> > **Establish firewall rules**
> > WAN - allow: protocol = tcp source = any destination =
> > DMZ server ip
I left port as "any" for the test. Since I was only testing http, I could
have configured it for port 80 though.
> > DMZ - allow *.* (for testing only, to make sure I could talk
> > from DMZ to LAN
> > and DMZ to WAN, this rule will not exist in final cut.)
> According to your OS you will need some. I've currently:
> DNS to DMZ IP of m0n0wall (forwarder).
> NTP to my favorite timeserver.
> HTTP and FTP to Debian Mirrors.
You are right, I will need some rules. I was just pointing out that the *.*
rule was not sticking around ;)
> > **Additional Settings**
> > Proxy ARP entry for entire DMZ subnet, using DMZ net ID (i.e.
> > .248/29)
> > Server NAT = called the ip address for the DMZ server
> > Outbound NAT - *enabled* advanced outbound NAT. As soon as I
> > did this, I had WAN to DMZ access. Writing an advanced rule
> > for my LAN gave it WAN and DMZ access again.
> I'm not sure, but I think this will not be necessary if you
> use official IPs. I've 'Advanced Outbound NAT' for my other LAN
> segments. Does your DMZ server have an additional private IP?
> You could also do a DMZ with '1:1 NAT' and private IPs. Then it
> will be necessary.
I did each step one at a time in the order listed above, then tested from
the WAN side to get to the DMZ http server. It was not until I had done all 3
(Proxy ARP, Server NAT, and Enable Adv. Out. NAT) that I was able to connect
from WAN to DMZ properly.
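To make the rule discussion above concrete, here is an added example (not from either poster or from m0n0wall) that models a first-match, default-deny rule evaluator and compares the test-phase ruleset (WAN to the server on any tcp port, DMZ allow *.*) with the "final cut" that only permits the DMZ egress listed in the reply (DNS to the m0n0wall DMZ IP, NTP, HTTP/FTP to mirrors). All addresses and the interface names are constructed assumptions; the thread only gives the .248/29 DMZ net ID.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for illustration; the thread only states a .248/29 DMZ net.
DMZ_SERVER = "203.0.113.250"       # assumed DMZ web server (official/public IP)
M0N0_DMZ_IP = "203.0.113.249"      # assumed m0n0wall DMZ interface (DNS forwarder)
TIMESERVER = "192.0.2.10"          # assumed NTP server
MIRRORS = ipaddress.ip_network("198.51.100.0/24")  # assumed Debian mirror range
LAN_HOST = "192.168.1.5"           # assumed host on the private LAN

@dataclass(frozen=True)
class Rule:
    iface: str      # interface the packet arrives on: "wan" or "dmz"
    proto: str      # "tcp", "udp" or "any"
    dst: object     # ipaddress network, or "any"
    dport: object   # destination port, or "any"
    action: str = "pass"

def host(ip):
    return ipaddress.ip_network(ip + "/32")

def matches(rule, iface, proto, dst, dport):
    return (rule.iface == iface
            and rule.proto in ("any", proto)
            and (rule.dst == "any" or ipaddress.ip_address(dst) in rule.dst)
            and rule.dport in ("any", dport))

def decide(rules, iface, proto, dst, dport):
    """First matching rule wins; an unmatched packet is dropped (default deny)."""
    for r in rules:
        if matches(r, iface, proto, dst, dport):
            return r.action
    return "block"

# Test-phase ruleset from the thread: WAN -> server on any tcp port, DMZ allow *.*
TEST_RULES = [
    Rule("wan", "tcp", host(DMZ_SERVER), "any"),
    Rule("dmz", "any", "any", "any"),
]

# "Final cut": WAN limited to http, DMZ egress limited to what the server needs.
FINAL_RULES = [
    Rule("wan", "tcp", host(DMZ_SERVER), 80),
    Rule("dmz", "udp", host(M0N0_DMZ_IP), 53),  # DNS to the m0n0wall forwarder
    Rule("dmz", "udp", host(TIMESERVER), 123),  # NTP to the chosen timeserver
    Rule("dmz", "tcp", MIRRORS, 80),            # HTTP to Debian mirrors
    Rule("dmz", "tcp", MIRRORS, 21),            # FTP control channel to mirrors
]
```

With the test ruleset a DMZ host can reach the LAN on any port; with the final ruleset that same packet falls through to the default block, which is the reason the *.* rule must not survive.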