[ previous ] [ next ] [ threads ]
 
 From:  "Chet Harvey" <chet at pittech dot com>
 To:  "Christian Hjalmarsson" <christian at hjalmarsson dot net>, "m0n0wall at lists dot m0n0 dot ch"
 Subject:  Rv: [m0n0wall] DMZ
 Date:  Tue, 20 Apr 2004 10:23:05 -0100
A DMZ is a seperate network from your LAN that should be locked down tight
as it is exposed to the internet. As a rule of thumb ANY box that sits in a
DMZ should be patched with the latest security fixes. Also any AND all
unnecessary daemons should be disabled.

Here is a link with a decent explaination of DMZ's:

http://www.pittech.com/dmz.htm


That said, as for firewall rules you should allow out only the ports needed
from a server to the web.

Example:

Outbound rules:

webserverA allow port 80 out
webserverB allow port 443 out

NAT rules:

NAT IP to webserverA
NAT IP to webserverB

Inbound rules:

allow 80 from any to webserverA
allow 443 from any to webserverB

Now as for your LAN segment to the DMZ rules:

allow ANY on LAN to DMZ (you can go crazy and allow only port level access
here also)

DENY ALL from DMZ to LAN


--------- Mensagem Original --------
From: Christian Hjalmarsson <christian at hjalmarsson dot net>
To: m0n0wall at lists dot m0n0 dot ch <m0n0wall at lists dot m0n0 dot ch>
Subject: [m0n0wall] DMZ
Date: 20/04/04 07:36

>
> How do I conf a DMZ network
> How shall the rules look like ?
> Need as much info as you can get me :)
>
> --
> Best regards,
> Christian
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>
>
>
>
>
>