Firewall rules are not something to be made up arbitrarily, but are instead the result of a set of policies. These are the policies that we shall be implementing in this lab:
DNS, HTTP and SMTP services are offered by Polycarp in the DMZ, and should be accessable to everyone by default.
Normally it would be desirable to have these services on different machines to limit the effect of a breakin, but here we are more concerned with lab resources.
To prevent intruders from breaking out of the DMZ into the LAN, nothing is permitted to be addressed to F1 from the DMZ.
Similarly, nothing in the DMZ may initiate communications with hosts in the LAN.
In general, you don't want the LAN hosts trusting the DMZ hosts.
SSH connections, on the standard port, from the Internet are to be forwarded through the NAT to one particular host (Client1) in the LAN. In this case, Client1 is acting as a server.
Normal hosts in the LAN will not be able to connect to the outside network. They may only make connections to other hosts in the LAN and also into the DMZ, but only for those services offered in the DMZ.
This sort of policy is common to force users to go through some sort of proxy. It is becoming less common in a lot of networks.
In order to begin implementing these policies, you need to
at least know how to match each type of traffic. As a reminder,
here is how you match each type of application’s traffic. I
suggest you look through
find out what the service name is for each
DNS uses UDP port 53 and also TCP port 53.
HTTP uses TCP port 80.
SMTP uses TCP port 25.
SSH uses TCP port 22.
You should begin by annotating the network diagram with each service’s location and where it should be allowed from. Make sure you understand how each type of traffic will cross the router (ie. does it go through the router, from one interface to another, or is it addressed to the router, or is the traffic coming originating from the router.
For each flow of traffic, decide whether each direction of the firewall should have an allow-by-default or drop-by-default policy.