Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
04-12-2006, 08:49 PM  #1
LQ Newbie
Registered: Apr 2006
Posts: 2
Firewall Configuration Help
Scenario: I work at a local computer sales/repair company that is also an internet service provider. We currently have a firewall protecting our internal network from the outside world. I need to be able to plug our computer repair customers into our network (for internet updates, etc.) while protecting our clients' computers from the outside world as well as protecting our network from the customers' adware, spyware, virus-infested computers. My thought was to put in an internal firewall and plug the customer computers into that; however, in my mind that would protect the customers' PCs from our network, not our network from the customer PCs. Any advice on how to handle this would be appreciated..
04-12-2006, 09:40 PM  #2
Member
Registered: Mar 2006
Location: Singapore
Distribution: RHEL, CentOS
Posts: 132
suggest
hi,
I really do not understand your idea.
novice

04-12-2006, 09:47 PM  #3
Member
Registered: Jun 2005
Location: Indiana, USA
Distribution: OpenBSD, Ubuntu
Posts: 892
Putting in another firewall would work fine. Keep in mind they operate just as well in both directions as they do in only a single direction. Ideally, you could do something like:
INTERNET
----------------------- Firewall 0
WEB SERVER
MAIL SERVER
----------------------- Firewall 1
TRUSTED NETWORK
----------------------- Firewall 2
CLIENT MACHINE
Firewall 0 would allow in ports 25 (SMTP), 80 (HTTP), and 443 (HTTPS), and everything out. Firewall 1 would allow nothing in, and everything out. Firewall 2 would allow nothing in, and out only to port 80 (HTTP) not bound for a local network (i.e. !192.168.0.0/16, or whatever address grouping you're using). This is pretty restrictive to those client machines, which can only access non-local servers listening on port 80. And it's also really flexible for your trusted network, which can send anything out, but won't get anything pushed into it.
The real configuration will take more work (since you'll probably have to play with NAT, etc.) but at least it's conceptually fairly easy to manage.
04-12-2006, 10:03 PM  #4
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
is your current firewall a linux box?? cuz if so, you don't need to add another firewall to do this... you just need to add another network card to your current firewall...
04-13-2006, 05:26 AM  #5
LQ Newbie
Registered: Apr 2006
Posts: 2
Original Poster
Quote:
Originally Posted by taylor_venable
Keep in mind they operate just as well in both directions as they do in only a single direction. Ideally, you could do something like:
INTERNET
----------------------- Firewall 0
WEB SERVER
MAIL SERVER
----------------------- Firewall 1
TRUSTED NETWORK
----------------------- Firewall 2
CLIENT MACHINE
Firewall 2 would allow nothing in, and out only to port 80 (HTTP) not bound for a local network (i.e. !192.168.0.0/16, or whatever address grouping you're using). This is pretty restrictive to those client machines, which can only access non-local servers listening on port 80. And it's also really flexible for your trusted network, which can send anything out, but won't get anything pushed into it.
Thank you taylor_venable, this is exactly what I was looking for.
Sorry for my poor description. I type as I think, erratic and usually only I can understand it.
04-14-2006, 12:41 AM  #6
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
IMHO it's kinda weird that one would choose to add another firewall in order to achieve an inferior result (more complex management and lower security) compared to what one would get by simply adding one or two zones to the current firewall... then again, i don't even know if you have the ability to add another zone, as you completely ignored my question... hehe...
BTW, one of the linux firewalls i manage is set to serve very similar functionality to what you are trying to achieve - it's a basic iptables firewall with 4 network interfaces... each interface is a zone: eth0 is the Internet, eth1 is LAN #1, eth2 is LAN #2, and eth3 is the DMZ... all of the internal networks are completely firewalled from each other (this is in stark contrast to using a separate firewall with a ! 192.168.0.0/16 rule on it)...
it's kinda curious actually, cuz the guy i installed the firewall for originally also thought he would have to use multiple firewalls for the setup he had in mind... it was a pleasant surprise for him when he realized that wasn't the case...
anyways, to each his own... good luck...
Last edited by win32sux; 04-14-2006 at 12:46 AM.
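As an added example (not posted by anyone in this thread), here is what the single-box, interface-per-zone layout win32sux describes looks like when it enforces the Firewall 0/1/2 policy from taylor_venable's diagram: the customer bench gets only outbound HTTP to non-local addresses, the trusted LAN gets everything out and nothing new in, and the DMZ accepts only 25, 80 and 443 from the Internet. The interface names, the 192.168.0.0/16 range and the use of conntrack are assumptions; the script only prints the ruleset so it can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not from the thread: one Linux firewall with an interface
# per zone (win32sux's layout) enforcing taylor_venable's three-tier policy.
# Interface names and the private range are assumptions; adjust to your site.
WAN=eth0      # Internet
LAN=eth1      # trusted network
BENCH=eth2    # customers' repair machines
DMZ=eth3      # web and mail servers
LOCAL_NETS=192.168.0.0/16

# Print the ruleset in iptables-restore format. Check it without loading:
#   zone_ruleset | iptables-restore --test
# Load it:
#   zone_ruleset | iptables-restore
zone_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# replies flow back for any connection that one of the rules below allowed
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Firewall 0: the Internet may open connections to the DMZ on 25, 80, 443 only
-A FORWARD -i $WAN -o $DMZ -p tcp -m multiport --dports 25,80,443 -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -j ACCEPT
# Firewall 1: the trusted LAN may open anything outward; nothing new comes in
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -j ACCEPT
# Firewall 2: the bench may only open HTTP to addresses outside the local range
-A FORWARD -i $BENCH -o $WAN -p tcp --dport 80 ! -d $LOCAL_NETS -j ACCEPT
# every other zone pair (bench->LAN, bench->DMZ, DMZ->LAN, ...) hits the DROP
# policy; log a sample of it so infected bench machines show up in syslog
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "zone-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}
```

Port 80 alone gives the bench no name resolution, so the "internet updates" the original post wants will fail until a rule for DNS to whichever resolver you run is added in the same style.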