Re: [IPCop-devel] [2.0] firewall

[Olaf W. <wei...@ip...>]

Robert Kerr wrote:

> In general the basics seem sound, but it doesn't seem to cover the
> restrictions between zones/interfaces? Also though it says orange will
> be separate I'm not clear what the restrictions will be there either. At
> the minute orange allows all to the internet but nothing to ipcops
> services which doesn't seem to fit neatly into the open/half-open/closed
> definition?


--> Orange will not have the half-open policy, the DMZ is completely
seperated from IPCop and green, blue.

Yes it makes it somewhat different from green and blue and yes I know 
this is a trade off, but is the best approach for a DMZ if you ask me.


Currently in 1.4 we have no restrictions for green -> blue+orange and 
for blue -> orange.

We can either follow the same principle or (my personal favorite) have 
these restrictions between interfaces configurable on the same page 
where the policy is defined.


> I guess there's also the question of how much a basic user has to think
> about? are there sane defaults similar to an existing IPCop install or
> are we forcing the user to choose a value for all these settings.

IMHO the defaults should be as close as possible to IPCop 1.4 behavior.

Which would be this:
  - green selected as maintenance network (https and ssh)
  - green is open (full access to internet, access to IPCop services)
  - green can access blue and orange
  - blue is open with "Blue access" activated (full access to internet, 
access to IPCop services)
  - blue can access orange
  - orange is open (full access to internet)



Olaf

-- 

A weizen a day helps keep the doctor away.