>>What are mandatory DMZ rules to apply when using mail, www & ftp servers
>>WAN - - - - -|Mono| - - - - - LAN
>>Workstations on the LAN & WAN can/may contact the servers in DMZ.
>>A simple question with a lot of possible answers...
>Mandatory rules... well, there is quite a bit of options depending on
>how much security you want to enforce.
Strive for full security, because the DMZ is completely exposed to the WAN
(Internet), and it must be blocked in the direction of the LAN (correct?).
>It all depends on what configuration your mail,www,ftp servers are
>running. What services are running on your mail server?
SMTP port 25 & Web Access 8880
>Is www server running HTTPS?
HTTP port 80, 8080
HTTPS port 443
>Is your FTP server set up to use passive mode
>(PASV)? If it is, what is the port range that it's allocated for PASV
>connections? In some FTP servers, you can specify a port range to
>tell the FTP server only to use those ports when telling a client to
>make a PASV connection. If you can't, the default (which will
>seriously expose your server) is 1024-65535.
For security reasons I would opt for active FTP only using ports 21 &
20. Modifications can be done on the FTP servers.
>Please give some insight into the internal IP of your server, services
>running, ports, etc etc
WAN - - - - -|Mono| - - - - - LAN
publ. IP | priv. IPs
all publ. IPs
ISP range: x.x.x.168/29
What's the best way to tweak Mono rules? Put a log on a full-access rule
and block all suspicious traffic with extra rules?
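As an added illustration (not from the thread, and not Mono's own rule syntax), here is a small Python model of the zone policy discussed above: WAN and LAN may reach the published DMZ ports, the server-initiated data connection of active FTP (from port 20) is allowed outbound, and anything the DMZ initiates toward the LAN, plus anything unmatched, is dropped and logged instead of being allowed by a full-access rule. Zone names, the sample client ports and the default-deny policy are assumptions; replies to established connections are assumed to be admitted by connection tracking.

```python
"""Zone-based DMZ policy model (added example, not from the thread).

Zones: WAN, DMZ, LAN. Rules are first-match for NEW connections only;
return traffic is assumed to be handled by connection tracking.
Unmatched traffic hits the default-deny rule and is logged.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    sport: int = 40000  # ephemeral client port (constructed value)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp", "udp" or "*" for any
    dports: frozenset          # empty = any destination port
    action: str
    sports: frozenset = frozenset()  # empty = any source port
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.src_zone == p.src_zone and self.dst_zone == p.dst_zone
                and self.proto in ("*", p.proto)
                and (not self.dports or p.dport in self.dports)
                and (not self.sports or p.sport in self.sports))


# Ports named in the thread: SMTP 25 and webmail 8880 on the mail server,
# HTTP 80/8080 and HTTPS 443 on the web server, FTP control on 21.
SERVER_PORTS = frozenset({25, 8880, 80, 8080, 443, 21})

RULES = [
    # Workstations on WAN and LAN may contact the published DMZ services.
    Rule("WAN", "DMZ", "tcp", SERVER_PORTS, "ACCEPT"),
    Rule("LAN", "DMZ", "tcp", SERVER_PORTS, "ACCEPT"),
    # Active FTP: the server itself opens the data connection from port 20
    # towards the client, so that outbound flow needs a rule (or an FTP helper).
    Rule("DMZ", "WAN", "tcp", frozenset(), "ACCEPT", sports=frozenset({20})),
    # The DMZ is the exposed segment: nothing it initiates may enter the LAN.
    Rule("DMZ", "LAN", "*", frozenset(), "DROP", log=True),
]
DEFAULT = Rule("*", "*", "*", frozenset(), "DROP", log=True)  # deny and log the rest


def evaluate(p: Packet) -> tuple:
    """Return (action, logged) for the first rule matching a new connection."""
    for r in RULES:
        if r.matches(p):
            return r.action, r.log
    return DEFAULT.action, DEFAULT.log
```

Because the passive-FTP range 1024-65535 is never opened, a WAN connection to a high DMZ port falls through to the logged default deny, which is what you would watch for when tuning the rules.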