Testing Your Setup

Now it’s time to dust off the precise specification that describes how your setup should work.

The physical layout of our sample network is centered around a gateway connected to the Internet via $ext_if. Attached to the gateway via $int_if is a local network with workstations and possibly one or more servers for local use. Finally, we have a DMZ connected to $dmz_if, populated with servers offering services to the local network and the Internet. Figure 9-2 shows the logical layout of the network.

Figure 9-2. Network with servers in a DMZ

The corresponding rule set specification looks something like this:

  • Machines outside our network should have access to the services offered by our servers in the DMZ, and no access to the local network.

  • The machines in our local network, attached to $int_if, should have access to the services offered by the servers in the DMZ and access to a defined list of services outside our network.

  • The machines in the DMZ should have access to some network services in the outside world.

The task at hand is to make sure the rule set we have in place actually implements the specification. We need to test the setup. A useful test would be to try the sequence in Table 9-1.

Your configuration may call for other tests or could differ in some particulars. Your real-life test scenario should specify how packets and connections should be logged. The main point is that you should decide what the expected and desired result for each of your test cases should be before you start testing.

In general, you should test using the applications you expect the typical user to have, such as web browsers or mail clients on various operating systems. The connections should simply succeed or fail, according to specifications. If one or more of your basic tests gives an unexpected result, move on to debugging your rule set.

Table 9-1. Sample Rule Set Test Case Sequence

| Test Action | Expected Result |
|---|---|
| Try a connection from the local network to each allowed port on the servers in the DMZ. | The connection should pass. |
| Try a connection from the local network to each allowed port on servers outside our network. | The connection should pass. |
| Try a connection on any port from the DMZ to the local network. | The connection should be blocked. |
| Try a connection from the DMZ to each allowed port on servers outside our network. | The connection should pass. |
| Try a connection from outside our network to $webserver in the DMZ on each port in $webports. | The connection should pass. |
| Try a connection from outside our network to $webserver in the DMZ on port 25 (SMTP). | The connection should be blocked. |
| Try a connection from outside our network to $emailserver in the DMZ on port 80 (HTTP). | The connection should be blocked. |
| Try a connection from outside our network to $emailserver in the DMZ on port 25 (SMTP). | The connection should pass. |
| Try a connection from outside our network to one or more machines in the local network. | The connection should be blocked. |
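The "outside our network" rows of Table 9-1 can be scripted so the expected result is fixed before the probes run. The following is an added example, not code from the book; the addresses for $webserver and $emailserver and the contents of $webports are constructed placeholders, and the script is meant to be run from a host outside the network.

```python
import socket

# Constructed placeholder addresses for the DMZ hosts; substitute your own.
WEBSERVER = "192.0.2.10"     # $webserver
EMAILSERVER = "192.0.2.11"   # $emailserver
WEBPORTS = (80, 443)         # $webports

# Cases from the "outside our network" rows of Table 9-1, run from an outside host.
OUTSIDE_CASES = [("outside -> $webserver:%d" % p, WEBSERVER, p, "pass") for p in WEBPORTS] + [
    ("outside -> $webserver:25 (SMTP)", WEBSERVER, 25, "blocked"),
    ("outside -> $emailserver:80 (HTTP)", EMAILSERVER, 80, "blocked"),
    ("outside -> $emailserver:25 (SMTP)", EMAILSERVER, 25, "pass"),
]


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect. Returns 'pass' (handshake completed),
    'refused' (an RST came back) or 'dropped' (timeout or unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "pass"
    except ConnectionRefusedError:
        return "refused"
    except OSError:          # socket.timeout and unreachable errors are both OSError
        return "dropped"


def classify(observed, block_replies=False):
    """Map a probe result onto the table's 'pass'/'blocked' vocabulary.
    An RST is ambiguous: with PF's default silent block it means the filter
    passed the packet to a closed port; only with 'block return' is it the
    filter's own reply, so the caller says which policy the rule set uses."""
    if observed == "pass":
        return "pass"
    if observed == "dropped":
        return "blocked"
    return "blocked" if block_replies else "pass"


def run_cases(cases, prober=probe_tcp, block_replies=False):
    """Run every case and return the ones whose outcome disagrees with the table."""
    mismatches = []
    for desc, host, port, expected in cases:
        observed = prober(host, port)
        if classify(observed, block_replies) != expected:
            mismatches.append((desc, expected, observed))
    return mismatches


if __name__ == "__main__":
    for desc, expected, observed in run_cases(OUTSIDE_CASES):
        print("MISMATCH %s: expected %s, observed %s" % (desc, expected, observed))
```

The local-network and DMZ rows of the table are the same loop with a different case list, run from a host on the respective segment.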
