> -----Original Message-----
> From: P B [mailto:pjb141 at hotmail dot com]
>
> Hi,
>
> I am a former Smoothwall/IPcop user and have moved to m0n0wall (an excellent
> solution, thanks Manuel) from release 27. I have a fairly typical setup
> comprising the following:
>
> WAN interface - Ethernet ADSL modem
> LAN interface - 192.168.10.1/255.255.255.0
> DMZ interface - 192.168.20.1/255.255.255.0 - single Clarkconnect box running
> e-mail/web servers
>
> I was using NMAP from the Clarkconnect box to check for open ports, and
> discovered that I could scan the boxes on the LAN interface (not a good
> thing!).
>
> I reviewed the rules I set up when I configured m0n0wall and discovered that
> I had entered a DMZ -> any rule (not appreciating that this would also allow
> access to the LAN).
>
> I have now modified the rules to lock down the configuration, but would
> appreciate comments on my revised setup:
>
> 1. Inbound NAT for ports 25, 80, 143 and 443 to the same ports on my NAT'd
> server IP (192.168.20.2) - allowing automatic addition of the firewall rules
> for the same
>
> 2. Retain the default LAN -> any rule
>
> Now the crucial one:
>
> Action: PASS
> Interface: DMZ
> Protocol: any
> Source: DMZ subnet
> Destination: *NOT* LAN subnet
>
> (i.e. DMZ can access everything EXCEPT the LAN subnet)
>
> Is there a better solution without limiting ports/protocols?

It is definitely better than DMZ -> any, which does exactly what it says :-)
Maybe you should check which ports are needed by your server and only open
them up (smtp only, maybe ftp for updates I guess?).

> One other query:
>
> How can I allow machines on my LAN interface to access the DMZ server via
> the domain name (i.e. http://www.domain.com rather than via
> http://192.168.20.2)? I am running Gallery which can be configured to use
> EITHER the www.domain.com name OR the 192.168.20.2 IP address. Using the
> domain name I can't access Gallery from my LAN, with the IP address it can't
> be accessed from the outside world!
>
> Thanks,
> Peter

Use the DNS forwarder and add the 'www' host on the domain 'domain.com' and
wait for your clients to clear their cache. It should work. In the archives,
you will find a more detailed explanation...

Regards,
Joachim
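A small model of the rule evaluation discussed in this thread, added here as an example and not code from the list or from m0n0wall itself: it encodes Peter's original DMZ -> any rule and the revised DMZ -> NOT LAN subnet rule next to the LAN default and the inbound-NAT rules, and shows why the first variant let the nmap probe reach the LAN while the second still lets the server reach the internet. It assumes m0n0wall's per-interface, first-match, default-deny evaluation and that inbound NAT has rewritten the destination to the server address before filtering; the WAN-side addresses used with it are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Subnets from the thread; any WAN-side addresses used with this model are constructed samples.
LAN = ip_network("192.168.10.0/24")
DMZ = ip_network("192.168.20.0/24")
ANY = ip_network("0.0.0.0/0")
DMZ_SERVER = ip_network("192.168.20.2/32")

@dataclass(frozen=True)
class Rule:
    iface: str               # interface the packet enters on: "lan", "dmz" or "wan"
    proto: str               # "any", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dst_not: bool = False    # the "not" box on the destination field
    dports: tuple = ()       # destination ports; empty means any port
    action: str = "pass"

def matches(rule: Rule, iface: str, proto: str, src: str, dst: str, dport: int) -> bool:
    if rule.iface != iface or rule.proto not in ("any", proto):
        return False
    if ip_address(src) not in rule.src:
        return False
    # with dst_not set the destination test is inverted
    if (ip_address(dst) in rule.dst) == rule.dst_not:
        return False
    return not rule.dports or dport in rule.dports

def evaluate(rules, iface, proto, src, dst, dport) -> str:
    """First matching rule on the ingress interface wins; no match means default deny."""
    for rule in rules:
        if matches(rule, iface, proto, src, dst, dport):
            return rule.action
    return "block"

def open_ports(rules, iface, src, dst, ports=range(1, 1025)) -> list:
    """Ports a TCP probe from src would reach: the check the nmap run in the thread did."""
    return [p for p in ports if evaluate(rules, iface, "tcp", src, dst, p) == "pass"]

# Shared by both configurations: the default LAN -> any rule and the rules inbound
# NAT adds for the server (NAT has already rewritten the destination to 192.168.20.2).
COMMON = [
    Rule("lan", "any", LAN, ANY),
    Rule("wan", "tcp", ANY, DMZ_SERVER, dports=(25, 80, 143, 443)),
]
ORIGINAL = COMMON + [Rule("dmz", "any", DMZ, ANY)]                # DMZ -> any
REVISED = COMMON + [Rule("dmz", "any", DMZ, LAN, dst_not=True)]   # DMZ -> not LAN subnet
```

Running `open_ports(ORIGINAL, "dmz", "192.168.20.2", "192.168.10.5")` reproduces the full sweep Peter saw, while the same call against `REVISED` returns nothing.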