Please check my setup plus couple questions

tedced

I'd restrict traffic from DMZ >> LAN

create any allow rules you want for DMZ >> LAN
then create a reject rule that catches everything else DMZ >> LAN

place them before your DMZ >> ANY rule

tedced

Because I have my web server on the DMZ do I need an allow rule on the WAN as well as the DMZ as I have done?
No, you do not need the rule on the DMZ for outsiders to use your site
What is the best way to setup access to the server on the DMZ from the LAN interface?
it depends on how you want to access it; setup rules for HTTP, SMTP, RDP, POP etc…
How I can I access my website from my LAN via its domain name like www.domain.com when it is hosted on the dmz?
Do you have an internal DNS server? The easiest way would be to have an internal DNS server point to the 192.168.1.10 address of your server
I would like my server on the DMZ to be able to access the internet for updates etc, is the rule correct? Works but is it to open?
"Works but is it to open" Thats bang on. Just allow through what you need too.

jahonix

You have to NAT port 465 and not 25 if that's what you're using for SMTP.

Similar for your RDP. If you want it externally on 1609 you have to NAT it to 5900 internally.
But then you have to allow traffic on the WAN interface at 1609 since that is what the interface 'sees'.

Chris

far_ken_beauty

@jahonix:

You have to NAT port 465 and not 25 if that's what you're using for SMTP.

Similar for your RDP. If you want it externally on 1609 you have to NAT it to 5900 internally.
But then you have to allow traffic on the WAN interface at 1609 since that is what the interface 'sees'.

Chris

Well spotted I have change port 465 to 25  ;)

I have VNC running on custom port 1609 ;) I have chnaged WAN rule accordingly.
Well spotted

far_ken_beauty

@tedced:

Because I have my web server on the DMZ do I need an allow rule on the WAN as well as the DMZ as I have done?
No, you do not need the rule on the DMZ for outsiders to use your site
What is the best way to setup access to the server on the DMZ from the LAN interface?
it depends on how you want to access it; setup rules for HTTP, SMTP, RDP, POP etc…
How I can I access my website from my LAN via its domain name like www.domain.com when it is hosted on the dmz?
Do you have an internal DNS server? The easiest way would be to have an internal DNS server point to the 192.168.1.10 address of your server
I would like my server on the DMZ to be able to access the internet for updates etc, is the rule correct? Works but is it to open?
"Works but is it to open" Thats bang on. Just allow through what you need too.

Thankyou I have removed the extra rule on the DMZ.

I will try a few rules for access to the server. I need to access a share as well as vnc.

I don't have an internal DNS but could set one up on the server.

As for having access for the server on the DMZ i will try a few rules. Any suggestions. Source ip of machine on port 80 to port 80 for web access?

Many thanks.

far_ken_beauty

@tedced:

I'd restrict traffic from DMZ >> LAN

create any allow rules you want for DMZ >> LAN
then create a reject rule that catches everything else DMZ >> LAN

place them before your DMZ >> ANY rule

Will try thanks.

far_ken_beauty

@tedced:

I'd restrict traffic from DMZ >> LAN

create any allow rules you want for DMZ >> LAN
then create a reject rule that catches everything else DMZ >> LAN

place them before your DMZ >> ANY rule

I am having a few issues sorting out rules so that DMZ can only access internet and not LAN.
I want the LAN to access the DMZ although.
Any pointers?

Perry

might help you out http://doc.m0n0.ch/handbook/examples.html

jahonix

@far_ken_beauty:

I am having a few issues sorting out rules so that DMZ can only access internet and not LAN.

This is rather easy: on the DMZ create a rule that drops (or rejects) all packets with destination LAN.

@far_ken_beauty:

I want the LAN to access the DMZ although.

;-)
So you don't want to disable DMZ -> LAN completely as stated above!
Usually we have a two way communication. LAN sends a request to DMZ and DMZ answers to LAN. The latter conflicts with  'DMZ can only access the internet' …

Create dedicated rules for the services you want to have access to.
Following Perry's link is a good start.

Chris

far_ken_beauty

Thanks guys I will check out Perrys link. Thanks Perry.
Yeah I just want to secure the DMZ from the LAN, but still need some access. I will investigate opening up certain services that I need.
Cheers.

far_ken_beauty

@Perry:

might help you out http://doc.m0n0.ch/handbook/examples.html

Helped a treat!

far_ken_beauty

Ok getting there…....
I can access this from the LAN but not DMZ even when I give DMZ access to all.
ftp://ftp.bom.gov.au/anon/gen/fwo/IDV17101.txt a port issue? Works on LAN though. :-\

jahonix

search the forum for 'FTP-Helper'

Chris

far_ken_beauty

@jahonix:

search the forum for 'FTP-Helper'

Chris

You my friend are a champ! Disable the ftp helper and away it goes ;D
Thanks mate. ;)