<< Back to man.ChinaUnix.net

Introduction

This is the most important part of Endian Firewall and most probably the cause why you want to use a firewall. Endian firewall uses a standard netfilter firewall and creates it's firewall rules using iptables. Basically Endian Firewall is configured in a manner that the firewall itself is the only point of contact seen from the outside, or the internet. The public ip addresses can be assigned only to the RED interface, thus a connection attempt from the internet to one of your public ip addressess will reach only the RED interface of the firewall and cannot pass beyond. This has been made technically impossible by the use of NAT. Routing of public ip addresses within a zone behind the firewall will be prevented since otherwise it would circumvent the firewall rules.

Figure 6.2. Diagram of flow control and its configuration possibilities

Diagram of flow control and its configuration possibilities

If not configured otherwise, the firewall will as default block all traffic coming from the outside. As default behaviour, traffic from the GREEN zone will be allowed passing to each other zones (BLUE and ORANGE), since GREEN is the trusted network, but for each pass from one zone to another NAT will be performed, in order to obscure the real source and not give away any information about a network configuration within another zone. Contrarily, access from the other zones will not be allowed to nowhere as default. Exception is the access to RED, to the internet, where only some standard services (HTTP,FTP,SMTP,DNS) are allowed as default from GREEN and only DNS from BLUE and ORANGE.

Certainly Endian Firewall gives the possibility to lighten these strong restrictions and let you define access rules from among each zone. In order to allow access to RED, the internet, the outgoing firewall is resposible. If you need to give access to the firewall itself, you need to create rules within the External Access menu. Access from BLUE to GREEN and from ORANGE to GREEN or BLUE will be arranged by Zone pinholes.

If you have servers in the DMZ behind ORANGE and need to allow access from the internet, you can create a port forwarding rule. You may flexibly forward different ports from the same ip address to different servers within the DMZ or different ports from different ip addresses to the same servers, as you wish.