On 9/21/06, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 9/21/06, Neil Schneider <telecomneil at gmail dot com> wrote:
> > I'm setting up a Soekris 4801 with the latest download (1.2). I want
> > to create a default rule for the DMZ. I'm using the following rule for
> > the DMZ interface.
> >
> > Proto  Source   Port  Destination  Port  Description
> > *      DMZ net  *     ! LAN net    *     DMZ -> any
> >
> > Is this a proper default rule for the DMZ?
>
> Yes. Ideally you'll want to restrict more than this, but this is a
> good start.

I have specific rules on the DMZ interface, like these:

Proto  Source   Port         Destination  Port         Description
TCP    LAN net  HTTP         172.16.0.10  80           LAN -> DMZ
TCP    LAN net  HTTPS        172.16.0.10  443          LAN -> DMZ
TCP    LAN net  SMTP         172.16.0.10  25           LAN -> DMZ
TCP    LAN net  FTP          172.16.0.10  21           LAN -> DMZ
TCP    LAN net  20           172.16.0.10  20           LAN -> DMZ
TCP    LAN net  49152-65535  172.16.0.10  49152-65535  LAN -> DMZ

If I leave off this rule:

*      DMZ net  *            ! LAN net    *            DMZ -> any

Will that work properly, allowing my LAN clients to access the services I
choose (HTTP, HTTPS, SMTP, FTP etc.), but denying access to other services
like MSQL?

> > I presume the default
> > without this rule would be to disallow all connections to or from the
> > DMZ. Is my presumption correct?
> >
>
> Not allow anything outbound from the DMZ. Anything permitted from the
> LAN, WAN, or any other interface into the DMZ would be permitted, and
> reply traffic to that would be permitted by the state table.

So am I setting up the rules on the wrong interface? I have the default
allow rule for the LAN net. Does something else restrict access to the
DMZ? Or, do I need to set up a rule on the LAN interface that says !DMZ
net?

Thanks for your responses.

--
Neil Schneider
telecomneil at gmail dot com
Don't use this account for personal email, I don't check it often.
If you want to contact me directly use pacneil at linux geek dot net instead.