This feature is one of the most important parts of Endian Firewall and most probably the reason you use a firewall at all. Endian Firewall uses a standard netfilter firewall and creates its firewall rules using iptables. Basically, Endian Firewall is configured in such a way that the firewall itself is the only point of contact seen from the outside, that is, from the internet. Public IP addresses can be assigned only to the RED interface, so a connection attempt from the internet to one of your public IP addresses will reach only the RED interface of the firewall and cannot pass beyond it, since the use of NAT makes this technically impossible. Routing of public IP addresses to a zone behind the firewall is prevented, since this would circumvent the firewall rules.

Figure 6.2. Diagram of flow control and its configuration possibilities

Unless configured otherwise, the firewall's default settings block all traffic coming from the outside. By default, traffic from the GREEN zone is allowed to pass to each of the other zones (BLUE and ORANGE), since GREEN is the trusted network, but for each pass from one zone to another NAT is performed to obscure the real source address and, by doing this, hide all information about the network configuration of the GREEN zone. On the other hand, no access from any of the other zones is granted to anywhere by default. The only exception is access to the RED interface, the internet, but even there only some standard services (HTTP, FTP, SMTP, DNS) are allowed by default when accessing from the GREEN zone, and only DNS when accessing from the BLUE and ORANGE zones.

Of course, Endian Firewall gives you the possibility to relax these strict restrictions and lets you define access rules between the zones. In order to allow access to RED, the internet, you have to configure this in the Outgoing Firewall submenu. If you need to give access from the outside to the firewall itself, you need to create rules in the External Access menu. Access from BLUE to GREEN and from ORANGE to GREEN or BLUE is arranged by Zone pinholes.

If you have servers in the DMZ (ORANGE) and need to allow access to them from the internet, you can create a port forwarding rule. You may flexibly forward different ports of the same IP address to different servers within the DMZ, or different ports of different IP addresses to the same server, just as you wish.
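To make the zone model above concrete, the following added script maps the default policy (block from outside, GREEN to BLUE/ORANGE with NAT, HTTP/FTP/SMTP/DNS from GREEN to RED, DNS only from BLUE/ORANGE) and one DMZ port forward onto plain iptables commands. It is an illustration written for this page, not the rule set Endian Firewall generates; the interface names, the public address and the DMZ server address are constructed assumptions.

```shell
#!/bin/sh
# Constructed assumptions: bridge/ethernet names and addresses are examples only.
GREEN_IF=br0; BLUE_IF=br1; ORANGE_IF=br2; RED_IF=eth0
RED_PUBLIC=198.51.100.5   # constructed: a public IP bound to RED
DMZ_WEB=192.0.2.10        # constructed: a web server in ORANGE (the DMZ)

# Prints the rules instead of applying them; review, then pipe into sh as root.
zone_rules() {
    # Default deny: nothing reaches the firewall or crosses it unless allowed below.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Trusted GREEN may reach BLUE and ORANGE; MASQUERADE hides GREEN's real sources.
    for zone in "$BLUE_IF" "$ORANGE_IF"; do
        echo "iptables -A FORWARD -i $GREEN_IF -o $zone -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -i $GREEN_IF -o $zone -j MASQUERADE" | sed 's/ -i [^ ]*//'
    done

    # Outgoing to RED: GREEN gets HTTP, FTP (control channel), SMTP and DNS.
    for port in 80 21 25 53; do
        echo "iptables -A FORWARD -i $GREEN_IF -o $RED_IF -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $GREEN_IF -o $RED_IF -p udp --dport 53 -j ACCEPT"

    # BLUE and ORANGE get DNS only.
    for zone in "$BLUE_IF" "$ORANGE_IF"; do
        echo "iptables -A FORWARD -i $zone -o $RED_IF -p udp --dport 53 -j ACCEPT"
        echo "iptables -A FORWARD -i $zone -o $RED_IF -p tcp --dport 53 -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $RED_IF -j MASQUERADE"

    # Port forwarding: HTTPS arriving on the public IP is DNATed to the DMZ server,
    # and only that rewritten flow is allowed to cross from RED into ORANGE.
    echo "iptables -t nat -A PREROUTING -i $RED_IF -d $RED_PUBLIC -p tcp --dport 443 -j DNAT --to-destination $DMZ_WEB:443"
    echo "iptables -A FORWARD -i $RED_IF -o $ORANGE_IF -d $DMZ_WEB -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
}

zone_rules
```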