m0n0wall Example DMZ Configurationsnettechonline.net/index.php/m0n0wall/64-m0n0wall... · the public IP 2.0.0.3 to the DMZ mail server and 2.0.0.4 to the DMZ web server. Go to the

m0n0wall Firewall Rules - DMZ or Captive Portal

Written by WebadminTuesday, 07 June 2011 20:19 - Last Updated Tuesday, 07 June 2011 21:12

Chapter 13. Example Configurations

m0n0wall Example DMZ Configurations

-webadmin- This article is part of the m0n0wall white papers published here: You cansubstitute the DMZ examples here and use this setup for Guest Wireless using the CaptivePortal feature.

Credits: Chris Buechler, Manuel Kasper

m0n0wall written by Manuel Kasper . Most documentation written by Chris Buechler. Additional Contributors listed in Contributors and Credits

Configuring a DMZ Interface Using NAT

This section will explain how to add a DMZ interface to the two interface (LAN/WAN) baseconfiguration from the Quick Start Guide .

You must have a functioning two interface setup before starting on configuring your DMZinterface.

The 1:1 NAT DMZ setup is most appropriate where you have multiple public IP's and wish toassign a single public IP to each DMZ host.

Network Diagram

1 / 16

http://doc.m0n0.ch/handbook/examples.html

http://neon1.net/

http://chrisbuechler.com/

http://chrisbuechler.com/

http://doc.m0n0.ch/handbook/intro-credits.html

http://m0n0.ch/wall/quickstart/



Example Network Diagram

2 / 16



This depicts the network layout we will have after configuring our DMZ interface.

Adding the Optional Interface

Log into your m0n0wall's webGUI, and click "(assign)" next to Interfaces.

Click the on this page to add your third interface.

3 / 16



Now restart your m0n0wall for the changes to take affect. Configuring the Optional Interface

After your m0n0wall restarts, log back into the webGUI. Under Interfaces, you will seeOPT1. Click on it.

4 / 16



Check the box at the top to enable the interface, give it a more descriptive name (I'll call it"DMZ"), and set up the desired IP configuration. The IP subnet must be different from theLAN subnet.

Configuring the DMZ Interface Firewall Rules

5 / 16



The main purpose of a DMZ is to protect the LAN from the publicly-accessible Internet hostson your network. This way if one of them were to be compromised, your LAN still hasprotection from the attacker. So if we don't block traffic from the DMZ to the LAN, the DMZ is basically useless.

First we will put in a firewall rule on the DMZ interface denying all traffic to the LAN while stillpermitting all traffic to the WAN. Click Firewall -> Rules, and click the at the bottom of the page.

6 / 16



7 / 16


Written by WebadminTuesday, 07 June 2011 20:19 - Last Updated Tuesday, 07 June 2011 21:12 Filling out this screen as shown below will permit all traffic out the DMZ interface to theinternet, but prohibit all DMZ traffic from entering the LAN. It also only permits outboundtraffic from the DMZ's IP subnet since only traffic from a source IP within your DMZ should come in on the DMZ interface (unless you have a routed DMZ, which would be strange).This prevents spoofed packets from leaving your DMZ.

8 / 16



9 / 16


Written by WebadminTuesday, 07 June 2011 20:19 - Last Updated Tuesday, 07 June 2011 21:12 Click Save after verifying your selections. Then click Apply Changes. Permitting select services from DMZ into the LAN

You probably have some services on your LAN that your DMZ hosts will need to access. Inour sample network, we need to be able to reach DNS on the two LAN DNS servers, cvsupprotocol to our LAN cvsup-mirror server, and NTP for time synchronization to the timeserver that resides on the cvsup-mirror server.

Always use specific protocols, ports, and hosts when permitting traffic from your DMZ toyour LAN. Make sure nothing that isn't required can get through.

Note

Don't forget that source ports (TCP and UDP) are randomly selected high ports, and notthe same as the destination port. You'll need to use "any" for source port.

My DMZ interface firewall rules now look like the following after permitting the requiredservices from DMZ to LAN.

10 / 16



Note that I added a rule to deny any traffic coming in on the DMZ interface destined for theLAN. This was not required because of the way we configured the allow rule, however I liketo put it in there to make it very clear where the traffic from DMZ to LAN is getting dropped.

When entering your rules, remember they are processed in top down order, and ruleprocessing stops at the first match. So if you had left the rule we added above as the toprule, it would drop packets from DMZ to LAN without getting to the permit rules you added. Irecommend you design your rules similar to how I have, with drop DMZ to LAN as the second last line, and permit DMZ to any except LAN as the last line.

Configuring NAT

Now you need to determine whether you'll use inbound or 1:1 NAT. If you have multiplepublic IP's, use 1:1 NAT. If you have only a single public IP, you'll need to use inbound NAT.If you have multiple public IP's, but more DMZ hosts than public IP's, you can use inboundNAT, or a combination of 1:1 and inbound.

Using 1:1 NAT

For this scenario, we'll say we have a /27 public IP subnet. We'll say it's 2.0.0.0/27.m0n0wall's WAN interface has been assigned with IP 2.0.0.2. I will use 1:1 NAT to assignthe public IP 2.0.0.3 to the DMZ mail server and 2.0.0.4 to the DMZ web server.

Go to the Firewall -> NAT screen and click the 1:1 tab. Click the . I will add two entries, one each for the mail server and web server.

11 / 16



After adding the rules, click Apply changes. You'll now see something like the following.

12 / 16



Testing the 1:1 NAT Configuration

You can test the 1:1 NAT we just configured by going to whatismyip.com on the machineconfigured for 1:1. If you don't have a GUI, lynx will work, or you can fetch or wget the URLand cat the resulting file. (fetch http://whatismyip.com && cat whatismyip.com | grep"IP is").

You should see the IP is the one you just configured in 1:1 NAT. If you get an IP other thanthe one you configured in 1:1, there is a problem with your configuration.

Using Inbound NAT

If you have only one public IP, or more need more publicly-accessible servers than youhave public IP addresses, you'll need to use inbound NAT. Go to the NAT screen, and onthe Inbound tab, click .

For this example, we will assume you have only one public IP, and it is the interfaceaddress of the WAN interface.

13 / 16



First, anything to the WAN IP to port 25 (SMTP) will go to the mail server in our DMZ.

Click Save, and click to add the inbound NAT rule for the HTTP server.

14 / 16



Click "Apply changes" and your configuration will be working. It should look like thefollowing.

15 / 16



16 / 16

Documents

m0n0wall Example DMZ Configurationsnettechonline.net/index.php/m0n0wall/64-m0n0wall... · the public IP 2.0.0.3 to the DMZ mail server and 2.0.0.4 to the DMZ web server. Go to the