 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] DMZ by IP?
 Date:  Sun, 5 Dec 2004 19:43:58 -0500
On Sun, 05 Dec 2004 17:00:27 -0500, Max Khitrov <mkhitrov at umd dot edu> wrote:
> How would all my servers be accessible from the outside if many ports
> aren't forwarded? I'll have a bunch of services running like mail, http,
> ftp, ssh, vnc, and a number of others. 

Open 25, 80, 21, 22, and 5900.  FTP will be more difficult than the
rest; see this: http://wiki.m0n0.ch/wikka.php?wakka=PassiveFTP

Yeah it'll require a few inbound NAT rules.  

> In either case, this just seems to be like an easy thing to do, so maybe
> a feature for the next release? Basically in NAT forwarding create an
> ability to specify if a port is not forwarded to any specific host, then
> in should go to the default one. Just a thought...

What's the point of a firewall if you're going to open all the ports
unconditionally?  You have nothing more than a NAT box at that point. 
That's a really bad idea, but you could use inbound NAT with ranges to
accomplish that now.
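As an added illustration (not part of this thread and not m0n0wall's own code or configuration format), the following script models a set of inbound NAT rules as port ranges, works out which ports each internal host ends up exposing, and flags the two things the reply above warns about: a catch-all range that turns the firewall into a plain NAT box, and range rules that overlap earlier, more specific forwards. Rule layout, the 192.0.2.x addresses, and the 1024-port warning threshold are all constructed for the example.

```python
# Added example, not from the original mailing-list post or from m0n0wall.
# Models inbound NAT (port-forward) rules as external port ranges mapped to
# an internal host, then reports the resulting exposure per host and flags
# "forward everything to one box" rules. The rule fields, addresses and
# threshold below are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    proto: str          # "tcp" or "udp"
    port_lo: int        # first external port of the range
    port_hi: int        # last external port of the range (inclusive)
    target: str         # internal host that receives the forwarded traffic


MAX_PORT = 65535
# Constructed threshold: one rule covering more ports than this is treated
# as a "DMZ host" style catch-all rather than a per-service forward.
RANGE_WARN = 1024


def exposed_ports(rules):
    """Return {target: {proto: set(ports)}} for every forwarded port."""
    exposure = {}
    for r in rules:
        if not (1 <= r.port_lo <= r.port_hi <= MAX_PORT):
            raise ValueError(f"bad port range in rule {r}")
        per_host = exposure.setdefault(r.target, {})
        per_host.setdefault(r.proto, set()).update(range(r.port_lo, r.port_hi + 1))
    return exposure


def summarize(rules):
    """Per host and protocol, how many external ports reach it."""
    return {host: {proto: len(ports) for proto, ports in protos.items()}
            for host, protos in exposed_ports(rules).items()}


def dmz_like_rules(rules, threshold=RANGE_WARN):
    """Rules whose range is wide enough to behave like 'forward everything'."""
    return [r for r in rules if (r.port_hi - r.port_lo + 1) > threshold]


def overlapping_rules(rules):
    """Pairs of same-protocol rules whose external ranges overlap.

    In many NAT implementations the first matching rule wins (an assumption,
    not a statement about m0n0wall), so the later rule's target may never
    see that traffic; overlaps are worth reviewing either way."""
    hits = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.proto == b.proto and a.port_lo <= b.port_hi and b.port_lo <= a.port_hi:
                hits.append((a, b))
    return hits


# Constructed sample policy: explicit per-service forwards, as the reply
# recommends, plus one catch-all rule of the kind it warns against.
SAMPLE_RULES = [
    NatRule("tcp", 25, 25, "192.0.2.10"),        # mail
    NatRule("tcp", 80, 80, "192.0.2.10"),        # http
    NatRule("tcp", 22, 22, "192.0.2.11"),        # ssh
    NatRule("tcp", 5900, 5900, "192.0.2.11"),    # vnc
    NatRule("tcp", 1, 65535, "192.0.2.20"),      # "DMZ by IP" catch-all
]


if __name__ == "__main__":
    for host, counts in summarize(SAMPLE_RULES).items():
        print(host, counts)
    for r in dmz_like_rules(SAMPLE_RULES):
        print("catch-all rule exposes the whole host:", r)
    for a, b in overlapping_rules(SAMPLE_RULES):
        print("overlapping ranges, review ordering:", a, "<->", b)
```

Running it shows the two service hosts exposing two ports each while the catch-all target exposes all 65535, and lists the four per-service forwards whose ranges the catch-all overlaps.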