Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 3509 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Create DMZ and block all traffic except certain hosts

JeffGreen

 I have a Sophos SG450 and have configured interface 7 with an internal IP of 10.50.0.9/29. I want this interface to be a DMZ and only allow traffic from a couple hosts to be able to access the computer attached to that interface. It's IP is 10.50.0.10/29. I am able to ping and get to the web from my DMZ test computer, but I can also get from anything TO my test computer. I've created a firewall rule to deny Any > Any > DMZ Host, yet it still passes traffic both ways. What am I missing? Thanks.



This thread was automatically locked due to age.
Parents
  • 0

    What do you mean by "get to" - how are you testing?  Is the issue concerning web filtering?

    Cheers - Bob

  • 0 in reply to BAlfson

    Sorry, Bob. What I'm trying to do is move an SQL server into a DMZ so that it can only be accessed from a front-end web server. With everything mentioned above in place, I am still able to ping from anywhere within my network to 10.50.0.10, even though there's a firewall rule preventing any source, any service to that IP address. I'm sure I'm missing something simple. Thanks.

  • 0 in reply to JeffGreen

    Just to keep your configuration "clean" and easy to administer, I would get rid of that firewall rule.  The default is to block everything that is not explicitly allowed.

    Moreover, the "Any" Service object does not include Ping or other ICMP Services.

    Pinging is regulated on the 'ICMP' tab of 'Network Protection >> Firewall'.  I'd be interested in knowing if you could leave those settings as-is and solve your problem with two new firewall rules, in order:

    {Web Server IP} -> Ping -> {SQL Server IP} : Allow

    Internal (Network) -> Ping -> DMZ (Network) : Drop

    The question for me is whether the settings on the 'ICMP' tab are considered before or after manually-created firewall rules.  I believe it's after, but haven't tested my intuition.

    In any case, you were fine as only pings were getting through.

    Cheers - Bob

Reply
  • 0 in reply to JeffGreen

    Just to keep your configuration "clean" and easy to administer, I would get rid of that firewall rule.  The default is to block everything that is not explicitly allowed.

    Moreover, the "Any" Service object does not include Ping or other ICMP Services.

    Pinging is regulated on the 'ICMP' tab of 'Network Protection >> Firewall'.  I'd be interested in knowing if you could leave those settings as-is and solve your problem with two new firewall rules, in order:

    {Web Server IP} -> Ping -> {SQL Server IP} : Allow

    Internal (Network) -> Ping -> DMZ (Network) : Drop

    The question for me is whether the settings on the 'ICMP' tab are considered before or after manually-created firewall rules.  I believe it's after, but haven't tested my intuition.

    In any case, you were fine as only pings were getting through.

    Cheers - Bob

Children
No Data