m0n0wall (firewalls on a stick) - particularly for DMZ and internal only.
Without meaning to start a war, it's my understanding that m0n0wall is regarded as the best firewall on a stick. If memory serves, it's also argued that IPCop is, but it may be that my memory is faulty and the 'top' two are something else. Regardless, the presentation can affirm or correct this.
Preferably within/under VMware ...
- baseline: m0n0wall as firewall between internal and external machines.
- demonstrate DMZ, i.e. rules between external and DMZ, and DMZ and internal.
- demonstrate internal-only control.
i.e. assume a firewall with 5 network cards.
2. Internal ws 2 with Internet access
3. DMZ server (e.g. web server)
4. Internal ws 1, no internet access.
5. Internal server, no internet access.
A. 1. can talk to 3. in certain specified ways, e.g. http.
B. 2. can talk to 1. and 5., e.g. browse the Internet, and to 3. in certain specified ways, e.g. http (intranet).
C. 3. can talk to 1.
D. 4. can talk to nobody but 5.
E. 5. can talk to nobody but 4.
I. A. is a typical server, e.g. web.
II. B. is a typical internal workstation.
III. C. is A., but from the server side.
IV. D. and E. are a typical internal service, e.g. intranet.
- and all with a single point of maintenance, rather than having to maintain iptables, or some such, on each machine.
Conceptually this is not hard to understand. Actually doing the inter-interface configuration is, well ...
I. = outside world.
II. = inside world.
III. = inside server serving the outside world, e.g. a personal web site.
IV. = child with computer playing kiddie games who shouldn't be allowed to browse the Internet (yet).
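The five-zone policy A to E above, written out as a small policy model. This is an added example, not m0n0wall's own configuration format and not code from the original post. Zone 1 (the outside world, which the rules refer to even though the list on the page starts at 2), port 80 standing in for "http", and all rule and function names are assumptions. It goes one step beyond the post: besides answering "may zone X open a connection to zone Y", it computes where each zone could get to if every host it can reach relayed traffic for it, which is the check that shows why the child's workstation (4) must never be given a rule to the Internet-connected workstation (2), however harmless that rule looks on its own.

```python
"""Policy model for a five-interface firewall (added example, assumptions noted).

Zones follow the post: 1 external, 2 internal ws with Internet access,
3 DMZ server, 4 internal ws without Internet, 5 internal server.
Only connection *initiation* is modelled: m0n0wall is stateful, so replies
to a permitted connection need no reverse rule.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

ZONES = {
    1: "external (Internet)",            # assumed: implied by rules A-C
    2: "internal ws with Internet access",
    3: "DMZ server (web)",
    4: "internal ws, no Internet",
    5: "internal server, no Internet",
}


@dataclass(frozen=True)
class Rule:
    """One pass rule: zone src may open proto/dport connections to zone dst."""
    src: int
    dst: int
    proto: str = "any"            # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None = any destination port
    descr: str = ""


# Policies A-E from the post as pass rules; anything not listed is denied.
# Port 80 for "http" is the post's example, the rest is assumed.
RULES: List[Rule] = [
    Rule(1, 3, "tcp", 80,   "A: Internet -> DMZ web server, http only"),
    Rule(2, 1, "any", None, "B: internal ws browses the Internet"),
    Rule(2, 5, "any", None, "B: internal ws -> internal server"),
    Rule(2, 3, "tcp", 80,   "B: internal ws -> DMZ intranet, http only"),
    Rule(3, 1, "any", None, "C: DMZ server -> Internet"),
    Rule(4, 5, "any", None, "D: isolated ws -> internal server only"),
    Rule(5, 4, "any", None, "E: internal server -> isolated ws only"),
]


def permitted(src: int, dst: int, proto: str = "tcp", dport: Optional[int] = None,
              rules: List[Rule] = RULES) -> Optional[str]:
    """Description of the first pass rule matching a new src->dst connection,
    or None for the implicit default deny."""
    for r in rules:
        if (r.src, r.dst) == (src, dst) and r.proto in ("any", proto) \
                and (r.dport is None or r.dport == dport):
            return r.descr
    return None


def transitive_reach(src: int, rules: List[Rule] = RULES) -> Set[int]:
    """Zones src could reach if every host it can connect to relayed for it
    (worst-case pivot analysis over the rule graph)."""
    seen: Set[int] = set()
    todo = [src]
    while todo:
        z = todo.pop()
        for r in rules:
            if r.src == z and r.dst not in seen:
                seen.add(r.dst)
                todo.append(r.dst)
    return seen


def check_isolation(rules: List[Rule] = RULES) -> List[str]:
    """Properties the presentation should be able to demonstrate; returns
    a list of violations (empty means the policy meets them)."""
    problems = []
    # D/E: the no-Internet zones must not reach 1 or 3, even via a pivot.
    for z in (4, 5):
        leaked = transitive_reach(z, rules) & {1, 3}
        if leaked:
            problems.append(f"zone {z} can reach {sorted(leaked)} via pivots")
    # A: the Internet may only initiate http to the DMZ server.
    for r in rules:
        if r.src == 1 and not (r.dst == 3 and r.proto == "tcp" and r.dport == 80):
            problems.append(f"Internet may initiate beyond DMZ http: {r.descr}")
    return problems


if __name__ == "__main__":
    for z in ZONES:
        print(f"zone {z} ({ZONES[z]}) can pivot to {sorted(transitive_reach(z))}")
    print("violations:", check_isolation() or "none")
    # A tempting "internal only" addition: let the child's ws reach the
    # Internet-connected ws (e.g. for file sharing). It creates a pivot path.
    leaky = RULES + [Rule(4, 2, "any", None, "isolated ws -> Internet ws")]
    print("after adding 4 -> 2:", check_isolation(leaky))
```

Each Rule maps to one pass rule on the m0n0wall interface where the source zone attaches (rules are evaluated on the incoming interface), and the implicit deny covers everything else. One caveat for the "B" workstation: m0n0wall ships with a default pass-all rule on the LAN interface, so whichever interface plays zone 2 needs that rule replaced with the three B rules before the policy matches the model.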