Hi

> By opening up http access to your LAN, you have effectively negated the
> protection that running a DMZ will offer - you have basically opened your
> LAN up to the world.

I know the advantages of a DMZ, which gives services to the world. My reason is that I would like to test some services that are given from LAN to DMZ (stated in the m0n0wall manual, like DNS or http, other services). Is it possible?

> The idea of a DMZ is to host Internet-accessible servers in.

That's right.

> -----Original Message-----
> > From: NHEM Vichika [mailto:nhemvichika dot rsa at gmail dot com]
> > Sent: Friday, 24 November 2006 12:31 PM
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: [m0n0wall] Host in DMZ cannot use service at LAN.
> >
> > Hi
> > I'm a m0n0wall lover. Now I've got a problem: "Host in DMZ zone cannot
> > access the services (ex. http...) in LAN zone".
> > I've followed your manual but it doesn't work. I have downloaded
> > m0n0wall 1.22 and 1.23b1, and I have tested both versions; it does not work.
> > Or I missed some instructions.
> > Here are my steps:
> >
> > LAN (192.168.0.0/24)--------(.252)[m0n0wall](.250)-------DMZ (192.168.10.0/24)
> >                                        |
> >                                        |--------{Internet}
> >
> > A client (192.168.10.240) in the DMZ cannot access the HTTP server (apache2,
> > 192.168.0.199) in the LAN zone.
> > I have added inbound NAT as below:
> >
> > -------------------------------------------------------------------------------------
> > If   Proto  Ext. port range  NAT IP         Int. port range  Description
> > DMZ  TCP    80 (HTTP)        192.168.0.199  80 (HTTP)        Allow http to www Server
> > -------------------------------------------------------------------------------------
> >
> > and also a rule on my DMZ interface:
> >
> > -------------------------------------------------------------------------------------
> > Proto  Source  Port  Destination    Port      Description
> > TCP    *       *     192.168.0.199  HTTP(80)  NAT Allow http to www Server
> > -------------------------------------------------------------------------------------
> >
> > Please help me.
> > best regards,
> >
> > NHEM Vichika
>

--
NHEM Vichika
System Administrator
Royal School of Administration
#17, st. 466, Phnom Penh, Cambodia
Mobile: (855) 12 70 37 60
Phone Work: 023 726014 / 215408
Fax: (855) 23 726014
Email: nhemvichika dot rsa at gmail dot com
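
The reply quoted in this message warns that a pass rule from the DMZ into the LAN weakens the DMZ boundary. As an added example (not from the thread and not m0n0wall code), the following Python audits rule records for that exposure and shows how the posted rule compares with one narrowed to the single test client; the rule dictionary format and the finding names are assumptions, and the addresses are the ones in the post.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")   # LAN subnet from the post
DMZ = ipaddress.ip_network("192.168.10.0/24")  # DMZ subnet from the post

# Constructed rule records (hypothetical format, not m0n0wall's config schema).
RULES = [
    # The rule as posted: any source, to the LAN web server on TCP/80.
    {"iface": "DMZ", "proto": "TCP", "src": "*",
     "dst": "192.168.0.199", "port": 80},
    # Constructed variant: only the DMZ test client named in the post.
    {"iface": "DMZ", "proto": "TCP", "src": "192.168.10.240",
     "dst": "192.168.0.199", "port": 80},
]

def to_network(value):
    """Turn '*', a host address or a CIDR string into an ip_network."""
    return ipaddress.ip_network("0.0.0.0/0" if value == "*" else value,
                                strict=False)

def audit_rule(rule, lan=LAN, dmz=DMZ):
    """Return a list of findings for one pass rule on the DMZ interface."""
    findings = []
    if rule["iface"] != "DMZ":
        return findings
    src, dst = to_network(rule["src"]), to_network(rule["dst"])
    if not dst.overlaps(lan):
        return findings              # rule does not reach into the LAN
    findings.append("dmz-to-lan")    # any such rule crosses the DMZ boundary
    if not src.subnet_of(dmz):
        findings.append("source-wider-than-dmz")
    elif src.num_addresses > 1:
        findings.append("source-not-single-host")
    if dst.num_addresses > 1:
        findings.append("destination-not-single-host")
    if rule.get("port") is None:
        findings.append("all-ports")
    return findings

def audit(rules):
    """Return (index, findings) for every rule that has findings."""
    results = [(i, audit_rule(r)) for i, r in enumerate(rules)]
    return [(i, f) for i, f in results if f]

if __name__ == "__main__":
    for index, findings in audit(RULES):
        print(f"rule {index}: {', '.join(findings)}")
```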