Configuration of Gibraltar as gateway to the Internet with a DMZ (demilitarized zone). A webserver and a mailserver are located in the DMZ, separated from the internal network by the firewall.
The firewall needs three network interfaces with the following names:
• | ext0 for the connection to the Internet |
• | int0 for the internal network |
• | dmz0 for the DMZ |

System Requirements
Computer with three compatible network interface cards or a Gibraltar Security Gateway. Broadband Internet connection.
Note: All stated values are only examples. You have to adapt these values to your individual needs.
Installation of Gibraltar
Please install Gibraltar as described in chapter Installation.
System configuration
System configuration as described in Scenario 1.
Network settings - Network interface cards
1. | Choose Network in the main menu. |
2. | Choose the tab of the interface eth0. |
3. | Interface: Enter the desired name of the network interface card in this text field (e.g. "ext0" for the network interface card to the Internet). |
4. | Start automatically: Mark this checkbox to start the network interface automatically when Gibraltar boots. |
5. | IP address: Choose the option field static to assign the IP address of this network interface statically. |
6. | Static IPs: Change the IP address in the text field IP address/netmask to the IP address you intend for Gibraltar, in CIDR notation (e.g. 80.50.30.50/24, the public address assigned by your provider). |
7. | Save: Confirm your changes by clicking the button Save. |
8. | Choose the tab of the interface eth1. |
9. | Interface: Enter the desired name of this network interface in this text field (e.g. "int0" for the network interface to the internal network). |
10. | Start automatically: Mark this checkbox to start the network interface card automatically when Gibraltar boots. |
11. | IP address: Choose the option field static to assign the IP address of this network interface card statically. |
12. | Static IPs: Change the IP address in the text field IP address/netmask to the IP address you intend for Gibraltar, in CIDR notation (e.g. 192.168.1.1/24). |
13. | Save: Confirm your changes by clicking the button Save. |
14. | Choose the tab of the interface eth2. |
15. | Interface: Enter the desired name of this network interface in this text field (e.g. "dmz0" for the network interface to the DMZ). |
16. | Start automatically: Mark this checkbox to start the network interface card automatically when Gibraltar boots. |
17. | IP address: Choose the option field static to assign the IP address of this network interface card statically. |
18. | Static IPs: Change the IP address in the text field IP address/netmask to the IP address you intend for Gibraltar, in CIDR notation (e.g. 192.168.0.1/24). |
19. | Save: Confirm your changes by clicking the button Save. |
Now the internal network uses the address range 192.168.1.0/24 and the DMZ uses the address range 192.168.0.0/24. Next, configure the routing so that the Internet and the DMZ can be reached via the firewall.
ATTENTION: Changing the IP address of the network card through which you access Gibraltar interrupts the connection. Adapt the IP address of your workstation accordingly and reconnect to the new address.
Network settings - Routing
1. | Choose Network in the main menu. |
2. | Choose the tab Routing. |
3. | Default route: Enter the default gateway you received from your provider in this text field. All packets that are not destined for a directly connected network (the internal network or the DMZ) will be forwarded to this IP address. |
4. | Save: Confirm your changes by clicking the button Save. |
Now the filter rules have to be set so that packets are allowed through to the Internet or to the servers. The default policy is that no traffic passes the firewall; only packets that you allow explicitly get through. We want to allow traffic from the internal network to the Internet. Our employees should also be able to fetch their e-mails from the mailserver in the DMZ via POP3, and they are allowed to use the webserver.
Firewall rules
1. | Choose Firewall in the main menu. |
2. | Choose the tab Firewall rules. |
3. | Incoming: Choose the value "int0" from this select box. |
4. | Outgoing: Choose the value "ext0" from this select box. |
5. | Go!: Click this button to show the rules for packets that take the way "int0 -> ext0". |
6. | Add rule: Click this button to add a new rule that allows packets from the internal network to the Internet. The browser will redirect you to a detail form. |
7. | Service: Choose ANY from the select box. |
8. | Source: Choose ANY from the selection box to allow all source addresses. |
9. | Destination: Choose ANY from the selection box to allow all destination addresses. |
10. | Save: Keep the default settings of the rule to allow all packets from the internal network to the Internet. Click the button Save. |
11. | Incoming: Leave the value of the incoming interface at "int0". |
12. | Outgoing: Choose the value "dmz0" from this select box. |
13. | Go!: Click this button to show the rules for packets that take the way "int0 -> dmz0". |
14. | Add Rule: Click this button to add a new rule that allows packets from "int0" to "dmz0". |
15. | Service: Choose the value "pop3". |
16. | Source: Choose ANY from the selection box to allow all source addresses. |
17. | Destination: Choose ANY from the selection box to allow all destination addresses. |
18. | Save: Leave all other fields of the detail form at their default settings and click the button Save. |
19. | Add another rule: Click this button to add a further rule. |
20. | Service: Choose the value "http". |
21. | Source: Choose ANY from the selection box to allow all source addresses. |
22. | Destination: Choose ANY from the selection box to allow all destination addresses. |
23. | Save: Confirm your changes by clicking the button Save. Now you can fetch your mails from the mailserver in the DMZ from the internal network and also access the webserver in the DMZ. |
Note: The two rules above use ANY for source and destination. If the DMZ contains only the one mailserver and the one webserver, you can tighten them by entering 192.168.1.0/24 as source and the respective server address as destination, so that the internal network cannot reach other DMZ hosts on these ports.
The firewall acts as a mail relay that forwards incoming mails via SMTP to the mailserver in the DMZ. Therefore SMTP packets from the Internet to the firewall itself have to be allowed.
1. | Choose Firewall in the main menu. |
2. | Choose the tab Firewall rules. |
3. | Incoming: Choose "ext0" as incoming interface. |
4. | Outgoing: Choose "local" as outgoing interface. |
5. | Go!: Click this button to show the rules for packets that come from outside ("ext0") to the firewall itself ("local"). |
6. | Add Rule: Click this button to add a new rule. The browser will redirect you to a detail form. |
7. | Service: Choose the value "smtp". |
8. | Source: Choose ANY from the selection box to allow all source addresses. |
9. | Destination: Choose ANY from the selection box to allow all destination addresses. |
10. | Target: This selection box keeps its value ("ACCEPT"). |
11. | Save: Confirm your changes by clicking the button Save. |
To send e-mails via Gibraltar, the SMTP port of the firewall also has to be reachable from the internal network.
Repeat the previous operation with the incoming interface "int0" and the outgoing interface "local". Additionally, restrict the source to the addresses of the internal network by entering 192.168.1.0/24 in the text field Source IP address.
DNS requests to the local DNS server on Gibraltar should also be possible. Add a rule for the incoming interface "int0" and the outgoing interface "local", as well as one for the incoming interface "dmz0" and the outgoing interface "local", that allows packets for the service "dns".
The mail server in the DMZ sends outgoing e-mails to the SMTP server on Gibraltar, so you also have to add a rule from the incoming interface "dmz0" to the outgoing interface "local" that allows TCP packets for the service "smtp".
Private addresses such as 192.168.1.0/24 are not routed on the Internet. For packets from the internal network to be answered, their source addresses have to be rewritten to the public IP address of the firewall when they leave via "ext0" (NAT, source address translation).
Requests to the HTTP port (80) of the firewall's public address also have to be forwarded to the webserver in the DMZ. Both settings are made in the NAT module.
NAT - rules
1. | Choose NAT in the main menu. |
2. | Choose the tab NAT rules. |
3. | Track: Choose "outgoing ext0" from this select box, because all packets that leave the firewall via "ext0" have to be masqueraded with the public IP address. |
4. | Add rule: Click this button to add a NAT rule. The browser will redirect to a detail form. |
5. | Source IP address: Enter the value 192.168.1.0/24 because all packets that come from the internal network and leave the firewall via "ext0" have to be masqueraded with a new source IP address. |
6. | Target: Leave the value "SNAT" in this select box, because the source IP address is to be replaced by the fixed public IP address of the firewall. |
7. | --to: Enter the new source IP address (in our case: 80.50.30.50). |
8. | Save: Confirm your changes by clicking the button Save. |
Repeat this operation for the source IP address 192.168.0.0/24, because packets from the DMZ also have to be masqueraded.
To forward requests arriving at port 80 of the firewall to the webserver in the DMZ, make the following settings:
1. | Choose NAT in the main menu. |
2. | Choose the tab NAT rules. |
3. | Track: Choose "incoming ext0" from this select box, because the requests arrive on "ext0" and their destination address is to be rewritten before routing. |
4. | Add rule: Click this button to add a new NAT rule. The browser will redirect to a detail form. |
5. | Dest. IP address: Enter the value 80.50.30.50 in this text field, because the requests arrive at the public IP address of the firewall. |
6. | Service: Choose the value "http" from the selection box. |
7. | Target: Leave the value "DNAT" because the destination address has to be changed. |
8. | --to: Enter the new destination IP (in our case: 192.168.0.3). |
9. | Save: Confirm your changes by clicking the button Save. |
Now the destination IP address of HTTP packets arriving from the Internet is rewritten to the address of the webserver (192.168.0.3) before the packet filter sees them. For the packets to actually reach the webserver, a packet filter rule in the module Firewall is needed that allows HTTP packets from outside into the DMZ. Because the address translation happens first, this rule matches on the webserver's DMZ address, not on the public address.
1. | Choose Firewall in the main menu. |
2. | Choose the tab Firewall rules. |
3. | Incoming: Choose the value "ext0" from this select box. |
4. | Outgoing: Choose the value "dmz0" from this select box. |
5. | Go!: Click this button to show the rules for packets that go the way "ext0" -> "dmz0". |
6. | Add Rule: Click this button to add a new rule. The browser will redirect to a detail form where you can configure the rule. |
7. | Dest. IP address: Enter the IP address of the webserver in this text field (192.168.0.3). |
8. | Service: Choose the value "http". |
9. | Target: Leave the value "ACCEPT". |
10. | Save: Confirm your changes by clicking the button Save. |
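The firewall and NAT steps above, rendered as the equivalent plain iptables rule set. This is an added example and not code from the Gibraltar project or the rule set its GUI generates; it assumes that Gibraltar builds on Linux netfilter/iptables and that reply packets are matched statefully (the two ESTABLISHED,RELATED rules), neither of which the page states. Interface names, addresses and services are the page's example values. The int0 -> dmz0 rules are tightened here to the respective server addresses, which the page leaves at ANY. Setting IPT=echo prints the commands instead of executing them.

```shell
#!/bin/sh
# Equivalent iptables rule set for the DMZ scenario. Added example, not the
# rule set Gibraltar generates. Assumptions (not from the page): Gibraltar is
# built on Linux netfilter/iptables, and replies are matched statefully.
# Dry run, prints the commands without touching the kernel:
#   IPT=echo sh dmz-rules.sh --apply

EXT=ext0;  INT=int0;  DMZ=dmz0           # interface names from the page
PUBLIC_IP=80.50.30.50                    # public address on ext0
INT_NET=192.168.1.0/24                   # internal network
DMZ_NET=192.168.0.0/24                   # DMZ
WEB=192.168.0.3                          # webserver in the DMZ
MAIL=192.168.0.2                         # mailserver in the DMZ

# Wrapper so the commands can be printed instead of executed (IPT=echo).
ipt() { "${IPT:-iptables}" "$@"; }

apply_rules() {
    ipt -F
    ipt -t nat -F
    # Replies to connections allowed in one direction (assumption, see above).
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # Default policy: nothing passes the firewall unless allowed explicitly.
    ipt -P INPUT   DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT  ACCEPT

    # int0 -> ext0: service ANY, source ANY, destination ANY
    ipt -A FORWARD -i "$INT" -o "$EXT" -j ACCEPT
    # int0 -> dmz0: pop3 and http. The page allows any destination; here the
    # destination is restricted to the server that actually offers the service.
    ipt -A FORWARD -i "$INT" -o "$DMZ" -s "$INT_NET" -d "$MAIL" -p tcp --dport 110 -j ACCEPT
    ipt -A FORWARD -i "$INT" -o "$DMZ" -s "$INT_NET" -d "$WEB"  -p tcp --dport 80  -j ACCEPT

    # ext0 -> local: smtp (the firewall is the mail relay)
    ipt -A INPUT -i "$EXT" -p tcp --dport 25 -j ACCEPT
    # int0 -> local: smtp from the internal network only, plus dns
    ipt -A INPUT -i "$INT" -s "$INT_NET" -p tcp --dport 25 -j ACCEPT
    ipt -A INPUT -i "$INT" -s "$INT_NET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INT" -s "$INT_NET" -p tcp --dport 53 -j ACCEPT
    # dmz0 -> local: smtp (outgoing mail from the mailserver) and dns
    ipt -A INPUT -i "$DMZ" -s "$DMZ_NET" -p tcp --dport 25 -j ACCEPT
    ipt -A INPUT -i "$DMZ" -s "$DMZ_NET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$DMZ" -s "$DMZ_NET" -p tcp --dport 53 -j ACCEPT
    # Administrative access to the firewall's own GUI from int0 is not in the
    # page's rule list. It has to be allowed as well, or the DROP policy locks
    # you out; the GUI port is not stated on the page, so no rule is given here.

    # NAT, track "outgoing ext0": SNAT internal and DMZ sources to the public IP
    ipt -t nat -A POSTROUTING -o "$EXT" -s "$INT_NET" -j SNAT --to-source "$PUBLIC_IP"
    ipt -t nat -A POSTROUTING -o "$EXT" -s "$DMZ_NET" -j SNAT --to-source "$PUBLIC_IP"
    # NAT, track "incoming ext0": DNAT http on the public IP to the webserver
    ipt -t nat -A PREROUTING -i "$EXT" -d "$PUBLIC_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
    # ext0 -> dmz0 filter rule: DNAT runs before filtering, so the packet
    # already carries the webserver address when the FORWARD chain sees it.
    ipt -A FORWARD -i "$EXT" -o "$DMZ" -d "$WEB" -p tcp --dport 80 -j ACCEPT
}

# Number of -A rules a dry run produces; a quick sanity check after edits.
rule_count() { ( IPT=echo; apply_rules ) | grep -c -- '-A '; }

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

The ESTABLISHED,RELATED rules are what lets the single-direction rules on the page work at all: the page configures only the initiating direction (int0 -> ext0, ext0 -> local, ...), so something must admit the replies. If your installation does not do this implicitly, the rules above make it explicit. Note that the policy is set to DROP after the stateful rules are in place, so an administrator's existing session survives the reload.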
Configuration of the mail relaying
The mail relay receives e-mails from the Internet and forwards them to your mail server in the DMZ. The mail server therefore does not have to be reachable directly from the Internet, which reduces its exposure to attacks. To forward incoming e-mails to the mail server, proceed as follows:
1. | Choose Mail in the main menu. |
2. | Choose the tab Relay incoming. |
3. | Managed Domains: Enter the domains whose mail your mail servers handle in this element group. |
4. | Add server: Click this button to add a server to this list. |
5. | Domain: Enter the name of the domain you want to administrate in this text field (e.g. "esys.at"). |
6. | Mailserver IP address: Enter the IP address of the mail server that manages the mails for the stated domain (e.g. 192.168.0.2). |
7. | Save: Confirm your changes by clicking the button Save. |
8. | Choose the tab General settings. |
9. | Activate virus and spam checks: Activate this option to check your e-mails for viruses and spam. |
10. | Scan e-mails for: Activate the domain you want to check for viruses and spam. |
11. | Save: Confirm your changes by clicking the button Save. |
To adjust the settings for relaying outgoing mail, proceed as follows:
1. | Choose Mail in the main menu. |
2. | Choose the tab Relay outgoing. |
3. | Local networks: Click the button Add network address to add a new network address. Only hosts in the networks of this list may send e-mails through the relay. Keep the preset entry 127.0.0.1/8, because Gibraltar itself also sends e-mails to the administrator. Do not add networks you do not control, and never 0.0.0.0/0: every listed network may relay mail to any destination, and a relay that is open to the Internet will be abused for spam and blacklisted. |
4. | Network address: Enter the value 192.168.1.0/24 to allow your clients in the internal network to send e-mails. Also enter the value 192.168.0.0/24, because e-mails are sent from the DMZ as well. |
5. | Save: Confirm your changes by clicking the button Save. |
Save config
1. | Save your configuration to a USB stick or to the hard disk. |