Some Examples of how the LuciGate Firewall may be used
As an illustration of how the LuciGate Firewall might be used in practice, a hypothetical scenario is shown in the diagram below. This example is also described in the Appendix of the LuciGate User Guide.
It depicts an organisation with a local network that includes a registered subnet, 184.108.40.206 to 220.127.116.11, named LocalNet.
It has an access router (router1) to the Internet, and the LuciGate Firewall (LuciGate 1) has been placed in the usual position to protect the network. There is no significance in the way the IP addresses have been allocated in the example, and the LuciGate itself does not need an IP address. One specially privileged remote host, lucidata, has been identified for the purposes of this example.
Within the subnet the users have different requirements for Internet access, so their access is tailored to those requirements: not so much to limit their capability as to minimise their visibility in the global IP/protocol/port address space.
The users are pure clients, but the network also hosts its own web server, server1, which also acts as a proxy mail server.
Diplomat jrN is a special piece of hardware performing an esoteric control and monitoring function on local equipment; it is monitored and configured remotely from lucidata.
We will use this same scenario to illustrate several common types of configuration. Before we start, however, we must make sure that everything we are going to talk about has been given a mnemonic name in the appropriate mnemonic file. The five mnemonic files relevant to this tutorial are listed below for ease of reference.
Packet types:

'Mnemonic,Packet Type Value in hex,Comment
Ucast,1,All Ethernet Packets with Unicast Addresses
Mcast,2,All Ethernet Packets with Multicast Addresses
Bcast,3,All Ethernet Packets with Broadcast Addresses
IP,800,The IP family of protocols
ARP,806,Address Resolution Protocol
BPDU,42,Bridge Protocol Data Units
XNS,E0,All Xerox derived protocols
SNAP,AA,SNAP Frames like Appletalk

Hosts:

router1,18.104.22.168,,Access router to the Internet
user1,22.214.171.124,,First local client user
user2,126.96.36.199,,Second local client user
user3,188.8.131.52,,Third local client user
jrN,184.108.40.206,,Diplomat jrN Async/TCP convertor
server1,220.127.116.11,,Our local web server
lucidata,18.104.22.168,,Remote friendly site

Networks:

'Mnemonic,Net Address/Mask,Optional Translation,Comment
localnet,22.214.171.124/255.255.255.248,,Local subnet of 8 addresses

Protocols:

'Mnemonic,Protocol Value in decimal,Comment
ICMP,1,Internet Control Management Protocol
TCP,6,Transport Control Protocol
UDP,17,User Datagram Protocol
ARPS,255,Pseudo IP Protocol for ARP
IP47,47,Point to Point Tunneling Protocol

Ports:

'Mnemonic,Lower or only value in decimal,Upper bound if it exists,Comment
FTP1,20,,File Transfer Protocol Interactive
FTP2,21,,File Transfer Protocol Data
Telnet,23,,Terminal Service Port
SMTP,25,,Simple Mail Transport Protocol
DNS,53,,Domain Name Service
HTTP,80,,Hyper text Transfer Protocol
POP3,110,,Post Office Protocol Service
SUNRPC,111,,Sun Remote Procedure Call
jrNServer,1058,,A JRN Service
jrNRemote,12345,,Remote JRN configuration
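As an added example that is not part of the LuciGate documentation, the Python below reads excerpts of the mnemonic files listed above and resolves one flow (source, destination, protocol, destination port) back to the mnemonics a rule would name it by. It assumes that a line beginning with an apostrophe is a header or comment to be skipped, and it uses constructed inline copies of the tables rather than real files.

```python
import ipaddress

# Constructed excerpts of the five mnemonic files listed above. Assumption: a line
# starting with an apostrophe is a header/comment line and is not a mnemonic entry.
PACKET_TYPES = """'Mnemonic,Packet Type Value in hex,Comment
IP,800,The IP family of protocols
ARP,806,Address Resolution Protocol"""
HOSTS = """user1,22.214.171.124,,First local client user
server1,220.127.116.11,,Our local web server"""
NETS = """'Mnemonic,Net Address/Mask,Optional Translation,Comment
localnet,22.214.171.124/255.255.255.248,,Local subnet of 8 addresses"""
PROTOS = """'Mnemonic,Protocol Value in decimal,Comment
TCP,6,Transport Control Protocol
UDP,17,User Datagram Protocol"""
PORTS = """'Mnemonic,Lower or only value in decimal,Upper bound if it exists,Comment
DNS,53,,Domain Name Service
HTTP,80,,Hyper text Transfer Protocol"""

def rows(text):
    """Split a mnemonic file into field lists, skipping apostrophe comment lines."""
    return [line.split(",") for line in text.splitlines() if line and not line.startswith("'")]

def load_values(text, base):
    """Numeric value -> mnemonic; packet types are hex (base 16), protocols decimal."""
    return {int(f[1], base): f[0] for f in rows(text)}

def load_ports(text):
    """Mnemonic -> (low, high); an empty upper bound means a single port."""
    return {f[0]: (int(f[1]), int(f[2] or f[1])) for f in rows(text)}

def name_host(ip, hosts, nets):
    """Prefer an exact host mnemonic, then a containing network mnemonic, else the bare IP."""
    if ip in hosts:
        return hosts[ip]
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in nets.items() if addr in net), ip)

def name_port(port, ports):
    return next((name for name, (lo, hi) in ports.items() if lo <= port <= hi), str(port))

def describe(src, dst, proto, dport):
    """Render one flow as the mnemonics a LuciGate rule would use for it."""
    hosts = {f[1]: f[0] for f in rows(HOSTS)}
    nets = {f[0]: ipaddress.ip_network(f[1], strict=False) for f in rows(NETS)}
    protos = load_values(PROTOS, 10)
    ports = load_ports(PORTS)
    return (name_host(src, hosts, nets), name_host(dst, hosts, nets),
            protos.get(proto, str(proto)), name_port(dport, ports))
```

A host that has no entry of its own but falls inside localnet's /29 is reported as localnet, which is how an unlisted local address would be matched by a network rule.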
These pages were last updated January 2008