sun-cluster.isba

     File: /home/pierre/isba/dev/samples/sun-cluster.isba
     Date: Sun Nov 18 07:06:29 MET 2001
     User: pierre

Ipf rules





local processes: let all pass
 
block all packets with IP options
block too shorts packets
to avoid log pollution

inbound traffic on public interface:
default block
anti-spoofing
SSH serveur
ftp:     active FTP server, 1/2
wu-pasv: passive FTP serveur (port data)
         and configure wu-ftpd
WWW servers
Netscape admin server
Sybase server

RIP
 
entree protocole 2 (RIP?)
ping, ping-reply: allowed
(no logging)
time exceeded, unreachable:
allowed (with logging)

let RPC in from the other node
(scconf/logical host declarations)
java application: ClusterManager
java application: ClusterManager
open TCP high ports in
from the other node
smtp for Lyris
mailing list
Patrol communications

don't return a 'port-unr' packet
to a poor guy asking for a route
other UDP ports: return a 'port unreachable'
packet to avoid a timeout
other TCP ports: return a Reset packet
to avoid a timeout

default block
SSH client
DNS/tcp client
DNS/udp client
HTTP client
sendmail client
NTP client
ADSM backup client
uncrypted X11 client
FTP client: passive ftp 1/1,
and active ftp 1/2
(see NAT for the 2/2)
active FTP serveur 2/2:
open port 20 outbound
Sybase server
Patrol communications
 

RIP
let protocol 2 out (gated)
ping, ping-reply: ok (no logging)
time exceeded, unreachable: ok
(with logging)
let RPC out to other node
(scconf/logical host declarations)
java application: ClusterManager
java application: ClusterManager
open high ports out to other node
let Reset packets out
(for denied TCP connections)

default block
let RPC in
let UDP/603 in (smad)
these ports are used during
a cluster reconfiguration
these ports are used during
a cluster reconfiguration
java application: ClusterManager
java application: ClusterManager
open high ports out to other node

ping, ping-reply: autorises

default block
let RPC out
let UDP/603 out (smad)
these ports are used during
a cluster reconfiguration
these ports are used during
a cluster reconfiguration
java application: ClusterManager
java application: ClusterManager
open high ports out to other node

ping and reply allowed


#	Action	Opts	Intf	From	To	Service	Misc	Group	Comment
	sun-cluster.isba: ruleset for a 2-nodes Sun Cluster: nickel and chrome
	#include-objects include/all-hosts
	LOCALHOST TRAFFIC AND GENERAL RULES
1	pass out	quick	lo0						local processes: let all pass
2	pass in	quick	lo0
3	block in	log body quick					with ipopts		block all packets with IP options
4	block in	log body quick					with short		block too shorts packets
5	block in	quick				polluting-ports			to avoid log pollution
	PUBLIC INTERFACES: INBOUND TRAFFIC (group 10)
6	block in	log	ifpubs					head 10	inbound traffic on public interface: default block
7	block in	log quick		spoofed-addr				group 10	anti-spoofing
8	pass in	log first quick			all-clust-ip	ssh	flags S keep state keep frags	group 10	SSH serveur
9	pass in	quick		allow-ftp-from	all-clust-ip	ftp wu-pasv	flags S keep state keep frags	group 10	ftp: active FTP server, 1/2 wu-pasv: passive FTP serveur (port data) and configure wu-ftpd
10	pass in	quick		allow-www-from	all-clust-ip	www	flags S keep state keep frags	group 10	WWW servers
11	pass in	quick		allow-www-from	all-clust-ip	www-admin	flags S keep state keep frags	group 10	Netscape admin server
12	pass in	quick			isis	sybase		group 10	Sybase server

13	pass in	quick		servers-rip	multicast	route		group 10	RIP
14	pass in	quick		hispubip	multicast	icmp-ping		group 10
15	pass in	log quick				proto-2		group 10	entree protocole 2 (RIP?)
16	pass in	quick			all-clust-ip	icmp-ping		group 10	ping, ping-reply: allowed (no logging)
17	pass in	log quick			all-clust-ip	icmp-other		group 10	time exceeded, unreachable: allowed (with logging)

18	pass in	log quick		hispubip	mypubip	sunrpc	keep state	group 10	let RPC in from the other node (scconf/logical host declarations)
19	pass in	quick		hispubip	mypubip	scmgr		group 10	java application: ClusterManager
20	pass in	quick		hispubip	mypubip		srcport scmgr	group 10	java application: ClusterManager
21	pass in	quick		hispubip	mypubip	tcp-high-ports		group 10	open TCP high ports in from the other node
22	pass in	quick		servers-smtp	lyris	smtp	flags S keep state keep frags	group 10	smtp for Lyris mailing list
23	pass in	quick		patrol-hosts	all-clust-ip	patrol		group 10	Patrol communications

24	block in	quick			dmz1-servers	route		group 10	don't return a 'port-unr' packet to a poor guy asking for a route
25	block in return-icmp	log quick				proto-udp		group 10	other UDP ports: return a 'port unreachable' packet to avoid a timeout
26	block in return-rst	log quick				proto-tcp	flags S	group 10	other TCP ports: return a Reset packet to avoid a timeout
	PUBLIC INTERFACES: OUTBOUND TRAFFIC (group 20)
27	block out	log	ifpubs					head 20	default block
28	pass out	log first quick				ssh	flags S keep state keep frags	group 20	SSH client
29	pass out	quick			servers-dns	dns-tcp	flags S keep state keep frags	group 20	DNS/tcp client
30	pass out	quick			servers-dns	dns-udp	keep state	group 20	DNS/udp client
31	pass out	quick				www	flags S keep state keep frags	group 20	HTTP client
32	pass out	log first quick			servers-smtp	smtp	flags S keep state keep frags	group 20	sendmail client
33	pass out	quick			servers-ntp	ntp	keep state	group 20	NTP client
34	pass out	log first quick			servers-adsm	adsm	flags S keep state keep frags	group 20	ADSM backup client
35	pass out	log first quick			allow-X11-to	X11	flags S keep state keep frags	group 20	uncrypted X11 client
36	pass out	quick				ftp	flags S keep state keep frags	group 20	FTP client: passive ftp 1/1, and active ftp 1/2 (see NAT for the 2/2)
37	pass out	quick					srcport ftp-data flags S keep state keep frags	group 20	active FTP serveur 2/2: open port 20 outbound
38	pass out	quick		isis			srcport sybase	group 20	Sybase server
39	pass out	quick			patrol-hosts	patrol		group 20	Patrol communications
40	pass out	quick			intdns1	162		group 20

41	pass out	quick					srcport route	group 20	RIP
42	pass out	log quick				proto-2		group 20	let protocol 2 out (gated)
43	pass out	quick				icmp-ping		group 20	ping, ping-reply: ok (no logging)
44	pass out	log quick				icmp-other		group 20	time exceeded, unreachable: ok (with logging)
45	pass out	quick		mypubip	hispubip	sunrpc	keep state	group 20	let RPC out to other node (scconf/logical host declarations)
46	pass out	quick		mypubip	hispubip	scmgr		group 20	java application: ClusterManager
47	pass out	quick		mypubip	hispubip		srcport scmgr	group 20	java application: ClusterManager
48	pass out	quick		mypubip	hispubip	tcp-high-ports		group 20	open high ports out to other node
49	pass out	log quick					flags R/R	group 20	let Reset packets out (for denied TCP connections)
	PRIVATE INTERFACES: INBOUND TRAFFIC (group 30)
50	block in	log	ifprivs					head 30	default block
51	pass in	quick		hisprivip	myprivip	sunrpc	keep state	group 30	let RPC in
52	pass in	quick		hisprivip	myprivip	smad		group 30	let UDP/603 in (smad)
53	pass in	log first quick		hisprivip	myprivip	clust-rec		group 30	these ports are used during a cluster reconfiguration
54	pass in	log first quick		hisprivip	myprivip		srcport clust-rec	group 30	these ports are used during a cluster reconfiguration
55	pass in	quick		hisprivip	myprivip	scmgr		group 30	java application: ClusterManager
56	pass in	quick		hisprivip	myprivip		srcport scmgr	group 30	java application: ClusterManager
57	pass in	quick		hisprivip	myprivip	tcp-high-ports		group 30	open high ports out to other node
	in last 5 rules, don't use 'flags S keep state', to be able to restart IP-Filter while the cluster is running
58	pass in	quick		hisprivip	myprivip	icmp-ping		group 30	ping, ping-reply: autorises
	PRIVATE INTERFACES: OUTBOUND TRAFFIC (group 40)
59	block out	log	ifprivs					head 40	default block
60	pass out	quick		myprivip	hisprivip	sunrpc	keep state	group 40	let RPC out
61	pass out	quick		myprivip	hisprivip	smad		group 40	let UDP/603 out (smad)
62	pass out	log first quick		myprivip	hisprivip	clust-rec		group 40	these ports are used during a cluster reconfiguration
63	pass out	log first quick		myprivip	hisprivip		srcport clust-rec	group 40	these ports are used during a cluster reconfiguration
64	pass out	quick		myprivip	hisprivip	scmgr		group 40	java application: ClusterManager
65	pass out	quick		myprivip	hisprivip		srcport scmgr	group 40	java application: ClusterManager
66	pass out	quick		myprivip	hisprivip	tcp-high-ports		group 40	open high ports out to other node
	in last 5 rules, don't use 'flags S keep state', to be able to restart IP-Filter while the cluster is running
67	pass out	quick		myprivip	hisprivip	icmp-ping		group 40	ping and reply allowed
	Warning: this ruleset is only a sample ... don't use it!

Nat rules

#	Action	Intf	Original From	->	Translated Address	Translated Service	Comment
	sun-cluster.isba: NAT rules
1	map	ifpub1	0/0	->	0/32	proxy port ftp ftp/tcp	FTP client: active ftp 2/2 (accept port 20 inbound connection) on main interface
2	map	ifpub2	0/0	->	0/32	proxy port ftp ftp/tcp	FTP client: active ftp 2/2 (accept port 20 inbound connection) on backup interface

Hosts/Nets

#	Name	Value	Comment	Included from
1		0/0	for Nat: specifies any original address
2		0/32	for Nat: specifies current IP address
3	admhost1	192.170.1.2	DMZ3: admin host1	dmz3-admin
4	admhost2	192.170.1.8	DMZ3: PC Jean	dmz3-admin
5	admhost3	192.170.1.9	DMZ3: PC Frederic	dmz3-admin
6	admhost4	192.170.1.7	DMZ3: PC Denis	dmz3-admin
7	admhost5	192.170.1.4	DMZ3: PC Pierre	dmz3-admin
8	admhost6	192.170.1.1	DMZ3: admin host2	dmz3-admin
9	admhost7	192.170.1.10	DMZ3: PC Christophe	dmz3-admin
10	admhost8	192.170.1.6	DMZ3: PC Stephane	dmz3-admin
11	admhost9	192.170.1.5	DMZ3: Sun Cluster admin host	dmz3-admin
12	admhostss1	192.170.1.25	DMZ3: ssadmin host1	dmz3-admin
13	admhostss2	192.170.1.26	DMZ3: ssadmin host2	dmz3-admin
14	adsm1	192.170.1.3	DMZ3: ADSM backup server	dmz3-admin
15	akhenaton	200.201.156.239	www.akhenaton.com	dmz1-nt-servers
16	all-clust-ip	nickel chrome argon-lhost helium-lhost	all cluster IP addresses
17	allow-X11-to	dmz3-admin	let X11 out to these machines only
18	allow-ftp-from	dmz3-admin hispubip fw1s fw3s	accept inbound FTP from these machines only
19	allow-www-from	any	accept inbound HTTP from these machines only
20	amazone	200.201.156.141	DMZ1: www.nestor.com	dmz1-unix-servers
21	antares	200.201.2.245	Workstation Manu	lan-csd-sys
22	anubis	200.201.156.245	www.anubis.com	dmz1-nt-servers
23	argon	200.201.156.132	DMZ1: web server on cluster	dmz1-unix-servers
24	argon-lhost	argon dfe argon-trav europe-trav europe	DMZ1: argon logical host IP addresses	dmz1-unix-servers
25	argon-trav	200.201.156.144	DMZ1: web server on cluster	dmz1-unix-servers
26	becerede1	200.201.156.135 200.201.156.138 200.201.156.139 159.156.156.140	Many web servers	dmz1-nt-servers
27	broadcast-24	255.255.255.0		all-hosts
28	broadcast-32	255.255.255.255		all-hosts
29	charybde	200.201.156.252	DMZ1: AGE www.charybde.com	dmz1-unix-servers
30	chrome	200.201.156.250	DMZ1: Sun cluster node 2	dmz1-unix-servers
31	chrome-priv	204.152.65.2 204.152.65.18 204.152.65.34	chrome private network IP addresses
32	cluster1	192.170.14.11	Test Sun cluster	lan-csd-sys
33	cluster2	192.170.14.12	Test sun cluster	lan-csd-sys
34	dfe	200.201.156.133	DMZ1: web server on cluster	dmz1-unix-servers
35	dmz1-servers	200.201.156.128/25	Servers DMZ	dmz1-unix-servers
36	dmz3-admin	192.170.1.0/27	DMZ3: admin hosts	dmz3-admin
37	dmz32-relays	200.201.156.16/28	Relays DMZ	dmz32-relays
38	esnts1	192.170.14.13	Network Terminal Server 1 - test cluster	lan-csd-sys
39	esnts2	192.170.14.14	Network Terminal Server 2 - test cluster	lan-csd-sys
40	europe	200.201.156.147	DMZ1: europe web server on cluster	dmz1-unix-servers
41	europe-trav	200.201.156.145	DMZ1: europe-trav web server on cluster	dmz1-unix-servers
42	extradf	200.201.156.251	www.extradf.com	dmz1-nt-servers
43	fw-internet-s	fw1s fw3s	Internet firewalls - servers DMZ	dmz-firewalls
44	fw1a	192.170.1.11	firewall1, admin DMZ	dmz-firewalls
45	fw1e	200.201.156.2	firewall1, internet side	dmz-firewalls
46	fw1i	200.201.127.65	firewall1, internal side	dmz-firewalls
47	fw1r	200.201.156.17	firewall1, relays DMZ side	dmz-firewalls
48	fw1s	200.201.156.129	firewall1, servers DMZ side	dmz-firewalls
49	fw2a	192.170.1.12	firewall2, admin DMZ	dmz-firewalls
50	fw2e	200.201.152.2	firewall2, out side	dmz-firewalls
51	fw2i	200.201.157.6	firewall2, internal side	dmz-firewalls
52	fw2r	200.201.152.81	firewall2, relays DMZ side	dmz-firewalls
53	fw3a	192.170.1.13	firewall3, admin DMZ	dmz-firewalls
54	fw3e	200.201.156.10	firewall3, internet side	dmz-firewalls
55	fw3i	200.201.157.10	firewall3, internal side	dmz-firewalls
56	fw3r	200.201.156.30	firewall3, relays DMZ side	dmz-firewalls
57	fw3s	200.201.156.254	firewall3, servers DMZ side	dmz-firewalls
58	fw4a	192.170.1.14	firewall4, admin DMZ	dmz-firewalls
59	fw4e	200.201.152.14	firewall4, out side	dmz-firewalls
60	fw4i	200.201.157.18	firewall4, internal side	dmz-firewalls
61	fw4r	200.201.152.94	firewall4, relays DMZ side	dmz-firewalls
62	helium-lhost	isis	DMZ1: logical host helium on cluster	dmz1-unix-servers
63	hisprivip	#if-target(nickel, chrome-priv, nickel-priv)	Other cluster node private addresses
64	hispubip	#if-target(nickel, chrome, nickel)	Public IP address of the other node (physical address)
65	horus	to_be_defined	www.horus.com	dmz1-nt-servers
66	intdns1	200.201.1.81	Internal DNS server	lan-csd-sys
67	intdns2	200.201.1.85	Internal DNS server secondary	lan-csd-sys
68	intranet2	200.201.156.61	DMZ32: intranet NT server	dmz32-relays
69	isis	200.201.156.243	DMZ1: Sybase server on cluster	dmz1-unix-servers
70	jade	200.201.2.26	Workstation Patrice	lan-csd-sys
71	jasmin	200.201.156.241	DMZ1: www.roger.com	dmz1-unix-servers
72	logserv	192.170.1.19	DMZ3: log server	dmz3-admin
73	lyris	argon	DMZ1: SMTP mailing list on cluster	dmz1-unix-servers
74	mailhost2	200.201.1.207	Main mail host	lan-csd-inet
75	mailhost3	200.201.1.203	Backup mail host	lan-csd-inet
76	md-host	200.201.152.50	DMZ22 md	dmz-extranet
77	mini1	200.201.156.19	DMZ32: relay NT	dmz32-relays
78	multicast	224.0.0.0/4	for RIP rule
79	mvs-adsm0	200.201.1.11	Site central - MVS (sauvegarde)	mvs-hosts
80	mvs-dl	200.201.1.20	Site central - MVS	mvs-hosts
81	mvs-fi	200.201.1.40	Site central - MVS	mvs-hosts
82	mvs-g2	200.201.1.10	Site central - MVS	mvs-hosts
83	mvs-mi	200.201.1.50	Site central - MVS	mvs-hosts
84	mvs-perf-hosts	mvs-g2 mvs-sc mvs-dl mvs-fi mvs-mi mvs-tp	Machines MVS pouvant recevoir des perfs de mf2/mf3	mvs-hosts
85	mvs-sc	200.201.1.12	Site central - MVS	mvs-hosts
86	mvs-tp	200.201.1.60	Site central - MVS	mvs-hosts
87	myprivip	#if-target(nickel, nickel-priv, chrome-priv)	My own private addresses
88	mypubip	#if-target(nickel, nickel, chrome)	My public IP address (physical node address)
89	nickel	200.201.156.150	DMZ1: Sun cluster node 1	dmz1-unix-servers
90	nickel-priv	204.152.65.1 204.152.65.17 204.152.65.33	nickel private network IP addresses
91	ntcom1	200.201.156.136 200.201.156.137	www.com1.com	dmz1-nt-servers
92	ntcom2	200.201.156.246 200.201.156.247	www.com2.com	dmz1-nt-servers
93	packetshaper1	200.201.156.4	Packet Shaper 1	dmz-firewalls
94	packetshaper3	200.201.156.11	Packet Shaper 3	dmz-firewalls
95	patrol-hosts	mailhost3 admhost1 admhost6	Patrol communications (port 1987)
96	proxy1	200.201.1.201	Proxy 1	lan-csd-inet
97	proxy2	200.201.1.208	Proxy 2	lan-csd-inet
98	realsec1	200.201.156.3	RealSecure host1	dmz-firewalls
99	realsec3	200.201.156.12	RealSecure host2	dmz-firewalls
100	relay1	200.201.156.18	DMZ32: Relay 1	dmz32-relays
101	relay2	200.201.156.29	DMZ32: Relay 2	dmz32-relays
102	relay4	200.201.152.93	DMZ32: Relay 4	dmz32-relays
103	rout2fed	200.201.157.9	inner router 2	dmz-firewalls
104	rout2fedext	200.201.152.12	extranet router 2	dmz-firewalls
105	rout2fedext2	200.201.152.13	extranet routeur 2 bis	dmz-firewalls
106	rout2internet	200.201.156.9	internet router 2	dmz-firewalls
107	rout2rle	200.201.157.17	extranet router 1	dmz-firewalls
108	rout3fed	200.201.127.66	inner router 3	dmz-firewalls
109	rout3fedext	200.201.152.4	extranet router 3	dmz-firewalls
110	rout3fedext2	200.201.152.5	extranet router 3 bis	dmz-firewalls
111	rout3internet	200.201.156.1	internet router 3	dmz-firewalls
112	rout3rle2	200.201.157.5	extranet router 2	dmz-firewalls
113	scylla	200.201.156.143	DMZ1: AGE www.scylla.com	dmz1-unix-servers
114	servers-adsm	adsm1	ADSM backup server
115	servers-dns	fw1e fw3e	only DNS servers used
116	servers-ntp	admhost1 admhost6	only NTP servers used
117	servers-rip	fw1s fw3s	only RIP servers used
118	servers-smtp	relay1 relay2	only SMTP servers used
119	sidhost1	200.201.1.215	SecurId server	lan-csd-inet
120	sidhost2	200.201.1.216	SecurId backup server	lan-csd-inet
121	spoofed-addr	10.0.0.0/16 172.16.0.0/12 127.0.0.0/8
122	ss1	192.170.1.21	DMZ3: ss1	dmz3-admin
123	ss2	192.170.1.22	DMZ3: ss2	dmz3-admin
124	ss3	192.170.1.23	DMZ3: ss3	dmz3-admin
125	ss4	192.170.1.24	DMZ3: ss4	dmz3-admin
126	sun002	200.201.2.233	Sun terminal	lan-csd-inet
127	sunadmin	192.170.14.15	Test cluster admin station	lan-csd-sys
128	tijuana	200.201.2.134	Workstation Pierre	lan-csd-sys
129	tisane	200.201.156.142	DMZ1: www.tisane.com	dmz1-unix-servers
130	tracks0	200.201.152.51	DMZ22 tracks0	dmz-extranet
131	tracks1	200.201.152.61	DMZ22 tracks1	dmz-extranet
132	webdi1	200.201.156.151	www.di1.com	dmz1-nt-servers
133	webdi2	200.201.156.240	www.di2.com	dmz1-nt-servers
134	webresh	200.201.156.131	DMZ1: web server	dmz1-unix-servers
135	xyplex1a21	192.170.14.35	Xyplex 21	lan-csd-inet
136	xyplex1a30	192.170.14.33	Xyplex 30	lan-csd-inet
137	xyplex2a20	192.170.14.34	Xyplex 20	lan-csd-inet
138	xyplex2a21	192.170.1.16	DMZ3: Xyplex21	dmz3-admin
139	xyplex2a30	192.170.1.18	DMZ3: Xyplex30	dmz3-admin

Services

#	Name	Proto	Value	Comment
1		udp	162
2	X11	tcp	5999><6010
3	adsm	tcp	14000	ADSM backup port
4	an-appli	tcp	#if-target(nickel, 4000)
5	clust-rec	tcp	6999><8000	ports used by ccdd daemon during a cluster reconfiguration
6	dns-tcp	tcp	53
7	dns-udp	udp	53
8	ftp	tcp	21
9	ftp-data
10	icmp-other	icmp	3 11	allowed ICMP-types, with logging
11	icmp-ping	icmp	0 8	allowed ICMP-types (ping), no logging
12	ntp
13	patrol	tcp/udp	1987	port Patrol
14	polluting-ports	tcp/udp	67 137 138 139 140 1804 8500	ports silently blocked to avoid log pollution
15	proto-2	2
16	proto-tcp	tcp		specifies proto tcp, no port
17	proto-udp	udp		specifies proto udp, no port
18	route
19	scmgr	tcp	1097	used by java com.sun.scm.admin.server.scmgr.ClusterManager
20	smad	udp	603	Sun cluster communication
21	smtp	tcp	25
22	ssh	tcp	22
23	sunrpc	tcp/udp	111	unfortunately used by SunCluster
24	sybase	tcp	4100	Sybase port
25	tcp-high-ports	tcp	>1024	Unprivilegied ports
26	wu-pasv	tcp	18999><20000	Passive FTP server: (and configure wu-ftp (passive ports ...))
27	www	tcp	80
28	www-admin	tcp	82

Interfaces

#	Name	Value	Comment
1	allifs	ifpubs ifprivs	All cluster interfaces
2	ifpriv1	qfe1	private network, interface 1
3	ifpriv2	qfe5	private network, interface 2
4	ifprivs	ifpriv1 ifpriv2	both private interfaces
5	ifpub1	qfe0	public network, interface 1
6	ifpub2	qfe4	public network, interface 2
7	ifpubs	ifpub1 ifpub2	both NAFO0 public interfaces
8	lo0	lo0	Loopback interface

Ruleset Properties

Version

1.0

Ruleset
targets

	Target hostname or IP address	SSH user on target	use sudo	ipfilter conf dir.	ipf rules filename	nat rules filename
1	nickel	isba	X	/etc/opt/ipf	ipf.conf	ipnat.conf
2	chrome	isba	X	/etc/opt/ipf	ipf.conf	ipnat.conf
3

Setup
infos
-
Ruleset
comments
-
List
of
changes
-
...

This ruleset protects a 2-node Sun Cluster living in a DMZ
from its potentially compromised neighbours.
All networks (public and private) are doubled.
Private networks are used by SunCluster only, for cluster
administration (heartbeats, etc)
Public networks are used for access to hosted servers: WWW, FTP, SMTP, SSH.

Both private interfaces must have the same set of rules,
and both public interfaces must have the same set of rules,
whence the interfaces groups 'ifprivs' and 'ifpubs'.


        ----------------                       ----------------
       |     nickel     |                     |     chrome     |
       |                |                     |                |
       |                |                     |                |
       |           qfe1 |---------------------| qfe1           |
       |                |  Private networks   |                |
       |           qfe5 |---------------------| qfe5           |
       |                |                     |                |
       |   qfe0  qfe4   |                     |   qfe0  qfe4   |
        ----------------                       ----------------
            |     |                                |     |
            |     |                                |     |
     -------+--------------------------------------+--------------    DMZ
                  |         Public networks              |
     -------------+--------------------------------------+--------