Please check my setup plus a couple of questions



  • First of all this firewall rocks!
    I would like my setup to be checked by the "guys in the know."
    This is my first firewall setup and I want to make sure that I have not opened anything up I shouldn't have or have something done incorrectly. All seems to work OK…

    What I have are 3 interfaces, LAN, WAN, DMZ.
    WAN gets IP from PPPoE. My router is connected to WAN interface in pure bridge mode.
    LAN IP interface is 192.168.0.2 and DMZ interface is 192.168.1.1
    My server on the DMZ hosts my website and mail, 192.168.1.10.
    Below is a copy of my firewall rules and NAT settings.

    Because I have my web server on the DMZ do I need an allow rule on the WAN as well as the DMZ as I have done?
    What is the best way to set up access to the server on the DMZ from the LAN interface?
    How can I access my website from my LAN via its domain name like www.domain.com when it is hosted on the DMZ?
    I would like my server on the DMZ to be able to access the internet for updates etc. Is the rule correct? Works but is it too open?

    Many many thanks.
    Paul.





  • I'd restrict traffic from DMZ >> LAN

    create any allow rules you want for DMZ >> LAN
    then create a reject rule that catches everything else DMZ >> LAN

    place them before your DMZ >> ANY rule



  • Because I have my web server on the DMZ do I need an allow rule on the WAN as well as the DMZ as I have done?
    No, you do not need the rule on the DMZ for outsiders to use your site
    What is the best way to set up access to the server on the DMZ from the LAN interface?
    It depends on how you want to access it; set up rules for HTTP, SMTP, RDP, POP, etc.
    How can I access my website from my LAN via its domain name like www.domain.com when it is hosted on the DMZ?
    Do you have an internal DNS server? The easiest way would be to have an internal DNS server point to the 192.168.1.10 address of your server.
    I would like my server on the DMZ to be able to access the internet for updates etc. Is the rule correct? Works but is it too open?
    "Works but is it too open" That's bang on. Just allow through what you need to.



  • You have to NAT port 465 and not 25 if that's what you're using for SMTP.

    Similar for your RDP. If you want it externally on 1609 you have to NAT it to 5900 internally.
    But then you have to allow traffic on the WAN interface at 1609 since that is what the interface 'sees'.

    Chris



  • @jahonix:

    You have to NAT port 465 and not 25 if that's what you're using for SMTP.

    Similar for your RDP. If you want it externally on 1609 you have to NAT it to 5900 internally.
    But then you have to allow traffic on the WAN interface at 1609 since that is what the interface 'sees'.

    Chris

    Well spotted, I have changed port 465 to 25  ;)

    I have VNC running on custom port 1609 ;) I have changed the WAN rule accordingly.
    Well spotted



  • @tedced:

    Because I have my web server on the DMZ do I need an allow rule on the WAN as well as the DMZ as I have done?
    No, you do not need the rule on the DMZ for outsiders to use your site
    What is the best way to set up access to the server on the DMZ from the LAN interface?
    It depends on how you want to access it; set up rules for HTTP, SMTP, RDP, POP, etc.
    How can I access my website from my LAN via its domain name like www.domain.com when it is hosted on the DMZ?
    Do you have an internal DNS server? The easiest way would be to have an internal DNS server point to the 192.168.1.10 address of your server.
    I would like my server on the DMZ to be able to access the internet for updates etc. Is the rule correct? Works but is it too open?
    "Works but is it too open" That's bang on. Just allow through what you need to.

    Thank you, I have removed the extra rule on the DMZ.

    I will try a few rules for access to the server. I need to access a share as well as VNC.

    I don't have an internal DNS but could set one up on the server.

    As for having access for the server on the DMZ I will try a few rules. Any suggestions? Source IP of machine on port 80 to port 80 for web access?

    Many thanks.



  • @tedced:

    I'd restrict traffic from DMZ >> LAN

    create any allow rules you want for DMZ >> LAN
    then create a reject rule that catches everything else DMZ >> LAN

    place them before your DMZ >> ANY rule

    Will try thanks.



  • @tedced:

    I'd restrict traffic from DMZ >> LAN

    create any allow rules you want for DMZ >> LAN
    then create a reject rule that catches everything else DMZ >> LAN

    place them before your DMZ >> ANY rule

    I am having a few issues sorting out rules so that the DMZ can only access the internet and not the LAN.
    I want the LAN to access the DMZ, though.
    Any pointers?





  • @far_ken_beauty:

    I am having a few issues sorting out rules so that the DMZ can only access the internet and not the LAN.

    This is rather easy: on the DMZ create a rule that drops (or rejects) all packets with destination LAN.

    @far_ken_beauty:

    I want the LAN to access the DMZ, though.

    ;-)
    So you don't want to disable DMZ -> LAN completely as stated above!
    Usually we have two-way communication. LAN sends a request to DMZ and DMZ answers to LAN. The latter conflicts with 'DMZ can only access the internet' …

    Create dedicated rules for the services you want to have access to.
    Following Perry's link is a good start.

    Chris
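
The rule-ordering advice from tedced's post above (specific DMZ >> LAN allows first, then a DMZ >> LAN catch-all reject, then DMZ >> any) and Chris's point that LAN-initiated connections still get their DMZ-side replies through can both be seen in this added example. It is not code from the thread or from m0n0wall/pfSense; it is a small first-match, stateful rule evaluator. The LAN client address 192.168.0.50, the sample internet address 203.0.113.7 and the "DMZ to LAN syslog" allow rule are constructed assumptions for the demo.

```python
"""Added example (not from the thread or any firewall project): a tiny
first-match, stateful rule evaluator modelling the DMZ >> LAN ordering advice.
The LAN client, the internet host and the syslog allow rule are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.0.0/24")   # LAN side (gateway 192.168.0.2 in the thread)
DMZ = ipaddress.ip_network("192.168.1.0/24")   # DMZ side (gateway 192.168.1.1)
ANY = ipaddress.ip_network("0.0.0.0/0")
SERVER = "192.168.1.10"                         # DMZ web/mail server from the thread
CLIENT = "192.168.0.50"                         # assumed LAN workstation (constructed)


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet enters on: "lan" or "dmz"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                     # "pass" or "reject"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None means any destination port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """First matching rule wins; a matching pass rule records state so the
    reply half of the flow is accepted without walking the rule list again."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()          # (proto, src, sport, dst, dport) of allowed flows

    def evaluate(self, p: Packet) -> str:
        # Reply direction of an established flow: accepted by state, not by rules.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "pass (state)"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return f"{r.action} ({r.note})"
        return "block (default deny)"


# DMZ interface rules in the suggested order: specific DMZ>>LAN allows first,
# then the DMZ>>LAN catch-all reject, then the broad DMZ>>any rule.
# (The syslog allow is a hypothetical example of a "dedicated" DMZ>>LAN rule.)
GOOD_ORDER = [
    Rule("dmz", "pass", DMZ, LAN, 514, "dmz to lan syslog (assumed allow)"),
    Rule("dmz", "reject", DMZ, LAN, None, "dmz to lan catch-all"),
    Rule("dmz", "pass", DMZ, ANY, None, "dmz to any"),
    Rule("lan", "pass", LAN, DMZ, 80, "lan to dmz web"),
    Rule("lan", "pass", LAN, DMZ, 5900, "lan to dmz vnc"),
]

# Same rules, but the catch-all reject sits after DMZ>>any and is never reached.
BAD_ORDER = [GOOD_ORDER[0], GOOD_ORDER[2], GOOD_ORDER[1]] + GOOD_ORDER[3:]


def run(rules):
    """Verdicts for the scenarios discussed in the thread, in order."""
    fw = Firewall(rules)
    return {
        "dmz_to_internet": fw.evaluate(Packet("dmz", SERVER, 40000, "203.0.113.7", 80)),
        "dmz_to_lan_vnc": fw.evaluate(Packet("dmz", SERVER, 40001, CLIENT, 5900)),
        "lan_to_dmz_web": fw.evaluate(Packet("lan", CLIENT, 50123, SERVER, 80)),
        # reply half of the LAN->DMZ web connection, arriving on the DMZ interface
        "dmz_reply_to_lan": fw.evaluate(Packet("dmz", SERVER, 80, CLIENT, 50123)),
    }


if __name__ == "__main__":
    for name, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(name)
        for scenario, verdict in run(rules).items():
            print(f"  {scenario:18} {verdict}")
```

With the good ordering the DMZ server reaches the internet, is rejected when it tries to open VNC to the LAN, and the reply to a LAN-initiated web request is passed by state rather than hitting the catch-all reject. With the reject placed after DMZ >> any, the DMZ-to-LAN VNC attempt is passed by the broad rule, which is exactly the hole the ordering advice avoids.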



  • Thanks guys, I will check out Perry's link. Thanks Perry.
    Yeah, I just want to secure the DMZ from the LAN, but still need some access. I will investigate opening up certain services that I need.
    Cheers.



  • @Perry:

    might help you out http://doc.m0n0.ch/handbook/examples.html

    Helped a treat!



  • OK, getting there…
    I can access this from the LAN but not the DMZ, even when I give the DMZ access to all.
    ftp://ftp.bom.gov.au/anon/gen/fwo/IDV17101.txt Is it a port issue? Works on LAN though. :-\



  • search the forum for 'FTP-Helper'

    Chris



  • @jahonix:

    search the forum for 'FTP-Helper'

    Chris

    You, my friend, are a champ! Disabled the FTP helper and away it goes ;D
    Thanks mate. ;)

