 From:  "P B" <pjb141 at hotmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Rule Confirmation / Access from outside local network
 Date:  Wed, 11 Feb 2004 03:54:00 +0000
Hi,

I am a former Smoothwall/IPcop user and have moved to m0n0wall (an excellent 
solution, thanks Manuel) from release 27. I have a fairly typical setup 
comprising the following:

WAN interface - Ethernet ADSL modem
LAN interface - 192.168.10.1/255.255.255.0
DMZ interface - 192.168.20.1/255.255.255.0 - single Clarkconnect box running 
e-mail/web servers

I was using NMAP from the Clarkconnect box to check for open ports, and 
discovered that I could scan the boxes on the LAN interface (not a good 
thing!).

I reviewed the rules I set up when I configured m0n0wall and discovered that 
I had entered a DMZ -> any rule (not appreciating that this would also allow 
access to the LAN).

I have now modified the rules to lock down the configuration, but would 
appreciate comments on my revised setup:

1. Inbound NAT for ports 25, 80, 143 and 443 to the same ports on my NAT'd 
server IP (192.168.20.2) - allowing automatic addition of the firewall rules 
for the same

2. Retain the default LAN -> any rule

Now the crucial one:

Action: PASS
Interface: DMZ
Protocol: any
Source: DMZ subnet
Destination: *NOT* LAN subnet

(i.e. DMZ can access everything EXCEPT the LAN subnet)

Is there a better solution without limiting ports/protocols?

One other query:

How can I allow machines on my LAN interface to access the DMZ server via 
the domain name (i.e. http://www.domain.com rather than via 
http://192.168.20.2)? I am running Gallery which can be configured to use 
EITHER the www.domain.com name OR the 192.168.20.2 IP address. Using the 
domain name I can't access Gallery from my LAN, with the IP address it can't 
be accessed from the outside world!

Thanks,
Peter

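Editor's note: the following is an added illustration, not part of Peter's message and not m0n0wall code. It models top-down, first-match rule evaluation (the order m0n0wall applies its rule list in) over the rulesets discussed above: the original DMZ -> any rule, the revised rule with a negated LAN destination, and the equivalent explicit block-then-pass pair, plus the same pair in the wrong order. Subnets and host addresses are taken from the post; the probe traffic and helper names (Rule, evaluate, audit) are constructed for the example. The model ignores NAT, state tracking and any rules the firewall adds on its own.

```python
"""Model of first-match firewall rule evaluation for the DMZ policy in the thread.
Added illustration only: not m0n0wall code, and it ignores NAT, state tracking
and any rules the firewall adds on its own."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

# Subnets and hosts from the post.
LAN_SUBNET = ipaddress.ip_network("192.168.10.0/24")
DMZ_SUBNET = ipaddress.ip_network("192.168.20.0/24")
DMZ_GATEWAY = "192.168.20.1"          # m0n0wall's own address on the DMZ interface
WEB_SERVER = "192.168.20.2"           # the Clarkconnect box
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network = ANY
    dst_negate: bool = False             # True models the "NOT" option on the destination
    dport: Optional[int] = None          # None means any port

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
                dport: Optional[int]) -> bool:
        if src not in self.src:
            return False
        # With NOT set, the rule matches only destinations outside self.dst.
        if (dst in self.dst) == self.dst_negate:
            return False
        return self.dport is None or self.dport == dport


def evaluate(rules: Sequence[Rule], src: str, dst: str,
             dport: Optional[int] = None, default: str = "block") -> str:
    """Walk the list top down; the first matching rule decides. No match: default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, dport):
            return rule.action
    return default


# 1. The rule Peter originally had: DMZ -> any, which also reaches the LAN.
ORIGINAL = [Rule("pass", DMZ_SUBNET)]

# 2. The revised rule from the post: DMZ subnet -> NOT LAN subnet.
REVISED = [Rule("pass", DMZ_SUBNET, LAN_SUBNET, dst_negate=True)]

# 3. The same policy as an explicit block ahead of a pass-any. Order matters:
#    with the pass-any first, the block rule is never reached.
EXPLICIT = [Rule("block", DMZ_SUBNET, LAN_SUBNET), Rule("pass", DMZ_SUBNET)]
MISORDERED = [Rule("pass", DMZ_SUBNET), Rule("block", DMZ_SUBNET, LAN_SUBNET)]

# Constructed probe traffic, all sourced from the DMZ web server
# (what an nmap run from that box would try).
PROBES: Dict[str, Tuple[str, int]] = {
    "lan_host": ("192.168.10.5", 139),      # a workstation on the LAN
    "internet": ("203.0.113.10", 80),       # an outside host (documentation range)
    "firewall_dmz": (DMZ_GATEWAY, 80),      # the firewall's own DMZ address
}


def audit(rules: Sequence[Rule], probes: Dict[str, Tuple[str, int]] = PROBES) -> Dict[str, str]:
    """Return the verdict for each probe under the given ruleset."""
    return {name: evaluate(rules, WEB_SERVER, dst, port) for name, (dst, port) in probes.items()}


if __name__ == "__main__":
    for label, rules in [("original", ORIGINAL), ("revised", REVISED),
                         ("explicit", EXPLICIT), ("misordered", MISORDERED)]:
        print(f"{label:11s} {audit(rules)}")
```

Running the audit shows that the negated rule and the explicit block-then-pass pair give identical verdicts, that the pass-any rule placed first re-opens the LAN, and that neither form stops the DMZ host from reaching the firewall's own DMZ address (192.168.20.1 is not in the LAN subnet, so "NOT LAN subnet" still matches it); if that matters, a separate block rule for the firewall's DMZ address, or a deliberate pass for only the services it should offer, has to be added ahead of the pass rule. The second question in the post is the usual split-DNS situation: LAN clients need www.domain.com to resolve to 192.168.20.2 while outside clients get the WAN address.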