 From:  "Quark IT - Hilton Travis" <Hilton at quarkit dot com dot au>
 To:  "NHEM Vichika" <nhemvichika dot rsa at gmail dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Host in DMZ cannot use service at LAN.
 Date:  Wed, 29 Nov 2006 08:21:48 +1000
Hi NHEM,

By opening up http access to your LAN, you have effectively negated the protection that running a
DMZ will offer - you have basically opened your LAN up to the world.

The idea of a DMZ is to host Internet-accessible servers in.  You now have Internet-accessible
servers in your LAN.  You could easily do away with the DMZ and just run these services in your LAN
as you no longer have any extra protection as would have been provided by a properly configured
network.

--

Regards,

Hilton Travis                          Phone: +61 (0)7 3344 3889
(Brisbane, Australia)                  Phone: +61 (0)419 792 394
Manager, Quark IT                      http://www.quarkit.com.au
         Quark AudioVisual             http://www.quarkav.net

War doesn't determine who is right.  War determines who is left.

This document and any attachments are for the intended recipient 
  only.  It may contain confidential, privileged or copyright 
     material which must not be disclosed or distributed.

                    Quark Group Pty. Ltd.
      T/A Quark Automation, Quark AudioVisual, Quark IT

> -----Original Message-----
> From: NHEM Vichika [mailto:nhemvichika dot rsa at gmail dot com]
> Sent: Friday, 24 November 2006 12:31 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] Host in DMZ cannot use service at LAN.
> 
> Hi
> I'm one of m0n0wall's lovers. Now I've got a problem: "Host in DMZ zone cannot
> access the services (ex. http...) in LAN zone".
> I've followed your manual but it doesn't work. I have downloaded m0n0wall
> 1.22 and 1.23b1, and I have tested both versions; it does not work.
> Or I missed some instructions.
> Here are my steps:
> 
> 
> LAN (192.168.0.0/24)--------(.252)[m0n0wall](.250)-------DMZ (192.168.10.0/24)
>                                                         |
>                                                         |--------{Internet}
> 
> Client (192.168.10.240) from DMZ cannot access HTTP server (apache2,
> 192.168.0.199) in LAN zone.
> I have added NAT inbound like below:
> 
> -------------------------------------------------------------------------------------------
> If    Proto   Ext. port range   NAT IP          Int. port range   Description
> DMZ   TCP     80 (HTTP)         192.168.0.199   80 (HTTP)         Allow http to www Server
> -------------------------------------------------------------------------------------------
> 
> and also a rule on my DMZ interface:
> 
> -------------------------------------------------------------------------------------------
> Proto   Source   Port   Destination     Port       Description
> TCP     *        *      192.168.0.199   HTTP(80)   NAT Allow http to www Server
> -------------------------------------------------------------------------------------------
> 
> Please help me.
> best regards,
> 
> NHEM Vichika
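
The concern raised in the reply can be checked mechanically. The following is an added example, not part of the original thread and not m0n0wall code: it flags pass rules on a non-LAN interface whose destination lies in the LAN subnet. The `Rule` structure, the function names and the second sample rule are assumptions made for illustration; the subnets and the first rule come from the quoted message.

```python
import ipaddress
from dataclasses import dataclass

# Zone layout taken from the diagram in the quoted message.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.0.0/24"),
    "DMZ": ipaddress.ip_network("192.168.10.0/24"),
}

@dataclass
class Rule:  # hypothetical rule record, not m0n0wall's config schema
    iface: str   # interface the rule is attached to (traffic entering here)
    proto: str
    src: str     # "*" or an address/CIDR
    dst: str     # "*" or an address/CIDR
    dport: str   # "*" or a port number
    descr: str = ""

def _net(spec):
    """Return the network for an address/CIDR, or None for the '*' wildcard."""
    return None if spec == "*" else ipaddress.ip_network(spec, strict=False)

def trusted_zone_findings(rules, zones=ZONES, trusted="LAN"):
    """List pass rules on non-trusted interfaces that can reach the trusted zone."""
    findings = []
    for r in rules:
        if r.iface == trusted:
            continue
        dst = _net(r.dst)
        # A wildcard destination covers the trusted zone as well.
        if dst is not None and not dst.overlaps(zones[trusted]):
            continue
        src, zone_net = _net(r.src), zones.get(r.iface)
        # True when the source is wider than the interface's own subnet.
        wide = src is None or (zone_net is not None and not src.subnet_of(zone_net))
        findings.append({"rule": r.descr, "iface": r.iface, "reaches": r.dst,
                         "port": r.dport, "source_not_limited_to_zone": wide})
    return findings

# Constructed rule set: the first entry mirrors the DMZ rule quoted above,
# the second is a hypothetical rule that stays inside the DMZ.
RULES = [
    Rule("DMZ", "TCP", "*", "192.168.0.199", "80", "NAT Allow http to www Server"),
    Rule("DMZ", "TCP", "192.168.10.0/24", "192.168.10.5", "25", "hypothetical intra-DMZ rule"),
]

if __name__ == "__main__":
    for finding in trusted_zone_findings(RULES):
        print(finding)
```
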