Help setting up standard rules for mail server/web server/vpn
-
Hi,
I am wondering if anyone can give me some tips (or a link to a guide) on how to best set up some pfsense firewall rules to allow WAN access to our mail server (exchange) and web server?
Cheers,
Kim -
Might give you a hint
http://doc.m0n0.ch/handbook/examples.html
http://doc.pfsense.org/index.php/Main_Page -
Thanks for that. Most of the examples show a configuration where the mail server is behind a DMZ.
We have one primary server which hosts our mail server, file sharing to the LAN, print server, etc. We need ultra-fast access to it for LAN file sharing, so it has a 2 Gb NIC connected to a Gb switch, which all our users are connected to.
The pfSense box is an old server with 10/100 NICs, so I don't want to put our file/print/mail server into a DMZ; otherwise all our LAN file-sharing traffic would have to go through the pfSense NICs, and it would slow everything down.
So I guess what I want to do is simply have pfSense as a firewall between our LAN/switch and our internet connection.
I would want to create the following types of rules:
Allow LAN to anywhere (don't need to lock down anything at this stage)
Allow WAN to ServerIP for http and https
Allow WAN to ServerIP for ftp
Allow WAN to ServerIP for Exchange server (just SMTP?)
Would I need to create these rules for both TCP and UDP?
And the WAN rules only need to be created on the "WAN interface"? (and the LAN to anywhere rule on the "LAN interface"?)
My previous firewall (a SonicWall) did not have a spot to choose what interface the rule applies to.
Cheers,
Kim -
Your setup sounds pretty basic. Should be able to run a pretty much stock-install, with the LAN changed to the correct subnet and DHCP disabled. (I'm assuming you are running DHCP/DNS on your [SBS?] server).
Just add in any VIPs on the WAN, then create port-forwards to the server (Firewall > NAT > Port Forward). For Exchange, you should just need TCP: SMTP, HTTP, HTTPS. The port-forwards would be on the WAN, and if you keep the box checked, it will auto-create the correct firewall rules for you. -
Thanks for that. So in the NAT window, I would just do the following: (where 10.7.31.20 is our Exchange/Web Server) - see attachment? - Then the same for HTTP and HTTPS?
Do I also need to create a Firewall rule to Block * from the WAN? (and order the rules so this is the last rule?) - or does pfSense block everything else by default?
What are the VIPs?
Cheers,
Kim
-
@Kim:
Thanks for that. So in the NAT window, I would just do the following: (where 10.7.31.20 is our Exchange/Web Server) - see attachment? - Then the same for HTTP and HTTPS?
Yes. Once you have the first one done, you can use the handy + to create a new rule based on the first one, and just change the ports.
@Kim: Do I also need to create a Firewall rule to Block * from the WAN? (and order the rules so this is the last rule?) - or does pfSense block everything else by default?
Defaults to blocked.
@Kim: What are the VIPs?
You would define Virtual IPs if you had additional static IP addresses assigned to you by your provider.
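The whole procedure from this thread (the port forwards, the LAN allow-all, the implicit default block, and a second public address as a VIP) written out in the pf syntax that pfSense compiles its GUI rules into, as an added example that is not part of the original posts or of pfSense's own generated ruleset. The interface names em0/em1, the public addresses 203.0.113.10 and 203.0.113.11, and the LAN subnet 10.7.31.0/24 are assumptions; 10.7.31.20 is the server address given in the thread.

```pf
# Added example: a pf ruleset equivalent to the pfSense GUI rules discussed
# in this thread. Not copied from pfSense. Every name and address below is
# assumed except the server address 10.7.31.20, which comes from the thread.
wan_if  = "em0"               # assumed WAN NIC
lan_if  = "em1"               # assumed LAN NIC
wan_ip  = "203.0.113.10"      # assumed primary WAN address
wan_vip = "203.0.113.11"      # assumed extra static IP from the ISP (a "VIP");
                              # the firewall must answer ARP for it (Proxy ARP / alias)
lan_net = "10.7.31.0/24"      # assumed LAN subnet
server  = "10.7.31.20"        # Exchange/web/FTP server on the LAN (from the thread)
fwd_tcp = "{ 25, 80, 443, 21 }"   # SMTP, HTTP, HTTPS, FTP control: all TCP, no UDP needed

set skip on lo0
scrub in all

# --- Translation (Firewall > NAT) ---
# Automatic outbound NAT for the LAN.
nat on $wan_if from $lan_net to any -> ($wan_if)

# Port forwards on the WAN interface. With no port after "->", pf keeps the
# original destination port, so one rdr line covers all four services.
rdr on $wan_if proto tcp from any to $wan_ip  port $fwd_tcp -> $server
# The same forwards on the VIP, if the ISP gave you a second address.
rdr on $wan_if proto tcp from any to $wan_vip port $fwd_tcp -> $server

# --- Filtering (Firewall > Rules) ---
# pf is last-match unless a rule says "quick". pfSense puts this non-quick
# block first and marks every GUI rule "quick", so anything no pass rule
# matches is dropped: there is no need to add your own "Block *" rule.
block in log all
antispoof quick for $lan_if

# LAN tab: "LAN to anywhere".
pass in quick on $lan_if from $lan_net to any keep state

# WAN tab: the rules pfSense auto-creates alongside each port forward.
# Filtering happens after rdr, so the destination is the LAN address,
# not the public WAN IP or VIP.
pass in quick on $wan_if proto tcp from any to $server port $fwd_tcp flags S/SA keep state

# Let the firewall's own traffic and the NATed LAN traffic leave.
pass out quick all keep state
```

Two caveats a practitioner would check before calling this done. First, forwarding TCP 21 only covers the FTP control channel; passive-mode data connections arrive on whatever ephemeral port the server picks, so either enable pfSense's FTP helper on the WAN interface or pin the FTP server's passive port range and forward that range as well. Second, because the server sits on the LAN rather than in a DMZ, a compromise of any of these four exposed services puts the attacker on the same segment as every workstation; that is the trade-off accepted above in exchange for file-sharing speed, and it is worth keeping the exposed services patched accordingly.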