 From:  "Brian Buys" <bbuys at tritel dot com>
 To:  "Jürg Schneider" <Juerg dot Schneider at fabrimex dot ch>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] newbie DMZ question **success**
 Date:  Tue, 8 Jun 2004 18:26:17 -0600
> > **Establish firewall rules**
> > WAN - allow: protocol = tcp   source = any     destination =
> > DMZ server ip
> Port?

I left port as "any" for the test.  Since I was only testing http, I could
have configured it for port 80 though.

> > DMZ - allow *.* (for testing only, to make sure I could talk
> > from DMZ to LAN and DMZ to WAN; this rule will not exist in
> > the final cut.)
> According to your OS you will need some. I've currently:
> DNS to DMZ IP of m0n0wall (forwarder).
> NTP to my favorite timeserver.
> HTTP and FTP to Debian Mirrors.

You are right, I will need some rules.  I was just pointing out that the *.*
rule was not sticking around ;)

> > **Additional Settings**
> > Proxy ARP entry for entire DMZ subnet, using DMZ net ID (i.e.
> >  .248/29)
> >
> > Server NAT = called the ip address for the DMZ server
> >
> > Outbound NAT - *enabled* advanced outbound NAT.  As soon as I
> > did this, I had WAN to DMZ access.  Writing an advanced rule
> > for my LAN gave it WAN and DMZ access again.
> I'm not sure, but I think this will not be necessary if you
> use official IPs. I have 'Advanced Outbound NAT' for my other LAN
> segments. Does your DMZ server have an additional private IP?
> You could also do a DMZ with '1:1 NAT' and private IPs. Then it
> will be necessary.

I did each step one-at-a-time in the order listed above, then tested from
WAN side to get to DMZ http server.  It was not until I had done all 3
(Proxy Arp, ServerNAT, and Enable Adv. Out. NAT) that I was able to connect
from WAN to DMZ properly.
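Added example, not part of Brian's or Jürg's message and not m0n0wall's own code: a small Python model of the two rulesets discussed above, the WAN rule with port "any" versus port 80, and the DMZ "*.*" test rule versus the restricted egress set (DNS to the m0n0wall DMZ address, NTP to a timeserver, HTTP and FTP to a Debian mirror). It assumes first-match evaluation with an implicit default deny, and all addresses, the LAN range included, are constructed placeholders from the RFC 5737 documentation ranges, since the thread only gives ".248/29".

```python
"""Toy model of per-interface firewall rules like those discussed in the thread.

Added example, not m0n0wall's code: it assumes rules are evaluated per
interface with first match winning and an implicit default deny for anything
unmatched. All addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Union

# Constructed addresses (RFC 5737 documentation ranges); the thread gives only ".248/29".
DMZ_NET = ip_network("203.0.113.248/29")            # DMZ subnet, public IPs
MONOWALL_DMZ_IP = ip_network("203.0.113.249/32")    # m0n0wall's DMZ address (DNS forwarder)
DMZ_SERVER = ip_network("203.0.113.250/32")         # the HTTP server in the DMZ
LAN_NET = ip_network("192.168.1.0/24")              # private LAN behind m0n0wall (assumed)
TIMESERVER = ip_network("192.0.2.10/32")            # placeholder NTP server
DEBIAN_MIRROR = ip_network("198.51.100.20/32")      # placeholder Debian mirror

ANY = "any"
Target = Union[IPv4Network, str]


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    proto: str              # "tcp", "udp" or "any"
    src: Target             # network or ANY
    dst: Target             # network or ANY
    dport: Optional[int]    # None means "any port", as in the WAN test rule

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (
            (self.proto == ANY or self.proto == proto)
            and (self.src == ANY or src in self.src)
            and (self.dst == ANY or dst in self.dst)
            and (self.dport is None or self.dport == dport)
        )


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching rule, or "block" if none matches."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(proto, s, d, dport):
            return rule.action
    return "block"  # implicit default deny


# WAN ruleset as used during the test ("port = any") and as it should be tightened.
WAN_TEST = [Rule("pass", "tcp", ANY, DMZ_SERVER, None)]
WAN_FINAL = [Rule("pass", "tcp", ANY, DMZ_SERVER, 80)]

# DMZ ruleset: the "*.*" rule used for testing, and the restricted egress set
# described in the thread (DNS to m0n0wall, NTP to a timeserver, HTTP/FTP to a mirror).
DMZ_TEST = [Rule("pass", ANY, ANY, ANY, None)]
DMZ_FINAL = [
    Rule("pass", "udp", DMZ_NET, MONOWALL_DMZ_IP, 53),
    Rule("pass", "udp", DMZ_NET, TIMESERVER, 123),
    Rule("pass", "tcp", DMZ_NET, DEBIAN_MIRROR, 80),
    Rule("pass", "tcp", DMZ_NET, DEBIAN_MIRROR, 21),   # FTP control channel only
]


def exposure_difference(internet_host: str = "198.51.100.5") -> dict:
    """Ports an Internet host can reach on the DMZ server under each WAN ruleset."""
    probes = [22, 80, 443, 3389]
    server = "203.0.113.250"
    return {
        "test": [p for p in probes if evaluate(WAN_TEST, "tcp", internet_host, server, p) == "pass"],
        "final": [p for p in probes if evaluate(WAN_FINAL, "tcp", internet_host, server, p) == "pass"],
    }


if __name__ == "__main__":
    print("WAN exposure:", exposure_difference())
    # Once the *.* rule is gone, the DMZ server can no longer reach a LAN file share.
    print("DMZ -> LAN smb, test ruleset :", evaluate(DMZ_TEST, "tcp", "203.0.113.250", "192.168.1.10", 445))
    print("DMZ -> LAN smb, final ruleset:", evaluate(DMZ_FINAL, "tcp", "203.0.113.250", "192.168.1.10", 445))
    print("DMZ -> DNS forwarder         :", evaluate(DMZ_FINAL, "udp", "203.0.113.250", "203.0.113.249", 53))
```

The WAN comparison is the point of the "Port?" exchange: with the destination port left at "any", every TCP service on the DMZ host is reachable from the Internet, not just the web server. The FTP rule covers only the control channel on tcp/21; FTP data connections use separate ports and are not modelled here.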