[ previous ] [ next ] [ threads ]
 
 From:  sylikc <sylikc at gmail dot com>
 To:  GC <gc at giecie dot com>
 Cc:  Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] DMZ rules
 Date:  Fri, 8 Oct 2004 17:53:01 -0700
Geert,

> What are mandatory DMZ rules to apply when using mail, www & ftp servers
> in DMZ?
> 
> WAN - - - - -|Mono| - - - - -  LAN
>                             |
>                             |
>                         DMZ
> 
> Workstations on the LAN & WAN can/may contact the servers in DMZ.
> A simple question with a lot of possible answers...

Mandatory rules... well, there is quite a bit of options depending on
how much security you want to enforce.

It all depends on what configuration your mail,www,ftp servers are
running.  What services are running on your mail server?  Is www
server running HTTPS?  Is your FTP server set up to use passive mode
(PASV)?  If it is, what is the port range that it's allocated for PASV
connections?  In some FTP servers, you can specify a port range to
tell the FTP server only to use those ports when telling a client to
make a PASV connection.  If you can't, the default (which will
seriously expose your server) is 1024-65535.

Please give some insight into the internal IP of your server, services
running, ports, etc etc


/sylikc