Netgate Discussion Forum

    Locking down DMZ and LAN

    Category: Firewalling. 2 posts, 2 posters, 2.3k views.
    jan.gestre:

      Hi guys,

      I want to solicit your expert opinion regarding the lockdown rules I've created based on http://doc.pfsense.org/index.php/Example_basic_configuration . I have yet to put the boxes (pfSense, FTP and MAIL) into production. I have an FTP server and a Mail server on the DMZ and an Active Directory server in my LAN. The following are the rules:

      Outbound LAN

      1. Allow TCP 80 (HTTP) from LAN subnet to anywhere
      2. Allow TCP 443 (HTTPS) from LAN subnet to anywhere
      3. Allow TCP 21 (FTP) from LAN subnet to anywhere
      4. Allow TCP 22 (SSH) from LAN subnet to anywhere
      5. Allow TCP 25 (SMTP) from LAN subnet to anywhere
      6. Allow TCP/UDP 53 (DNS) from LAN subnet to IP of primary DNS server
      7. Allow TCP/UDP 53 (DNS) from LAN subnet to IP of secondary DNS server
      8. Allow TCP 110 (POP3) from LAN subnet to anywhere
      9. Allow TCP 143 (IMAP) from LAN subnet to anywhere
      10. Allow TCP 465 (SMTP-SSL) from LAN subnet to anywhere
      11. Allow TCP 995 (POP3-SSL) from LAN subnet to anywhere

      Outbound DMZ

      1. Allow TCP 80 (HTTP) from DMZ subnet to anywhere # Enabled only when updating
      2. Allow TCP/UDP 53 (DNS) from DMZ subnet to IP of primary DNS server
      3. Allow TCP/UDP 53 (DNS) from DMZ subnet to IP of secondary DNS server
      4. Allow UDP 123 (NTP) from DMZ subnet to IP of remote time server

      The following are my apprehensions:

      1. Will these rules suffice?
      2. Will the LAN clients be able to access the mail and FTP services on the DMZ if these rules are implemented?
      3. Will the LAN clients still be able to use popular IMs such as Yahoo, MSN and Skype?
      4. Will the FTP and MAIL services on my DMZ still be accessible to the outside world?
      5. How can I further lock it down?
      6. If a Site-to-Site VPN is implemented, do I need additional rules?

      TIA

      Jan

      Cry Havok:

        1. Only you can say ;) I'd allow 123/UDP to the pfSense host from both LAN and DMZ and make the pfSense host the timeserver.
        2. Yes
        3. Probably not
        4. If you port forward to those services
        5. Restrict by destination (say by only allowing LAN clients to access email services on the DMZ, not the entire Internet)
        6. Depends on how you implement the VPN. There is no way to filter OpenVPN right now, but IPSec can be filtered.
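The following is an added illustration of the two rule sets discussed in this thread; it is not code from either poster or from the pfSense project. It models the asker's outbound LAN and DMZ rules as a first-match list with an implicit default deny (the way pfSense evaluates rules on an interface tab for the packet that opens a connection; the stateful reply path is not modelled), then applies the reply's point 5 by narrowing the mail-protocol rules from "anywhere" to the DMZ mail host only. All addresses, the subnet layout and the host roles are constructed placeholders, since the thread gives none.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")

# Constructed addressing for the example (not from the thread).
LAN = ip_network("192.168.1.0/24")
DMZ = ip_network("192.168.2.0/24")
DMZ_MAIL = ip_network("192.168.2.10/32")       # assumed DMZ mail server
DMZ_FTP = ip_network("192.168.2.11/32")        # assumed DMZ FTP server
DNS1 = ip_network("203.0.113.53/32")           # placeholder primary DNS (TEST-NET-3)
DNS2 = ip_network("203.0.113.54/32")           # placeholder secondary DNS
NTP_SERVER = ip_network("203.0.113.123/32")    # placeholder remote time server


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp" or "tcp/udp"
    dport: Optional[int]  # None means any destination port
    src: IPv4Network
    dst: IPv4Network
    action: str = "pass"
    note: str = ""

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        proto_ok = self.proto == "tcp/udp" or self.proto == proto
        port_ok = self.dport is None or self.dport == dport
        return (proto_ok and port_ok
                and ip_address(src) in self.src
                and ip_address(dst) in self.dst)


def evaluate(rules, proto: str, src: str, dst: str, dport: int):
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.note
    return "block", "implicit default deny"


# The asker's outbound LAN rules, in the order given in the question.
LAN_RULES = [
    Rule("tcp", 80, LAN, ANY, note="HTTP"),
    Rule("tcp", 443, LAN, ANY, note="HTTPS"),
    Rule("tcp", 21, LAN, ANY, note="FTP"),
    Rule("tcp", 22, LAN, ANY, note="SSH"),
    Rule("tcp", 25, LAN, ANY, note="SMTP"),
    Rule("tcp/udp", 53, LAN, DNS1, note="DNS primary"),
    Rule("tcp/udp", 53, LAN, DNS2, note="DNS secondary"),
    Rule("tcp", 110, LAN, ANY, note="POP3"),
    Rule("tcp", 143, LAN, ANY, note="IMAP"),
    Rule("tcp", 465, LAN, ANY, note="SMTP-SSL"),
    Rule("tcp", 995, LAN, ANY, note="POP3-SSL"),
]

# The asker's outbound DMZ rules (rule 1 shown as enabled here).
DMZ_RULES = [
    Rule("tcp", 80, DMZ, ANY, note="HTTP (updates only)"),
    Rule("tcp/udp", 53, DMZ, DNS1, note="DNS primary"),
    Rule("tcp/udp", 53, DMZ, DNS2, note="DNS secondary"),
    Rule("udp", 123, DMZ, NTP_SERVER, note="NTP"),
]

MAIL_PORTS = {25, 110, 143, 465, 995}


def restrict_mail_to_dmz(rules):
    """Reply point 5: mail protocols reach only the DMZ mail host, not the whole Internet."""
    return [
        Rule(r.proto, r.dport, r.src, DMZ_MAIL, r.action, r.note + " (DMZ mail only)")
        if r.dport in MAIL_PORTS else r
        for r in rules
    ]


LAN_RULES_TIGHT = restrict_mail_to_dmz(LAN_RULES)

if __name__ == "__main__":
    client, mail, internet_host = "192.168.1.50", "192.168.2.10", "198.51.100.25"
    print("LAN -> DMZ mail SMTP, original:", evaluate(LAN_RULES, "tcp", client, mail, 25))
    print("LAN -> Internet SMTP, original:", evaluate(LAN_RULES, "tcp", client, internet_host, 25))
    print("LAN -> Internet SMTP, tightened:", evaluate(LAN_RULES_TIGHT, "tcp", client, internet_host, 25))
    print("LAN -> Internet TCP/5222:", evaluate(LAN_RULES, "tcp", client, "198.51.100.9", 5222))
    print("DMZ mail -> LAN SMB:", evaluate(DMZ_RULES, "tcp", mail, "192.168.1.10", 445))
```

Running the script shows why the reply answers question 2 with "yes" (a LAN client reaches the DMZ mail host under rule 5 either way) and question 3 with "probably not" (anything on a port the list does not name, such as TCP/5222, hits the implicit deny). It also shows that nothing in the DMZ rules lets a DMZ host open a connection into the LAN, which is the property a DMZ is supposed to have.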
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.