I'd like to switch from private-IPv4-subnet-behind-NAT to IPv6, but of course I have no intention of exposing my users' workstations "unprotected" to the net.
Some obvious points up-front:
- Allow access to provided services
- Deny access to workstations
Is there a recommended firewall setup guideline that talks about the details and experiences with such setups?
Best Answer
The advice is largely unchanged from public-IPv4-subnet-behind-Firewall setups that we've had in the .EDU space since the beginning of the commercial Internet. Since early .EDU subnet allocations were rather generous (my old work has an IPv4 /16 allocation, and I know of another institution our size that has a /16 and another /18 for good measure), these institutions have deep experience protecting publicly routable IP addresses behind firewalls. Heck, that setup was what the original IP creators had in mind.
The principles (from memory):
A short list, I know. But the basic firewall principle going back 20 years is the same: allow access only to those IP:port combinations you want to permit, deny everything else.
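The principle in the answer above (allow only the address:port combinations you provide, deny everything else, and let workstations initiate but never receive connections) as a concrete default-deny IPv6 ruleset for a border router. This is an added example, not part of the original question or answer; the prefixes, the server addresses and the port list are constructed, and only the forward chain is shown (the router's own input chain needs its own policy).

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny IPv6 forwarding on a border router.
# Constructed values: 2001:db8:1234::/48 is the site prefix,
# 2001:db8:1234:10::/64 the workstation LAN, and two hosts provide services.
flush ruleset

define site_prefix  = 2001:db8:1234::/48
define workstations = 2001:db8:1234:10::/64
define web_server   = 2001:db8:1234:1::80
define mail_server  = 2001:db8:1234:1::25

table ip6 border {
    chain forward {
        # Chain policy is drop: anything not explicitly accepted below is denied.
        type filter hook forward priority 0; policy drop;

        # Reply traffic for connections that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional in IPv6: these error messages carry PMTU
        # discovery across the router (NDP is link-local and never reaches
        # the forward hook, so it needs no rule here). Echo is rate-limited.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # Workstations may initiate outbound connections; nothing may reach
        # them from outside because no rule accepts traffic to that /64.
        ip6 saddr $workstations ip6 daddr != $site_prefix accept

        # Provided services: only the listed address:port combinations.
        ip6 daddr $web_server  tcp dport { 80, 443 } accept
        ip6 daddr $mail_server tcp dport { 25, 465, 587 } accept

        # Everything else falls through to the drop policy; count and log it
        # so blocked attempts are visible to monitoring.
        counter log prefix "ip6-fwd-drop: " level info
    }
}
```

Load it with `nft -f` and check the live rules with `nft list ruleset`; the counter on the final log rule is a quick way to confirm that unsolicited inbound traffic to the workstation /64 is in fact being dropped.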