 From:  "Ernesto Vega" <ernesvega at gmail dot com>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] LAN, WAN, DMZ
 Date:  Fri, 7 Apr 2006 11:45:40 -0400
2006/4/6, Chris Buechler <cbuechler at gmail dot com>:
> On 4/6/06, Ernesto Vega <ernesvega at gmail dot com> wrote:
> >
> > LAN: 10.1.1.1
> > WAN: 2xx.xxx.xxx.138
> > DMZ: 192.168.100.1
> > server1: 192.168.100.2 (1:1 NAT to 2xx.xxx.xxx.140)
> >
>
> looks fine.
>
>
> >

> > IP(2xx.xxx.xxx.140).
> >
>
> From the Internet or inside the network?
>
>

> > outside.
> >
>
> If you remove the 1:1 NAT temporarily, can that host get out to the Internet?
>

Yes, I can. But I cannot access the host server1 from the internet on
its public IP.

>
> > Where do i put my rules ??? WAN or DMZ interface ??
> >
>
> On the interface where the traffic to be filtered is entering.  i.e.
> outbound traffic from DMZ is affected by rules on the DMZ interface.
> Inbound traffic originating from the Internet is affected by rules on
> the WAN interface (not including reply traffic to connections sourced
> within your networks, which are let through by the state table).
>


I stop it I can reach out to the internet but not the other way. Given
the fact that NAT occurs prior to firewalling, my rules are:

WAN

PROTO | SOURCE        | PORT | DESTINATION   | PORT
*     | *             | *    | 192.168.100.2 | *


DMZ

PROTO | SOURCE        | PORT | DESTINATION   | PORT
*     | 192.168.100.2 | *    | *             | *


What am I doing wrong???

Should I use static routes instead of NAT???

ernesto
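The two points made in this thread, that rules are evaluated on the interface where traffic enters and that 1:1 NAT rewrites the destination before the WAN rules see the packet (with replies passed by the state table), can be checked against a small model. The following is an added illustration written for this archive page, not m0n0wall code: it is a simplified packet filter with the thread's addresses, the public prefix kept as the placeholder "2xx.xxx.xxx", and constructed Internet addresses from the documentation ranges. It shows why the WAN rule has to name the private address 192.168.100.2 rather than the public one.

```python
from dataclasses import dataclass

# Constructed addressing taken from the thread; the public prefix is a placeholder.
PUBLIC_SERVER1 = "2xx.xxx.xxx.140"
DMZ_SERVER1 = "192.168.100.2"
ONE_TO_ONE_NAT = {PUBLIC_SERVER1: DMZ_SERVER1}  # external address -> DMZ host


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ENTERS on: "WAN", "DMZ" or "LAN"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    """One pass rule in the thread's table layout: PROTO | SOURCE | PORT | DESTINATION | PORT."""
    iface: str
    proto: str = "*"
    src: str = "*"
    sport: str = "*"
    dst: str = "*"
    dport: str = "*"

    def matches(self, p: Packet) -> bool:
        def m(pattern, value):
            return pattern == "*" or str(pattern) == str(value)
        return (self.iface == p.iface and m(self.proto, p.proto)
                and m(self.src, p.src) and m(self.sport, p.sport)
                and m(self.dst, p.dst) and m(self.dport, p.dport))


class Firewall:
    """Simplified model: 1:1 NAT first, then state table, then per-interface rules (default deny)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()   # 5-tuples of allowed connections, kept in the post-NAT (internal) view

    def inbound_nat(self, p: Packet) -> Packet:
        # Inbound 1:1 NAT rewrites the public destination to the DMZ host before filtering.
        if p.iface == "WAN" and p.dst in ONE_TO_ONE_NAT:
            return Packet(p.iface, p.proto, p.src, p.sport, ONE_TO_ONE_NAT[p.dst], p.dport)
        return p

    def process(self, p: Packet) -> str:
        p = self.inbound_nat(p)
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.states:          # reply to a connection already allowed
            return "pass (state)"
        for r in self.rules:                # rules on the ENTERING interface only
            if r.matches(p):
                self.states.add(key)
                return "pass (rule)"
        return "block"


def rules_from_thread():
    # The two rules Ernesto posted: WAN -> 192.168.100.2, and DMZ from 192.168.100.2.
    return [Rule("WAN", dst=DMZ_SERVER1), Rule("DMZ", src=DMZ_SERVER1)]


def run_scenarios(rules):
    """Push a handful of constructed packets through the model and report the verdicts."""
    fw = Firewall(rules)
    results = {}
    # Internet client opens a connection to server1's public address.
    results["inbound_to_public_ip"] = fw.process(Packet("WAN", "tcp", "198.51.100.7", 40000, PUBLIC_SERVER1, 80))
    # server1 answers; this enters on DMZ and is matched by the state table.
    results["server1_reply"] = fw.process(Packet("DMZ", "tcp", DMZ_SERVER1, 80, "198.51.100.7", 40000))
    # server1 goes out to the Internet; the DMZ rule decides.
    results["outbound_from_server1"] = fw.process(Packet("DMZ", "tcp", DMZ_SERVER1, 50000, "203.0.113.9", 443))
    # The remote side replies to the public address; NAT maps it back and the state passes it.
    results["reply_to_server1"] = fw.process(Packet("WAN", "tcp", "203.0.113.9", 443, PUBLIC_SERVER1, 50000))
    # Unsolicited traffic to the LAN address has no WAN rule and is blocked.
    results["inbound_to_lan"] = fw.process(Packet("WAN", "tcp", "198.51.100.7", 40001, "10.1.1.1", 22))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios(rules_from_thread()).items():
        print(f"{name:24s} {verdict}")
    # A WAN rule written against the public address never matches, because NAT ran first.
    wrong = [Rule("WAN", dst=PUBLIC_SERVER1), Rule("DMZ", src=DMZ_SERVER1)]
    print("wrong-dst rule:", run_scenarios(wrong)["inbound_to_public_ip"])
```

The model deliberately leaves out outbound NAT for the 1:1 mapping and any LAN rules, so it only reproduces the ordering the thread relies on: a WAN rule whose destination is the public 2xx.xxx.xxx.140 address would never match an inbound connection, while the rule as posted (destination 192.168.100.2) does.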