Hello,
Assuming we extract the iptables rules that implement the recommended firewall configuration, it should be possible to buy a retail router and set it up with OpenWrt.
Terse firewall description
Admin Subnet: 10.20.1.0/24
Admin Gateway: 10.20.1.1
Admin Workstation: 10.20.1.2
Application Subnet: 10.20.2.0/24
Application Gateway: 10.20.2.1
Application Server (OPT1): 10.20.2.2
Monitor Subnet: 10.20.3.0/24
Monitor Gateway: 10.20.3.1
Monitor Server (OPT2): 10.20.3.2
Ports:
OSSEC: 1514
ossec_agent_auth: 1515
- Disable DHCP
- Disallow everything
- Allow TCP ssh from Admin to all
- Allow UDP OSSEC from App to Mon
- Allow TCP ossec agent auth from App to Mon
- Allow TCP/UDP DNS from App/Mon to IP of known name servers
- Allow UDP NTP from App/Mon to all
- Allow TCP any port from Mon to all
- Allow TCP 80/443 from App/Mon to all
- Allow TCP any port from Admin to all
OpenWrt-compatible hardware:
Cheers
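As an added example (not from the post above and not SecureDrop's own configuration), here is one way to turn the terse description into an iptables-restore ruleset. Addresses and the OSSEC ports are the ones listed in the post; the Admin Workstation and the App/Mon server addresses are used as sources rather than whole subnets. DNS_SERVERS is an assumption: it defaults to two RFC 5737 documentation addresses and must be set to the real resolvers before loading. The conntrack ESTABLISHED,RELATED rules are not in the list but are required for replies to the allowed flows to pass a stateful firewall.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for the Admin/App/Mon layout above.
# Added example, not code from the original post.

ADMIN_WS=10.20.1.2      # Admin Workstation
APP_SRV=10.20.2.2       # Application Server (OPT1)
MON_SRV=10.20.3.2       # Monitor Server (OPT2)
OSSEC_PORT=1514         # OSSEC agent -> server, UDP
OSSEC_AUTH_PORT=1515    # ossec_agent_auth, TCP
# Assumption: placeholder resolvers; override with DNS_SERVERS="a.b.c.d e.f.g.h".
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 192.0.2.54}"

gen_rules() {
    # "Disallow everything": default DROP for traffic to and through the router.
    # OUTPUT is left open so the router itself can reach its own resolvers/NTP.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    # Reply traffic for flows accepted below; implied by the list, not stated.
    printf '%s\n' "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    # Management of the router itself only from the Admin Workstation.
    printf '%s\n' "-A INPUT -s $ADMIN_WS -p tcp --dport 22 -j ACCEPT"
    # Allow TCP ssh from Admin to all (kept separate from the any-port rule at
    # the end so it survives if that broad rule is later tightened).
    printf '%s\n' "-A FORWARD -s $ADMIN_WS -p tcp --dport 22 -j ACCEPT"
    # Allow UDP OSSEC from App to Mon
    printf '%s\n' "-A FORWARD -s $APP_SRV -d $MON_SRV -p udp --dport $OSSEC_PORT -j ACCEPT"
    # Allow TCP ossec agent auth from App to Mon
    printf '%s\n' "-A FORWARD -s $APP_SRV -d $MON_SRV -p tcp --dport $OSSEC_AUTH_PORT -j ACCEPT"
    for src in $APP_SRV $MON_SRV; do
        # Allow TCP/UDP DNS from App/Mon only to the known name servers
        for ns in $DNS_SERVERS; do
            printf '%s\n' "-A FORWARD -s $src -d $ns -p udp --dport 53 -j ACCEPT"
            printf '%s\n' "-A FORWARD -s $src -d $ns -p tcp --dport 53 -j ACCEPT"
        done
        # Allow UDP NTP from App/Mon to all
        printf '%s\n' "-A FORWARD -s $src -p udp --dport 123 -j ACCEPT"
        # Allow TCP 80/443 from App/Mon to all
        printf '%s\n' "-A FORWARD -s $src -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # Allow TCP any port from Mon to all
    printf '%s\n' "-A FORWARD -s $MON_SRV -p tcp -j ACCEPT"
    # Allow TCP any port from Admin to all
    printf '%s\n' "-A FORWARD -s $ADMIN_WS -p tcp -j ACCEPT"
    printf '%s\n' "COMMIT"
}

# Usage: sh firewall.sh > rules.v4 && iptables-restore < rules.v4
gen_rules
```

Two things this script does not cover. "Disable DHCP" is not a firewall rule: on OpenWrt it is done per interface in /etc/config/dhcp (`option ignore '1'` in that interface's dhcp section). And the iptables-restore format only applies to OpenWrt releases using fw3/iptables; releases from 22.03 onward ship fw4 on nftables, where the same policy has to be expressed as UCI firewall rules or nft rules instead.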