Netgate Discussion Forum

Setting up DMZ with webserver HELP!

General pfSense Questions
8 Posts 4 Posters 3.9k Views
  • pethead
    last edited by Feb 2, 2012, 12:23 PM

    So, I am trying to set up a DMZ and I failed brutally, so I decided to start from scratch. When I configure the OPT1 interface, am I just supposed to add firewall rules to block all traffic from DMZ -> LAN and allow all traffic from WAN -> DMZ? What else do I need to configure for it to work properly? And please tell me how to set up the firewall rules. I've been checking around different guides, but they just say to set the firewall rules how you want them, and I have no clue how to configure them properly.  >:( I'd appreciate any help at all.

    • marcelloc
      last edited by Feb 2, 2012, 12:56 PM

      To publish a service on the DMZ you normally need redirect NAT rules (Firewall -> NAT).

      While creating a port forwarding NAT rule, you have an option to associate that NAT rule with a firewall rule.

      Also consider buying the pfSense book or reading doc.pfsense.org for tutorials on how to configure pfSense and create rules.

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

      • wallabybob
        last edited by Feb 2, 2012, 1:15 PM

        @pethead:

        What else do I need to configure for it to work properly?

        Let's start by determining how you want the firewall to behave.

        1. Do you want to allow any trash from the internet to your DMZ or do you want to restrict access to the DMZ to particular services such as web server?

        2. Do you want the DMZ to have unrestricted access to the Internet? If not, what access are you prepared to allow?

        3. Do you want unrestricted access from the DMZ to your LAN? If not, what access are you prepared to allow?

        4. Is there a router between your pfSense WAN interface or a modem? If there is a router/firewall you will probably need to configure that to allow appropriate access to your DMZ.

        • pethead
          last edited by Feb 2, 2012, 2:20 PM

          @wallabybob:

          @pethead:

          What else do I need to configure for it to work properly?

          Let's start by determining how you want the firewall to behave.

          1. Do you want to allow any trash from the internet to your DMZ or do you want to restrict access to the DMZ to particular services such as web server?

          2. Do you want the DMZ to have unrestricted access to the Internet? If not, what access are you prepared to allow?

          3. Do you want unrestricted access from the DMZ to your LAN? If not, what access are you prepared to allow?

          4. Is there a router between your pfSense WAN interface or a modem? If there is a router/firewall you will probably need to configure that to allow appropriate access to your DMZ.

          First of all, I just want to get the web server up and running and then later on go and configure specifics.

          1. I just want to put a web server with working FTP on the DMZ.

          2. Yes, I want the DMZ to have unrestricted access to the internet.

          3. I'd rather not have any unrestricted access from the DMZ to the LAN, but I don't mind skipping it since I'm just experimenting with pfSense and want to get things up and running. I mostly just want to get the web server up and running.

          4. No, there is no router in between. My WAN connection goes directly into my pfSense, which I then have going out over 2 subnets, 192.168.0.1/24 and my DMZ 192.168.1.1/24.

          I just got the pfSense book for version 1.2.3; I haven't seen one for 2.0? I'll go read up a little but would still appreciate answers.

          These are the firewall rules that I added for the allow-all to DMZ and block DMZ to LAN: http://imageshack.us/g/338/pfsenserules.jpg/ Are they even configured correctly?

          • marcelloc
            last edited by Feb 2, 2012, 2:24 PM

            @pethead:

            First of all, I just want to get the web server up and running and then later on go and configure specifics.

            1. I just want to put a web server with working FTP on the DMZ.

            2. Yes, I want the DMZ to have unrestricted access to the internet.

            3. I'd rather not have any unrestricted access from the DMZ to the LAN, but I don't mind skipping it since I'm just experimenting with pfSense and want to get things up and running. I mostly just want to get the web server up and running.

            4. No, there is no router in between. My WAN connection goes directly into my pfSense, which I then have going out over 2 subnets, 192.168.0.1/24 and my DMZ 192.168.1.1/24.

            I just got the pfSense book for version 1.2.3; I haven't seen one for 2.0? I'll go read up a little but would still appreciate answers.

            These are the firewall rules that I added for the allow-all to DMZ and block DMZ to LAN: http://imageshack.us/g/338/pfsenserules.jpg/ Are they even configured correctly?

            You will need to NAT ports 80, 443 and 21 on the WAN interface to the DMZ IP.

            Copy the default rule from WAN to OPT1 to get full internet access from the DMZ.

            If you want, change the source from "any" to "not LAN subnet" on the copied rule on the OPT1 rules tab.


            • stephenw10 Netgate Administrator
              last edited by Feb 2, 2012, 9:14 PM

              @marcelloc:

              Copy the default rule from WAN to OPT1 to get full internet access from the DMZ.

              I think you mean LAN to OPT1 (DMZ) Marcelloc?  ;)

              Two important things to consider when making firewall rules:

              1. By default everything is blocked. This means that unless you put rules in place to explicitly allow traffic, nothing will get through. The only exception to this is the LAN interface, which has two rules already configured by default.

              2. Firewall rules filter traffic entering your pfSense box via whatever interface you have set them on, and only entering.

              Therefore to allow internet access from your DMZ interface you need a rule that allows traffic with source: your DMZ subnet (or a specific IP in the DMZ) on the DMZ interface.

              Steve

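The two rules of thumb above (default block on every interface; a rule only sees traffic entering on its own interface) together with marcelloc's suggested rule set (port forwards for 80/443/21 on WAN, an allow rule on OPT1 that excludes the LAN subnet) can be checked with a small first-match model. This is an added illustration, not pfSense code; it uses the poster's subnets and assumes a DMZ web host at 192.168.1.10, and it ignores state tracking, the NAT translation itself and return traffic.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

LAN_NET = ip_network("192.168.0.0/24")   # the poster's LAN
DMZ_NET = ip_network("192.168.1.0/24")   # the poster's DMZ on OPT1
DMZ_WEB = ip_address("192.168.1.10")     # assumed web/FTP host in the DMZ
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    iface: str                  # interface the packet ENTERS pfSense on
    action: str                 # "pass" or "block"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dports: tuple = ()          # empty tuple = any destination port
    negate_dst: bool = False    # True models pfSense's "not ..." (invert match)

    def matches(self, iface, src, dst, dport):
        # Rule of thumb 2: a rule placed on one interface never sees traffic
        # that arrives on another interface.
        if iface != self.iface or src not in self.src:
            return False
        # With negate_dst the rule matches only when dst is OUTSIDE self.dst.
        if (dst in self.dst) == self.negate_dst:
            return False
        return not self.dports or dport in self.dports

RULES = [
    # WAN: only the rules the port forwards create; pfSense applies the NAT
    # before filtering, so the destination is the internal DMZ host.
    Rule("wan", "pass", dst=ip_network(f"{DMZ_WEB}/32"), dports=(80, 443, 21)),
    # OPT1 (DMZ): copy of the LAN allow-all rule, destination "not LAN subnet",
    # so the DMZ reaches the internet but not the LAN.
    Rule("opt1", "pass", src=DMZ_NET, dst=LAN_NET, negate_dst=True),
    # LAN: the default allow-all rule pfSense ships with.
    Rule("lan", "pass", src=LAN_NET),
]

def decide(iface, src, dst, dport, rules=RULES):
    """First matching rule wins; rule of thumb 1: no match means block."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(iface, src, dst, dport):
            return rule.action
    return "block"

if __name__ == "__main__":
    # Constructed sample flows: internet -> DMZ web, DMZ -> internet, DMZ -> LAN.
    for flow in [("wan", "203.0.113.5", "192.168.1.10", 80),
                 ("opt1", "192.168.1.10", "198.51.100.7", 443),
                 ("opt1", "192.168.1.10", "192.168.0.5", 445)]:
        print(flow, "->", decide(*flow))
```

Removing the OPT1 rule from `RULES` shows why the copied rule must sit on the DMZ interface: the WAN and LAN rules alone leave every DMZ-originated flow at the implicit block.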
              • marcelloc
                last edited by Feb 2, 2012, 9:17 PM

                @stephenw10:

                I think you mean LAN to OPT1 (DMZ) Marcelloc?  ;)

                Thanks stephenw10, just one more typo.  :)


                • wallabybob
                  last edited by Feb 2, 2012, 10:08 PM

                  @pethead:

                  I just got the pfSense book for version 1.2.3; I haven't seen one for 2.0?

                  There is not yet a book for pfSense 2.0.

                  @marcelloc:

                  You will need to NAT ports 80, 443 and 21 on the WAN interface to the DMZ IP.

                  See Section 7.2 (page 130) of the pfSense book for a lengthier discussion of port forwards and how to create the appropriate rules.
