Firewall rules

5 pts.
Tags:
DNS
Firewalls
LAN
Network security
Good Day! Currently, this is a simple LAN network with a firewall diagram in my company. Please kindly refer to http://hgym.photosite.com/firewall/LANfirewall.html for the mentioned diagram.

I wish to set an IP on the network interface of the FTP/Web/Mail Server. Any suggestion?

Meanwhile, I would like to set certain firewall rules if the users in 192.168.1.0/24 wish to access the FTP/Web/Mail Server. My suggestion: From Internal To DMZ, Port 100. Any more suggestions for the firewall rules? In the suggestions, I would appreciate it if IP, subnets and outgoing DNS policy were included. Thanks a million!

Answer Wiki


*** Improved by Wrobinson on 12/22/07 ***

Essentially, you need to know the ports for all incoming and outgoing traffic that you want to allow. Below is a list of the ports used for the services that you mentioned:

FTP – TCP 20, 21
Web – TCP 80, 443 (S-HTTP)
Mail – 25 (SMTP), 110 (POP), 143 (IMAP)

The way the Internet works is that clients typically make requests from arbitrary ports above 1023 and connect to the standard ports listed above (among others, for other services). If you want users on the Internet to access these services, then you need to configure rules on the firewall to allow incoming traffic from any IP address and port above 1023 to a published IP for these services. Now, if you are using NAT, then one or more IP addresses configured at the firewall will be used to redirect traffic to the correct internal server. If you are using one-to-one NAT, then a public IP address for each server or service is required, which will direct traffic to the correct internal server.

You will also need to allow return traffic for incoming requests, from the IP address of the servers running the services listed and the correct service port, back to the Internet, that is, to any IP address and port above 1023.

To allow outgoing traffic for these services, it is essentially the same in reverse, only NAT, for all intents and purposes, does not come into play. That is, you do not need to take it into account.

You might want to tighten up security on the internal network by only allowing traffic from known internal subnets on ports above 1023 to any external IP address and allowed service ports.

How you implement these rules is dependent on the firewall and network architecture in question. I was unable to access the network diagram that you posted. I prefer not to sign up for another online account just to see it. If you can post it publicly somewhere, that would be better.

Hopefully, this helps round out some of the uncertainty.

*** End update ***

You have not mentioned the brand of router, the brand or model of the firewall, or your public IP addressing scheme.

The public IP addressing scheme weighs most heavily on any advice I might offer, reasons being:
- Can we allocate individual public IPs for each server?
- Must we use port forwarding to different private IPs because of a single public IP address?
- What is/are the current IP NAT scheme(s), and would any of the above possibilities cause any conflicts with your existing setup?

Please reply publicly, as this gives someone else the opportunity to respond with a better answer than I might have – or in case I don’t happen to have an answer.

Bob

Discuss This Question: 5 Replies

  • Hunkgym
    Good Day! Firewall used: SifoWorks U-series firewall. Router used: CISCO Router 3800 Series. Thanks.
  • Astronomer
    I have never heard of this brand before, but you should have some rules allowing the internal net to reach the DMZ and the outside. These may already be there by default, but I would check. Can you ping the DMZ systems from the internal net? If not, then you should disable existing filters to determine if it is a routing problem or a filtering problem. If you can reach the DMZ servers and the Internet, then the remaining problem is the public visibility of the servers.

    Bob is correct about understanding how NAT is done in order to make this happen. Since you are using private addresses, you have to NAT. How many public IPs do you have? Each server has to be mapped to a public IP with a static NAT. If each server serves a different protocol, e.g. email, web, ftp, then you can map them to the same public IP using the different port numbers. On the other hand, if more than one server is listening on port 80, then they cannot both be mapped to port 80 on the single public IP. You would either need an additional public IP or map one system to a port other than 80.

    Once you have NAT worked out, then it is a fairly simple matter to open the ports from the outside to your servers. As I said, I know nothing about your brand of firewall, but meeting these common requirements should be in the vendor documentation. If it isn't, then I would look for another vendor.

    rt
  • Hunkgym
    Good Day! Thanks for the fruitful information. Currently I only have 1 public IP, which I purchased from the ISP. Anyway, technically, which one is the better choice: use an additional public IP, or map one system to a port other than 80? I would appreciate it too if you could share your relevant experience (about the brand of firewall you know or currently use) with all of us. Thanks!
  • Anuar.arifin
    Dear Hunkgym & guys, regarding this issue: since you have ONE single IP from the ISP, I would suggest you use VIP (Virtual IP Server) rather than MIP (Mapping IP), based on my experience. For example: with VIP (Virtual IP Server), from ONE single public IP you can map to many private IPs in the DMZ zone. Once you use VIP for different private DMZ IPs, you then need to specify the service or port for each server. MIP (Mapping IP) usually maps ONE single public IP to one private IP; if you have extra public IPs, you can use it that way. I used a NetScreen firewall, but I think you need to check your firewall, since all firewalls support both MIP and VIP. Have a try first. Good luck.

    Joe
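The policy Wrobinson lays out in the answer (per-port rules from the internal LAN to the DMZ, published ports from the Internet, return traffic, traffic only from known internal subnets, and the outgoing DNS policy the question asks for) and the single-public-IP port mapping that Astronomer and Joe discuss in the replies can be written down together as one rule generator. The following is an added example, not code from this thread and not the SifoWorks or NetScreen configuration syntax; it emits Linux iptables commands for a three-interface firewall. Everything other than the 192.168.1.0/24 LAN from the question is an assumption: the DMZ subnet 192.168.2.0/24, the public IP 203.0.113.10 (an RFC 5737 documentation address standing in for the one ISP-assigned address), the three DMZ hosts, the resolver 192.168.1.2 and the interface names eth0/eth1/eth2.

```python
"""Generate an iptables rule set for a three-zone firewall (internal LAN,
DMZ, Internet) behind ONE public IP, and detect port collisions in the
NAT table before any rule is emitted.

Constructed example: addresses, interface names and DMZ hosts are assumptions.
192.168.1.0/24 is the LAN from the question; the DMZ 192.168.2.0/24, the
public IP 203.0.113.10 (RFC 5737 documentation range), the resolver and the
server IPs are invented here.
"""
from collections import namedtuple

INTERNAL = "192.168.1.0/24"
DMZ = "192.168.2.0/24"               # assumed DMZ subnet
PUBLIC_IP = "203.0.113.10"           # assumed: the single ISP-assigned address
INTERNAL_RESOLVER = "192.168.1.2"    # assumed: the LAN's only outbound DNS client
IF_INT, IF_DMZ, IF_EXT = "eth1", "eth2", "eth0"   # assumed interface names

# Service -> TCP ports, as listed in the answer above.
SERVICES = {"ftp": (20, 21), "web": (80, 443), "mail": (25, 110, 143)}

Server = namedtuple("Server", "name ip services")
DMZ_SERVERS = [                      # hypothetical DMZ hosts
    Server("ftp1", "192.168.2.10", ("ftp",)),
    Server("web1", "192.168.2.20", ("web",)),
    Server("mail1", "192.168.2.30", ("mail",)),
]


def plan_dnat(servers):
    """Build the public-port -> DMZ-host map (a VIP / port-forwarding table).

    Returns (table, conflicts). A conflict is two servers wanting the same
    TCP port on the single public IP, e.g. two web servers on 80: the fix is
    a second public IP or publishing one of them on another port."""
    table, conflicts = {}, []
    for srv in servers:
        for svc in srv.services:
            for port in SERVICES[svc]:
                if port in table and table[port] != srv.ip:
                    conflicts.append((port, table[port], srv.ip))
                else:
                    table[port] = srv.ip
    return table, conflicts


def build_rules(servers):
    """Return the iptables commands, in order, for the policy discussed above."""
    dnat, conflicts = plan_dnat(servers)
    if conflicts:
        raise ValueError(f"NAT port conflicts on {PUBLIC_IP}: {conflicts}")
    r = []
    # Default deny for forwarded traffic. Replies to allowed sessions come back
    # through conntrack, which replaces the static "any port above 1023" return
    # rules a stateless filter needs. Active-mode FTP data (server port 20 to
    # the client) only matches RELATED when the nf_conntrack_ftp helper is loaded.
    r.append("iptables -P FORWARD DROP")
    r.append("iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    # Internal users -> DMZ, one rule per published port (instead of "port 100").
    for srv in servers:
        for svc in srv.services:
            for port in SERVICES[svc]:
                r.append(f"iptables -A FORWARD -i {IF_INT} -o {IF_DMZ} -s {INTERNAL} -d {srv.ip}"
                         f" -p tcp --sport 1024:65535 --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    # Internet -> DMZ: DNAT the one public IP by destination port, then permit the forward.
    for port, ip in sorted(dnat.items()):
        r.append(f"iptables -t nat -A PREROUTING -i {IF_EXT} -d {PUBLIC_IP} -p tcp --dport {port}"
                 f" -j DNAT --to-destination {ip}:{port}")
        r.append(f"iptables -A FORWARD -i {IF_EXT} -o {IF_DMZ} -d {ip} -p tcp --dport {port}"
                 f" -m conntrack --ctstate NEW -j ACCEPT")
    # DMZ -> Internet: only what the servers need, here outbound SMTP from mail hosts.
    for srv in servers:
        if "mail" in srv.services:
            r.append(f"iptables -A FORWARD -i {IF_DMZ} -o {IF_EXT} -s {srv.ip} -p tcp --dport 25"
                     f" -m conntrack --ctstate NEW -j ACCEPT")
    # Outgoing DNS policy: only the internal resolver talks to the Internet on 53;
    # every other LAN host must use it, which blocks ad-hoc DNS tunnelling from desktops.
    for proto in ("udp", "tcp"):
        r.append(f"iptables -A FORWARD -i {IF_INT} -o {IF_EXT} -s {INTERNAL_RESOLVER} -p {proto} --dport 53 -j ACCEPT")
        r.append(f"iptables -A FORWARD -i {IF_INT} -o {IF_EXT} -s {INTERNAL} -p {proto} --dport 53 -j DROP")
    # Other outbound traffic only from the known internal subnet, then SNAT behind the public IP.
    r.append(f"iptables -A FORWARD -i {IF_INT} -o {IF_EXT} -s {INTERNAL} -p tcp --sport 1024:65535"
             f" -m conntrack --ctstate NEW -j ACCEPT")
    r.append(f"iptables -t nat -A POSTROUTING -o {IF_EXT} -s {INTERNAL} -j SNAT --to-source {PUBLIC_IP}")
    r.append(f"iptables -t nat -A POSTROUTING -o {IF_EXT} -s {DMZ} -j SNAT --to-source {PUBLIC_IP}")
    # DMZ -> LAN is never allowed: a compromised DMZ host must not reach the internal network.
    r.append(f"iptables -A FORWARD -i {IF_DMZ} -o {IF_INT} -j DROP")
    return r


if __name__ == "__main__":
    print("\n".join(build_rules(DMZ_SERVERS)))
```

Running the script prints the rules for review before applying them. Adding a second web server to DMZ_SERVERS makes plan_dnat report conflicts on ports 80 and 443, and build_rules refuses to emit anything, which is the "two servers on port 80 behind one public IP" situation from the replies: the generator forces the choice between a second public IP and publishing one server on a different port instead of silently producing a DNAT rule that shadows another. The rules deliberately never allow DMZ-to-LAN traffic, and outbound DNS is limited to one resolver so that the rest of the LAN cannot reach arbitrary name servers.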
