This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Configuration Considerations - Rules- Masquerading

Hi, I am also new at Firewall setups. Is there anything in particular that I should be aware of when setting up my firewall for the following:

We are a company with 7 Branch offices. At the time our ISP provides us the VPN Service.
Location 1  10.0.0.0
Location 2  10.0.2.0
Location 3  10.0.3.0 etc...
Location 7 192.168.0.0

All of these locations will be passing through the ASL 4.0 at location 1. We have no internal Mail servers, webservers. But each location has to be able to send and receive to eachother and Access the internet. Our old firewall has Masquerading and  an http proxy and I need to configure the new like the old one. Is the anyone that can give me tips as to which rules I need to have and other considerations? Especially for Location 7: They need to be able to access our VPN. How do I set it up so that their packets will be accepted.

Thanks a bunch!
Janet

This thread was automatically locked due to age.

Parents

0 SecApp over 22 years ago

Janet-

How soon do you have to do this? I could suggest some reading, but maybe you want to consider working with what Astaro calls a "Solution Partner". You can do it using information gleaned here, but what if you forget to mention something and one of your branch offices gets infiltrated because of the answers given with the information we had to go on?

If you have time, I and others will suggest to you some initial recommended reading; when you're done with it, I doubt you will have many questions (but you will still have a few, I'm sure). If you don't have time, then we would have to start with a knowledge of the inventory of the applications being used in each of the branch offices.

[I would prefer that you would work with one of the resellers who are knowledgeable and would be willing to share that knowledge with you, if you can; it's not like you are just putting your home machine at risk with your possible lack of knowledge of some of the issues...]
Cancel
Vote Up 0 Vote Down

Cancel
0 nu2this over 22 years ago in reply to SecApp

thanks for your response. The applications are very simple. Office, mail and most will be accessing a terminal server to access our business system. Other than that nothing exotic. I would, however, be very grateful for some recommended reading. Here are some of what I need to configure in the new ASL:
EgressFilter()
{
    # Dont't let private addresses in.
    ${IPTABLES} -N in_private
    ${IPTABLES} -F in_private
    ${IPTABLES} -A in_private  -j destroy   -s 127.0.0.0/8
    ${IPTABLES} -A in_private  -j destroy   -s 10.0.0.0/8
    ${IPTABLES} -A in_private  -j destroy   -s 172.16.0.0/12
    ${IPTABLES} -A in_private  -j destroy   -s 192.168.0.0/16
    ${IPTABLES} -A in_private  -j destroy   -s 224.0.0.0/4
    ${IPTABLES} -A in_private  -j destroy   -s 240.0.0.0/4

    # Additionally we could destroy everything that doesn't have
    # the IP of our interface as destination address. But this IP
    # is dynamic...

    # Dont't let private addresses escape.
    ${IPTABLES} -N out_private
    ${IPTABLES} -F out_private
    ${IPTABLES} -A out_private -j destroy   -d 127.0.0.0/8
    # Diesen IP-Range nutzen wir
    #${IPTABLES} -A out_private -j destroy   -d 10.0.0.0/8
    ${IPTABLES} -A out_private -j destroy   -d 172.16.0.0/12
    ${IPTABLES} -A out_private -j destroy   -d 192.168.0.0/16
    ${IPTABLES} -A out_private -j destroy   -d 224.0.0.0/4
    ${IPTABLES} -A out_private -j destroy   -d 240.0.0.0/4

    ${IPTABLES} -A INPUT       -j in_private  -i ${INTERFACE}
    ${IPTABLES} -A FORWARD     -j in_private  -i ${INTERFACE}
    ${IPTABLES} -A OUTPUT      -j out_private -o ${INTERFACE}
    ${IPTABLES} -A FORWARD     -j out_private -o ${INTERFACE}
}
I have no idea what this is supposed to mean. Our old SysAdmin was a Linux crack but now we need to be able to administrate our FW without him. That is why we made a new purchase.

Janet
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 nu2this over 22 years ago in reply to SecApp

thanks for your response. The applications are very simple. Office, mail and most will be accessing a terminal server to access our business system. Other than that nothing exotic. I would, however, be very grateful for some recommended reading. Here are some of what I need to configure in the new ASL:
EgressFilter()
{
    # Dont't let private addresses in.
    ${IPTABLES} -N in_private
    ${IPTABLES} -F in_private
    ${IPTABLES} -A in_private  -j destroy   -s 127.0.0.0/8
    ${IPTABLES} -A in_private  -j destroy   -s 10.0.0.0/8
    ${IPTABLES} -A in_private  -j destroy   -s 172.16.0.0/12
    ${IPTABLES} -A in_private  -j destroy   -s 192.168.0.0/16
    ${IPTABLES} -A in_private  -j destroy   -s 224.0.0.0/4
    ${IPTABLES} -A in_private  -j destroy   -s 240.0.0.0/4

    # Additionally we could destroy everything that doesn't have
    # the IP of our interface as destination address. But this IP
    # is dynamic...

    # Dont't let private addresses escape.
    ${IPTABLES} -N out_private
    ${IPTABLES} -F out_private
    ${IPTABLES} -A out_private -j destroy   -d 127.0.0.0/8
    # Diesen IP-Range nutzen wir
    #${IPTABLES} -A out_private -j destroy   -d 10.0.0.0/8
    ${IPTABLES} -A out_private -j destroy   -d 172.16.0.0/12
    ${IPTABLES} -A out_private -j destroy   -d 192.168.0.0/16
    ${IPTABLES} -A out_private -j destroy   -d 224.0.0.0/4
    ${IPTABLES} -A out_private -j destroy   -d 240.0.0.0/4

    ${IPTABLES} -A INPUT       -j in_private  -i ${INTERFACE}
    ${IPTABLES} -A FORWARD     -j in_private  -i ${INTERFACE}
    ${IPTABLES} -A OUTPUT      -j out_private -o ${INTERFACE}
    ${IPTABLES} -A FORWARD     -j out_private -o ${INTERFACE}
}
I have no idea what this is supposed to mean. Our old SysAdmin was a Linux crack but now we need to be able to administrate our FW without him. That is why we made a new purchase.

Janet
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data