CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" >

10.2. The topology

All servers should be configured to block at least the unused ports, even if there are not a firewall server. This is required for more security. Imagine someone gains access to your firewall gateway server: if your neighborhoods servers are not configured to block unused ports, this is a serious network risk. The same is true for local connections; unauthorized employees can gain access from the inside to your other servers in this manner.

In our configuration we will give you three different examples that can help you to configure your firewall rules depending on the type of the server you want to protect and the placement of these servers on your network architecture.

The first example firewall rules file will be for a Web Server.
The second for a Mail Server.
The last for a Gateway Server that acts as proxy for the inside Wins, Workstations and Servers machines.

See the graph below to get an idea:

Firewall schematic representaion

The graph above shows you the ports that I enable on the different servers by default in my firewall scripts file in this book

www.openna.com Caching Only DNS 208.164.186.3 .

  1. Unlimited traffic on the loopback interface allowed

  2. ICMP traffic allowed

  3. DNS Caching and Client Server on port 53 allowed

  4. SSH Server on port 22 allowed

  5. HTTP Server on port 80 allowed

  6. HTTPS Server on port 443 allowed

  7. SMTP Client on port 25 allowed

  8. FTP Server on ports 20, 21 allowed

  9. Outgoing traceroute request allowed

deep.openna.com Master DNS Server 208.164.186.1 .

  1. Unlimited traffic on the loopback interface allowed

  2. ICMP traffic allowed

  3. DNS Server and Client on port 53 allowed

  4. SSH Server and Client on port 22 allowed

  5. HTTP Server and Client on port 80 allowed

  6. HTTPS Server and Client on port 443 allowed

  7. WWW-CACHE Client on port 8080 allowed

  8. External POP Client on port 110 allowed

  9. External NNTP NEWS Client on port 119 allowed

  10. SMTP Server and Client on port 25 allowed

  11. IMAP Server on port 143 allowed

  12. IRC Client on port 6667 allowed

  13. ICQ Client on port 4000 allowed

  14. FTP Client on port 20, 21 allowed

  15. RealAudio / QuickTime Client allowed

  16. Outgoing traceroute request allowed

mail.openna.com Slave DNS Server 208.164.186.2 .

  1. Unlimited traffic on the loopback interface allowed

  2. ICMP traffic allowed

  3. DNS Server and Client on port 53 allowed

  4. SSH Server on port 22 allowed

  5. SMTP Server and Client on port 25 allowed

  6. IMAP Server on port 143 allowed

  7. Outgoing traceroute request allowed

The list above shows you the ports that I enable on the different servers by default in my firewall scripts file in this book. Depending on what services must be available in the server for the outside, you must configure your firewall script file to allow the traffic on the specified ports.

for all the examples explained later in this chapter.