 
 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  "'P B'" <pjb141 at hotmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Rule Confirmation / Access from outside local netw ork
 Date:  Wed, 11 Feb 2004 14:16:46 +0100
> -----Original Message-----
> From: P B [mailto:pjb141 at hotmail dot com]
> Hi,
> 
> I am a former Smoothwall/IPcop user and have moved to m0n0wall
> (an excellent solution, thanks Manuel) from release 27. I have a fairly
> typical setup comprising the following:
> 
> WAN interface - Ethernet ADSL modem
> LAN interface - 192.168.10.1/255.255.255.0
> DMZ interface - 192.168.20.1/255.255.255.0 - single Clarkconnect box
> running e-mail/web servers
> 
> I was using NMAP from the Clarkconnect box to check for open ports, and
> discovered that I could scan the boxes on the LAN interface (not a good
> thing!).
> 
> I reviewed the rules I set up when I configured m0n0wall and discovered
> that I had entered a DMZ -> any rule (not appreciating that this would
> also allow access to the LAN).
> 
> I have now modified the rules to lock down the configuration, but would
> appreciate comments on my revised setup:
> 
> 1. Inbound NAT for ports 25, 80, 143 and 443 to the same ports on my
> NAT'd server IP (192.168.20.2) - allowing automatic addition of the
> firewall rules for the same
> 
> 2. Retain the default LAN -> any rule
> 
> Now the crucial one:
> 
> Action: PASS
> Interface: DMZ
> Protocol: any
> Source: DMZ subnet
> Destination: *NOT* LAN subnet
> 
> (i.e. DMZ can access everything EXCEPT the LAN subnet)
> 
> Is there a better solution without limiting ports/protocols?

It is definitely better

> 
> One other query:
> 
> How can I allow machines on my LAN interface to access the DMZ server
> via the domain name (i.e. http://www.domain.com rather than via
> http://192.168.20.2)? I am running Gallery which can be configured to
> use EITHER the www.domain.com name OR the 192.168.20.2 IP address.
> Using the domain name I can't access Gallery from my LAN, with the IP
> address it can't be accessed from the outside world!
> 
> Thanks,
> Peter
> 
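Added example, not code from the thread or from m0n0wall itself: a small first-match rule evaluator in Python that reproduces the two rule sets Peter describes (the original "DMZ -> any" and the revised "DMZ subnet -> NOT LAN subnet") and checks what each lets a DMZ host reach. The rule representation, the implicit default deny and the sample hosts (192.168.10.50 on the LAN, 203.0.113.10 as an Internet address) are assumptions for illustration.

```python
"""Minimal first-match packet-filter model (added example, not m0n0wall code).

It shows why a 'DMZ -> any' pass rule exposes the LAN, and that the negated
destination rule from the post blocks DMZ -> LAN while keeping DMZ -> Internet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Subnets from the post; the firewall holds .1 on each.
LAN = ip_network("192.168.10.0/24")
DMZ = ip_network("192.168.20.0/24")


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: object                  # ip_network the packet must come from
    dst: Optional[object] = None # ip_network, or None meaning "any"
    dst_negate: bool = False     # True models the "NOT LAN subnet" checkbox

    def matches(self, src, dst) -> bool:
        if src not in self.src:
            return False
        if self.dst is None:
            return True
        hit = dst in self.dst
        return (not hit) if self.dst_negate else hit


def evaluate(rules, src: str, dst: str) -> str:
    """First matching rule wins; nothing matching falls to the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action
    return "block"


# Rule set Peter started with: DMZ -> any (reaches the LAN too).
ORIGINAL = [Rule("pass", DMZ)]
# Revised rule set: DMZ subnet -> NOT LAN subnet; DMZ -> LAN hits the default deny.
REVISED = [Rule("pass", DMZ, LAN, dst_negate=True)]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, "DMZ->LAN:", evaluate(rules, "192.168.20.2", "192.168.10.50"),
              "DMZ->Internet:", evaluate(rules, "192.168.20.2", "203.0.113.10"))
```

Note that the revised rule still passes traffic from the DMZ to the firewall's own DMZ address (192.168.20.1), since that address is not in the LAN subnet; a separate rule is needed if that should be restricted as well.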