Hello everyone!
I'm trying to add a DMZ to my current home "setup".
Up to now I have managed to have (in a small fanless card) PPPoE,
Router, DHCP, DNS and Firewall. I recently added an additional NIC, to
make a DMZ (nothing special, hosting a blog, and little else). At
this point, however, I would like to understand if the Firewall part
makes sense, and above all how to add some things.
Basically, of course, I want the LAN to be able to talk quietly to hosts in the DMZ, while I don't want the opposite to happen.
I came up with more or less this configuration:
Code:
### Firewall Configuration ###
##############################
# Macro
##############################
## Network Interfaces
ext_if="tun0"
int_if="re1"
dmz_if="re2"
## Hosts
lan="192.168.1.0/24"
server="192.168.1.3"
desktop="192.168.1.4"
webserver="192.168.2.10"
tcp_services = "{www, http, https}"
torrent = "{51413}"
udp_services = "{domain, ntp}"
##############################
# Options
##############################
## Skip all Pf process on interface
set block-policy drop
set skip on lo
scrub in
##############################
# NAT
##############################
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
#############################
# Port Forwarding
#############################
## Allow access to webserver
rdr pass on $ext_if inet proto tcp from any to any port $tcp_services -> $webserver
##############################
# Filter Rules
##############################
## Default Policy (Blacklist)
block log all
# Allow access to dmz from lan
# (LAN-sourced packets enter on $int_if and leave on $dmz_if, so the
# matching direction on the DMZ interface is "out"; a "pass in on $dmz_if
# from $lan" rule would only match packets arriving on the DMZ interface
# that claim a LAN source address, which legitimate LAN traffic never does)
pass out on $dmz_if from $lan to any keep state
# Allow outgoing and keep state
pass out keep state
## Allow traffic on lan
pass quick on $int_if no state
At this point I don't understand how to grant access to the internet to the DMZ, but don't let it connect to any of the hosts in the LAN.
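One way to complete the filter section so that the DMZ can reach the internet but cannot open connections to the LAN, as an added pf.conf fragment that is not part of the original post. It reuses the post's macros and rdr rule, assumes the DMZ subnet is 192.168.2.0/24 (the `dmz` macro is inferred from `$webserver` and is not in the post), and is meant to replace the post's filter rules after the NAT and port-forwarding sections:

```pf
## Assumption (not in the post): the DMZ subnet, inferred from $webserver
dmz="192.168.2.0/24"

##############################
# Filter Rules
##############################
## Default policy: anything not explicitly passed is dropped and logged
block log all

## Drop packets whose source address does not belong to the interface
## they arrive on (e.g. a DMZ host forging a LAN address to get past the
## LAN rules); antispoof expands to the matching block rules
antispoof log quick for { $int_if, $dmz_if }

## DMZ -> internet: allowed and stateful, but never toward LAN addresses.
## "to ! $lan" excludes 192.168.1.0/24, so a DMZ host cannot initiate a
## connection to the LAN. Replies to LAN-initiated connections still flow,
## because they match the state created by the LAN rule below, not this one.
pass in on $dmz_if inet from $dmz to ! $lan keep state

## LAN -> DMZ and LAN -> internet: stateful, so the DMZ's return traffic is
## matched by state and needs no "pass in on $dmz_if ... to $lan" rule
pass in on $int_if inet from $lan to any keep state

## Inbound web traffic already passed by "rdr pass" on $ext_if, plus all
## forwarded and locally generated traffic, may leave on any interface
pass out keep state
```

The firewall's own DMZ-side address is not inside `$lan`, so the DMZ can still use DNS/NTP served on that interface; check the syntax with `pfctl -nf /etc/pf.conf` before loading it.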