On 9/21/06, Neil Schneider <telecomneil at gmail dot com> wrote:
> I'm setting up a Soekris 4801 with the latest download (1.2). I want
> to create a default rule for the DMZ. I'm using the following rule for
> the DMZ interface.
>
> Proto   Source    Port   Destination   Port   Description
> *       DMZ net   *      ! LAN net     *      DMZ -> any
>
> Is this a proper default rule for the DMZ.

Yes. Ideally you'll want to restrict more than this, but this is a
good start.

> I presume the default
> without this rule would be to disallow all connections to or from the
> DMZ. Is my presumption correct?
>

Not allow anything outbound from the DMZ. Anything permitted from the
LAN, WAN, or any other interface into the DMZ would be permitted, and
reply traffic to that would be permitted by the state table.

-Chris
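The behaviour described in the reply above, modelled as an added example that is not part of the original thread or the firewall's own code: rules are checked on the interface a packet arrives on, anything unmatched is blocked, and replies are passed by the state table. The subnets, the LAN "allow any" rule and all names in the code are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed addressing for illustration; the original post gives no subnets.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")

# iface is the interface the packet arrives on.
Packet = namedtuple("Packet", "iface src sport dst dport")

class Firewall:
    """Toy stateful filter: rules are checked on the arrival interface,
    first match passes, no match means block (default deny)."""

    def __init__(self, rules):
        self.rules = rules      # {iface: [predicate(packet) -> bool]}
        self.states = set()     # flows created by packets that were passed

    def handle(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        if flow in self.states:
            return "pass (state)"
        if any(rule(p) for rule in self.rules.get(p.iface, [])):
            # Record the flow and its reverse so replies skip rule evaluation.
            self.states.add(flow)
            self.states.add((p.dst, p.dport, p.src, p.sport))
            return "pass (rule)"
        return "block"

def dmz_rule(p):
    # The rule from the post: source DMZ net, destination ! LAN net.
    return (ipaddress.ip_address(p.src) in DMZ_NET
            and ipaddress.ip_address(p.dst) not in LAN_NET)

def lan_rule(p):
    # Assumed LAN rule (LAN net -> any); the post does not show the LAN rules.
    return ipaddress.ip_address(p.src) in LAN_NET

def demo(with_dmz_rule=True):
    fw = Firewall({"LAN": [lan_rule], "DMZ": [dmz_rule] if with_dmz_rule else []})
    return [fw.handle(p) for p in (
        Packet("DMZ", "192.168.2.10", 40000, "203.0.113.5", 80),   # DMZ -> Internet
        Packet("DMZ", "192.168.2.10", 40001, "192.168.1.20", 22),  # DMZ -> LAN
        Packet("LAN", "192.168.1.20", 50000, "192.168.2.10", 80),  # LAN -> DMZ
        Packet("DMZ", "192.168.2.10", 80, "192.168.1.20", 50000),  # reply to the above
    )]
```

Calling `demo(with_dmz_rule=False)` shows the case asked about in the second question: new connections from the DMZ are blocked, while the LAN-initiated connection and its reply still pass.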