This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Network definition for Internet traffic

With 3 NICs (Internal, DMZ and Internet), What network definnition must I use or create to identify the Internet traffic source?
I want to avoid the use of 'any'.

This thread was automatically locked due to age.

Parents

0 JimmyM over 20 years ago

You have to use ANY. If you want to prevent your DMZ from connected to your internal network (recommended) you need 3 rules.

Source------------Dest----------service--------action
Internal(net)-----Any-----------Any-----------Allow
DMZ(net)---------Internal(net)-Any-----------Drop
DMZ(net)---------Any-----------Any------------Allow
Cancel
Vote Up 0 Vote Down

Cancel
0 DrStein over 20 years ago in reply to JimmyM

OK, but in NAT rules?
Cancel
Vote Up 0 Vote Down

Cancel
0 SecApp over 20 years ago in reply to DrStein

The only NAT rule you will need is a masquerade rule, if you are using private numbers (172..., 192.168..., 10...) for your internal networks.

If you use the HTTP proxy, you don't even need rules! (There are pros and cons to using the proxy, that will be determined by your particular requirements).

You can also elect to tighten up the Internal Any Any rule above to just the services you need to have go out...
Cancel
Vote Up 0 Vote Down

Cancel
0 DrStein over 20 years ago in reply to SecApp

I have a problem if I use masquerade rule for the internal network and DNAT on each IP of the DMZ with addicional IP on the Internet adapter: The internal clients don't resolve public IPs of the DMZ.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 DrStein over 20 years ago in reply to SecApp

I have a problem if I use masquerade rule for the internal network and DNAT on each IP of the DMZ with addicional IP on the Internet adapter: The internal clients don't resolve public IPs of the DMZ.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data