> OK, I think I have this working properly! I have to get my
> test server
> configured with some additional services before I know for
> sure, but I was
> successful using http as my test service.
Nice to hear.
> Here's how I did it (using Jeanne's subnet #'s for the example):
> Take my /28 subnet from ISP, divide it into (2) /29 subnets.
> WAN interface = .242/29
> WAN gateway = .241
> DMZ interface = .249/29
> DMZ server = .250/29, with gateway pointing to .249
> **Establish firewall rules**
> WAN - allow: protocol = tcp source = any destination =
> DMZ server ip
> DMZ - allow *.* (for testing only, to make sure I could talk
> from DMZ to LAN
> and DMZ to WAN, this rule will not exist in final cut.
According to your OS you will need some. I've currently:
DNS to DMZ IP of m0n0wall (forwarder).
NTP to my favorite timeserver.
HTTP and FTP to Debian Mirrors.
> **Additional Settings**
> Proxy ARP entry for entire DMZ subnet, using DMZ net ID (i.e.
> Server NAT = called the ip address for the DMZ server
> Outbound NAT - *enabled* advanced outbound NAT. As soon as I
> did this, I had WAN to DMZ access. Writing an advanced rule
> for my LAN gave it WAN and DMZ access again.
I'm not sure, but I think this will not be necessary, if you
use official IPs. I've 'Advanced Outbound NAT' for my other LAN
segments. Does your DMZ server have an additional private IP?
You could also do a DMZ with '1:1 NAT' and private IPs. Then it
will be necessary.
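An added sanity check for the addressing plan quoted above (my own example, not code from the thread or from m0n0wall): it splits the /28 into the two /29s and confirms every address sits in the right half, with 192.0.2.x standing in for the ISP prefix, which the thread only gives as last octets.

```python
import ipaddress

# Constructed example addressing: the thread only gives last octets (.241, .242,
# .249, .250), so the 192.0.2.0/24 documentation range stands in for the ISP prefix.
ISP_BLOCK = "192.0.2.240/28"

# The plan from the thread: the /28 is split into a WAN-side /29 and a DMZ-side /29.
PLAN = {
    "wan_interface": "192.0.2.242",
    "wan_gateway":   "192.0.2.241",
    "dmz_interface": "192.0.2.249",
    "dmz_server":    "192.0.2.250",
    "dmz_server_gw": "192.0.2.249",
}


def split_block(cidr, new_prefix=29):
    """Divide the ISP block into equal subnets (a /28 yields two /29s)."""
    block = ipaddress.ip_network(cidr, strict=True)
    return [str(n) for n in block.subnets(new_prefix=new_prefix)]


def check_plan(cidr, plan):
    """Return a list of problems with the address plan; an empty list means consistent."""
    wan_net, dmz_net = (ipaddress.ip_network(n) for n in split_block(cidr))
    a = {k: ipaddress.ip_address(v) for k, v in plan.items()}
    problems = []
    # Each host address must be usable inside its own /29 (not network or broadcast).
    for key, net in (("wan_interface", wan_net), ("wan_gateway", wan_net),
                     ("dmz_interface", dmz_net), ("dmz_server", dmz_net)):
        if a[key] not in net:
            problems.append(f"{key} {a[key]} is not inside {net}")
        elif a[key] in (net.network_address, net.broadcast_address):
            problems.append(f"{key} {a[key]} is the network or broadcast address of {net}")
    # The DMZ host must route via the firewall's DMZ interface, not the ISP gateway;
    # the ISP router still treats the whole /28 as on-link, which is why the thread
    # needs a Proxy ARP entry for the DMZ /29 on the WAN side.
    if a["dmz_server_gw"] != a["dmz_interface"]:
        problems.append("dmz_server_gw must be the firewall's DMZ interface address")
    # The four host addresses must all be distinct.
    hosts = [a[k] for k in ("wan_interface", "wan_gateway", "dmz_interface", "dmz_server")]
    if len(set(hosts)) != len(hosts):
        problems.append("duplicate host address in plan")
    return problems


if __name__ == "__main__":
    print(split_block(ISP_BLOCK))
    print(check_plan(ISP_BLOCK, PLAN) or "plan is consistent")
```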