[ previous ] [ next ] [ threads ]
 
 From:  sylikc <sylikc at gmail dot com>
 To:  GC <gc at giecie dot com>
 Cc:  Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] DMZ rules
 Date:  Sun, 10 Oct 2004 04:20:05 -0700
Geert,

Well, like you mentioned, there will be many possible ways to create
rules, but here's how I would go about it...


So, the list of ports that you must configure:
Mail: 25, 8880
HTTP: 80, 8080
HTTPS: 443
FTP: 20, 21

and given your IP Range
> ISP range: x.x.x.168/29
> WAN: x.x.x.174/30
> LAN: 192.168.12.0/24
> DMZ: x.x.x.169/29
(On the WAN side I'm assuming it's a /29 but it doesn't matter)
When you say that your DMZ is "public", I'm also assuming that you
want to do 1:1 NAT... (You can't connect to the external IP from your
internal LAN hosts as specified in the m0n0 documentation; you must
connect directly to the internal IP) So, given that's all true, I'd
drop some rules allowing inbound traffic as follows:

On WAN inteface, protocol TCP, PERMIT source=* port=* destination=x.x.x.169 
destPort=25,8880,80,8080,443,20,21 <-- you have to create separate
rules for each one except maybe 20-21

That should be it.  Well, I forgot how active FTP connections work,
but you may also need to create:
DMZ interface, protocol TCP, PERMIT source=x.x.x.169 port=21 dest=* destport=*

.. and before creating this rule, you need to create an explicit block
rule BLOCKING traffic into the LAN by:
DMZ interface, protocol ANY, DENY source=* dest=(NOT) LAN subnet.


> So you mean to block everything in the first rule and proceed with
> 'allow rules' per wanted traffic. (with the rules priority in mind)
> Can you give some examples in I think about WAN - LAN - DMZ?

Oh no... definitely not have a full access rule.  That would be really
bad networking design.  When you leave off all rules, things are
blocked implicitly so you don't have to specify an explicit block
rule.  Then start creating allow rules for traffic that needs to be
passed around.


I think that is it.  Maybe someone else can verify it, I haven't
extensively tested how m0n0 and 1:1 NAT works (I'm wondering whether
you need to set a Server NAT entry as well) but for the time being
just try this config out.


/sylikc