userdoc:tt_firewall_overview

Differences

userdoc:tt_firewall_overview [2020/05/13 15:48]
mkeuter
userdoc:tt_firewall_overview [2020/05/24 16:04] (current)
abelbeck [Default Allowed Traffic Flow]
Line 3: Line 3:
 AstLinux provides an IPv4 / IPv6 Stateful Filtering Firewall, based on the excellent [[https://github.com/arno-iptables-firewall/aif/|Arno's IPTABLES Firewall]] (**AIF**) script, developed by Arno van Amersfoort. AstLinux provides an IPv4 / IPv6 Stateful Filtering Firewall, based on the excellent [[https://github.com/arno-iptables-firewall/aif/|Arno's IPTABLES Firewall]] (**AIF**) script, developed by Arno van Amersfoort.
  
-==== Default Allowed Traffic Flow ====+===== Default Allowed Traffic Flow =====
  
 By default, with the firewall enabled and no added firewall rules, the allowed traffic flow is as follows: By default, with the firewall enabled and no added firewall rules, the allowed traffic flow is as follows:
Line 13: Line 13:
 !!Note ->!! WireGuard and OpenVPN virtual networks are treated as LANs. !!Note ->!! WireGuard and OpenVPN virtual networks are treated as LANs.
  
-==== DMZ Traffic Flow ====+!!Note ->!! Using the DMZ requires at least one LAN defined. 
 + 
 +===== DMZ Traffic Flow =====
  
 In networking the DMZ (DeMilitarized Zone) can have various meaning.  In AstLinux, the default DMZ firewall rules are as follows: In networking the DMZ (DeMilitarized Zone) can have various meaning.  In AstLinux, the default DMZ firewall rules are as follows:
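Review bot: the new "Using the DMZ requires at least one LAN defined" note is a DMZ prerequisite, yet it is added at the end of the Default Allowed Traffic Flow section, directly after the WireGuard/OpenVPN note; consider placing it just below the "===== DMZ Traffic Flow =====" heading so readers looking up the DMZ find the requirement in the section it applies to.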
Line 21: Line 23:
   - Allow DMZ->EXT (internet)   - Allow DMZ->EXT (internet)
   - Allow LAN->DMZ (includes WireGuard and OpenVPN virtual LANs)   - Allow LAN->DMZ (includes WireGuard and OpenVPN virtual LANs)
 +  - Allow Local->DMZ
  
 The DMZ makes a great place to place servers and LXC containers, isolated to your network and AstLinux box, but reachable from any LAN and AstLinux itself. The DMZ makes a great place to place servers and LXC containers, isolated to your network and AstLinux box, but reachable from any LAN and AstLinux itself.
Line 31: Line 34:
   Pass DMZ->Local TCP 0/0 53   Pass DMZ->Local TCP 0/0 53
  
-You may also want mDNS (UDP 5353)+You may also want mDNS (''UDP 5353'')
  
-To drop DMZ->Local logging, uncheck the following:+To disable DMZ->Local logging, uncheck the following:
  
 Firewall sub-tab: Firewall sub-tab:
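Review bot: the mDNS sentence now sets off ''UDP 5353'' in monospace, but unlike the TCP 53 case above it still does not state the rule itself; for consistency consider giving it in the same form as "Pass DMZ->Local TCP 0/0 53", i.e. a "Pass DMZ->Local UDP 0/0 5353" line, so the reader does not have to infer it. The wording change from "drop" to "disable" for logging is an improvement, since "drop" could be read as the firewall DROP action rather than turning logging off.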
Line 42: Line 45:
  
 For the Pi-Hole case, the DMZ is perfect.  The Pi-Hole can use AstLinux's DNS-over-TLS as it's upstream feed, and dnsmasq's DHCP can be configured to give out the Pi-Hole DMZ address for DNS. For the Pi-Hole case, the DMZ is perfect.  The Pi-Hole can use AstLinux's DNS-over-TLS as it's upstream feed, and dnsmasq's DHCP can be configured to give out the Pi-Hole DMZ address for DNS.
 +
 +
 +===== Firewall Plugins =====
 +
 +!!Related Info ->!! **[[userdoc:tt_firewall_plugins|Firewall Plugins]]**
 +\\
 +===== Firewall External Block List =====
 +
 +!!Related Info ->!! **[[userdoc:tt_firewall_external_block_list|Firewall External Block List]]**
 +\\
  
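Review bot: the context line in this hunk reads "The Pi-Hole can use AstLinux's DNS-over-TLS as it's upstream feed", where "it's" should be "its"; since this revision already touches the lines immediately below it, that typo could be fixed in the same change. The two new sections each consist only of a "Related Info" link followed by a forced line break (\\); the extra blank line after the Pi-Hole paragraph (two added empty lines) can be reduced to one to match the spacing used before the other headings.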
  • userdoc/tt_firewall_overview.1589402902.txt.gz
  • Last modified: 2020/05/13 15:48
  • by mkeuter