Example 2. Ingate Firewall with four interfaces and DMZ

For this example, the sample company "Company" will be used. Company has two servers that it wants to make available from the Internet. Company also has an internal network with workstations and internal servers, and a local network for the service department. The service department's network is accessible via a router from Company's internal network. This router has the IP address 172.22.1.2. Company has an Internet connection through a router with the IP address 119.15.17.1.

This example will illustrate how to set up Company's firewall. A firewall with four interfaces is used, though only three of the interfaces are activated.

The servers that are to be accessible both from the Internet and the two internal networks are placed on a separate network. This makes it easy to set up different rules for the computers on the Internet and for the computers on the internal networks to access these servers. This separate network is a DMZ (Demilitarized Zone).

Company currently has a public network with 16 IP addresses. These will be divided evenly: one half for the network between the firewall and the gateway to the Internet, the other half for the DMZ, which gives each half the network mask 255.255.255.248. The network supplier gave the gateway the IP address 119.15.17.1, and Company gives the firewall the IP address 119.15.17.2 on the network interface connected to this gateway.

Assign the IP address 119.15.17.9 to the firewall's network interface that is linked to the DMZ (119.15.17.8 is the network address of the half used as the DMZ).

Make sure that the network supplier knows that the IP addresses 119.15.17.8 - 15 are located behind the firewall 119.15.17.2; otherwise routing will not work for these addresses.

Company's internal network, to which most of the workstations and internal servers are connected, has the network address 172.22.1.0. The firewall receives the IP address 172.22.1.1 on the network interface that is connected to this network. There is also a service network with the network address 172.22.2.0. Since Company uses IP addresses reserved for private use, the internal networks are NATed.

The diagram shows this network.

Run the installation program.

The firewall receives the IP address 172.22.1.1 and network interface eth0 is connected to the internal network. The other network interfaces should not be active yet.

The firewall can be configured from all computers on the service department's network, 172.22.2.0. The mask for allowing all computers on this network to configure is 255.255.255.0. This network is accessed via a router with the IP address 172.22.1.2.

For the firewall to contact the service network, and to enable configuration from the service network, set up a static route. Also set a temporary password and choose not to remove other configuration.

The installation program now shows where the configuration was changed. If it looks good, answer yes.

After the installation program has been run, go to a workstation on the service network to finish the configuration. Eth0 is connected to the inside, so start by checking the configuration for Eth0. Most of the configuration has already been done by the installation program. The firewall can be configured via this interface.

A static route to the service network should be found under Static Routing.

Network interface Eth1 is connected to the outside. The firewall has the IP address 119.15.17.2 on this interface. Divide the network between 119.15.17.0 and 119.15.17.15 into two parts, one of which will be used as the DMZ network. This makes the network mask 255.255.255.248.

Give Eth2 the name DMZ, IP address 119.15.17.9 and mask 255.255.255.248. The firewall should have an additional IP address, an Alias, used to NAT traffic from the internal mail server to a specific IP address.

NAT should be used for traffic from eth0 to the other active network interfaces. Traffic from the internal to the external SMTP (email) server should use a specified IP address.

Create one row where traffic comes from the internal mail server and is destined for the external mail server. Select to NAT this traffic as the alias created on the Eth2 page.

Below this row, create two rows where all other traffic from eth0 destined for eth1 or eth2 is NATed. This is all the NATing the firewall should perform.

To establish different rules for the computers on the DMZ, these computers should be defined on separate lines on the Networks and Computers page. The same applies to the internal DNS server and the internal mail server. Define the three networks: DMZ, Internal network and Internet.

Go to the Access Control page under Basic Configuration and make settings for accessing the firewall web interface.

The configuration IP address (the IP address you direct your web browser to) was set by the installation program. You have also already entered which computers should be allowed to configure the firewall.

The administrator should be able to use a local password or RADIUS as authentication methods.

Access traffic to the firewall web interface should only be allowed via Eth0 - no one on the Internet should be allowed to browse or change the settings.

To enable authentication of the administrator via RADIUS, a RADIUS server must be defined on the RADIUS page under Basic Configuration. Remember to add the firewall and the administrator to the RADIUS server database.

When all network interfaces and the RADIUS server are set up, there is still some Basic Configuration left. Give the firewall the name Ingate Firewall and set it to use the IP policy Reject IP packets. The default gateway out to the Internet is 119.15.17.1; a name server or a standard domain is not necessary and the firewall is already configured so that administration can only be done from computers on the internal network. The firewall should only reply to ping from the same interface.

The log classes used by the firewall are defined on the Log Classes page. Some log classes are predefined; Company defines some new ones.

Syslog is used; the IP address of a syslog server must be given.

For logging via email, give the DNS name or IP address of the mail server.

A number of Services are needed: dns and dns-reply for name server queries, ftp for FTP transfers, icmp for network analysis, nfs-udp for NFS mounting, smtp to send e-mail, ssh to ensure encrypted connections to other computers over the network, and www to view WWW pages. All of these are predefined in Ingate Firewall. In addition, services covering all UDP, all TCP, and all ICMP, UDP and TCP together are defined here.

Time classes are also needed. There is a predefined class "24/7" (always). Here, classes for office hours and off-duty hours (evenings, nights and weekends) are defined.

Once computers, networks, time classes, and services are defined, Rules can be set up. Computers on the Internet should not have access to anything other than the services on the DMZ network's servers: WWW, FTP, email and DNS.

Set up rules to grant everyone on the Internet access to the DMZ services FTP and WWW (rules 9 and 10).

On the DMZ network, the name server must be able to query other name servers on the Internet (rules 1-2), and receive and reply to queries from other name servers (rules 4-5).

Enable queries from the internal name server to the external name server (rule 3). The reply traffic for those queries will automatically be let through, as the internal networks are NATed. The computers on the internal networks use the internal name server for name queries. The internal name server resolves external names and IP addresses via the external name server.

The external mail server is set up to receive email from the Internet (rule 13) and forward it to the internal mail server (via a TCP relay). The internal mail server forwards external emails to the external mail server (rule 11), which in turn forwards the emails to other mail servers on the Internet (rule 12).

Enable internal viewing of WWW pages on Company's own web server and on external (Internet) web servers, the latter only during off-duty hours (rules 6-7). Allow files to be retrieved with FTP from Company's FTP server and from FTP servers on the Internet (rule 8).

No one on the Internet should be allowed to connect to Company's servers with ssh. Reject this traffic and alert the administrator via syslog (rule 14).

Since the internal networks are NATed to the Internet and to the DMZ network, setting up blocking rules for services like NFS and X-Window System is not necessary. Last, set up a rule to warn if any unexpected traffic is sent from the DMZ to the Internet (rule 15). This would probably mean that a cracker attack on a DMZ computer was successful, and the cracker now uses that computer to reach other computers on the Internet. To alert Company, the firewall will send an email on every attempt and warn via syslog. Also reject the packets.
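To sanity-check the rule order before applying it, here is an added Python model of the rule set described above (a subset: rules 2, 4, 5 and 8 are omitted); it is example code written for this page, not Ingate's own format or engine. The server addresses on the DMZ and the internal network, and the Mon-Fri 08:00-17:00 office-hours definition, are assumptions, since the page gives neither.

```python
import ipaddress
# Constructed model of Company's policy from this example; not Ingate's own format.
NET = {"DMZ": ipaddress.ip_network("119.15.17.8/29"),
       "Internal": ipaddress.ip_network("172.22.1.0/24"),
       "Service": ipaddress.ip_network("172.22.2.0/24")}
HOST = {"ext_dns": "119.15.17.10", "ext_mail": "119.15.17.11",  # assumed addresses;
        "www_ftp": "119.15.17.12", "int_dns": "172.22.1.10",   # the page gives none
        "int_mail": "172.22.1.11"}
SVC = {"dns": ("udp", 53), "www": ("tcp", 80), "ftp": ("tcp", 21),
       "smtp": ("tcp", 25), "ssh": ("tcp", 22), "any": (None, None)}

def in_group(name, ip):
    """True if ip falls under the named computer or network definition."""
    ip = ipaddress.ip_address(ip)
    if name in HOST:
        return ip == ipaddress.ip_address(HOST[name])
    if name == "Internet":  # anything that is neither DMZ nor an internal network
        return not any(ip in n for n in NET.values())
    if name == "Internal":  # both NATed internal networks
        return ip in NET["Internal"] or ip in NET["Service"]
    return ip in NET[name]

def in_time(cls, weekday, hour):
    """Time classes; office hours are assumed to be Mon-Fri 08:00-17:00."""
    office = weekday < 5 and 8 <= hour < 17
    return {"24/7": True, "office": office, "off-duty": not office}[cls]

# (rule no., source, destination, service, time class, action), in the page's order
RULES = [
    (1, "ext_dns", "Internet", "dns", "24/7", "allow"),
    (3, "int_dns", "ext_dns", "dns", "24/7", "allow"),
    (6, "Internal", "www_ftp", "www", "24/7", "allow"),
    (7, "Internal", "Internet", "www", "off-duty", "allow"),
    (9, "Internet", "www_ftp", "ftp", "24/7", "allow"),
    (10, "Internet", "www_ftp", "www", "24/7", "allow"),
    (11, "int_mail", "ext_mail", "smtp", "24/7", "allow"),
    (12, "ext_mail", "Internet", "smtp", "24/7", "allow"),
    (13, "Internet", "ext_mail", "smtp", "24/7", "allow"),
    (14, "Internet", "DMZ", "ssh", "24/7", "reject+syslog"),
    (15, "DMZ", "Internet", "any", "24/7", "reject+syslog+email"),
]

def decide(src, dst, proto, dport, weekday=0, hour=10):
    """First matching rule wins; otherwise the 'Reject IP packets' policy applies."""
    for num, s, d, svc, tc, action in RULES:
        p, port = SVC[svc]
        if (in_group(s, src) and in_group(d, dst) and in_time(tc, weekday, hour)
                and (p is None or (p, port) == (proto, dport))):
            return num, action
    return None, "reject"
```

Swapping rule 15 above rule 12 in RULES makes outbound mail from the DMZ hit the alarm rule, which is the kind of ordering mistake this check catches before Apply configuration.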

The external mail server will not be able to forward mail to the internal mail server via rules, as the internal networks are NATed. Therefore, go to the Relays page and define a TCP relay for the e-mail traffic from the external mail server to the internal mail server. The relay listens for traffic on port 25 (SMTP traffic) on the DMZ network interface. Only the external mail server can use this relay.

Now all configuration is done. Save the configuration to a file for safekeeping, then click Apply configuration.

The firewall is now up and running. Remember to change the password.