ISPConfig - Behind Hardware Firewall

Discussion in 'General' started by RunneR, May 28, 2006.

  1. RunneR

    RunneR New Member

    We have recently purchased a hardware firewall and two new servers. Our goal is to install the hardware firewall between the internet connection and the servers, one of which is ISPConfig and the other is a MyDNS Server running MyDNSConfig.

    What ports need to be allowed IN BOUND as to not cause any issues on either of the servers.

    Each server will have its own INTERNAL and EXTERNAL IP address.

    The Hardware Firewall allows several configurations including : direct mapping of one to one IPs with the traffic wide open both ways OR one to one IPs with select traffic INBOUND and wide open OUTBOUND.

    Any direction is appreciated.

    RunneR
     
  2. itgroup

    itgroup New Member

    firewall

    Hi,
    If you have 'watchguard' type hardware firewall, you will need to do the following:

    assuming:
    Web server: 192.168.1.2
    Mail server : 192.168.1.3
    DSL Router: 192.169.1.99
    Watchguard: 192.168.1.1

    DSL router: - forward ports: 53, 80 , 443 to 192.168.1.2
    forward ports: 25, 110, 143 to 192.168.1.3

    Watchguard: setup IP 'drop in' as 192.168.1.1
    configure services: smtp proxy, dns proxy, web proxy, pop3
    Set static route: 192.168.1.2 255.255.255.0 192.168.1.1

    Web server: set gateway to 192.168.1.99
    MAil server: set gateway to 192.168.1.99

    regards
    steve
     
  3. RunneR

    RunneR New Member

    Working it out.

    Well we have a CheckPoint Firewall.
    It allows rules.

    So this is what I have set up so far.

    I figure I can lock it down more as I go.

    ONE TO ONE -
    First
    FORWARD 1.2.3.4 TO 192.16.8.0.10
    FORWARD 1.2.3.5. TO 192.16.8.0.11

    Then I allow some traffic.
    Then I lock out the rest of the traffic.

    RULE /// SOURCE /// DESTINATION
    Allow ANY DMZ:20 - 25 (TCP)
    Allow ANY DMZ:80 (TCP)
    Allow ANY DMZ:110 (TCP)
    Allow ANY DMZ:143 (TCP)
    Allow ANY DMZ:443 (TCP)
    Deny ANY DMZ:*(TCP/UDP)

    So, am I getting close?

    Or have I forgotten anything?
     
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    You might also want to allow port 53 (TCP and UDP) for MyDNS and 993 for IMAPs and 995 for POP3s.
     
  5. RunneR

    RunneR New Member

    Excellent

    Excellent - I am running with it this evening as a test trial.

    Thank you for all the help.

    RunneR
     

Share This Page