Firewall Rules
These are the rules used to govern the two firewalls used in this study.
- Incoming traffic
- Forwarding
- Outgoing traffic
The strategy was to deny almost everything at first and then allow only a few dedicated connections. The iptables rules were set up to allow ping and SSH. In a production environment, ping (ICMP) and SSH (TCP port 22) would probably be denied.
Firewall 1
- Incoming traffic
- Stop all incoming traffic.
- Allow all related and established traffic for Firewall 1.
- Forwarding traffic
- Stop all forwarding traffic.
- Allow forwarding of TCP traffic from 192.168.40.60 (proxy server) to the internal servers.
- Allow forwarding of all related and established traffic.
- Outgoing traffic
- Allow output traffic for ICMP.
Note: This rule is for maintenance only and would probably not be implemented in a production environment.
All servers on the internal zone have Firewall 1 as their default route.
Firewall 2
- Incoming traffic
- Stop all incoming traffic.
- Allow all related and established traffic for Firewall 2.
- Forwarding traffic
- Stop all forwarding traffic.
- Allow forwarding of all related and established traffic.
- Allow forwarding of TCP traffic on IP interface 10.10.60.0 (OSA card) to go to 192.168.40.21 (Firewall 1) and 192.168.40.60 (proxy server), and when Apache is moved into the DMZ, to 192.168.40.100.
- Outgoing traffic
- Allow output traffic for ICMP.
Note: This rule is for maintenance only and would probably not be implemented in a production environment.
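The two rule sets above, written out as iptables commands. This is an added example, not the rule file used in the study: the addresses are the ones given on this page, but the internal server subnet is not stated anywhere, so INTERNAL_NET is a placeholder, and the stateful OUTPUT rule is an assumption added so that the SSH sessions the overview mentions can send their replies. IPT defaults to "echo iptables", so the script only prints the rules unless you run it as root with IPT=iptables; forwarding on the real hosts also needs net.ipv4.ip_forward=1, which this page does not show.

```shell
#!/bin/sh
# Added example: Firewall 1 and Firewall 2 policies as iptables commands.
# IPT defaults to "echo iptables" so the rules can be reviewed without root.
IPT="${IPT:-echo iptables}"

# Addresses taken from the page.
PROXY=192.168.40.60        # proxy server
FW1=192.168.40.21          # Firewall 1, as seen from Firewall 2
APACHE_DMZ=192.168.40.100  # Apache, once it is moved into the DMZ
OSA_NET=10.10.60.0/24      # network on Firewall 2's OSA interface

# Placeholder (assumption): the page does not name the internal server subnet.
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/24}"

# Shared baseline for both firewalls: flush, default-deny on every chain,
# then let already-accepted connections continue.
baseline() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Assumption: replies to accepted inbound sessions (for example SSH) must
    # be allowed out, otherwise the OUTPUT DROP policy would cut them off.
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Maintenance-only rules from the overview (ping and SSH); the page says
    # these would probably be denied in production.
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPT -A OUTPUT -p icmp -j ACCEPT
}

# Firewall 1: only the proxy may open TCP connections to the internal servers.
firewall1() {
    baseline
    $IPT -A FORWARD -p tcp -s "$PROXY" -d "$INTERNAL_NET" -j ACCEPT
}

# Firewall 2: TCP arriving on the OSA-side network may reach Firewall 1,
# the proxy and (after the move) Apache in the DMZ; nothing else is forwarded.
firewall2() {
    baseline
    for dst in "$FW1" "$PROXY" "$APACHE_DMZ"; do
        $IPT -A FORWARD -p tcp -s "$OSA_NET" -d "$dst" -j ACCEPT
    done
}

case "${1:-}" in
    fw1) firewall1 ;;
    fw2) firewall2 ;;
    "")  ;;   # no argument: just define the functions (useful when sourced)
    *)   echo "usage: $0 fw1|fw2" >&2 ;;
esac
```

Run `sh fwrules.sh fw1` to see the Firewall 1 rule set printed, and `IPT=iptables sh fwrules.sh fw2` as root to apply the Firewall 2 rules. The order matters: the RELATED,ESTABLISHED rule sits first in FORWARD so return traffic is matched cheaply, and the specific TCP rules only ever admit the first packet of a new connection in the permitted direction.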
The client needs to be able to route requests through Firewall 2 to the proxy server. The client routing table is shown below.
[root@client ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.80.0 * 255.255.255.0 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
9.12.22.0 * 255.255.255.0 U 0 0 0 eth2
10.10.60.0 * 255.255.255.0 U 0 0 0 eth0
10.10.10.0 * 255.255.255.0 U 0 0 0 eth0
192.168.40.0 10.10.60.22 255.255.255.0 UG 1 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth2
default pdlrouter-if7.p 0.0.0.0 UG 0 0 0 eth2
[root@client ~]#
IP address 10.10.60.22 (the gateway for 192.168.40.0 in the routing table above) is the address assigned to an OSA adapter configured on the Firewall 2 z/VM® guest.
To enable Firewall 2 to route IP traffic on this OSA adapter, the adapter must be configured as a primary router. The OSA adapter on Firewall 2 uses device addresses 0716 through 0718.
To enable route4 primary routing, the configuration file for the OSA adapter had to be changed to include a QETH_OPTIONS='route4=primary_router' clause (the QETH_OPTIONS line in the following example).
firewall2:/etc/sysconfig/network # cat /etc/sysconfig/hardware/hwcfg-qeth-bus-ccw-0.0.0716
CCW_CHAN_IDS='0.0.0716 0.0.0717 0.0.0718'
CCW_CHAN_MODE=''
CCW_CHAN_NUM='3'
LCS_LANCMD_TIMEOUT=''
MODULE='qeth'
MODULE_OPTIONS=''
QETH_IPA_TAKEOVER='0'
QETH_LAYER2_SUPPORT='0'
QETH_OPTIONS='route4=primary_router'
SCRIPTDOWN='hwdown-ccw'
SCRIPTUP='hwup-ccw'
SCRIPTUP_ccw='hwup-ccw'
SCRIPTUP_ccwgroup='hwup-qeth'
STARTMODE='auto'
firewall2:~ #