 
 From:  "Neil Schneider" <telecomneil at gmail dot com>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] rules for DMZ
 Date:  Thu, 21 Sep 2006 14:51:38 -0700
On 9/21/06, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 9/21/06, Neil Schneider <telecomneil at gmail dot com> wrote:
> > I'm setting up a Soekris 4801 with the latest  download (1.2). I want
> > to create a default rule for the DMZ. I'm using the following rule for
> > the DMZ interface.
> >
> > Proto   Source    Port   Destination   Port   Description
> > *       DMZ net   *      ! LAN net     *      DMZ -> any
> >
> > Is this a proper default rule for the DMZ?
>
> Yes.  Ideally you'll want to restrict more than this, but this is a
> good start.

I have specific rules on the DMZ interface, like these.

Proto  Source   Port         Destination  Port         Description
TCP    LAN net  HTTP         172.16.0.10  80           LAN -> DMZ
TCP    LAN net  HTTPS        172.16.0.10  443          LAN -> DMZ
TCP    LAN net  SMTP         172.16.0.10  25           LAN -> DMZ
TCP    LAN net  FTP          172.16.0.10  21           LAN -> DMZ
TCP    LAN net  20           172.16.0.10  20           LAN -> DMZ
TCP    LAN net  49152-65535  172.16.0.10  49152-65535  LAN -> DMZ

If I leave off this rule:
*      DMZ net  *            ! LAN net    *            DMZ -> any

Will that work properly, allowing my LAN clients to access the
services I choose (HTTP, HTTPS, SMTP, FTP, etc.) but denying access to
other services like MSQL?
>
> > I presume the default
> > without this rule would be to disallow all connections to or from the
> > DMZ. Is my presumption correct?
> >
>
> Not allow anything outbound from the DMZ.  Anything permitted from the
> LAN, WAN, or any other interface into the DMZ would be permitted, and
> reply traffic to that would be permitted by the state table.

So am I setting up the rules on the wrong interface? I have the
default allow rule for the LAN net. Does something else restrict
access to the DMZ? Or, do I need to set up a rule on the LAN interface
that says !DMZ net?

Thanks for your responses.

-- 

Neil Schneider    telecomneil at gmail dot com

Don't use this account for personal email; I don't check it often. If
you want to contact me directly, use pacneil at linux geek dot net
instead.
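As an added illustration (not from the thread and not m0n0wall's own code), here is a small Python model of how stateful per-interface rules decide traffic. It assumes m0n0wall's behaviour of filtering a packet on the interface it enters, first matching rule wins, unmatched traffic is blocked, and the state table passes replies; the 192.168.1.0/24 LAN, the 203.0.113.9 "internet" host and all ports are constructed, while 172.16.0.10 is the DMZ host from the thread.

```python
import ipaddress
from collections import namedtuple

# Constructed sample addressing; 172.16.0.10 is the DMZ host named in the thread.
NETS = {"LAN net": ipaddress.ip_network("192.168.1.0/24"),
        "DMZ net": ipaddress.ip_network("172.16.0.0/24")}

# iface = interface the packet ENTERS on; src/dst = "*", "LAN net", "DMZ net", "! LAN net"
Rule = namedtuple("Rule", "iface proto src dst dport")

def net_match(spec, addr):
    if spec == "*":
        return True
    negate = spec.startswith("!")
    return (ipaddress.ip_address(addr) in NETS[spec.lstrip("! ")]) != negate

def iface_of(addr):
    for name, net in NETS.items():
        if ipaddress.ip_address(addr) in net:
            return name.split()[0]          # "LAN" or "DMZ"
    return "WAN"

class Firewall:
    def __init__(self, rules):
        self.rules, self.states = rules, set()

    def packet(self, proto, src, sport, dst, dport):
        # Replies to an established flow pass via the state table, no rule lookup.
        if (proto, dst, dport, src, sport) in self.states:
            return "pass"
        iface = iface_of(src)
        # First matching rule on the entry interface wins; no match means block.
        for r in self.rules:
            if (r.iface == iface and r.proto in ("*", proto) and net_match(r.src, src)
                    and net_match(r.dst, dst) and r.dport in ("*", str(dport))):
                self.states.add((proto, src, sport, dst, dport))
                return "pass"
        return "block"

THREAD_RULES = [Rule("LAN", "*", "LAN net", "*", "*"),            # LAN default allow
                Rule("DMZ", "*", "DMZ net", "! LAN net", "*")]    # DMZ -> any but LAN

def demo(rules=THREAD_RULES):
    fw = Firewall(rules)
    return {
        "lan_to_dmz_http": fw.packet("TCP", "192.168.1.5", 40000, "172.16.0.10", 80),
        "dmz_reply_http": fw.packet("TCP", "172.16.0.10", 80, "192.168.1.5", 40000),
        "dmz_to_lan_3306": fw.packet("TCP", "172.16.0.10", 5000, "192.168.1.5", 3306),
        "dmz_to_internet": fw.packet("TCP", "172.16.0.10", 5001, "203.0.113.9", 80),
        "lan_to_dmz_3306": fw.packet("TCP", "192.168.1.5", 40001, "172.16.0.10", 3306),
    }
```

Under this model the LAN default-allow rule, not anything on the DMZ tab, decides which DMZ services LAN clients reach; a rule with source "LAN net" placed on the DMZ interface is never consulted for LAN-originated packets.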