Locking down DMZ and LAN



    Hi guys,

    I want to solicit your expert opinion regarding the lockdown rules I've created based on http://doc.pfsense.org/index.php/Example_basic_configuration . I have yet to put the boxes (pfSense, FTP and MAIL) into production. I have an FTP server and a Mail server on the DMZ and an Active Directory in my LAN, and the following are the rules:

    Outbound LAN

    1. Allow TCP 80 (HTTP) from LAN subnet to anywhere
    2. Allow TCP 443 (HTTPS) from LAN subnet to anywhere
    3. Allow TCP 21 (FTP) from LAN subnet to anywhere
    4. Allow TCP 22 (SSH) from LAN subnet to anywhere
    5. Allow TCP 25 (SMTP) from LAN subnet to anywhere
    6. Allow TCP/UDP 53 (DNS) from LAN subnet to IP of primary DNS server
    7. Allow TCP/UDP 53 (DNS) from LAN subnet to IP of secondary DNS server
    8. Allow TCP 110 (POP3) from LAN subnet to anywhere
    9. Allow TCP 143 (IMAP) from LAN subnet to anywhere
    10. Allow TCP 465 (SMTP-SSL) from LAN subnet to anywhere
    11. Allow TCP 995 (POP3-SSL) from LAN subnet to anywhere

    Outbound DMZ

    1. Allow TCP 80 (HTTP) from DMZ subnet to anywhere # Enabled only when updating
    2. Allow TCP/UDP 53 (DNS) from DMZ subnet to IP of primary DNS server
    3. Allow TCP/UDP 53 (DNS) from DMZ subnet to IP of secondary DNS server
    4. Allow UDP 123 (NTP) from DMZ subnet to IP of remote time server

    The following are my apprehensions:

    1. Will these rules suffice?
    2. Will the LAN clients be able to access the mail and FTP on the DMZ if these rules are implemented?
    3. Will the LAN clients still be able to use popular IMs such as Yahoo, MSN and Skype?
    4. Will the FTP and MAIL services on my DMZ still be accessible to the outside world?
    5. How can I further lock it down?
    6. If a Site-to-Site VPN is implemented, do I need additional rules?

    TIA

    Jan



    1. Only you can say ;) I'd allow 123/UDP to the pfSense host from both LAN and DMZ and make the pfSense host the timeserver.
    2. Yes
    3. Probably not
    4. If you port forward to those services
    5. Restrict by destination (say by only allowing LAN clients to access email services on the DMZ, not the entire Internet)
    6. Depends on how you implement the VPN. There is no way to filter OpenVPN right now, but IPsec can be filtered.
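As an added illustration (not code from the thread, from pfSense, or from either poster), the following Python model replays both rule lists with pfSense semantics: rules are evaluated top-down on the interface the packet enters, the first match wins, and anything unmatched falls through to the default deny. It answers questions 2, 3 and 5 above mechanically, and contrasts the posted LAN list with the reply's "restrict by destination" hardening plus its NTP-to-pfSense suggestion. All addresses, the DMZ host IPs and the sample IM port are constructed assumptions; WAN-side port forwards (question 4) and stateful reply traffic are not modelled.

```python
"""Offline model of the two posted rule lists with pfSense semantics:
per-interface lists, top-down, first match wins, implicit deny at the end.
Added example; addresses below are constructed, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPNet = ipaddress.IPv4Network

# Constructed addresses, assumed for illustration only (not from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("10.0.0.0/24")
FTP_SRV, MAIL_SRV = "10.0.0.5", "10.0.0.6"          # hypothetical DMZ hosts
PFSENSE_LAN, PFSENSE_DMZ = "192.168.1.1", "10.0.0.1"  # pfSense interface IPs
DNS1, DNS2 = "198.51.100.1", "198.51.100.2"          # "primary/secondary DNS"
NTP_REMOTE = "192.0.2.123"                           # "remote time server"


def host(ip: str) -> IPNet:
    """A /32 'destination = this IP' network, like a single-host alias."""
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    proto: str                   # "tcp", "udp" or "tcp/udp"
    dport: int                   # destination port
    src: IPNet                   # "LAN subnet" / "DMZ subnet"
    dst: Optional[IPNet] = None  # None means "anywhere"
    enabled: bool = True         # a pfSense rule can exist but be disabled

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        if not self.enabled or dport != self.dport:
            return False
        if self.proto != "tcp/udp" and self.proto != proto:
            return False
        if ipaddress.ip_address(src_ip) not in self.src:
            return False
        return self.dst is None or ipaddress.ip_address(dst_ip) in self.dst


def allowed(ruleset: Dict[str, List[Rule]], iface: str, proto: str,
            src_ip: str, dst_ip: str, dport: int) -> bool:
    """First matching rule on the ingress interface wins; every rule here is a
    pass rule, so 'any match' equals 'first match'. No match -> default deny."""
    return any(r.matches(proto, src_ip, dst_ip, dport)
               for r in ruleset.get(iface, []))


# The lists exactly as posted, in the posted order.
ORIGINAL = {
    "LAN": [
        Rule("tcp", 80, LAN_NET), Rule("tcp", 443, LAN_NET),
        Rule("tcp", 21, LAN_NET), Rule("tcp", 22, LAN_NET),
        Rule("tcp", 25, LAN_NET),
        Rule("tcp/udp", 53, LAN_NET, host(DNS1)),
        Rule("tcp/udp", 53, LAN_NET, host(DNS2)),
        Rule("tcp", 110, LAN_NET), Rule("tcp", 143, LAN_NET),
        Rule("tcp", 465, LAN_NET), Rule("tcp", 995, LAN_NET),
    ],
    "DMZ": [
        Rule("tcp", 80, DMZ_NET, enabled=False),  # "enabled only when updating"
        Rule("tcp/udp", 53, DMZ_NET, host(DNS1)),
        Rule("tcp/udp", 53, DMZ_NET, host(DNS2)),
        Rule("udp", 123, DMZ_NET, host(NTP_REMOTE)),
    ],
}

# The reply's hardening: FTP and mail from the LAN only to the DMZ servers,
# and NTP from both segments to the pfSense box, which then serves time.
HARDENED = {
    "LAN": [
        Rule("tcp", 80, LAN_NET), Rule("tcp", 443, LAN_NET),
        Rule("tcp", 21, LAN_NET, host(FTP_SRV)),
        Rule("tcp", 22, LAN_NET),
        *[Rule("tcp", p, LAN_NET, host(MAIL_SRV)) for p in (25, 110, 143, 465, 995)],
        Rule("tcp/udp", 53, LAN_NET, host(DNS1)),
        Rule("tcp/udp", 53, LAN_NET, host(DNS2)),
        Rule("udp", 123, LAN_NET, host(PFSENSE_LAN)),
    ],
    "DMZ": [
        Rule("tcp", 80, DMZ_NET, enabled=False),
        Rule("tcp/udp", 53, DMZ_NET, host(DNS1)),
        Rule("tcp/udp", 53, DMZ_NET, host(DNS2)),
        Rule("udp", 123, DMZ_NET, host(PFSENSE_DMZ)),
    ],
}

if __name__ == "__main__":
    client = "192.168.1.10"
    for label, rs in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(label,
              "LAN->DMZ smtp:", allowed(rs, "LAN", "tcp", client, MAIL_SRV, 25),
              "LAN->Internet smtp:", allowed(rs, "LAN", "tcp", client, "203.0.113.7", 25),
              "LAN->IM tcp/5050:", allowed(rs, "LAN", "tcp", client, "203.0.113.7", 5050))
```

The run shows why the reply answers "yes" to question 2 and "probably not" to question 3: FTP and mail ports to the DMZ hosts match the "to anywhere" rules, while an IM client on a port outside the list falls through to the default deny. It also shows the cost of the "to anywhere" destinations, which let a LAN host relay mail to any Internet SMTP server; the hardened list keeps the DMZ access while closing that path.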
