Checking my DMZ for any security issues.
-
Hi,
I have finally set up my DMZ where I can access the internet; however, I am not sure it is entirely secure yet. Any help would be great.
LAN 192.168.1.1/24
DMZ 192.168.2.1/24
Currently I can ping DMZ from LAN and also I can still ping LAN from DMZ (I obviously need to fix this.)
I am using a NAT outbound rule to gain internet access on my DMZ; is this OK? I have seen a tutorial that made a virtual IP linked to the DMZ and used NAT 1:1.
Rules as per attached images.
Basically, I just want a secure DMZ where I can access the DMZ from LAN BUT NOT access the LAN from DMZ.
Thanks
Any advice would be great.
-
You are only blocking TCP traffic from DMZ to LAN.
I would also add a rule blocking IPv4 any to This Firewall (self) below some pass rules for anything on pfSense that you want DMZ to be able to access (like DNS, perhaps).
You probably want to limit DNS to specific DNS servers. You can make an alias like dmz_dns_servers to make this easier to maintain and use it as the destination for your rule.
General rule: pass specifically what you want then block all.
And using reject instead of block can make connections fail immediately instead of having to wait for them to time out.
-
You are only blocking TCP traffic from DMZ to LAN.
I would also add a rule blocking IPv4 any to This Firewall (self) below some pass rules for anything on pfSense that you want DMZ to be able to access (like DNS, perhaps)
Done all the things you said.
You probably want to limit DNS to specific DNS servers. You can make an alias like dmz_dns_servers to make this easier to maintain and use it as the destination for your rule.
So with this, I make a Host alias with both my DNS IPs and then set the destination in the DNS rule to the alias?
Cheers
-
That's what I would do. Depends on how much you want to limit what the DMZ hosts can do. Seems pretty harmless to limit them to known DNS servers, though I was assuming you were telling them to use servers maybe on LAN or pfSense itself.
-
That's what I would do. Depends on how much you want to limit what the DMZ hosts can do. Seems pretty harmless to limit them to known DHCP Servers, though I was assuming you were telling them to use servers maybe on LAN or pfSense itself.
Did what you recommended. Does that also mean I have to point to my DNS on every machine on my DMZ? Because my machine on the DMZ would not work until I did (though I think that was before I did this step).
Is there anything else I can do to lock down my DMZ even more without restricting SSH, HTTP, HTTPS and DNS?
Cheers
-
Yes, if you block access to DNS servers except a specific set, your hosts need to be using the passed addresses for DNS.
In general: only pass traffic you need to have passed to destinations it needs to pass to and block everything else.
Post up another screenshot of the DMZ rules so we can see your handiwork.
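The two pieces of advice in this thread (the DMZ block rule only covers TCP, and the general "pass specifically what you want, then block all" ordering) come down to how pfSense evaluates interface rules: top to bottom, first match wins, with an implicit default deny at the end. The script below is an added example, not code from the thread or from pfSense. It models a DMZ-interface ruleset as data and walks a handful of constructed flows through the "original" ruleset (a single TCP-only block followed by an allow-all) and through a hardened one built the way the replies describe. The LAN and DMZ networks are the ones from the opening post; the DNS server addresses behind the dmz_dns_servers alias, the firewall's assumed WAN address, the 203.0.113.10 internet host and the exact rule list are assumptions for illustration.

```python
"""First-match-wins evaluation of a pfSense-style DMZ interface ruleset.

Added example (not from the original thread). Rules are evaluated top-down,
first match wins, and anything unmatched hits the implicit default deny,
which is how pfSense processes interface rules. Addresses below are the
thread's LAN/DMZ ranges plus assumed values for DNS servers, WAN and an
internet host.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # from the thread
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")   # from the thread
# "This Firewall (self)": every address pfSense owns. The LAN and DMZ gateway
# addresses are from the thread; the WAN address is assumed.
FIREWALL_SELF = {ipaddress.ip_address(a) for a in ("192.168.1.1", "192.168.2.1", "198.51.100.2")}
# The dmz_dns_servers alias suggested in the thread; these two addresses are assumed.
DMZ_DNS_SERVERS = {ipaddress.ip_address(a) for a in ("9.9.9.9", "149.112.112.112")}


@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass", "block" or "reject"
    proto: str                       # "any", "tcp", "udp" or "icmp"
    dst: object                      # ip_network, or a set of addresses (alias / self)
    dports: frozenset = frozenset()  # empty set = any destination port
    desc: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.proto != "any" and self.proto != flow.proto:
            return False
        # `in` works for both an ip_network and a set of ip_address objects.
        if ipaddress.ip_address(flow.dst) not in self.dst:
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        return True


def evaluate(rules, flow: Flow):
    """Return (action, description) of the first matching rule, else the default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.desc
    return "block", "implicit default deny"


# Roughly the opening post's situation: one TCP-only block to LAN, then allow everything.
ORIGINAL_RULES = [
    Rule("block", "tcp", LAN_NET, desc="block DMZ to LAN (TCP only)"),
    Rule("pass", "any", ANY, desc="allow anything else out"),
]

# Built the way the replies describe: pass exactly what is needed, then block all.
# Rejects are used for the internal destinations so DMZ clients fail fast instead of timing out.
HARDENED_RULES = [
    Rule("pass", "udp", DMZ_DNS_SERVERS, frozenset({53}), "DNS to dmz_dns_servers"),
    Rule("pass", "tcp", DMZ_DNS_SERVERS, frozenset({53}), "DNS over TCP to dmz_dns_servers"),
    Rule("reject", "any", LAN_NET, desc="reject DMZ to LAN net (all protocols)"),
    Rule("reject", "any", FIREWALL_SELF, desc="reject DMZ to This Firewall (self)"),
    Rule("pass", "tcp", ANY, frozenset({80, 443}), "HTTP/HTTPS out (add 22 if DMZ hosts need SSH out)"),
    Rule("block", "any", ANY, desc="block everything else"),
]

# Constructed probe flows from a DMZ host at 192.168.2.10.
PROBE_FLOWS = {
    "ssh DMZ->LAN":      Flow("tcp",  "192.168.2.10", "192.168.1.20", 22),
    "snmp DMZ->LAN":     Flow("udp",  "192.168.2.10", "192.168.1.20", 161),
    "ping DMZ->LAN":     Flow("icmp", "192.168.2.10", "192.168.1.20"),
    "dns to allowed":    Flow("udp",  "192.168.2.10", "9.9.9.9", 53),
    "dns to other":      Flow("udp",  "192.168.2.10", "8.8.8.8", 53),
    "https to internet": Flow("tcp",  "192.168.2.10", "203.0.113.10", 443),
    "https to firewall": Flow("tcp",  "192.168.2.10", "192.168.2.1", 443),
}


def audit(rules):
    """Map each probe flow name to the action the ruleset takes on it."""
    return {name: evaluate(rules, flow)[0] for name, flow in PROBE_FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("hardened", HARDENED_RULES)):
        print(label)
        for name, flow in PROBE_FLOWS.items():
            action, desc = evaluate(rules, flow)
            print(f"  {name:18s} -> {action:6s} ({desc})")
```

Run it and compare the two tables: with the original ruleset the TCP block stops SSH but UDP and ICMP to the LAN, DNS to any resolver, and HTTPS to the firewall itself all pass; with the hardened ruleset only DNS to the alias members and web traffic to non-internal destinations pass, and everything toward the LAN or the firewall is rejected before the broader pass rule is reached. The order matters: if the "HTTP/HTTPS out" pass were placed above the two rejects, it would also match LAN and firewall destinations.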
-
Post up another screenshot of the DMZ rules so we can see your handiwork.
Here is the latest.
Also my NAT port forwarding is attached. I only have HTTP & HTTPS forwarded to the server.
Cheers