I am a former Smoothwall/IPCop user and have moved to m0n0wall (an excellent
solution, thanks Manuel) from release 27. I have a fairly typical setup
comprising the following:
WAN interface - Ethernet ADSL modem
LAN interface - 192.168.10.1/255.255.255.0
DMZ interface - 192.168.20.1/255.255.255.0 - single Clarkconnect box running
I was using NMAP from the Clarkconnect box to check for open ports, and
discovered that I could scan the boxes on the LAN interface (not a good
I reviewed the rules I set up when I configured m0n0wall and discovered that
I had entered a DMZ -> any rule (not appreciating that this would also allow
access to the LAN).
I have now modified the rules to lock down the configuration, but would
appreciate comments on my revised setup:
1. Inbound NAT for ports 25, 80, 143 and 443 to the same ports on my NAT'd
server IP (192.168.20.2) - allowing automatic addition of the firewall rules
for the same
2. Retain the default LAN -> any rule
Now the crucial one:
Source: DMZ subnet
Destination: *NOT* LAN subnet
(i.e. DMZ can access everything EXCEPT the LAN subnet)
Is there a better solution without limiting ports/protocols?
One other query:
How can I allow machines on my LAN interface to access the DMZ server via
the domain name (i.e. http://www.domain.com rather than via
http://192.168.20.2)? I am running Gallery which can be configured to use
EITHER the www.domain.com name OR the 192.168.20.2 IP address. Using the
domain name I can't access Gallery from my LAN, with the IP address it can't
be accessed from the outside world!
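The rule change described in the post, modelled as an added Python example so the before/after behaviour can be checked against a few constructed packets instead of by re-running the scan. This is illustration code, not m0n0wall's own code or the poster's real configuration. It assumes m0n0wall's first-match, implicit-default-deny rule evaluation, that the rules auto-added for the inbound NAT entries match the internal address 192.168.20.2 (rules are applied after NAT), and it uses made-up outside addresses from documentation ranges; the probe list and interface names are constructed for the example.

```python
"""Model of the two m0n0wall rule sets discussed in the post.

Added illustration, not m0n0wall code or the poster's configuration.
Assumptions: first-match evaluation with an implicit default deny, and
that the inbound NAT entries produced pass rules on WAN whose destination
is the internal address 192.168.20.2 on TCP 25/80/143/443.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network

LAN = ipaddress.ip_network("192.168.10.0/24")
DMZ = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ_SERVER = ipaddress.ip_network("192.168.20.2/32")


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface the packet arrives on
    src: IPNet
    dst: IPNet
    dst_negated: bool = False    # True models the "not" box on the destination
    dport: Optional[int] = None  # None = any port
    note: str = ""


def rule_matches(rule: Rule, iface: str, src: str, dst: str, dport: int) -> bool:
    """Does this rule match a packet arriving on iface from src to dst:dport?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if rule.iface != iface or s not in rule.src:
        return False
    dst_hit = d in rule.dst
    if rule.dst_negated:          # "NOT LAN subnet": match everything outside it
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(rules, iface, src, dst, dport):
    """Return (action, note) of the first matching rule; unmatched -> block."""
    for r in rules:
        if rule_matches(r, iface, src, dst, dport):
            return r.action, r.note
    return "block", "implicit default deny"


# Rules present in both the old and the revised configuration.
WAN_NAT_RULES = [Rule("pass", "wan", ANY, DMZ_SERVER, dport=p, note=f"NAT tcp/{p}")
                 for p in (25, 80, 143, 443)]
LAN_RULE = Rule("pass", "lan", LAN, ANY, note="LAN -> any (default)")

# The original mistake and the revised rule.
OLD_DMZ_RULE = Rule("pass", "dmz", DMZ, ANY, note="DMZ -> any")
NEW_DMZ_RULE = Rule("pass", "dmz", DMZ, LAN, dst_negated=True, note="DMZ -> !LAN subnet")

OLD_RULESET = WAN_NAT_RULES + [LAN_RULE, OLD_DMZ_RULE]
NEW_RULESET = WAN_NAT_RULES + [LAN_RULE, NEW_DMZ_RULE]

# Constructed probes: (description, arriving iface, src, dst, dport).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
PROBES = [
    ("Clarkconnect scans a LAN host", "dmz", "192.168.20.2", "192.168.10.5", 22),
    ("DMZ server fetches from the Internet", "dmz", "192.168.20.2", "203.0.113.7", 80),
    ("DMZ host reaches the firewall's DMZ address", "dmz", "192.168.20.2", "192.168.20.1", 80),
    ("Internet reaches the web server", "wan", "198.51.100.9", "192.168.20.2", 80),
    ("Internet tries SSH on the web server", "wan", "198.51.100.9", "192.168.20.2", 22),
    ("LAN user browses the DMZ server", "lan", "192.168.10.5", "192.168.20.2", 80),
]


def compare(rulesets=None):
    """Return {probe description: (action under old rules, action under new rules)}."""
    rulesets = rulesets or {"old": OLD_RULESET, "new": NEW_RULESET}
    out = {}
    for desc, iface, src, dst, dport in PROBES:
        out[desc] = tuple(evaluate(rulesets[k], iface, src, dst, dport)[0]
                          for k in ("old", "new"))
    return out


if __name__ == "__main__":
    for desc, (old, new) in compare().items():
        print(f"{desc:45s} old={old:5s} new={new}")
```

The first probe is the scan from the post: it passes under "DMZ -> any" and is blocked under "DMZ -> !LAN subnet", while the DMZ server's own outbound traffic and the NAT'd inbound ports are unaffected. The third probe is the check worth adding to the poster's list: a negated-destination rule still passes DMZ traffic to 192.168.20.1, the firewall's own address on that segment, so if nothing on the firewall should be reachable from the DMZ an explicit block rule for that address has to sit above the pass rule. An equivalent and arguably more readable layout is a "block DMZ -> LAN subnet" rule placed above a plain "DMZ -> any" pass rule, which relies on the same first-match ordering. For the second question, the standard approach is split DNS: have LAN clients resolve www.domain.com to 192.168.20.2 (a local DNS override or hosts entry) while the public DNS keeps the WAN address, so Gallery can be configured with the domain name alone.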