
DMZ creation for a server.

Hi, I am new to Sophos. I want to create a DMZ zone for one of our servers, which will provide antivirus updates to all the clients inside and outside our company domain. I have created the DMZ zone and also firewall rules, but I am unable to use the DMZ. So please help me.



  • Hi,

    please post your firewall rules so we can review and assist.

    Ian

  • This is the firewall rule for DMZ.

  • Hi,

    that rule will not achieve much. No users, internal or external, can access the server.

    You will need a firewall rule to allow internal devices to access the server on specific ports.

    You will need a business rule to allow external users to access the server again with specific ports.

    To allow the server to update you will need a firewall rule to allow the server to contact the anti-x sources.

    Ian

  • So, first of all, you have a LAN network and a separate DMZ network in which a single machine resides, right?

    Your goal is to allow the LAN clients to access the DMZ, to allow WAN clients to access the DMZ and allow the DMZ machine to get updates, correct?

    Notice that these are 3 different things, meaning 3 different firewall rules.

    Logic of the SFOS firewall is: 

    A User/Network rule is for when you want to allow/deny direct access to computers or networks from a network. E.g. you want to allow access from LAN to DMZ, or allow LAN access to a specific machine in the DMZ, or allow the DMZ to access the internet.

    A Business application rule is for when you want to allow a specific service to an internal machine, but let Sophos manage the connections and filter them. In this case Sophos appears to be the machine you're connecting to.

    The firewall rules are always matched on the initiation of the source connection! That means that if a client tries to access the DMZ from the LAN, then you have to make a rule with Source = LAN and Destination = the machine!

    More specifically, the business application rule you're trying to use is for WAN use, since we assume the LAN is secure. So, the initiator of the connection is from the internet (which means Source Zone = WAN) and the Destination is also the WAN! (Probably port2 or whatever your WAN port is.) Next to that, add the port the machines are using to get the updates. At the bottom of that is the protected devices (Forward to) field. That's where you point to where your DMZ machine is.

    That's the rule to allow clients from the internet to access the DMZ.

    Next you will have to make a user application rule with Source = LAN, Destination = your DMZ, to allow clients from the LAN to get updates, and another user application rule with Source = your DMZ machine, Destination = WAN, to allow your DMZ machine to access the internet.

    Once you get the logic, it's pretty straightforward.
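The three-flow logic the reply above describes (LAN to DMZ, WAN to DMZ via a business rule that forwards to the server, DMZ server out to the internet, with rules matched on whoever initiates the connection), as an added example that is not part of the original post and not SFOS code: a small Python model of stateful rule evaluation. The zone ranges, the addresses, the update port 8192 and the rule names are constructed assumptions; the business rule is modelled as a DNAT whose destination is the firewall's own WAN address, which is why a WAN client never addresses the DMZ host directly.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Constructed addressing for the scenario in the thread (assumptions, not from the post).
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("10.10.10.0/24"),
}
WAN_IP = "203.0.113.10"      # the firewall's own WAN (port2) address, documentation range
DMZ_SERVER = "10.10.10.5"    # the update server living in the DMZ
UPDATE_PORT = 8192           # hypothetical port the clients pull updates from
UPDATE_SOURCE = "198.51.100.50"  # hypothetical vendor update host on the internet


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside LAN/DMZ is WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    ports: Set[int]
    src_hosts: Optional[Set[str]] = None   # None = any host in src_zone
    dst_hosts: Optional[Set[str]] = None   # None = any host in dst_zone
    action: str = "ALLOW"
    forward_to: Optional[str] = None       # set only on a business (DNAT) rule

    def matches(self, f: Flow) -> bool:
        if zone_of(f.src) != self.src_zone or f.dport not in self.ports:
            return False
        if self.src_hosts is not None and f.src not in self.src_hosts:
            return False
        if self.forward_to is not None:
            # Business rule: the client talks to the firewall's WAN address,
            # so the destination zone is WAN and the host is the firewall itself.
            return f.dst == WAN_IP
        if zone_of(f.dst) != self.dst_zone:
            return False
        return self.dst_hosts is None or f.dst in self.dst_hosts


class Firewall:
    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.state = set()   # connections already allowed (stateful tracking)

    def evaluate(self, f: Flow) -> Tuple[str, str]:
        """Return (action, effective destination) for the first packet of a flow."""
        # Reply direction of an established connection needs no rule of its own.
        if (f.dst, f.dport, f.src, f.sport) in self.state:
            return ("ALLOW", f.dst)
        for r in self.rules:   # first match wins, as in an ordered rule table
            if r.matches(f):
                if r.action != "ALLOW":
                    return (r.action, f.dst)
                real_dst = r.forward_to or f.dst
                self.state.add((f.src, f.sport, real_dst, f.dport))
                return ("ALLOW", real_dst)
        return ("DROP", f.dst)   # implicit default: nothing matched, deny


# The three rules the reply says are needed, one per initiating direction.
RULES = [
    Rule("LAN to DMZ updates", "LAN", "DMZ", {UPDATE_PORT}, dst_hosts={DMZ_SERVER}),
    Rule("WAN to DMZ updates (business rule)", "WAN", "WAN", {UPDATE_PORT},
         forward_to=DMZ_SERVER),
    Rule("DMZ server to internet", "DMZ", "WAN", {80, 443}, src_hosts={DMZ_SERVER}),
]


def demo() -> dict:
    """Run the constructed flows through the rule set and return each verdict."""
    fw = Firewall(RULES)
    return {
        "lan_client": fw.evaluate(Flow("192.168.1.20", 51000, DMZ_SERVER, UPDATE_PORT)),
        "wan_client": fw.evaluate(Flow("198.51.100.7", 51001, WAN_IP, UPDATE_PORT)),
        "server_update": fw.evaluate(Flow(DMZ_SERVER, 40000, UPDATE_SOURCE, 443)),
        # Reply of the flow just above: allowed by state, no WAN->DMZ rule involved.
        "server_update_reply": fw.evaluate(Flow(UPDATE_SOURCE, 443, DMZ_SERVER, 40000)),
        # Same peer, but unsolicited (different port): nothing initiated it, so it drops.
        "unsolicited_inbound": fw.evaluate(Flow(UPDATE_SOURCE, 443, DMZ_SERVER, 40001)),
        # LAN rule is port-specific, so SSH to the server from the LAN is not covered.
        "lan_ssh_to_dmz": fw.evaluate(Flow("192.168.1.20", 51003, DMZ_SERVER, 22)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

The two points worth taking from the run are that the reply packet of the server's own update fetch is allowed purely by connection state, while an inbound packet from the same host that no DMZ connection initiated is dropped, and that the WAN client's verdict shows the firewall's address as the destination and the DMZ server only as the forwarded-to target.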

