userdoc:tt_firewall_overview

Differences

userdoc:tt_firewall_overview [2020/05/13 15:43]
abelbeck [Default Allowed Traffic]
userdoc:tt_firewall_overview [2020/05/23 08:52]
abelbeck [Firewall External Block List]
Line 3: Line 3:
 AstLinux provides an IPv4 / IPv6 Stateful Filtering Firewall, based on the excellent [[https://github.com/arno-iptables-firewall/aif/|Arno's IPTABLES Firewall]] (**AIF**) script, developed by Arno van Amersfoort. AstLinux provides an IPv4 / IPv6 Stateful Filtering Firewall, based on the excellent [[https://github.com/arno-iptables-firewall/aif/|Arno's IPTABLES Firewall]] (**AIF**) script, developed by Arno van Amersfoort.
  
-==== Default Allowed Traffic Flow ====+===== Default Allowed Traffic Flow =====
  
 By default, with the firewall enabled and no added firewall rules, the allowed traffic flow is as follows: By default, with the firewall enabled and no added firewall rules, the allowed traffic flow is as follows:
  
-{{:userdoc:firewall-default-traffic-flow.jpg?nolink|Default Allow Traffic}}+{{:userdoc:firewall-default-traffic-flow2.png?nolink|Default Allow Traffic}}
  
 !!Note ->!! By default any LAN to LAN traffic is not allowed. !!Note ->!! By default any LAN to LAN traffic is not allowed.
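Review bot: make sure firewall-default-traffic-flow2.png has actually been uploaded to the userdoc media namespace before this revision goes live; the old firewall-default-traffic-flow.jpg reference is dropped here, so a missing new file leaves the section with no diagram at all, and the old .jpg should be retired so the two drawings do not drift apart. The promotion from ==== to ===== is fine provided every other top-level section of the page gets the same level, otherwise the table of contents nests "Default Allowed Traffic Flow" at a different depth from its siblings. Minor: the alt text "Default Allow Traffic" could read "Default Allowed Traffic" to match the heading.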
Line 13: Line 13:
 !!Note ->!! WireGuard and OpenVPN virtual networks are treated as LANs. !!Note ->!! WireGuard and OpenVPN virtual networks are treated as LANs.
  
-==== DMZ Traffic Flow ====+===== DMZ Traffic Flow =====
  
 In networking the DMZ (DeMilitarized Zone) can have various meaning.  In AstLinux, the default DMZ firewall rules are as follows: In networking the DMZ (DeMilitarized Zone) can have various meaning.  In AstLinux, the default DMZ firewall rules are as follows:
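Review bot: this heading change matches the one applied to "Default Allowed Traffic Flow" above, which keeps the page hierarchy consistent. While touching this section, the unchanged opening sentence "can have various meaning" should read "can have various meanings", and the double space before "In AstLinux" can be collapsed.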
Line 21: Line 21:
   - Allow DMZ->EXT (internet)   - Allow DMZ->EXT (internet)
   - Allow LAN->DMZ (includes WireGuard and OpenVPN virtual LANs)   - Allow LAN->DMZ (includes WireGuard and OpenVPN virtual LANs)
 +  - Allow Local->DMZ
  
 The DMZ makes a great place to place servers and LXC containers, isolated to your network and AstLinux box, but reachable from any LAN and AstLinux itself. The DMZ makes a great place to place servers and LXC containers, isolated to your network and AstLinux box, but reachable from any LAN and AstLinux itself.
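Review bot: the added "Allow Local->DMZ" entry agrees with the sentence below ("reachable from any LAN and AstLinux itself"), but the list now shows only the permitted directions and says nothing about the reverse ones. State explicitly that DMZ->Local and DMZ->LAN are denied by default, so readers do not assume the rules are symmetric; the "Pass DMZ->Local TCP 0/0 53" example further down only makes sense once that default deny is spelled out here.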
Line 31: Line 32:
   Pass DMZ->Local TCP 0/0 53   Pass DMZ->Local TCP 0/0 53
  
-You may also want mDNS (UDP 5353)+You may also want mDNS (''UDP 5353'')
  
-To drop DMZ->Local logging, uncheck the following:+To disable DMZ->Local logging, uncheck the following:
  
 Firewall sub-tab: Firewall sub-tab:
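Review bot: the mDNS line still gives only a port, not a rule; show it in the same "Pass DMZ->Local ..." shape as the DNS line (and say which sub-tab it belongs in) so readers do not have to guess, and since mDNS is multicast, whether AIF needs anything beyond a plain UDP 5353 pass rule is not visible in this hunk and is worth confirming before documenting it. Separately, the visible DNS example opens only TCP 53; resolvers query over UDP first, so if the matching UDP 53 line is not on the line just above this hunk, add it next to the TCP one.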
Line 42: Line 43:
  
 For the Pi-Hole case, the DMZ is perfect.  The Pi-Hole can use AstLinux's DNS-over-TLS as it's upstream feed, and dnsmasq's DHCP can be configured to give out the Pi-Hole DMZ address for DNS. For the Pi-Hole case, the DMZ is perfect.  The Pi-Hole can use AstLinux's DNS-over-TLS as it's upstream feed, and dnsmasq's DHCP can be configured to give out the Pi-Hole DMZ address for DNS.
 +
 +
 +===== Firewall Plugins =====
 +
 +!!Related Info ->!! **[[userdoc:tt_firewall_plugins|Firewall Plugins]]**
 +\\
 +===== Firewall External Block List =====
 +
 +!!Related Info ->!! **[[userdoc:tt_firewall_external_block_list|Firewall External Block List]]**
 +\\
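Review bot: the trailing "\\" after each Related Info link is a forced line break with nothing following it, so it only adds blank vertical space at the end of each new section; drop it or use a plain blank line like the rest of the page. The two added blank lines before "===== Firewall Plugins =====" are also more than the single blank line used between the other sections. In the unchanged Pi-Hole sentence, "as it's upstream feed" should be "as its upstream feed".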
  
  • userdoc/tt_firewall_overview.txt
  • Last modified: 2020/05/24 16:04
  • by abelbeck