Trust Relationships between the Interfaces
The four types of network interface — Green, Red, Blue, and Orange — supported by IPCop have differing levels of trust associated with them. Here is a simple table outlining what traffic is allowed to go to and from which interfaces. This table, and the knowledge contained within it, should form the basis of our planning when considering how many interfaces to use and what to use them for. This is basically the Traffic Flow diagram from the IPCop administrative guide (www.ipcop.org/1.4.0/en/admin/html/section-firewall.html).
Traffic Flow Diagram

Each block lists one source interface and the state of traffic from it to every other interface. CLOSED paths are blocked unless the feature shown in parentheses explicitly opens them.

From Red:
  to Firewall   CLOSED (External Access)
  to Orange     CLOSED (Port Forwarding)
  to Blue       CLOSED (Port Forwarding / VPN)
  to Green      CLOSED (Port Forwarding / VPN)

From Orange:
  to Firewall   CLOSED
  to Red        OPEN
  to Blue       CLOSED (DMZ Pinholes)
  to Green      CLOSED (DMZ Pinholes)

From Blue:
  to Firewall   CLOSED (Blue Access)
  to Red        CLOSED (Blue Access)
  to Orange     CLOSED (Blue Access)
  to Green      CLOSED (DMZ Pinholes / VPN)

From Green:
  to Firewall   OPEN
  to Red        OPEN
  to Orange     OPEN
  to Blue       OPEN
In visualizing the way in which traffic goes through the IPCop firewall, we can see it as a sort of giant junction with a traffic cop (literally, an IP Cop — hence the name!) in the middle of it. When a car (in network parlance, a packet of data) reaches the crossroads, the cop decides in which direction the packet should go (based on the routing tables IPCop uses), and pushes it in the appropriate direction.
In the case of a Green client accessing the Internet, we can see from the previous table that this access is OPEN, so the cop allows the traffic through. In other instances, however, this might not be the case. If a Blue client tries to access a client on the Green segment, for instance, the cop might allow the traffic through if it comes over a VPN or through DMZ pinholes — but if a client on the Blue segment has neither of these things explicitly allowing the traffic, it is stopped. The car is pulled over, the occupants victims of some virtual time in the cells!
Note that (generally) when we illustrate IPCop Configurations, the Red interface is uppermost (North), the Orange interface is to the left (West), the Blue interface is to the right (East), and the Green interface is to the bottom (South).
As with many aspects of the IPCop firewall's behavior, the firewalling rules themselves can be altered to customize IPCop for a topology not catered for by the default rules. Since the 1.4-series release, IPCop has shipped a file in which users can add their own firewall rules (/etc/rc.d/rc.firewall.local). Since version 1.3, IPCop has also provided its own iptables chains (CUSTOMINPUT, CUSTOMFORWARD, and so on) into which iptables rules can be added manually.
Using iptables directly is outside the scope of this book, but interested readers are encouraged to read:
The Linux iptables HOWTO at www.linuxguruz.com/iptables/howto/
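As an added example (not the book's text and not IPCop's stock rc.firewall.local), the script below opens a single Blue-to-Green pinhole through the CUSTOMFORWARD chain mentioned above, the one flow the traffic table marks CLOSED unless explicitly allowed. The device names, the two hosts and the port are assumptions, and the script assumes IPCop's stock FORWARD chain already accepts established connections, so only NEW packets need the rule.

```shell
#!/bin/sh
# Example /etc/rc.d/rc.firewall.local for IPCop 1.4 (added example, not the stock file).
# Opens one narrow Blue -> Green pinhole via the CUSTOMFORWARD chain.
IPTABLES=${IPTABLES:-/sbin/iptables}   # set IPTABLES=echo to dry-run the rules
BLUE_DEV=${BLUE_DEV:-eth2}             # assumed: the Blue (wireless) NIC
GREEN_DEV=${GREEN_DEV:-eth0}           # assumed: the Green (LAN) NIC
BLUE_HOST=192.168.2.10                 # constructed: the one Blue client allowed in
GREEN_HOST=192.168.1.5                 # constructed: the Green server it may reach
PORT=22                                # constructed: SSH only

# Build the rule body once so that start and stop use identical match criteria;
# iptables -D only removes a rule whose specification matches exactly.
pinhole_rule() {
    printf '%s' "CUSTOMFORWARD -i $BLUE_DEV -o $GREEN_DEV -s $BLUE_HOST -d $GREEN_HOST -p tcp --dport $PORT -m state --state NEW -j ACCEPT"
}

# Blue -> Green is CLOSED by default, so this rule is the only thing letting the
# flow through. Reply packets are assumed to be accepted by IPCop's own
# ESTABLISHED,RELATED rule earlier in FORWARD, hence matching only NEW here.
pinhole_start() {
    # word-splitting of the rule string into separate iptables arguments is intended
    "$IPTABLES" -I $(pinhole_rule)
}

pinhole_stop() {
    "$IPTABLES" -D $(pinhole_rule)
}

case "$1" in
  start)  pinhole_start ;;
  stop)   pinhole_stop ;;
  reload) pinhole_stop; pinhole_start ;;
  "")     ;;   # no argument: only define the functions (lets the file be sourced)
  *)      echo "Usage: $0 {start|stop|reload}" ;;
esac
```

Keeping the pinhole to one source host, one destination host and one port preserves the table's intent: Blue stays untrusted, and only the flow you have explicitly reviewed crosses into Green.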