Linux Firewall Part 2: Determine Your Network Setup


Many firewalls make certain assumptions and use several standard conventions.  Understand the standard terminologies and you’ll have an easier time when setting up your firewall.

Nearly every firewall’s first level of protection is NAT, or Network Address Translation.  This means that an external address is “translated” from external to internal addresses, so the public never has direct access to your internal network or computers.  Say if you have an external address of  You really don’t want your internal machines to use the same network as the Internet, to you?  So you set up your internal computers with an address range of 192.168.20.x.  Any time someone on the Internet wants to get a file from your internal server, the address is translated by the firewall.

You can also think of each network as secret departments in a covert government organization.  Each department only has security clearance to talk with one another.  Say the Bioweapons department needs resources from Engineering… but they don’t have security clearance.  The only person who has clearance for each department is the 4-star general, and each department must go through him.  It’s not exactly like that, but it’s a decent analogy of how different segmented networks are seperated from each other.

Firewalls use standard conventions when referencing areas of the network.  There are four basic network types, all of which can be managed by the firewall at the same time.  These networks are called:

  • Red (external Internet)
  • Orange (DMZ or DeMilitarized Zone)
  • Green (internal network)
  • Blue (wireless network)

You can have a wireless access point on your green (internal) network in a home situation.  A seperate Blue network is helpful if you have a public access point, but only want those people to access the Internet, and that’s it.  Internet cafés and other public access points would use a Blue network to allow customers access to the outside world, but not let you snoop their internal network.

The Orange Network (DMZ) is where you put your web servers, VOIP router, and other appliances that the outside world should be able to see.  There are several assumptions made about the computers on this network, referred to as the Orange Mantra:

  • Orange must be on a separate physical wire from Green (not on same hub/switch)
  • Orange must be on a separate logical subnet.
  • Orange cannot send nor respond to ICMP. (ie., PING).
  • Orange must always use ISP DNS for name resolution.
  • Orange must always point to the IPCop Orange interface as its gateway.
  • Orange can be accessed from Green ONLY by it’s internal IP address unless /etc/hosts on IPCop is editted.
  • Orange cannot access Green unless pinholes are opened.
  • Orange can be port-forwarded to in exactly the same manner as Green.

Segmenting your network like this adds more security.  If someone comes into your house and uses one of your local computers (on the green network), then they don’t automatically have full control of your web servers.  Your Orange servers will be on a completely seperate network, with a completely different IP range, and completely different set of network cables.  If you have only one server in the DMZ, then you can get away with a cross-over network cable between the firewall and the Orange Server.  If you have more than one server in the DMZ, then you must use a seperate network switch (not the same one your green network is on).

Now that you know the caveats of each network, you can determine which type of firewall setup you need.  If all you need is a firewall that is more configurable than the cheap Netgear box you have, then all you need is a Red + Green setup.  Here is a table with the different network setups and their intended purposes:

firewall setup intended purpose number of network cards needed
red + green
Basic firewall.  Same as a Router appliance, but with greater flexibility.  One internet connection and one internal network.  You can have wireless access if you connect a Wireless Access Point to the switch on the Green network.  Any wireless access point attached to green network has the same access as wired computers. 2
red + green + orange
Use if you have a web server, game server, VoIP, or some other public computer.  Two seperate networks: internal and DMZ 3
red + green + blue
Use if you want public wireless access.  Two seperate networks: internal and wireless.  Wireless cannot access green unless you set up more rules (pinholes) 3
(one with Wireless Access Point)
red + green + orange + blue
Three seperate networks with different network addresses.  Internal network, web servers, and public wireless access.  None of the internal networks can access each other directly without going through pinholes (or back out through the Internet). 4
(one with Wireless Access Point)

Remember, you don’t HAVE to have a blue network to have wireless access.  You can put a wireless access point on the green network, and it will have the same subnet as your wired computers on the green network.  Having a blue network just keeps wireless users on a seperate address range.

Next we’ll discuss hardware considerations based on the type of network you want to set up.

Alan is a web architect, stand-up comedian, and your friendly neighborhood Grammar Nazi. You can stalk him on the Interwebs via Google+, Facebook and follow his ass on Twitter @ocmodshop.