Comments on: Firewall rules

By: anuar.arifin

anuar.arifin — Sat, 22 Sep 2007 21:08:58 +0000

Dear Hunkgym & Guys.

Regarding on this issue. Since you have ONE Single IP from ISP. I would like you to use VIP (Virtual IP Server) rather than use MIP (Mapping IP based on my experienced

For Example:

VIP (Virtual IP Server) is from ONE single IP Public than you can map to many private IP DMZ Zone.

One you use VIP for different IP Private DMZ then you need to specified the service or port to each server.

MIP (Mapping IP) is usually MAP from ONE single IP Public to one Private IP, if you have extra IP Public you can use it that way

I used NetScreen firewall…but I think your firewall need to check since all firewall support both for MIP & VIP

Have a try first.

Good luck Joe

By: hunkgym

hunkgym — Tue, 03 Jul 2007 10:59:13 +0000

Good Day!

Thanks for the fruitful information. Currently I only have 1 Public IP which I purchase from the ISP. Anyway, technically, which one is the better choice, use additional public IP or map one system to a port other then 80?

Would be appreciate too if you can share your relevant experience (about the brand of firewall you know or currently use) with all of us.

Thanks!

By: hunkgym

hunkgym — Tue, 03 Jul 2007 10:59:13 +0000

Good Day!

Would be appreciate too if you can share your relevant experience (about the brand of firewall you know or currently use) with all of us.

Thanks!

By: astronomer

astronomer — Mon, 02 Jul 2007 14:47:13 +0000

I have never heard of this brand before but you should have some rules allowing the internal net to reach the DMZ and the outside. These may already be there by default, but I would check. Can you ping the DMZ systems from the internal net?
If not, then you should disable existing filters to determine if it is a routing problem or a filtering problem.
If you can reach the DMZ servers and the internet, then the remaining problem is the public visibility of the servers.
Bob is correct about understanding how NAT is done in order to make this happen. Since you are using private addresses you have to NAT. How many public IPs do you have? Each server has to be mapped to a public IP with a static NAT. If each server serves a different protocol, e.g. email, web, ftp, then you can map them to the same public IP using the different port numbers. On the other hand, if more than one server is listening on port 80, then they cannot both be mapped to port 80 on the single public IP. You would either need an additional public IP or map one system to a port other then 80.
Once you have NAT worked out, then it is a fairly simple matter to open the ports from the outside to your servers. As I said, I know nothing about your brand of firewall but meeting these common requirements should be in the vendor documentation. If it isn’t, then I would look for another vendor.
rt

By: hunkgym

hunkgym — Fri, 29 Jun 2007 10:28:32 +0000

Good Day!

Firewall use – SifoWorks U-series firewall

Router use – CISCO Router 3800 Series

Thanks.