Tendo

The diagram above shows the network configuration of a typical LAN connected to the Internet via a Linux based system acting as a router. The LAN that we wish to protect is on the left side of the diagram. The internet is shown on the right side. All communication between the LAN and internet passes through the gateway machine which is marked by the dog. Guarddog runs on the gateway machine. The most important aspect of this setup from a security point of view is that all of the network traffic between the LAN and the internet passes through one machine: the gateway. This provides us with an obvious "choke point" that we can place the firewall on to filter the network traffic.
The diagram also shows the zones that we will setup in Guarddog.

There seems to be a bit of confusion surrounding the function of a firewall versus the task of packet routing. Firewalls act as network traffic filters. Filtering and blocking unwanted and dangerous network traffic. They are security devices. Features such as routing and IP masquerade are not primarily security devices. They are advanced networking features.
Guarddog is a firewall and is not used for configuring networking features such as IP masquerade and routing. These networking features must be configured using a different program.

Before we continue, you should go and configure the routing setup for your machine and confirm that it is routing/masquerading network traffic as expected. To make the task of debugging your gateway configuration easier, you can disable Guarddog by checking the Disable firewallcheckbox on the Advanced tab and then applying the changes. This will allow you to test your routing setup separately without Guarddog blocking any test traffic.

If you configured and tested your routing and network settings with Guarddog disabled, enable firewalling in Guarddog again and apply. If all is going well then you will find that your LAN is once again totally cut off from the internet. Guarddog has a fail-safe, "what is not explicitly permitted, is denied" design. What this means in this situation is that since Guarddog hasnt been told to allow traffic from your LAN out to the internet, or visa versa, it will assume that the traffic should be blocked. This is intended to make it easy to get a secure configuration (even if it is too secure) and difficult to have an insecure configuration.
The way we specify to Guarddog that computers on the LAN are allowed to access computers on the Internet is by using zones. We simply create a zone to hold the addresses of all of the computers on our LAN and then specify that this zone is connected to the Internet, and probably to the Local zone also, and then go to the Protocols tab and tick on whatever protocols should be allowed between the LAN and the Internet.

Go to the Zone tab and create a new zone and call it "LAN". In the Zone Addresses list enter the IP addresses of the computers on your LAN. The address list understands several notations for addresses and can also accept whole network blocks. If you are running an IP masqueraded network using the 192.168.1.0/255.255.255.0 private address space, you can enter the whole block into a single address line using 192.168.1.0/255.255.255.0 format or the shorter 192.168.1.0/24 format.
Next, go to the Connection list and tick Internet and Local to specify that your LAN zone should be connected to the Internet and Local zones.
Now, go to the Protocol tab and make sure that Protocols Served from Zone: is set to Internet. In the list of protocols below you should see a column of check boxes for the Local zone and another column for the LAN zone. Just like when we were turning on protocols for the local zone in the first tutorial, we can do the same for the LAN zone. Tick the list of protocols that machines in the LAN zone should be able to use with the Internet.
When you are ready, apply the changes and see if your machines on your LAN can access the internet. Thats all there is to it.