Hi, I am a former Smoothwall/IPcop user and have moved to m0n0wall (an excellent solution, thanks Manuel) from release 27.

I have a fairly typical setup comprising the following:

WAN interface - Ethernet ADSL modem
LAN interface - 192.168.10.1/255.255.255.0
DMZ interface - 192.168.20.1/255.255.255.0 - single Clarkconnect box running e-mail/web servers

I was using NMAP from the Clarkconnect box to check for open ports, and discovered that I could scan the boxes on the LAN interface (not a good thing!). I reviewed the rules I set up when I configured m0n0wall and discovered that I had entered a DMZ -> any rule (not appreciating that this would also allow access to the LAN).

I have now modified the rules to lock down the configuration, but would appreciate comments on my revised setup:

1. Inbound NAT for ports 25, 80, 143 and 443 to the same ports on my NAT'd server IP (192.168.20.2) - allowing automatic addition of the firewall rules for the same
2. Retain the default LAN -> any rule

Now the crucial one:

Action: PASS
Interface: DMZ
Protocol: any
Source: DMZ subnet
Destination: *NOT* LAN subnet (i.e. DMZ can access everything EXCEPT the LAN subnet)

Is there a better solution without limiting ports/protocols?

One other query: How can I allow machines on my LAN interface to access the DMZ server via the domain name (i.e. http://www.domain.com rather than via http://192.168.20.2)? I am running Gallery which can be configured to use EITHER the www.domain.com name OR the 192.168.20.2 IP address. Using the domain name I can't access Gallery from my LAN, with the IP address it can't be accessed from the outside world!

Thanks,
Peter
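A ruleset check, added here as an example and not taken from the post or from m0n0wall's code: a small first-match evaluator over a constructed model of the three rules above, used to confirm that DMZ -> LAN is now blocked while the other paths stay open. Interface names and addresses come from the post; the peer addresses, the tuple format and the post-translation handling of the NAT rules are assumptions.

```python
from ipaddress import ip_address, ip_network

# Addresses from the post; the rule tuples are a constructed model of the
# webGUI rule fields, not m0n0wall's own config format or filter code.
LAN = ip_network("192.168.10.0/24")
DMZ = ip_network("192.168.20.0/24")
DMZ_SERVER = ip_network("192.168.20.2/32")

# Rule tuple: (interface, src_net, dst_net, negate_dst, dst_ports, action).
# None for src/dst means "any", None for ports means all ports. Rules are
# tried top-down, first match wins; an unmatched packet is blocked.
REVISED_RULES = [
    # Auto-added by the inbound NAT entries (modelled against the internal server IP).
    ("WAN", None, DMZ_SERVER, False, {25, 80, 143, 443}, "pass"),
    # The default LAN -> any rule.
    ("LAN", LAN, None, False, None, "pass"),
    # The crucial one: DMZ subnet -> NOT LAN subnet.
    ("DMZ", DMZ, LAN, True, None, "pass"),
]
# The original ruleset differed only in its last entry: DMZ -> any.
ORIGINAL_RULES = REVISED_RULES[:2] + [("DMZ", DMZ, None, False, None, "pass")]

def evaluate(rules, iface, src, dst, dport):
    """Return 'pass' or 'block' for a packet arriving on iface."""
    src, dst = ip_address(src), ip_address(dst)
    for r_iface, r_src, r_dst, negate, ports, action in rules:
        if r_iface != iface:
            continue
        if r_src is not None and src not in r_src:
            continue
        # With negate=True the rule matches only when dst is OUTSIDE r_dst.
        if r_dst is not None and (dst in r_dst) == negate:
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "block"

def audit(rules):
    """Verdicts for the paths the post cares about (peer addresses constructed)."""
    return {
        "dmz_to_lan": evaluate(rules, "DMZ", "192.168.20.2", "192.168.10.50", 445),
        "dmz_to_internet": evaluate(rules, "DMZ", "192.168.20.2", "203.0.113.10", 25),
        "lan_to_dmz_web": evaluate(rules, "LAN", "192.168.10.50", "192.168.20.2", 80),
        "wan_to_dmz_smtp": evaluate(rules, "WAN", "198.51.100.7", "192.168.20.2", 25),
        "wan_to_dmz_ssh": evaluate(rules, "WAN", "198.51.100.7", "192.168.20.2", 22),
        # Not covered by the negation: the firewall's own DMZ-side address.
        "dmz_to_firewall": evaluate(rules, "DMZ", "192.168.20.2", "192.168.20.1", 80),
    }
```

One path the negated rule leaves open is the firewall's own DMZ-side address (192.168.20.1), so what m0n0wall itself listens on from the DMZ is worth checking separately.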