I have DSL service and get my external IP address via DHCP. My DSL "modem" is connected through a 10Mb hub to eth0 (I can get up to 3 dynamic IP addresses, and I also have an LRP-based firewall connected to this hub). I have a local network connected to eth1 (subnet 192.168.1.0/24) and a DMZ connected to eth2 (192.168.2.0/24).
My personal system is 192.168.1.3 and all external ssh and icq connection requests are forwarded to that system.
There is a single system (192.168.2.2) in the DMZ and that system runs sendmail, pop3, DNS, a Web server and an FTP server (Pure-ftpd). The system also runs fetchmail to fetch our email from our ISP.
The firewall system itself runs a DHCP server that serves the local network.
Auth (ident) servers run everywhere and all administration is done using ssh.

#ZONE   DISPLAY    COMMENTS
net     Internet   Internet
loc     Local      Local networks
dmz     DMZ        Demilitarized zone
tun     Tunnel     Peer network in Dallas Texas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

#ZONE   INTERFACE  BROADCAST        OPTIONS
net     eth0       206.191.149.223  dhcp,noping,norfc1918
tun     ipsec0     -
loc     eth1       192.168.1.255    routestopped
dmz     eth2       192.168.2.255    routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#CLIENT SERVER  POLICY  LOG LEVEL
loc     net     ACCEPT
loc     loc     REJECT
fw      loc     ACCEPT
tun     loc     ACCEPT
loc     tun     ACCEPT
net     all     DROP    info
all     all     REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

#TYPE   ZONE  GATEWAY
ipsec   net   130.252.100.21
#LAST LINE -- DO NOT REMOVE

#RESULT CLIENT(S)        SERVER(S)            PROTO  PORT(S)     CLIENT PORT(S)  ADDRESS
#
# Local Network to Firewall - Allow SSH and DHCP
#
ACCEPT  loc              fw                   tcp    ssh
ACCEPT  loc              fw                   udp    67:68
#
# Local Network to DMZ - Allow SMTP, POP3, DNS, SSH, AUTH, PING, FTP, WWW
#
ACCEPT  loc              dmz:192.168.2.2      tcp    25
ACCEPT  loc              dmz:192.168.2.2      tcp    110
ACCEPT  loc              dmz:192.168.2.2      udp    53
ACCEPT  loc              dmz:192.168.2.2      tcp    53
ACCEPT  loc              dmz                  tcp    ssh
ACCEPT  loc              dmz:192.168.2.2      tcp    auth
ACCEPT  loc              dmz                  icmp   8
ACCEPT  loc              dmz:192.168.2.2      tcp    21          -               206.191.149.199
ACCEPT  loc              dmz:192.168.2.2      tcp    www         -               206.191.149.199
#
# Internet to LOCAL - Forward SSH and ICQ connections to Wookie
#
ACCEPT  net              loc:192.168.1.3      tcp    ssh         -               all
ACCEPT  net              loc:192.168.1.3      udp    4000        -               all
ACCEPT  net              loc:192.168.1.3      tcp    4000:4100   -               all
#
# Internet to DMZ - Allow SMTP, WWW, FTP, DNS, ICMP
#
ACCEPT  net              dmz:192.168.2.2      tcp    smtp        -               all
ACCEPT  net              dmz:192.168.2.2      tcp    80          -               all
ACCEPT  net              dmz:192.168.2.2      tcp    21          -               all
ACCEPT  net              dmz:192.168.2.2      udp    53          -               all
#
# DMZ to Internet - Allow PING, DNS, SMTP, NTP, AUTH, POP3
#
ACCEPT  dmz              net                  icmp   8
ACCEPT  dmz:192.168.2.2  net                  udp    53
ACCEPT  dmz:192.168.2.2  net                  tcp    53
ACCEPT  dmz:192.168.2.2  net                  tcp    25
ACCEPT  dmz:192.168.2.2  net:206.191.149.193  udp    ntp
ACCEPT  dmz:192.168.2.2  net                  tcp    auth
ACCEPT  dmz:192.168.2.2  net:206.191.151.2    tcp    110
#
# DMZ to Local Network - Allow SMTP, AUTH, PING
#
ACCEPT  dmz:192.168.2.2  loc                  tcp    25
ACCEPT  dmz:192.168.2.2  loc                  tcp    auth
ACCEPT  dmz              loc                  icmp   8
#
# Internet to Firewall - Allow Auth
#
ACCEPT  net              fw                   tcp    auth
#
# Firewall to Internet - Allow NTP, DNS
#
ACCEPT  fw               net                  udp    ntp
ACCEPT  fw               net:206.191.151.10   udp    53
ACCEPT  fw               net:206.191.151.11   udp    53
#
# Firewall to DMZ - Allow DNS
#
ACCEPT  fw               dmz:192.168.2.2      udp    53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
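As an added illustration (not part of this page or of Shorewall itself), the Python below models how the ruleset above is evaluated: rules are tried top to bottom and the first match wins, and a packet matching no rule falls through to the first policy entry for its zone pair, with "all" as a wildcard. It embeds the policy file from the page and a subset of the rules file, resolves the service names used there to port numbers, and simplifies port forwarding to comparing the post-forwarding destination host (the SERVER(S) column); the query addresses in the usage are constructed.

```python
# Port names used in the configuration (the real firewall resolves them via /etc/services)
SERVICES = {"ssh": 22, "auth": 113, "smtp": 25, "www": 80, "ntp": 123}

# Policy file from the page, in its original order (log level column kept)
POLICY = """\
loc net ACCEPT
loc loc REJECT
fw loc ACCEPT
tun loc ACCEPT
loc tun ACCEPT
net all DROP info
all all REJECT info"""

# Subset of the rules file from the page: host-qualified zones, names and ranges
RULES = """\
ACCEPT loc fw tcp ssh
ACCEPT loc fw udp 67:68
ACCEPT loc dmz:192.168.2.2 tcp 25
ACCEPT loc dmz tcp ssh
ACCEPT net loc:192.168.1.3 tcp ssh - all
ACCEPT net loc:192.168.1.3 tcp 4000:4100 - all
ACCEPT dmz:192.168.2.2 net tcp 25"""

def _zone_match(spec, zone, addr):
    # "dmz:192.168.2.2" restricts a rule to one host; plain "dmz" matches any host in the zone
    z, _, host = spec.partition(":")
    return z == zone and (host == "" or host == addr)

def _port_match(spec, port):
    # "-" is any port; names are looked up in SERVICES; "lo:hi" is an inclusive range
    if spec == "-":
        return True
    lo, _, hi = spec.partition(":")
    lo = int(SERVICES.get(lo, lo))
    hi = int(SERVICES.get(hi, hi)) if hi else lo
    return lo <= port <= hi

def verdict(src, saddr, dst, daddr, proto, port):
    """Return (action, reason); daddr is the destination host after any port forwarding."""
    for line in RULES.splitlines():
        action, s, d, p, *rest = line.split()
        pspec = rest[0] if rest else "-"
        if (_zone_match(s, src, saddr) and _zone_match(d, dst, daddr)
                and p == proto and _port_match(pspec, port)):
            return action, "rule: " + line
    for line in POLICY.splitlines():          # no rule matched: first policy for the pair wins
        s, d, action, *_ = line.split()
        if s in (src, "all") and d in (dst, "all"):
            return action, f"policy: {s} {d}"
    return "REJECT", "no policy matched"

if __name__ == "__main__":
    print(verdict("net", "203.0.113.9", "loc", "192.168.1.3", "tcp", 4050))  # forwarded ICQ
    print(verdict("net", "203.0.113.9", "loc", "192.168.1.5", "tcp", 22))    # net all DROP
```

Running it shows the forwarded ICQ range being accepted by rule while the same SSH attempt at an unlisted local host falls through to the "net all DROP" policy.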
Last updated 3/20/2001 - Tom Eastep