 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Do I have to add both NAT and LAN/DMZ rules for external access?
 Date:  Thu, 7 Jun 2007 18:07:27 -0400
On 6/7/07, Frank Tarczynski <ftarz at mindspring dot com> wrote:
> I'm new to m0n0wall and still learning.  I'm moving from IPCop to m0n0wall
> and need some help in translating rules.
> I have 4 external SMTP servers that forward mail to me, so I want to open
> port 25 to them.
> I tried creating these rules for my DMZ segment:
> Proto    Source                         Port    Destination     Port            Description
> *                RFC 1918 networks      *       *                       *               Block private networks
> TCP              XXX.XXX.XXX.XXX        *     25 (SMTP)       SMTP
> TCP              XXX.XXX.XXX.XXX        *     25 (SMTP)       SMTP
> TCP              XXX.XXX.XXX.XXX        *     25 (SMTP)       SMTP
> TCP              XXX.XXX.XXX.XXX        *     25 (SMTP)       SMTP
> as this is all I would need with IPCop.  But still all SMTP connections
> were blocked.

You need both NAT and firewall rules. NAT tells the traffic where to
go, the rules tell it what to allow to pass through those

> So I figured I need to add this to my NAT rules:
> Firewall: NAT: Inbound
> If      Proto   Ext. port range         NAT IP          Int. port range
> WAN     TCP             25 (SMTP)          25 (SMTP)
> and now my SMTP connections were allowed.
> But then it appeared that m0n0wall added this in my DMZ rules:
> TCP              *                              *     25 (SMTP)       NAT

If you're opening it from the Internet, it would be in your WAN rules, not DMZ.

You should just delete that rule and just use the 4 allow rules you
showed above. You don't want to create any block rules on a firewall
unless you cannot accomplish what you're attempting without them. Be
as specific as possible in your permit rules, and let everything else
hit the default deny bit bucket. This is true of all firewalls.
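An added model of the point in this reply (not code from the thread or from m0n0wall itself): inbound NAT rewrites the destination, and the rules on the interface the packet arrives on decide what passes, first match with default deny. The mail server address and the four sender addresses are constructed placeholders standing in for the redacted values.

```python
# Added example: a small model of how inbound NAT and per-interface
# firewall rules combine. Addresses are constructed; MAIL_SERVER is a
# placeholder for the NAT IP that was redacted in the original post.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAIL_SERVER = "10.0.1.25"   # placeholder for the internal SMTP host
SMTP_SENDERS = ["192.0.2.10", "198.51.100.20", "203.0.113.30", "203.0.113.40"]

@dataclass
class Rule:
    iface: str    # interface the rule is attached to: "WAN" or "DMZ"
    proto: str    # "TCP", "UDP" or "*"
    src: str      # "*" or a CIDR such as "192.0.2.10/32"
    dport: int
    action: str   # "pass" or "block"

@dataclass
class Firewall:
    nat: dict = field(default_factory=dict)    # (iface, proto, ext_port) -> (ip, port)
    rules: list = field(default_factory=list)

    def evaluate(self, iface, proto, src, dport):
        # Inbound NAT runs first; without a mapping the packet stays addressed
        # to the WAN interface itself, so it can never reach the mail server.
        dst = self.nat.get((iface, proto, dport), ("WAN_ADDRESS", dport))
        # Only rules on the arrival interface are consulted, first match wins,
        # and a packet that matches nothing hits the default deny.
        for r in self.rules:
            if r.iface != iface or r.proto not in (proto, "*") or r.dport != dport:
                continue
            if r.src != "*" and ip_address(src) not in ip_network(r.src):
                continue
            return (r.action, dst)
        return ("block", dst)

def dmz_rules_only():
    # The original attempt: allow rules on DMZ, no NAT. Inbound mail arrives
    # on WAN, so the DMZ rules are never consulted and the packet is dropped.
    fw = Firewall(rules=[Rule("DMZ", "TCP", s + "/32", 25, "pass") for s in SMTP_SENDERS])
    return fw.evaluate("WAN", "TCP", SMTP_SENDERS[0], 25)

def nat_with_auto_rule():
    # NAT plus an any-source pass rule: every host on the Internet reaches port 25.
    fw = Firewall(nat={("WAN", "TCP", 25): (MAIL_SERVER, 25)},
                  rules=[Rule("WAN", "TCP", "*", 25, "pass")])
    return fw.evaluate("WAN", "TCP", "203.0.113.99", 25)

def nat_with_specific_rules():
    # NAT plus four source-specific pass rules on WAN and no block rule:
    # the listed senders pass, anyone else falls through to default deny.
    fw = Firewall(nat={("WAN", "TCP", 25): (MAIL_SERVER, 25)},
                  rules=[Rule("WAN", "TCP", s + "/32", 25, "pass") for s in SMTP_SENDERS])
    return (fw.evaluate("WAN", "TCP", SMTP_SENDERS[0], 25),
            fw.evaluate("WAN", "TCP", "203.0.113.99", 25))
```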