 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  "'P B'" <pjb141 at hotmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Rule Confirmation / Access from outside local network
 Date:  Wed, 11 Feb 2004 14:28:49 +0100
> -----Original Message-----
> From: P B [mailto:pjb141 at hotmail dot com]
> Hi,
> 
> I am a former Smoothwall/IPcop user and have moved to m0n0wall (an excellent
> solution, thanks Manuel) from release 27. I have a fairly typical setup
> comprising the following:
> 
> WAN interface - Ethernet ADSL modem
> LAN interface - 192.168.10.1/255.255.255.0
> DMZ interface - 192.168.20.1/255.255.255.0 - single Clarkconnect box running
> e-mail/web servers
> 
> I was using NMAP from the Clarkconnect box to check for open ports, and
> discovered that I could scan the boxes on the LAN interface (not a good
> thing!).
> 
> I reviewed the rules I set up when I configured m0n0wall and discovered that
> I had entered a DMZ -> any rule (not appreciating that this would also allow
> access to the LAN).
> 
> I have now modified the rules to lock down the configuration, but would
> appreciate comments on my revised setup:
> 
> 1. Inbound NAT for ports 25, 80, 143 and 443 to the same ports on my NAT'd
> server IP (192.168.20.2) - allowing automatic addition of the firewall rules
> for the same
> 
> 2. Retain the default LAN -> any rule
> 
> Now the crucial one:
> 
> Action: PASS
> Interface: DMZ
> Protocol: any
> Source: DMZ subnet
> Destination: *NOT* LAN subnet
> 
> (i.e. DMZ can access everything EXCEPT the LAN subnet)
> 
> Is there a better solution without limiting ports/protocols?

It is definitely better than DMZ -> any, which does exactly what it says :-)

Maybe you should check which ports are needed by your server and only open
them up (smtp only, maybe ftp for updates I guess?).

> 
> One other query:
> 
> How can I allow machines on my LAN interface to access the DMZ server via
> the domain name (i.e. http://www.domain.com rather than via
> http://192.168.20.2)? I am running Gallery which can be configured to use
> EITHER the www.domain.com name OR the 192.168.20.2 IP address. Using the
> domain name I can't access Gallery from my LAN, with the IP address it can't
> be accessed from the outside world!
> 
> Thanks,
> Peter

Use the DNS forwarder and add the 'www' host on the domain 'domain.com' and
wait for your clients to clear their cache. It should work.

In the archives, you will find a more detailed explanation...

Regards,
Joachim
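The rule change discussed in this thread, modelled as a small first-match policy evaluator so the effect of "DMZ -> any" versus "DMZ -> *NOT* LAN subnet" can be checked directly. This is an added example, not code from the thread or from m0n0wall; the subnets are the poster's, while the rule representation, the probing host 192.168.10.5, the internet address 203.0.113.9, the probed port 445 and the tightened port set {25, 21, 53} are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Networks from the original post; the rule model and port lists below are
# a constructed illustration, not m0n0wall's own filter code.
LAN = ip_network("192.168.10.0/24")
DMZ = ip_network("192.168.20.0/24")
ANY = ip_network("0.0.0.0/0")


def rule(action, src, dst, dst_negated=False, ports=None):
    """One pass/block rule on the DMZ interface; ports=None means any port."""
    return {"action": action, "src": src, "dst": dst,
            "dst_negated": dst_negated, "ports": ports}


def matches(r, src_ip, dst_ip, dport):
    if ip_address(src_ip) not in r["src"]:
        return False
    in_dst = ip_address(dst_ip) in r["dst"]
    if in_dst == r["dst_negated"]:  # "*NOT* LAN subnet" inverts the test
        return False
    return r["ports"] is None or dport in r["ports"]


def evaluate(ruleset, src_ip, dst_ip, dport):
    """First matching rule wins; no match falls through to the default block."""
    for r in ruleset:
        if matches(r, src_ip, dst_ip, dport):
            return r["action"]
    return "block"


# The rule the poster originally had: DMZ -> any (which also reaches the LAN).
ORIGINAL = [rule("pass", DMZ, ANY)]
# The revised rule from the post: DMZ subnet -> *NOT* LAN subnet.
REVISED = [rule("pass", DMZ, LAN, dst_negated=True)]
# Joachim's suggestion taken one step further: only the ports the server
# needs outbound. The set {25, 21, 53} is an assumption for illustration.
TIGHTENED = [rule("pass", DMZ, LAN, dst_negated=True, ports={25, 21, 53})]


def scan_attempt(ruleset):
    """The NMAP case from the post: DMZ host probing a LAN box (constructed: port 445)."""
    return evaluate(ruleset, "192.168.20.2", "192.168.10.5", 445)


if __name__ == "__main__":
    for name, rs in [("original", ORIGINAL), ("revised", REVISED),
                     ("tightened", TIGHTENED)]:
        print(f"{name:9s} DMZ->LAN scan: {scan_attempt(rs)}, "
              f"DMZ->internet smtp: {evaluate(rs, '192.168.20.2', '203.0.113.9', 25)}")
```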
