Given the following "informal policy" details to be implemented using a firewall:
1. E-mail may be sent using SMTP in both directions through the firewall, but it must be relayed via the DMZ mail gateway that provides header sanitation and content filtering. External email must be disdained for the DMZ mail server.
2. Users inside may retrieve their email from the DMZ mail gateway, using either POP3 or POP3S, and authenticate themselves.
3. Users outside may retrieve their email from the DMZ mail gateway, but only if they use the secure POP3 protocol, and authenticate themselves.
4. Web request (both insecure and secure) are allowed from any internal user out through the firewall but must be relayed via the DMZ Web proxy, which provides content filtering (noting this is not possible for secure request), and users must authenticate with the proxy for logging.
5. Web request (both insecure and secure) are allowed from anywhere on the Internet to the DMZ Web server.
6. DNS lookup request by internal users allowed via the DMZ DNS server, which queries to the Internet.
7. External DNS requests are provided by the DMZ DNS servers.
8. Management and update of information on the DMZ servers is allowed using secure shell connections from relevant authorized internal users (may have different sets of users on each system as appropriate).
9. SNMP management requests are permitted from the internal management host to the firewalls, with the firewalls also allowed to send management traps (i.e. notification of some even occurring) to the management host.