
-> NOTE: All options *not* mentioned in a scenario should be left as they
->       are in the default sysconfig/SuSEfirewall2 config file!
->       Backup default config:
->           /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf


###########
Scenario 1:

A User with his nice SuSE Linux PC wants to be protected when connected to
the internet via the ISDN dialup of his ISP.
He wants to offer NO services to the internet.
He is NOT connected to any other network, nor are any other network cards
active.

FW_DEV_EXT="ippp0"                      # this is the ISDN interface, an analog
                                        # modem would be ppp0 !
FW_STOP_KEEP_ROUTING_STATE="yes"        # ISDN probably needs this



###########
Scenario 2:

A company uses its SuSE Linux PC to access the internet via an ISDN dialup
of its ISP.
It has got a web server running on the PC, plus it is the mail/POP3 server for
the company. Squid is running to cache www traffic. No internal PC should
have direct access to the internet.
The network address of the internal LAN is 192.168.1.0 netmask 255.255.255.0

TODO: users have to configure their mail server, POP3 server and DNS to the IP
of the firewall, and their web client software to use the firewall on port
3128.
TODO: The services mail, squid and POP3 have to be set up (securely).

FW_DEV_EXT="ippp0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_SERVICES_EXT_TCP="25 80"
FW_SERVICES_INT_TCP="25 53 80 110 3128"
FW_SERVICES_INT_UDP="53"
FW_SERVICE_DNS="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"



###########
Scenario 3:
A small university unit wants to use masquerading to access the internet
directly, but wants the client PCs not to be directly reachable from the outside
(and hence get limited protection through this). The firewall provides
no services whatsoever.
external fw interface=eth1
internal fw interface=eth0
internal LAN: 192.168.10.0/24

FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"



###########
Scenario 4:
A small company wants access to the internet for its client PCs and
additionally IPsec with another office on another continent.
Note: the ipsec interface must be on the same FW_DEV_* as the real interface
accepting the IPsec traffic. In this example it is eth0, so ipsec0 must be in
FW_DEV_EXT. The same applies to UDP port 500 and IP protocols 50 and 51, which
must be allowed on the firewall.

external fw interface=eth0
internal fw interface=eth1
FreeS/WAN ipsec device=ipsec0
internal LAN: 192.168.0.0/16
remote LAN: 10.0.0.0/16
the incoming FreeS/WAN traffic is accepted on eth0, the external interface

FW_DEV_EXT="eth0 ipsec0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/16"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_FORWARD="192.168.0.0/16,10.0.0.0/16 10.0.0.0/16,192.168.0.0/16"



###########
Scenario 5:
This company has got a more complex setup:

   Internet
      |
      |           Web server
      |               |
   SuSE-Firewall-------
      |
      |---Mail server
      |
      |---Database
      |
   Internal LAN

All mail is delivered to the firewall. It also provides DNS service to
internal and external networks.
There's a DMZ where a web server resides (port 80 and port 443) which needs
to connect to the firewall to deliver mail to internal, send syslog
messages and do domain lookups. It also needs direct access to the internal
database (bad idea!).
All mail which is delivered to the firewall is sent to the internal
mail server. The mail server sends all mail for the internet to the firewall.
Internal PCs which access the internet should be masqueraded.
external fw interface: eth2
dmz fw interface: eth1
internal fw interface: eth0
ip of database: 192.168.1.3, tcp port for database is 4545
ip of web server: 200.200.200.200 (this is an official, assigned address!)
internal LAN: 192.168.1.0 netmask 255.255.255.0

TODO: the name server on the firewall needs to be set up "split-brained". See
the DNS How-to. The mail server on the firewall needs to be set up as a
forwarder/relayer. The mail server on the internal network gets the firewall
configured as forwarder/relay.

FW_DEV_EXT="eth2"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.1.0/24"
FW_SERVICES_EXT_TCP="25 53"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_DMZ_TCP="25 53"
FW_SERVICES_DMZ_UDP="53 514"
FW_SERVICES_INT_TCP="25 53"
FW_SERVICES_INT_UDP="53"
FW_SERVICE_DNS="yes"
FW_FORWARD="0/0,200.200.200.200,tcp,80 0/0,200.200.200.200,tcp,443 \
 200.200.200.200,192.168.1.3,tcp,4545"   # access to the web server and allow
                                         # access from the web server to the database
FW_REDIRECT="192.168.1.0/24,0/0,tcp,53,53 192.168.1.0/24,0/0,tcp,25,25 \
 192.168.1.0/24,0/0,udp,53,53"   # all DNS and mail is done by the firewall
                                 # (one assignment: the file is sourced as shell,
                                 # so a second FW_REDIRECT= line would replace this one)
FW_ALLOW_PING_DMZ="yes"
# the redirect statements here are gimmicks to show how to use it. in this
# example they send *any* traffic from the internal network which goes via
# the firewall and is destined to a target port of 53 (DNS) or 25 (Mail)
# to the local servers on the firewall.
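Two mistakes are easy to make in a file of this size: assigning a variable on two lines (the file is sourced as shell, so only the last line counts and the earlier entries vanish without any error), and naming one interface in two FW_DEV_* zones. The following check script is an added example and not part of SuSEfirewall2; it reads the file with awk/sed instead of sourcing it, the sample config it checks is constructed for the demonstration, and the function names duplicate_assignments and zone_overlap are mine.

```sh
#!/bin/sh
# Added example, not part of SuSEfirewall2: two static checks on a
# sysconfig/SuSEfirewall2 file before it is installed. The file is read with
# awk/sed rather than sourced, so nothing in it gets executed by the check.
#
# 1. A variable assigned more than once: the firewall script sources the file
#    as shell, so only the last assignment survives and the entries on the
#    earlier line are silently dropped.
# 2. An interface named in more than one FW_DEV_* zone: every scenario in this
#    file places each interface in exactly one of FW_DEV_EXT/INT/DMZ.

# Print FW_* names assigned on more than one line; return 1 if any are found.
# Backslash-continued lines belong to the preceding assignment.
duplicate_assignments() {
    _dups=$(awk '
        cont == 1 { cont = ($0 ~ /\\$/) ? 1 : 0; next }
        /^[[:space:]]*FW_[A-Z0-9_]*=/ {
            name = $0; sub(/^[[:space:]]*/, "", name); sub(/=.*/, "", name)
            count[name]++
        }
        /\\$/ { cont = 1 }
        END { for (n in count) if (count[n] > 1) print n }
    ' "$1" | sort)
    [ -z "$_dups" ] && return 0
    printf '%s\n' "$_dups"
    return 1
}

# Print interfaces that appear in more than one FW_DEV_* variable; return 1 if any.
zone_overlap() {
    _ifaces=$(sed -n 's/^[[:space:]]*FW_DEV_[A-Z]*="\([^"]*\)".*/\1/p' "$1" \
        | tr ' ' '\n' | grep -v '^$' | sort | uniq -d)
    [ -z "$_ifaces" ] && return 0
    printf '%s\n' "$_ifaces"
    return 1
}

# Constructed sample config: a repeated FW_REDIRECT assignment (the tcp
# entries on the first line never reach the firewall) and eth2 in two zones.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
FW_DEV_EXT="eth2"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth1 eth2"
FW_FORWARD="0/0,200.200.200.200,tcp,80 \
 200.200.200.200,192.168.1.3,tcp,4545"
FW_REDIRECT="192.168.1.0/24,0/0,tcp,53,53 192.168.1.0/24,0/0,tcp,25,25"
FW_REDIRECT="192.168.1.0/24,0/0,udp,53,53"
EOF

duplicate_assignments "$SAMPLE_CONF" || echo "-> variable(s) above are assigned more than once"
zone_overlap "$SAMPLE_CONF" || echo "-> interface(s) above are in more than one zone"
```

Run it against /etc/sysconfig/SuSEfirewall2 instead of the sample before restarting the firewall; a non-zero exit from either function means the file does not say what it looks like it says.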



###########
Scenario 6:
Most complex scenario!

Network map:

 Internet Trusted_Company
     |       |
     |       |
     |       |
   SuSE-Firewall-------Web server
      |      |
      |      |
      |      |
      |      |--- Admin Network
      |
   Internal LAN---Server (for the trusted_company)
      |
    Mail server

The company has a connection to the internet and also an additional
line to a trusted third party company, who needs SSH access to an internal
server ("Server" on the map).
There is also a DMZ with a web server (www, https) which sends DNS, mail and
syslog to the firewall. The web server has got a private IP address, hence it
must be reverse masqueraded. It is administered with SSH from the
Admin LAN.
The Admin Network should be masqueraded to the internet and get full access.
The Internal LAN should also be masqueraded to the internet but only be allowed
to access www, https and ftp.
Only TCP connections from the Admin network to the internal LAN should be
allowed, not from the internal LAN to the Admin network.
No traffic between the internet and the trusted company should be allowed.
The firewall receives all mails and sends them to an internal mail server or
to the internet. It also provides DNS service to its internal/DMZ networks.

external fw interface: eth4
trusted_company interface: eth3
dmz fw interface: eth2
internal fw interface: eth1
admin fw interface: eth0
ip of web server : 10.0.10.2
ip of mail server: 10.0.2.2
ip of Server (for trusted_company): 10.0.2.3
Internal LAN: 10.0.2.0 netmask 255.255.255.0
Admin LAN: 10.0.1.0 netmask 255.255.255.0
Trusted_company LAN: 192.168.1.0 netmask 255.255.255.0

The mail server on the firewall needs to be set up as a forwarder/relayer.
The mail server on the internal network gets the firewall configured as
forwarder/relay.

FW_DEV_EXT="eth3 eth4"
FW_DEV_INT="eth0 eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="10.0.1.0/24 10.0.2.0/24,tcp,21 10.0.2.0/24,tcp,80 \
   10.0.2.0/24,tcp,443" # full access for Admin LAN, www/https/ftp for internal
FW_SERVICES_EXT_TCP="25"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_DMZ_TCP="25 53"
FW_SERVICES_DMZ_UDP="53 514"
FW_SERVICES_INT_TCP="25 53"
FW_SERVICES_INT_UDP="53"
FW_SERVICE_DNS="yes"
FW_FORWARD="10.0.1.0/24,10.0.2.0/24,tcp,1:65535 10.0.1.0/24,10.0.10.2,tcp,22"
FW_FORWARD_MASQ="0/0,10.0.10.2,tcp,80 0/0,10.0.10.2,tcp,443 \
   192.168.1.0/24,10.0.2.3,tcp,22"   # i-net access to web server and trusted
                                     # company access to internal Server
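The FW_FORWARD and FW_FORWARD_MASQ entries in scenarios 4, 5 and 6 all follow the pattern source,destination[,protocol[,port]]: two fields forward everything between the networks (scenario 4), four fields restrict the rule to one protocol and port or port range. Dropping a field by accident therefore widens a rule instead of producing an error. The script below is an added example and not part of SuSEfirewall2; the field layout is inferred from the scenarios in this file, not taken from the firewall script, and the function name explain_forward is mine. It prints each entry in readable form and rejects malformed ones.

```sh
#!/bin/sh
# Added example, not part of SuSEfirewall2: print FW_FORWARD / FW_FORWARD_MASQ
# entries in readable form and reject malformed ones before the file is
# installed. The layout "source,destination[,protocol[,port]]" is the one the
# scenarios in this file use; it is assumed here, not taken from the sources.

# Expand one space-separated list of forward entries. Prints one line per
# entry and returns 1 if any entry is malformed: wrong field count, empty
# source or destination, unknown protocol, bad port, or a port without protocol.
explain_forward() {
    _list="$1"
    _bad=0
    for _entry in $_list; do
        _old_ifs=$IFS
        IFS=','
        set -- $_entry            # split the entry on commas into $1..$4
        IFS=$_old_ifs
        _src=$1; _dst=$2; _proto=$3; _port=$4
        if [ $# -lt 2 ] || [ $# -gt 4 ] || [ -z "$_src" ] || [ -z "$_dst" ]; then
            printf 'MALFORMED %s (need source,destination[,proto[,port]])\n' "$_entry"
            _bad=1; continue
        fi
        case "$_proto" in
            ''|tcp|udp) ;;
            *) printf 'MALFORMED %s (protocol must be tcp or udp)\n' "$_entry"
               _bad=1; continue ;;
        esac
        case "$_port" in
            '') ;;
            *[!0-9:]*) printf 'MALFORMED %s (port must be N or N:M)\n' "$_entry"
                       _bad=1; continue ;;
        esac
        if [ -n "$_port" ] && [ -z "$_proto" ]; then
            printf 'MALFORMED %s (port given without protocol)\n' "$_entry"
            _bad=1; continue
        fi
        # No protocol means the rule covers every protocol, no port every port.
        printf 'allow %s %s -> %s%s\n' "${_proto:-any}" "$_src" "$_dst" "${_port:+ port $_port}"
    done
    return $_bad
}

# Inputs taken from scenarios 4 and 6 above.
FW_FORWARD="192.168.0.0/16,10.0.0.0/16 10.0.0.0/16,192.168.0.0/16"
FW_FORWARD_MASQ="0/0,10.0.10.2,tcp,80 0/0,10.0.10.2,tcp,443 192.168.1.0/24,10.0.2.3,tcp,22"

echo "FW_FORWARD (scenario 4):"
explain_forward "$FW_FORWARD"
echo "FW_FORWARD_MASQ (scenario 6):"
explain_forward "$FW_FORWARD_MASQ"

# A constructed typo: icmp is not a protocol the entry syntax knows.
explain_forward "0/0,10.0.10.2,icmp,80" || echo "config rejected"
```

The readable output is the thing to review before installing: a line reading "allow any" where a port was meant is exactly the widening that a missing comma produces.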
