Tue Jan 07, 2014 5:56 pm
Your question is so broad, it would take a book to answer it. There are a lot of books out there, take your pick!
In terms of hardware and/or OS, this is a MT forum, so I would assume that you have ROS running on a RB of some sort... perfectly suited for a basic firewall appliance.
Onto the configuration...
The general ideas behind building a firewall are pretty simple, but you need to first ask a few questions with regards to the types of networks you want to protect and the types of firewalls that are appropriate for each.
So, what are your zones?
*) Data Center
*) Co-Located customers
*) Hosted customers
*) Broadband customers
**) Residential
**) Business
**) Enterprise
Residential and Business customers may not even need firewalls, as they can sit behind NAT, so incoming connections are blocked anyways. If you insist on giving these customers real addresses, simply block incoming connections on privileged and well known ports. Anything more than that, and they'll have you chasing your tail to figure out why things aren't working.
You will probably want to protect these customers from each other as well, but you don't need a firewall to do this, just configure end-to-end client isolation to prevent any sideways communication.
Co-located and Enterprise customers should have raw access (no firewall at all), they can take care of themselves.
For your data center, allow those services you need and block everything else. Restrict access to sensitive services to approved source addresses, or maybe only through a VPN connection.
As for the specific configuration of your firewall(s), it's going to be specific to your needs, so we can't provide the answers, but it should be pretty easy to figure out once you have the logic down.
Good luck!
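One way to put the zone logic above into RouterOS firewall rules, as an added example that is not part of the original post (the subnets, address-list names and interface names are placeholders, not anything from the poster's network):

```routeros
# Address lists stand in for the zones; replace the ranges with your own.
/ip firewall address-list
add list=dc-servers address=192.0.2.0/24 comment="assumed: data center subnet"
add list=mgmt-approved address=203.0.113.0/24 comment="assumed: approved admin sources"

/ip firewall filter
# Stateful basics for traffic passing between zones through the router.
add chain=forward action=accept connection-state=established,related \
    comment="allow return traffic for connections already permitted"
add chain=forward action=drop connection-state=invalid

# Data center zone: allow only the services you need, drop everything else.
add chain=forward action=accept dst-address-list=dc-servers protocol=tcp \
    dst-port=80,443 comment="public services the data center must expose"
add chain=forward action=accept dst-address-list=dc-servers protocol=tcp \
    dst-port=22 src-address-list=mgmt-approved \
    comment="sensitive service only from approved sources (or a VPN tunnel interface)"
add chain=forward action=drop dst-address-list=dc-servers \
    comment="default deny into the data center"

# Residential/business customers on real addresses (assumed interface names):
# block new inbound connections to privileged and well-known ports only,
# so ordinary outbound use keeps working and you are not chasing your tail.
add chain=forward action=drop in-interface=ether1-wan out-interface=ether2-residential \
    connection-state=new protocol=tcp dst-port=0-1023
add chain=forward action=drop in-interface=ether1-wan out-interface=ether2-residential \
    connection-state=new protocol=udp dst-port=0-1023

# Co-located and enterprise customers get no rules here: raw access, as above.
```

Test the rule order with `/ip firewall filter print stats` after generating some traffic; a rule whose counters never move is usually shadowed by an earlier one.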