Navigation

RunneR · #1 28th May 2006, 23:24

We have recently purchased a hardware firewall and two new servers. Our goal is to install the hardware firewall between the internet connection and the servers, one of which is ISPConfig and the other is a MyDNS Server running MyDNSConfig.

What ports need to be allowed IN BOUND as to not cause any issues on either of the servers.

Each server will have its own INTERNAL and EXTERNAL IP address.

The Hardware Firewall allows several configurations including : direct mapping of one to one IPs with the traffic wide open both ways OR one to one IPs with select traffic INBOUND and wide open OUTBOUND.

Any direction is appreciated.

RunneR

itgroup · #2 29th May 2006, 00:54

Hi,
If you have 'watchguard' type hardware firewall, you will need to do the following:

assuming:
Web server: 192.168.1.2
Mail server : 192.168.1.3
DSL Router: 192.169.1.99
Watchguard: 192.168.1.1

DSL router: - forward ports: 53, 80 , 443 to 192.168.1.2
forward ports: 25, 110, 143 to 192.168.1.3

Watchguard: setup IP 'drop in' as 192.168.1.1
configure services: smtp proxy, dns proxy, web proxy, pop3
Set static route: 192.168.1.2 255.255.255.0 192.168.1.1

Web server: set gateway to 192.168.1.99
MAil server: set gateway to 192.168.1.99

regards
steve

RunneR · #3 29th May 2006, 06:16

Well we have a CheckPoint Firewall.
It allows rules.

So this is what I have set up so far.

I figure I can lock it down more as I go.

ONE TO ONE -
First
FORWARD 1.2.3.4 TO 192.16.8.0.10
FORWARD 1.2.3.5. TO 192.16.8.0.11

Then I allow some traffic.
Then I lock out the rest of the traffic.

RULE /// SOURCE /// DESTINATION
Allow ANY DMZ:20 - 25 (TCP)
Allow ANY DMZ:80 (TCP)
Allow ANY DMZ:110 (TCP)
Allow ANY DMZ:143 (TCP)
Allow ANY DMZ:443 (TCP)
Deny ANY DMZ:*(TCP/UDP)

So, am I getting close?

Or have I forgotten anything?