Bill Wohler <wohler @
# after absorbing the information in "practical unix security" and
# this list, i'll be creating a firewall of my own (yes, bryan, it
# appears we're finally going to get an internet connection).
# chances are we'll use a cisco router as the choke and an hp 710 as
# the gate. however, i'd be interested to hear what people like as
# chokes and gates--and--what they don't like.
# just occurred to me that i might not be able to get two network
# interfaces in the hp 710. if this is the case, what is the danger
# in setting up the router so that it only passes traffic from both
# the external and internal networks only to the gate? is it better
# to get a gate that has two network interfaces?
I've built a number of firewalls using a variety of different schemes,
all variations on a theme of packet filtering.
My current favorite scheme involves two Cisco routers (yeah, I know,
mucho $$$$) and a UNIX box. You arrange things so that the two
routers and the UNIX box are on a dedicated Ethernet (we usually call
this the "exposed net" or "DMZ"), with nothing else on that net. One
of the routers is also connected to the outside world. The other
router is also connected to your internal net.
The exterior router guards the internal net and the DMZ from the
The interior router guards the internal net from the DMZ and the
The host on the DMZ is what the outside world talks to when they want
a SMTP, FTP, DNS, or other server for your site.
You arrange the packet filters on the interior and exterior gateways
so that clients on internal machines can connect to certain servers
(TELNET and FTP satisfy 90-95% of user desires) in the outside world.
You arrange for non-interactive services (such as SMTP, DNS, etc.) to
go out via the host on the DMZ.
You do not allow UDP (except for to/from port 53, for DNS) through the
You do not let any of the internal machines trust the DMZ host in any
way (mounting filesystems, .rhosts files, hosts.equiv files, etc.).
You do everything you possibly can to secure the DMZ host.
You don't let users on the DMZ host routinely; this makes it easier to
monitor for illicit use.
Depending on how paranoid you are and what's at stake, you might
impose further restrictions between the DMZ host and the internal
hosts on the interior router.
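To make the two-router policy above concrete, here is an added model of both routers' filters (this is illustrative code, not anything from the original post or from Cisco). It assumes a constructed internal net 10.0.0.0/8, a constructed DMZ host address 192.0.2.10, TELNET/FTP as the outbound user services, and treats "replies only" the way an IOS `established` match would; it checks that internal-to-DMZ trust (rlogin, NFS and similar) is refused while mail and DNS still flow.

```python
from ipaddress import ip_address, ip_network
INTERNAL = ip_network("10.0.0.0/8")   # constructed internal net
DMZ_HOST = ip_address("192.0.2.10")   # constructed address of the lone DMZ host

def zone(ip):
    ip = ip_address(ip)
    return "internal" if ip in INTERNAL else "dmz" if ip == DMZ_HOST else "outside"

# Rule: (proto, src zone, dst zone, dst ports or None, may open a new connection?).
# First match wins, unmatched packets drop. A False last field passes only TCP
# packets without SYN, i.e. replies (like the IOS 'established' keyword).
TRANSIT = [  # internal <-> outside traffic crosses both routers
    ("tcp", "internal", "outside", {21, 23}, True),   # users' FTP/TELNET out
    ("tcp", "outside", "internal", None, False),      # replies only
]
EXTERIOR = TRANSIT + [
    ("tcp", "outside", "dmz", {21, 25, 53}, True),    # public FTP/SMTP/DNS on bastion
    ("udp", "outside", "dmz", {53}, True),            # port 53 is the only UDP allowed
    ("udp", "dmz", "outside", {53}, True),
    ("tcp", "dmz", "outside", {25, 53}, True),        # bastion relays mail/DNS out
    ("tcp", "outside", "dmz", None, False),
    ("tcp", "dmz", "outside", None, False),
]
INTERIOR = TRANSIT + [
    ("tcp", "internal", "dmz", {25, 53}, True),       # hand outbound mail/DNS to bastion
    ("udp", "internal", "dmz", {53}, True),
    ("udp", "dmz", "internal", {53}, True),
    ("tcp", "dmz", "internal", {25}, True),           # bastion delivers mail inward
    ("tcp", "dmz", "internal", None, False),          # replies only: no rsh/rlogin/NFS
    ("tcp", "internal", "dmz", None, False),
]

def router_passes(rules, proto, src, dst, dport, syn=True):
    """One router's filter: first matching rule wins, default deny."""
    sz, dz = zone(src), zone(dst)
    for r_proto, r_src, r_dst, ports, allow_new in rules:
        if (r_proto, r_src, r_dst) != (proto, sz, dz):
            continue
        if ports is not None and dport not in ports:
            continue
        if proto == "tcp" and syn and not allow_new:
            continue
        return True
    return False

def firewall_passes(proto, src, dst, dport, syn=True):
    """A packet must clear every router on its path (interior, exterior or both)."""
    zones = {zone(src), zone(dst)}
    routers = [r for z, r in (("internal", INTERIOR), ("outside", EXTERIOR)) if z in zones]
    return all(router_passes(r, proto, src, dst, dport, syn) for r in routers)
```

Running `firewall_passes("tcp", "192.0.2.10", "10.1.2.3", 513)` shows the bastion cannot open rlogin to an internal host even though its mail delivery on port 25 is allowed.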
That, in a nutshell, is how I build firewalls today. The technology
is constantly changing, though, so I may be doing something different
next week. Also, I often end up modifying the plan to accommodate a
site's particular constraints (i.e., they can't afford 2 Ciscos, or
they already have another brand of router, or ...).
Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041