*** Improved by Wrobinson on 12/22/07 ***
Essentially, you need to know the ports for all incoming and outgoing traffic that you want to allow. Below, is a list of the ports used for the services that you mentioned:
FTP – TCP 20, 21
Web – TCP 80, 443 (S-HTTP)
Mail – 25 (SMTP), 110 (POP), 143 (IMAP)
The way the Internet works is typically clients make requests on arbitrary ports above 1023 and connect to the standard ports listed above, among others for other services. If you want users on the Internet to access these services, then you need to configure rules on the firewall to allow incoming traffic from any IP address and port above 1023 to a published IP for these services. Now if you are using NAT, then one or more IP addresses configured at the firewall will be used to redirect traffic to the correct internal server. If you are using one-to-one NAT then a public IP address for each server or service is required which will direct traffic to the correct internal server.
You will also need to allow return traffic for incoming requests from the IP address of the servers running the service listed and the correct service port back to the Internet or any IP address and port above 1023.
To allow outgoing traffic for these services, it is essenatially the same in reverse, only NAT for all intents and purposes, does not come into play. That is, you do not need to take it into account.
You might want to tighten up security on the internal network by only allowing traffic from known internal subnets on ports above 1023 to any external IP address and allowed service ports.
How you implement these rules is dependant on the firewall and network architecture in question. I was unable to access the network diagram that you posted. I prefer not to sign up for another online account, just to see it. If you can post it publicly somewhere, that would be better.
Hopefully, this helps round out some of the uncertainty.
*** End update ***
You have not mentioned the brand of router, the brand or model of the firewall, or your public IP addressing scheme.
The public IP addressing scheme weighs most heavily on any advice I might offer, reasons being:
- Can we allocate individual public IPs for each server?
- Must we use port forwarding to different private IPs because of a single public IP address?
- What is/are the current IP NAT scheme(s), and would any of the above possibilities cause any conflicts with your existing setup?
Please reply publicly, as this gives someone else the opportunity to respond with a better answer than I might have – or in case I don’t happen to have an answer.