Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DMZ rules

    Scheduled Pinned Locked Moved Off-Topic & Non-Support Discussion
    3 Posts 3 Posters 519 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jlee_eye
      last edited by

      Hello,

      Question. Is our DMZ setup for rules appropriate? Please refer to attached image.

      Thank you.

      DMZ_SETUP.jpg

      1 Reply Last reply Reply Quote 0
      • V
        viragomann
        last edited by

        36361548-b159-43ad-a490-a55a42c1428e-grafik.png

        The yellow marked IPs are no network addresses. So they could not be used with a subnet mask.
        If you want to apply that rules to subnets enter the correct network address.

        In a block rule you should use the "any" as source.
        In pass rules on the other hand, "DMZ net" should be used instead of "any".

        1 Reply Last reply Reply Quote 0
        • JeGrJ
          JeGr LAYER 8 Moderator
          last edited by

          I agree, makes no sense to define point to point rules (first 5) and then throw /24 behind it so the whole network can talk to each other. Also those rules are TCP only so if you are that specific, why not also include the ports instead of "all"?

          I'd also sort the kind of infrastructure rules on top (allow DNS, Ping, NTP and 80/443 for updates or such likes) and make them more specific so it won't interfere with other rules. Normally if that's your DMZ I see no reason why my DMZ hosts should talk to any DNS out there if I have a resolver/forwarder with caching running myself. Same for NTP.

          I would consider creating a RFC1918 Alias with all private IP space and use that instead of LAN net as a target so to reject all traffic from DMZ to other internal networks. If you specifically need a single IP or subnet, add that with a pass above the reject. So you can't accidentally introduce a new subnet on your firewall and open it up to network segments that it shouldn't be visible.

          That are the basic thing's I'd consider.

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.