--- /dev/null
+internal vlans to outside world
+-------------------------------
+
+* All internal machines to be able to initiate, to external sites
+ - http, https, git
+ with NAT.
+
+* Incoming HTTP to be redirected (static port/addr NAT, probably)
+ to the webserver VM
+
+
+internal firewall between infra and test vlans
+----------------------------------------------
+
+* No restriction on packets from infra vlan to test vlan.
+
+* Each infra VM to have the services it provides exposed to test
+ boxes, by port number (ie, packets from test to infra vlan with
+ proper destination address and port to be passed).
+
+ See VM list for list of services. Not evident from VM list is that:
+ * infra VM will be supplying a dhcp leases file service on
+ 5556/tcp
+ * serial VM will be offering ssh internally.
+
+* ICMP should be deny-default but the following subtypes need to
+ be passed:
+ echo-reply destination-unreachable source-quench \
+ echo-request time-exceeded parameter-problem \
+ timestamp-request timestamp-reply address-mask-request
+
+* No connection tracking:
+
+ UDP packets from test vlan to infra vlan filtered based only only
+ destination port number.
+
+ TCP packets from test vlan to infra vlan permitted if not a
+ connection initiation packet ("! --syn" as iptables puts it)
+ or if destination port number is permitted.
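Review bot: the stateless TCP rule in the last bullet ("! --syn") lets every non-SYN segment from the test vlan reach every infra port, so the infra VMs' own TCP stacks, not the firewall, are what reject stray ACK/FIN/RST traffic; that trade-off is worth stating explicitly under "No connection tracking". Note also that iptables' `--syn` is shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`, so a segment with SYN plus FIN (or SYN plus RST) does not match `--syn` and would be passed by the `! --syn` rule; if the intent is "anything that could open a connection must hit a permitted port", a match on `--tcp-flags SYN,ACK SYN` is the safer way to express it. The ICMP list includes `source-quench`, which RFC 6633 deprecates and modern hosts ignore; dropping it from the allow-list would be harmless. Minor: "filtered based only only destination port number" in the UDP bullet should read "based only on destination port number".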