Products Partners Download Buy Network About Community Help  

User Guide Overview

Installing/Upgrading Introduction System Requirements Compatibility RAID Support Starting the Install/Upgrade Configuration Options Partitioning and RAID Troubleshooting

Post-Installation - First Boot Network Configuration Web-based Administration System Registration

Network Settings Bandwidth DHCP Server Hosts and DNS Server IP Settings LAN Configuration Multi-WAN Network Tools UPnP Wireless

Firewall 1 to 1 NAT Advanced DMZ Group Manager Incoming Outgoing Peer-to-Peer Port Forwarding

Security Intrusion Detection Intrusion Prevention

Accounts Users Groups Organization Administrators

System Backup and Restore Date Encrypted File Systems Language Running Services Shutdown and Restart SMTP Relay SSL Certificate Manager Webconfig

Backup LAN Backup/Recovery

Database Database

E-mail Antispam Antispam - Dspam Antispam - Training Antivirus Aliases Archive Filters / Greylist Maildrop POP and IMAP SMTP Mail Server Webmail Simple Webmail

File and Print Services Flexshare FTP Server Print Server Windows Networking

Filtering and Proxying Access Control Ad and Pop-up Blocker Content Filter Web Proxy

Groupware Groupware Setup

VPN Desktop-to-LAN / PPTP LAN-to-LAN / IPsec OpenVPN

Web Photo Gallery Web Server

Reports Current Status Dashboard Overview Intrusion Detection Logs SMTP Mail Statistics Web Proxy Web Server


Contact Us
  Sales Enquiry
  Tech Support

 
         
  Current Document and Section   Other Documents  
  - Documentation
    - User Guide
   DNS and Domains
Gateway Services Guide
Release Notes
Howtos
  
 

Firewall - DMZ

Contents

Overview

DMZ Firewall Information
Description Configuration tool for DMZ-based firewalls.
Package Name cc-firewall-dmz
Configuration Page Network > Firewall > DMZ


The DMZ solution is used to protect a separate network of public IP addresses. Typically, a third network card is used exclusively for the DMZ network.

  • If you are configuring a few extra public IPs (not a whole network), then go to the 1 to 1 NAT section of the User Guide.
  • If you are configuring a separate private network (192.168.x.x or 10.x.x.x), then investigate Hot LANs in the IP Settings section of the User Guide.

Installation

If you did not select this module to be included during the installation process, you must first install the module.

 
  This module is not available in the Community Edition  
 


Configuration

Network Configuration

Before you can use the DMZ firewall configuration, you need to configure one of your network cards with the DMZ role. In our example, we used the network settings tool to configure a third network card (eth2) with the following:

  • Role: DMZ
  • IP Address: 216.138.245.17
  • Netmask: 255.255.255.240
  • Network: 216.138.245.16/28

All the systems connected to this third network card can then be configured with an IP address in the 216.138.245.18 to 216.138.245.30 range.

Incoming Connections

By default, all inbound connections from the Internet to systems on the DMZ are blocked (with the exception of the ping protocol). You can permit connections to systems on the DMZ by allowing:

  • all ports and protocols to a single public IP
  • all ports and protocols to the whole network of public IPs
  • a specific port and protocol to a single public IP

In the screenshot below, both 216.138.245.27 and 216.138.245.28 are not firewalled at all, while 216.138.245.26 can only be accessed via TCP port 2000.

Image:Dmz_firewall.png

Pinhole Connections (DMZ-to-LAN)

In some situations, you may want to allow particular network traffic from your DMZ to your LAN -- a pinhole rule. In our example, we have a document management system running on port 2401 on the LAN (at IP address 192.168.2.2). We want to allow a web server in our DMZ to access this document management system and we create a pinhole rule to do it (see screenshot).

Image:Dmz_pinhole.png

Links

Retrieved from "http://www.clarkconnect.com/docs/Firewall_-_DMZ"

This page has been accessed 13,180 times. This page was last modified on 25 October 2007, at 14:59.


 
   
Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License.

Company | Contact | Legal | Help | Login