The first few rules in the diagram are anti-spoof rules (Rule 0) which prevent the internal networks from being spoofed outside the firewall where they could not originate as source addresses. Next, Rule 1 allows loopback rules and Rule 2 allows the firewall to accept IPv6 multicasts on its external interface.
Next, Rule 3 lets the router's external interface connect to the outside world so the router's services can reach the Internet as needed. This helps the squid proxy and DNS queries reach the Internet. Without it, there would be no access to the Internet for the router itself.
Rule 4 is redundant but it is a holdover from the template allowing SSH from the main network to the router. The router doesn't run SSH so this is not needed as I make changes on the router via the console. Some people like to SSH into the router, but I find I rarely do once I have a router setup just right.
Rules 5, 6, and 7 allow each to reach the services it needs on the tier's gateway interface in this case network time protocol (NTP), http proxy, and domain name service (DNS).
The block all rule (Rule 8) is next denying all other access to the firewall for whatever wasn't defined as being allowed.
Rule 9 makes ident functions reject quickly so no delays exist when an application tries to do an ident call to one of the servers.
Rule 11 allows mail to anywhere but Main Network and Tiers 2 and 3. Tiers 2 and 3 have no reverse DNS and many mailer daemons complain anyway. Tiers 2 and 3 can send mail to tier 1 so tier 1 could be configured as a smart relay host, which isn't shown in this series of articles.
Rule 12 allows tier 1 to reach tier 2 via HTTP. You can add Apache Tomcat HTTP/AJP (8080/8009) or similar ports you need for tier 2 access here.
Rule 13 allows the tier two server to reach tier three's MySQL port for database access.
Note that multiple servers within each tier would have full access to all ports on all servers within the same tier using the configuration as servers on the same tier don't pass through the firewall interface for analysis.
Rule 14 denies any other access to the home IPv6 network but is already covered by Rule 17. I like to see this one explicitly defined but it isn't really necessary.
Rule 15 allows the main network to do whatever it wants to any host in the DMZ. You might want to restrict this to trusted hosts or a jump server in your network.
Rule 16 allows any host to reach the HTTP and HTTPS ports and savvy readers will note that also enables tiers 2 and 3 to reach tier 1 HTTP services.
Rule 17 denies all other connections that aren't allowed.
Fire wall rules don't have to stop here. I could have told the DD-WRT router to deny all incoming connections from the networks 2001:470:f379:31://64 and fd01:/16 and I could tell the host based firewalls on hosts in the main network to drop those networks as well.
Oct 3 14:27:53 router kernel: [1187757.100207] RULE 17 -- DENY IN=eth1 OUT=eth3 MAC=08:00:27:88:a2:52:08:00:27:b6:01:80:86:dd SRC=2001:0470:f379:0031:0000:0000:0000:0010 DST=fd01:0470:f379:0033:0000:0000:0000:0030 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=40715 DPT=22 WINDOW=14400 RES=0x00 SYN URGP=0
Oct 3 19:28:09 router kernel: [1187773.131684] RULE 17 -- DENY IN=eth1 OUT=eth3 MAC=08:00:27:88:a2:52:08:00:27:b6:01:80:86:dd SRC=2001:0470:f379:0031:0000:0000:0000:0010 DST=fd01:0470:f379:0033:0000:0000:0000:0030 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=40715 DPT=22 WINDOW=14400 RES=0x00 SYN URGP=0
Oct 3 19:29:31 router kernel: [1187855.193762] RULE 17 -- DENY IN=eth2 OUT=eth3 MAC=08:00:27:7d:3e:91:08:00:27:b8:81:ef:86:dd SRC=fd01:0470:f379:0032:0000:0000:0000:0020 DST=fd01:0470:f379:0033:0000:0000:0000:0030 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=36823 DPT=22 WINDOW=14400 RES=0x00 SYN URGP=0
Oct 3 19:29:32 router kernel: [1187856.174386] RULE 17 -- DENY IN=eth2 OUT=eth3 MAC=08:00:27:7d:3e:91:08:00:27:b8:81:ef:86:dd SRC=fd01:0470:f379:0032:0000:0000:0000:0020 DST=fd01:0470:f379:0033:0000:0000:0000:0030 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=36823 DPT=22 WINDOW=14400 RES=0x00 SYN URGP=0
Oct 3 19:29:34 router kernel: [1187858.145339] RULE 17 -- DENY IN=eth2 OUT=eth3 MAC=08:00:27:7d:3e:91:08:00:27:b8:81:ef:86:dd SRC=fd01:0470:f379:0032:0000:0000:0000:0020 DST=fd01:0470:f379:0033:0000:0000:0000:0030 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=36823 DPT=22 WINDOW=14400 RES=0x00 SYN URGP=0
Previous: Router | Next: Tier 1 Reverse Proxy |