Firewall Rules

These are the rules used to govern the two firewalls used in this study.

The firewall rules were structured in the following three areas:
  • Incoming traffic
  • Forwarding
  • Outgoing traffic

The strategy was to deny everything by default and then allow only a few dedicated connections. The iptables rules were set up to allow ping (ICMP) and SSH. In a production environment, ping (ICMP) and SSH (TCP port 22) would probably be denied.

Firewall 1

These rules were used for Firewall 1:
Incoming traffic
  1. Stop all incoming traffic.
  2. Allow all related and established traffic for Firewall 1.
Forwarding traffic
  1. Stop all forwarding traffic.
  2. Allow forwarding of TCP traffic from 192.168.40.60 (proxy server) to the internal servers.
  3. Allow forwarding of all related and established traffic.
Outgoing traffic
Allow output traffic for ICMP.
Note: This rule is for maintenance only and would probably not be implemented in a production environment.

All servers on the internal zone have Firewall 1 as their default route.

Firewall 2

These rules were used for Firewall 2:
Incoming traffic
  1. Stop all incoming traffic.
  2. Allow all related and established traffic for Firewall 2.
Forwarding traffic
  1. Stop all forwarding traffic.
  2. Allow forwarding of all related and established traffic.
  3. Allow forwarding of TCP traffic on IP interface 10.10.60.0 (OSA card) to go to 192.168.40.21 (Firewall 1) and 192.168.40.60 (proxy server), and when Apache is moved into the DMZ, to 192.168.40.100.
Outgoing traffic
Allow output traffic for ICMP.
Note: This rule is for maintenance only and would probably not be implemented in a production environment.
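The two rule sets above written out as an iptables script, added here as an example and not taken from the original study. By default it only prints the commands (export IPT=iptables and run as root to load them). The addresses come from the page; the interface-independent form, the default-deny OUTPUT policy, and the internal-zone network placeholder are assumptions.

```shell
#!/bin/sh
# Dry run unless IPT=iptables is exported: every rule is echoed instead of loaded.
IPT="${IPT:-echo iptables}"

PROXY=192.168.40.60           # proxy server (from the page)
FW1=192.168.40.21             # Firewall 1 (from the page)
APACHE_DMZ=192.168.40.100     # Apache once moved into the DMZ (from the page)
OSA_NET=10.10.60.0/24         # OSA card network on Firewall 2 (from the page)
# PLACEHOLDER: the page does not name the internal zone's network behind Firewall 1.
INTERNAL_NET="${INTERNAL_NET:-192.0.2.0/24}"

common_policy() {
    # Deny by default; OUTPUT DROP is assumed from the "deny everything first" strategy.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Only replies to connections already permitted may come in or be forwarded.
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Maintenance only: let the firewall itself send ICMP (ping). Remove in production.
    $IPT -A OUTPUT -p icmp -j ACCEPT
}

firewall1_rules() {
    common_policy
    # Only the proxy server may open new TCP connections into the internal zone.
    $IPT -A FORWARD -p tcp -s "$PROXY" -d "$INTERNAL_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
}

firewall2_rules() {
    common_policy
    # Hosts on the OSA network may open new TCP connections only to Firewall 1,
    # the proxy server, and the DMZ address Apache will move to.
    for dst in "$FW1" "$PROXY" "$APACHE_DMZ"; do
        $IPT -A FORWARD -p tcp -s "$OSA_NET" -d "$dst" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}
```

Run `firewall1_rules` on Firewall 1 and `firewall2_rules` on Firewall 2; with the default dry run, the printed lines can be reviewed before anything is loaded.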

The client needs to be able to route requests through Firewall 2 to the proxy server. The client routing table is shown below.

[root@client ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.80.0      *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
9.12.22.0       *               255.255.255.0   U     0      0        0 eth2
10.10.60.0      *               255.255.255.0   U     0      0        0 eth0
10.10.10.0      *               255.255.255.0   U     0      0        0 eth0
192.168.40.0    10.10.60.22     255.255.255.0   UG    1      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
default         pdlrouter-if7.p 0.0.0.0         UG    0      0        0 eth2
[root@client ~]#

IP address 10.10.60.22 (the gateway for the 192.168.40.0 network in the above example) is the address assigned to an OSA adapter configured on the Firewall 2 z/VM® guest.

To enable Firewall 2 to route IP traffic on this OSA adapter, the adapter must be configured as a primary router. The OSA adapter on Firewall 2 uses device addresses 0716 through 0718.

To enable route4 primary routing, the configuration file for the OSA adapter needed to be changed to include a QETH_OPTIONS='route4=primary_router' clause (shown in the following example).

firewall2:/etc/sysconfig/network # cat /etc/sysconfig/hardware/hwcfg-qeth-bus-ccw-0.0.0716
CCW_CHAN_IDS='0.0.0716 0.0.0717 0.0.0718'
CCW_CHAN_MODE=''
CCW_CHAN_NUM='3'
LCS_LANCMD_TIMEOUT=''
MODULE='qeth'
MODULE_OPTIONS=''
QETH_IPA_TAKEOVER='0'
QETH_LAYER2_SUPPORT='0'
QETH_OPTIONS='route4=primary_router'
SCRIPTDOWN='hwdown-ccw'
SCRIPTUP='hwup-ccw'
SCRIPTUP_ccw='hwup-ccw'
SCRIPTUP_ccwgroup='hwup-qeth'
STARTMODE='auto'
firewall2:~ #