Firewall rules

Firewall rules

am 28.06.2007 17:03:35 von hunkgym

Good Day!

Currently, this is a simple LAN network with firewall diagram in my
company.

Please kindly refer to http://hgym.photosite.com/firewall/LANfirewall.html
for the mentioned diagram.


I wish to set an IP on the network interface of the FTP/Web/Mail
Server. Any suggestion?


Meanwhile, I would like to set certain firewall rules if the users in
192.168.1.0/24 wish to access FTP/Web/Mail Server


My suggestion:

From Internal To DMZ, Port 100.


Any more suggestions for the firewall rules? It would be appreciated if
the IPs, subnets and outgoing DNS policy were included in the suggestions.

Thanks a million!

Re: Firewall rules

am 28.06.2007 17:33:25 von Ansgar -59cobalt- Wiechers

hunkgym wrote:
> Currently, this is a simple LAN network with firewall diagram in my
> company.
>
> Please kindly refer to
> http://hgym.photosite.com/firewall/LANfirewall.html
> for the mentioned diagram.

Three-legged-firewall with LAN and DMZ nets is a really basic firewall
scenario.

> I wish to set an IP on the network interface of the FTP/Web/Mail
> Server. Any suggestion?

You need to forward the FTP, HTTP(s), and SMTP ports from the external
interface to the respective hosts in the DMZ. In the case of FTP you
also need to deal with the fact that FTP always uses two connections.

> Meanwhile, I would like to set certain firewall rules if the users in
> 192.168.1.0/24 wish to access FTP/Web/Mail Server

Allow access from the LAN to the servers in your DMZ and limit access to
the required ports.

> My suggestion:
>
> From Internal To DMZ, Port 100.

Suggestion for what? What is this rule supposed to achieve? Why port
100? Which protocol? And why from LAN to all DMZ?

Besides, you didn't even mention what firewall you use, so the syntax
may be entirely different.

> Any more suggestions for the firewall rules? It would be appreciated if
> the IPs, subnets and outgoing DNS policy were included in the suggestions.

My suggestion: get someone with a clue to do this for you. From what you
wrote here you seem to lack even the most basic firewalling knowledge.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Firewall rules

am 29.06.2007 16:22:59 von hunkgym

On Jun 28, 5:33 am, Ansgar -59cobalt- Wiechers wrote:
> hunkgym wrote:
> > Currently, this is a simple LAN network with firewall diagram in my
> > company.
>
> > Please kindly refer to
> > http://hgym.photosite.com/firewall/LANfirewall.html
> > for the mentioned diagram.
>
> Three-legged-firewall with LAN and DMZ nets is a really basic firewall
> scenario.
>
> > I wish to set an IP on the network interface of the FTP/Web/Mail
> > Server. Any suggestion?
>
> You need to forward the FTP, HTTP(s), and SMTP ports from the external
> interface to the respective hosts in the DMZ. In the case of FTP you
> also need to deal with the fact that FTP always uses two connections.
>
> > Meanwhile, I would like to set certain firewall rules if the users in
> > 192.168.1.0/24 wish to access FTP/Web/Mail Server
>
> Allow access from the LAN to the servers in your DMZ and limit access to
> the required ports.
>
> > My suggestion:
>
> > From Internal To DMZ, Port 100.
>
> Suggestion for what? What is this rule supposed to achieve? Why port
> 100? Which protocol? And why from LAN to all DMZ?
>
> Besides, you didn't even mention what firewall you use, so the syntax
> may be entirely different.
>
> > Any more suggestions for the firewall rules? It would be appreciated if
> > the IPs, subnets and outgoing DNS policy were included in the suggestions.
>
> My suggestion: get someone with a clue to do this for you. From what you
> wrote here you seem to lack even the most basic firewalling knowledge.
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

Good Day!

Firewall in use - SifoWorks U-series firewall

Router in use - CISCO Router 3800 Series

Thanks.

Re: Firewall rules

am 03.07.2007 17:01:26 von hunkgym

Good Day!

Thanks for the fruitful information. Currently I only have 1 public IP,
which I purchased from the ISP. Anyway, technically, which one is the
better choice: use an additional public IP or map one system to a port
other than 80?

It would be appreciated too if you could share your relevant experience
(about the brand of firewall you know or currently use) with all of
us.

Thanks!


> > > Currently, this is a simple LAN network with firewall diagram in my
> > > company.
>
> > > Please kindly refer to
> > > http://hgym.photosite.com/firewall/LANfirewall.html
> > > for the mentioned diagram.
>
> > Three-legged-firewall with LAN and DMZ nets is a really basic firewall
> > scenario.
>
> > > I wish to set an IP on the network interface of the FTP/Web/Mail
> > > Server. Any suggestion?
>
> > You need to forward the FTP, HTTP(s), and SMTP ports from the external
> > interface to the respective hosts in the DMZ. In the case of FTP you
> > also need to deal with the fact that FTP always uses two connections.
>
> > > Meanwhile, I would like to set certain firewall rules if the users in
> > > 192.168.1.0/24 wish to access FTP/Web/Mail Server
>
> > Allow access from the LAN to the servers in your DMZ and limit access to
> > the required ports.
>
> > > My suggestion:
>
> > > From Internal To DMZ, Port 100.
>
> > Suggestion for what? What is this rule supposed to achieve? Why port
> > 100? Which protocol? And why from LAN to all DMZ?
>
> > Besides, you didn't even mention what firewall you use, so the syntax
> > may be entirely different.
>
> > > Any more suggestions for the firewall rules? It would be appreciated if
> > > the IPs, subnets and outgoing DNS policy were included in the suggestions.
>
> > My suggestion: get someone with a clue to do this for you. From what you
> > wrote here you seem to lack even the most basic firewalling knowledge.
>
> > cu
> > 59cobalt
> > --
> > "If a software developer ever believes a rootkit is a necessary part of
> > their architecture they should go back and re-architect their solution."
> > --Mark Russinovich
>
> Good Day!
>
> Firewall in use - SifoWorks U-series firewall
>
> Router in use - CISCO Router 3800 Series
>
> Thanks.

Re: Firewall rules

am 03.07.2007 17:15:28 von Ansgar -59cobalt- Wiechers

hunkgym wrote:
> Currently I only have 1 public IP, which I purchased from the ISP.
> Anyway, technically, which one is the better choice: use an additional
> public IP or map one system to a port other than 80?

Do you want more than one web server to be publicly available? If so,
I'd recommend getting additional IP addresses, because otherwise your
users would need to know the port number(s) for the other web server(s),
which would be less convenient for them.

> It would be appreciated too if you could share your relevant experience
> (about the brand of firewall you know or currently use) with all of
> us.

The brand doesn't matter that much. What you really need to begin with
is a firewall policy where you specify who needs to access which host,
and from where.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
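The ruleset the two replies describe (forward FTP, HTTP(S) and SMTP from the outside to the right DMZ host, deal with FTP's second connection, let the LAN reach only the DMZ service ports, and write down who may reach which host from where, including the outgoing DNS policy the original post asked for), as an added iptables example that is not code from either poster and not the SifoWorks syntax. Only the LAN net 192.168.1.0/24 is from the thread; the interface names, the DMZ subnet, the DMZ host addresses and the resolver address are assumptions.

```shell
#!/bin/sh
# Three-legged firewall (external / LAN / DMZ) written as iptables rules.
# Constructed example; the thread's SifoWorks box has its own syntax.
# Only the LAN net 192.168.1.0/24 is from the thread. Interface names,
# the DMZ net, the DMZ host addresses and the ISP resolver are assumed.
EXT=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
WEB=192.168.2.10; MAIL=192.168.2.11; FTP=192.168.2.12
DNS=203.0.113.53   # placeholder resolver address (TEST-NET-3)

# DRY_RUN=1 (the default) prints the rules for review instead of
# applying them; run with DRY_RUN=0 as root to load them.
ipt() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
  ipt -F; ipt -t nat -F; ipt -t raw -F
  ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
  # Stateful core: replies to permitted connections pass; everything
  # else must match an explicit NEW rule below or is dropped.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Internet -> DMZ: the single public IP is port-forwarded (DNAT) to
  # the host that publishes each service, and only those ports pass.
  ipt -t nat -A PREROUTING -i $EXT -p tcp --dport 21 -j DNAT --to-destination $FTP
  ipt -t nat -A PREROUTING -i $EXT -p tcp --dport 25 -j DNAT --to-destination $MAIL
  ipt -t nat -A PREROUTING -i $EXT -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB
  ipt -A FORWARD -i $EXT -o $DMZ -d $FTP -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
  ipt -A FORWARD -i $EXT -o $DMZ -d $MAIL -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
  ipt -A FORWARD -i $EXT -o $DMZ -d $WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
  # FTP's second (data) connection: the ftp conntrack helper (needs the
  # nf_conntrack_ftp module) marks it RELATED, so the stateful rule admits it.
  ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
  # LAN -> DMZ: the same service ports only, not "all of DMZ".
  ipt -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -p tcp -m multiport --dports 21,25,80,443 -m conntrack --ctstate NEW -j ACCEPT
  # Outgoing: LAN gets web and DNS (to the ISP resolver only); the DMZ
  # gets DNS plus outbound SMTP from the mail host. DMZ -> LAN has no
  # rule at all, so the FORWARD DROP policy applies to it.
  ipt -A FORWARD -i $LAN -o $EXT -s $LAN_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
  ipt -A FORWARD -i $LAN -o $EXT -s $LAN_NET -d $DNS -p udp --dport 53 -j ACCEPT
  ipt -A FORWARD -i $DMZ -o $EXT -s $DMZ_NET -d $DNS -p udp --dport 53 -j ACCEPT
  ipt -A FORWARD -i $DMZ -o $EXT -s $MAIL -p tcp --dport 25 -j ACCEPT
  ipt -t nat -A POSTROUTING -o $EXT -j MASQUERADE
}

# Helper for reviewing the generated ruleset (count of lines matching a pattern).
count_rules() { apply_rules | grep -c -- "$1" || true; }
apply_rules
```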