On 9/21/06, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 9/21/06, Neil Schneider <telecomneil at gmail dot com> wrote:
> > I'm setting up a Soekris 4801 with the latest download (1.2). I want
> > to create a default rule for the DMZ. I'm using the following rule for
> > the DMZ interface.
> > Proto  Source   Port  Destination  Port  Description
> > *      DMZ net  *     ! LAN net    *     DMZ -> any
> > Is this a proper default rule for the DMZ?
> Yes. Ideally you'll want to restrict more than this, but this is a
> good start.
I have specific rules on the DMZ interface, like these.
Proto  Source   Port         Destination  Port         Description
TCP    LAN net  HTTP         172.16.0.10  80           LAN -> DMZ
TCP    LAN net  HTTPS        172.16.0.10  443          LAN -> DMZ
TCP    LAN net  SMTP         172.16.0.10  25           LAN -> DMZ
TCP    LAN net  FTP          172.16.0.10  21           LAN -> DMZ
TCP    LAN net  20           172.16.0.10  20           LAN -> DMZ
TCP    LAN net  49152-65535  172.16.0.10  49152-65535  LAN -> DMZ
If I leave off this rule:
*      DMZ net  *            ! LAN net    *            DMZ -> any
Will that work properly, allowing my LAN clients to access the
services I choose (HTTP, HTTPS, SMTP, FTP, etc.), but denying access to
other services like MSQL?
> > I presume the default
> > without this rule would be to disallow all connections to or from the
> > DMZ. Is my presumption correct?
> Not allow anything outbound from the DMZ. Anything permitted from the
> LAN, WAN, or any other interface into the DMZ would be permitted, and
> reply traffic to that would be permitted by the state table.
So am I setting up the rules on the wrong interface? I have the
default allow rule for the LAN net. Does something else restrict
access to the DMZ? Or, do I need to set up a rule on the LAN interface
that says !DMZ net?
Thanks for your responses.
Neil Schneider <telecomneil at gmail dot com>
Don't use this account for personal email, I don't check it often. If
you want to contact me directly use pacneil at linux geek dot net
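The point Chris makes in the quoted reply is that rules are evaluated on the interface the traffic enters, so whatever the LAN interface permits into the DMZ is permitted, and only the replies come back through the state table. The following Python model is an added example, not code from the thread or from pfSense: it encodes the rule tables exactly as Neil listed them (source ports included), applies first-match-wins on the ingress interface with an implicit block at the end, and shows which rule actually decides a LAN host's connection to the DMZ. The LAN and DMZ address ranges, the service-name-to-port mapping, and the sample connections are constructed assumptions; the thread only names 172.16.0.10.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed example ranges; the thread only names the DMZ host 172.16.0.10.
NETS = {
    "LAN net": ip_network("192.168.1.0/24"),   # assumed LAN range
    "DMZ net": ip_network("172.16.0.0/24"),    # assumed DMZ range
}

PortRange = Optional[Tuple[int, int]]          # None stands for "*" (any port)


def port(spec: str) -> PortRange:
    """Parse a port column: '*', '80', '49152-65535', or a service name."""
    names = {"HTTP": 80, "HTTPS": 443, "SMTP": 25, "FTP": 21}  # assumed mapping
    if spec == "*":
        return None
    if spec in names:
        return (names[spec], names[spec])
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


@dataclass
class Rule:
    iface: str            # interface the rule is attached to (traffic entering it)
    proto: str            # "TCP", "UDP" or "*"
    src: str              # alias name ("LAN net"), literal IP, or "*"
    sport: PortRange
    dst: str
    dport: PortRange
    dst_negated: bool = False   # the "!" in "! LAN net"
    action: str = "pass"

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        if spec == "*":
            return True
        if spec in NETS:
            return ip_address(addr) in NETS[spec]
        return ip_address(addr) == ip_address(spec)

    @staticmethod
    def _port_match(rng: PortRange, p: int) -> bool:
        return rng is None or rng[0] <= p <= rng[1]

    def matches(self, pkt) -> bool:
        iface, proto, src, sport, dst, dport = pkt
        if iface != self.iface or self.proto not in ("*", proto):
            return False
        dst_ok = self._addr_match(self.dst, dst)
        if self.dst_negated:
            dst_ok = not dst_ok
        return (self._addr_match(self.src, src) and dst_ok
                and self._port_match(self.sport, sport)
                and self._port_match(self.dport, dport))


def evaluate(rules, pkt) -> str:
    """First matching rule on the ingress interface wins; no match means block."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "block"


def neil_rules():
    """Neil's tables as posted: the LAN -> DMZ rules sit on the DMZ interface,
    and the stock allow-all rule is still present on LAN."""
    rules = [Rule("LAN", "*", "LAN net", None, "*", None)]      # default LAN allow
    for sp, dp in [("HTTP", "80"), ("HTTPS", "443"), ("SMTP", "25"),
                   ("FTP", "21"), ("20", "20"), ("49152-65535", "49152-65535")]:
        rules.append(Rule("DMZ", "TCP", "LAN net", port(sp), "172.16.0.10", port(dp)))
    rules.append(Rule("DMZ", "*", "DMZ net", None, "LAN net", None, dst_negated=True))
    return rules


# Packet tuples: (ingress interface, proto, src ip, src port, dst ip, dst port).
LAN_TO_DMZ_DB = ("LAN", "TCP", "192.168.1.5", 40000, "172.16.0.10", 3306)  # constructed
LAN_TO_DMZ_WEB = ("LAN", "TCP", "192.168.1.5", 40001, "172.16.0.10", 80)
DMZ_TO_LAN = ("DMZ", "TCP", "172.16.0.10", 40002, "192.168.1.5", 22)
DMZ_TO_INTERNET = ("DMZ", "TCP", "172.16.0.10", 40003, "198.51.100.1", 53)

if __name__ == "__main__":
    rules = neil_rules()
    for name, pkt in [("LAN->DMZ db", LAN_TO_DMZ_DB), ("LAN->DMZ web", LAN_TO_DMZ_WEB),
                      ("DMZ->LAN ssh", DMZ_TO_LAN), ("DMZ->Internet", DMZ_TO_INTERNET)]:
        print(f"{name:14} {evaluate(rules, pkt)}")
    # Without the LAN allow-all rule, nothing on LAN consults the DMZ-side rules.
    print("LAN->DMZ web, no LAN rules:", evaluate(rules[1:], LAN_TO_DMZ_WEB))
```

Running it shows the LAN host reaching the database port on 172.16.0.10 because the LAN interface's allow-all rule decides that packet first; the rules on the DMZ interface are never consulted for traffic entering on LAN. Traffic originating in the DMZ is the only thing the `! LAN net` rule governs: the connection to the LAN host is blocked by the implicit deny, the connection to the Internet passes. With the LAN allow-all rule removed, even the HTTP connection is blocked, since no LAN-side rule matches it.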