 
 From:  GC <gc at giecie dot com>
 To:  Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  DMZ rules
 Date:  Sat, 09 Oct 2004 14:30:00 +0200
sylikc wrote:

>Geert,
>
>  
>
>>What are mandatory DMZ rules to apply when using mail, www & ftp servers
>>in DMZ?
>>
>>WAN - - - - -|Mono| - - - - -  LAN
>>                            |
>>                            |
>>                        DMZ
>>
>>Workstations on the LAN & WAN can/may contact the servers in DMZ.
>>A simple question with a lot of possible answers...
>>    
>>
>
>Mandatory rules... well, there is quite a bit of options depending on
>how much security you want to enforce.
>  
>
Strive for full security because the DMZ is completely exposed to the WAN 
(Internet), and must be blocked in the direction of the LAN (correct?).

>It all depends on what configuration your mail,www,ftp servers are
>running.  What services are running on your mail server?  
>
SMTP port 25 & Web Access 8880

>Is www server running HTTPS?  
>
HTTP port 80, 8080
HTTPS port 443

>Is your FTP server set up to use passive mode
>(PASV)?  If it is, what is the port range that it's allocated for PASV
>connections?  In some FTP servers, you can specify a port range to
>tell the FTP server only to use those ports when telling a client to
>make a PASV connection.  If you can't, the default (which will
>seriously expose your server) is 1024-65535.
>  
>
For security reasons I would opt for active FTP only, using ports 21 & 
20. Modifications can be done on the FTP servers.

>Please give some insight into the internal IP of your server, services
>running, ports, etc etc
>  
>

WAN - - - - -|Mono| - - - - -  LAN
publ. IP       |             priv. IP's
               |
              DMZ
         all publ. IP's

ISP range: x.x.x.168/29
WAN: x.x.x.174/30
LAN: 192.168.12.0/24
DMZ: x.x.x.169/29


>/sylikc
>  
>
What's the best way to tweak Mono rules? Put a log on a full-access rule 
and block all suspicious traffic with extra rules?

Geert
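The ruleset below is an added example, not part of the original thread and not m0n0wall's own code or configuration. It models the topology and services Geert lists (SMTP 25 and web access 8880 on the mail host, 80/8080/443 on the web host, active-mode FTP on 20/21, LAN 192.168.12.0/24, DMZ x.x.x.168/29) as a first-match rule list and checks it against constructed packets, so the policy can be reasoned about before it is typed into the firewall. Assumptions: RFC 5737 documentation addresses (203.0.113.168/29) stand in for the masked ISP range and the DMZ host addresses are made up; rules are evaluated top-down with the first match winning, as the m0n0wall rule pages present them; each packet is treated as a new connection (reply traffic is left to the stateful engine); the 8880 web interface of the mail server is reachable only from the LAN, and the DMZ servers get outbound SMTP and DNS. The last two points are design choices of this example, not something the post states.

```python
"""First-match DMZ policy model for the mail/www/ftp setup in the thread.

Added example: not from the original post and not m0n0wall code. Addresses,
host assignments, rule order and the outbound DMZ allowances are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# 203.0.113.0/24 (RFC 5737) stands in for the masked x.x.x.* ranges in the post.
DMZ = ip_network("203.0.113.168/29")     # assumed stand-in for x.x.x.168/29
LAN = ip_network("192.168.12.0/24")
ANY = ip_network("0.0.0.0/0")
MAIL, WWW, FTP = (ip_network(f"203.0.113.{h}/32") for h in (170, 171, 172))  # assumed hosts


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on: "wan", "lan" or "dmz"
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    iface: str                           # interface the rule is bound to
    proto: str                           # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    sports: Optional[frozenset] = None   # None = any source port
    dports: Optional[frozenset] = None   # None = any destination port
    log: bool = False
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.sports is None or p.sport in self.sports)
                and (self.dports is None or p.dport in self.dports))


# Order matters: the first matching rule decides. Each interface ends with an
# explicit, logged block so that everything not listed shows up in the log.
RULES = [
    # WAN: only the published services; 8880 deliberately not exposed (assumption)
    Rule("pass", "wan", "tcp", ANY, MAIL, dports=frozenset({25}), note="inbound SMTP"),
    Rule("pass", "wan", "tcp", ANY, WWW, dports=frozenset({80, 8080, 443}), note="web"),
    Rule("pass", "wan", "tcp", ANY, FTP, dports=frozenset({21}), note="FTP control"),
    Rule("block", "wan", "any", ANY, ANY, log=True, note="WAN default deny, logged"),
    # DMZ: nothing towards the LAN, and only what the servers themselves need outbound
    Rule("block", "dmz", "any", ANY, LAN, log=True, note="DMZ may not reach LAN"),
    Rule("pass", "dmz", "tcp", FTP, ANY, sports=frozenset({20}), note="active FTP data"),
    Rule("pass", "dmz", "tcp", MAIL, ANY, dports=frozenset({25}), note="outbound SMTP (assumed)"),
    Rule("pass", "dmz", "udp", DMZ, ANY, dports=frozenset({53}), note="DNS (assumed)"),
    Rule("block", "dmz", "any", ANY, ANY, log=True, note="DMZ default deny, logged"),
    # LAN: workstations may reach the DMZ servers and the Internet
    Rule("pass", "lan", "any", LAN, ANY, note="LAN outbound"),
]


def evaluate(p: Packet, rules=RULES):
    """Return (action, rule) for the first rule matching p; implicit block if none."""
    for r in rules:
        if r.matches(p):
            return r.action, r
    return "block", None


# Constructed sample packets (source addresses from 198.51.100.0/24, RFC 5737).
SAMPLES = {
    "internet->smtp":       Packet("wan", "tcp", "198.51.100.7", 40000, "203.0.113.170", 25),
    "internet->https":      Packet("wan", "tcp", "198.51.100.7", 40001, "203.0.113.171", 443),
    "internet->mail 8880":  Packet("wan", "tcp", "198.51.100.7", 40002, "203.0.113.170", 8880),
    "internet->ftp pasv":   Packet("wan", "tcp", "198.51.100.7", 40003, "203.0.113.172", 50000),
    "ftp data->internet":   Packet("dmz", "tcp", "203.0.113.172", 20, "198.51.100.7", 40004),
    "ftp data->lan client": Packet("dmz", "tcp", "203.0.113.172", 20, "192.168.12.10", 40005),
    "www->lan smb":         Packet("dmz", "tcp", "203.0.113.171", 40006, "192.168.12.10", 445),
    "lan->mail 8880":       Packet("lan", "tcp", "192.168.12.10", 40007, "203.0.113.170", 8880),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, rule = evaluate(pkt)
        flag = " [logged]" if rule is not None and rule.log else ""
        print(f"{name:22} {action:5}{flag}  ({rule.note if rule else 'no rule'})")
```

Two things the sample run makes visible. A passive-mode port (50000) hits the logged WAN block, which is exactly the exposure the PASV question in the thread is about. And the "active FTP data to a LAN client" packet is blocked: in active mode the data connection is opened by the server from port 20, so it is the DMZ-to-LAN block that catches it, and a LAN workstation using active FTP against the DMZ server would need a narrow pass rule placed above that block (or passive mode with a pinned port range), which is why rule order is part of the policy.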