ethernet interfaces are part of the
local network zone, disallowing traffic from the Internet zone to the local zone will disallow it to all
Ethernet interfaces. If you wanted some interfaces (but not others) to access the Internet, you could
create another zone.
35.3.2. Interfaces
ROX™ Firewall interfaces are simply the LAN and WAN interfaces available to the router. You must
place each interface into a network zone.
If an interface supports more than one subnet, place the interface in zone ‘Any’ and use the zone hosts
setup (see below) to define a zone for each subnet on the interface.
An example follows:
Interface      Zone
switch.0001    loc
switch.0002    loc
switch.0003    Any
switch.0004    dmz
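
The zone and interface tables above can be checked for consistency before a configuration is entered on the router. The following is an added example, not part of the ROX manual or software: the Python data structures, the function names and the two zone hosts subnets are constructed for illustration, and the "interface:subnet" strings are only a display format.

```python
import ipaddress

# Zones from Table 35.2 and the interface table from section 35.3.2.
ZONES = {"net", "loc", "dmz", "fw", "vpn1", "vpn2"}
INTERFACES = {"switch.0001": "loc", "switch.0002": "loc",
              "switch.0003": "Any", "switch.0004": "dmz"}
# Constructed zone hosts entries (zone, interface, subnet) for the
# multi-subnet interface switch.0003; the subnets are sample values.
ZONE_HOSTS = [("loc", "switch.0003", "192.168.10.0/24"),
              ("dmz", "switch.0003", "192.168.20.0/24")]


def check(zones, interfaces, zone_hosts):
    """Return a list of problems found in a zone/interface plan."""
    problems = []
    for ifname, zone in interfaces.items():
        if zone == "Any":
            # An interface in zone Any carries no zone of its own, so each
            # of its subnets must be assigned through a zone hosts entry.
            if not any(h[1] == ifname for h in zone_hosts):
                problems.append(f"{ifname}: in zone Any but no zone hosts entry")
        elif zone not in zones:
            problems.append(f"{ifname}: unknown zone {zone}")
    seen = {}  # interface -> [(zone, network)] accepted so far
    for zone, ifname, subnet in zone_hosts:
        net = ipaddress.ip_network(subnet)
        if zone not in zones:
            problems.append(f"{ifname} {subnet}: unknown zone {zone}")
        if ifname not in interfaces:
            problems.append(f"{ifname} {subnet}: undefined interface")
        for other_zone, other_net in seen.get(ifname, []):
            # The same addresses in two zones make policy lookups ambiguous.
            if other_zone != zone and net.overlaps(other_net):
                problems.append(f"{ifname}: {subnet} ({zone}) overlaps "
                                f"{other_net} ({other_zone})")
        seen.setdefault(ifname, []).append((zone, net))
    return problems


def members(zone, interfaces, zone_hosts):
    """List what a zone-level policy covers: whole interfaces and subnets."""
    direct = [i for i, z in interfaces.items() if z == zone]
    hosted = [f"{i}:{s}" for z, i, s in zone_hosts if z == zone]
    return sorted(direct + hosted)


if __name__ == "__main__":
    print(check(ZONES, INTERFACES, ZONE_HOSTS) or "plan is consistent")
    # A net -> loc policy applies to every member listed here.
    print(members("loc", INTERFACES, ZONE_HOSTS))
```
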