Changes between Version 4 and Version 5 of Concepts


Timestamp:
09/20/07 20:21:00 (14 years ago)
Author:
Adi Kriegisch
Comment:

changed zone names: ext -> inet (and inet.ext -> world.inet)

  • Concepts

    v4 v5  
    1515[[Image(Simple_Network_with_Server.png)]]
    1616
    17 You can think of zone as a possibility to group networks and hosts of equal security level together. For example you may define two zones: 'int' and 'ext' to distinguish the internal part of you network from the external one. It becomes inherently clear that those two zones mean different levels of access.
     17You can think of zone as a possibility to group networks and hosts of equal security level together. For example you may define two zones: 'int' and 'inet' to distinguish the internal part of you network from the external one. It becomes inherently clear that those two zones mean different levels of access.
    1818
    1919Define at least one network within each zone. You may, of course, define several networks within a zone.
    2020
    21 For the sake of simplicity we will refer to zones with red colour and to networks with orange. Vuurmuur shows your network in the following way: network.zone: In our example we have lan.int and inet.ext. For the definition of a network in Vuurmuur you have to add network address, netmask and at least one interface via which the network can be reached. Then there are hosts: Imagine — as in our example — there is a special host in the internal network that should be reachable from the internet.
     21For the sake of simplicity we will refer to zones with red colour and to networks with orange. Vuurmuur shows your network in the following way: network.zone: In our example we have lan.int and world.inet. For the definition of a network in Vuurmuur you have to add network address, netmask and at least one interface via which the network can be reached. Then there are hosts: Imagine — as in our example — there is a special host in the internal network that should be reachable from the internet.
    2222
    2323[[Image(Simple_Network_with_Server_and_zones_and_networks_and_host.png)]]
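Review bot: the modified line 17 still reads "the internal part of you network"; since the line is being edited for the zone rename anyway, correct it to "your network" in the same change. On line 21, the double colon in "Vuurmuur shows your network in the following way: network.zone: In our example we have lan.int and world.inet" reads awkwardly; consider "Vuurmuur displays a network as network.zone; in our example, lan.int and world.inet."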
     
    2626
    2727=== A word on naming conventions ===
    28 How you name the elements in your network is entirely up to you. There are just some hints for clever naming: like use rather short names as they will be used for things like live log view and so on. For zones you should use names representing the status relative to your network like 'int', 'ext' or 'dmz' and so on. It should be quite obvious to anyone viewing and creating rules what security level a zone has. The more intuitive the names are the less errors you can/will make on firewall rules! The same applies for network and host names as well.
     28How you name the elements in your network is entirely up to you. There are just some hints for clever naming: like use rather short names as they will be used for things like live log view and so on. For zones you should use names representing the status relative to your network like 'int', 'inet' or 'dmz' and so on. It should be quite obvious to anyone viewing and creating rules what security level a zone has. The more intuitive the names are the less errors you can/will make on firewall rules! The same applies for network and host names as well.
    2929
    3030! Never ever try to reuse names that are already known in a different context in your network. This will bring you in great trouble — just because you then have two completely different objects with probably completely different level of security and you (or someone less educated who will try to administer the firewall when you are on holidays) will certainly get confused and probably make wrong (and dangerous) decisions!
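Review bot: on the modified line 28, "the less errors you can/will make" should be "the fewer errors you will make", and the example list "'int', 'inet' or 'dmz'" now matches the renamed zones used earlier on the page, which is good; the rest of the paragraph is otherwise consistent with the rename.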
     
    3434
    3535== Interfaces ==
    36 The same as above applies to interfaces as well: You may give them whatever names you like. You may choose name of the NIC vendor or names like 'int' and 'ext' or whatever you prefer.[[BR]]
     36The same as above applies to interfaces as well: You may give them whatever names you like. You may choose name of the NIC vendor or names like 'int' and 'inet' or whatever you prefer.[[BR]]
    3737
    3838Interfaces will be — as zones, networks, hosts and groups — be used for creating rules. When creating networks you need to specify an interface that this network is attached to. Vuurmuur uses this interface for its rules: To avoid accepting packages from this network on a wrong interface. An interface in the Vuurmuur sense consists of a name you may freely choose, an IP address and a (real) device name like 'eth0'. You may specify if your interface is dynamic (Vuurmuur will care to monitor changes in the IP address then) and in advanced mode you may specify that your interface is virtual.[[BR]]
    3939
    40 So again: choose names wise, be careful not to confuse yourself with strange names. Always keep an eye on having a rather intuitive naming scheme so that it is not so easy to rip security holes in your firewall by accident. Depending on your setup you may choose a simple naming scheme like 'int' and 'ext' or a more complex one with either virtual interfaces or multiple interfaces. Anyways: You need to keep an overview!
     40So again: choose names wise, be careful not to confuse yourself with strange names. Always keep an eye on having a rather intuitive naming scheme so that it is not so easy to rip security holes in your firewall by accident. Depending on your setup you may choose a simple naming scheme like 'int' and 'inet' or a more complex one with either virtual interfaces or multiple interfaces. Anyways: You need to keep an overview!
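Review bot: on the modified line 40, "choose names wise" should be "choose names wisely", and "Anyways" should be "Anyway"; both are on a line already touched by the rename. The example pair "'int' and 'inet'" is consistent with the interface example on line 36, so the rename is complete within this section.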