Mailserver / Webserver in DMZ or not?

aesis
Posts: 803
Joined: November 17th, 2012, 10:21 pm

Re: Mailserver / Webserver in DMZ or not?

Post by aesis » January 25th, 2015, 3:09 pm

Looks like you don't understand the difference between a firewall and a router. IPFire is a router + firewall. Port forwarding is a routing service and has nothing to do with the firewall services of IPFire. All devices in the DMZ are in front of the firewall and not behind it, so these devices get unlimited access to the web.

houseofdreams
Posts: 67
Joined: January 18th, 2015, 3:35 pm

Re: Mailserver / Webserver in DMZ or not?

Post by houseofdreams » January 25th, 2015, 3:13 pm

aesis wrote:Looks like you don't understand the difference between a firewall and a router. IPFire is a router + firewall. Port forwarding is a routing service and has nothing to do with the firewall services of IPFire. All devices in the DMZ are in front of the firewall and not behind it, so these devices get unlimited access to the web.


So my image is wrong, but also the image from the tutorial on another website? Ok, let's leave it at that. We're not getting anywhere this way...

aesis
Posts: 803
Joined: November 17th, 2012, 10:21 pm

Re: Mailserver / Webserver in DMZ or not?

Post by aesis » January 25th, 2015, 3:18 pm

houseofdreams wrote:
aesis wrote:Looks like you don't understand the difference between a firewall and a router. IPFire is a router + firewall. Port forwarding is a routing service and has nothing to do with the firewall services of IPFire. All devices in the DMZ are in front of the firewall and not behind it, so these devices get unlimited access to the web.


So my image is wrong, but also the image from the tutorial on another website? Ok, let's leave it at that. We're not getting anywhere this way...

Right. I give up here.

Roberto Peña
Posts: 619
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Mailserver / Webserver in DMZ or not?

Post by Roberto Peña » January 25th, 2015, 8:10 pm

Hello.

According to the networking scheme presented, the DMZ can never go straight to the Internet; it goes through the IPFire NAT. To access the server located inside the DMZ you have to do a port redirect. I do not know if it goes through iptables, but it is necessary to do a redirect, for sure.

In this scenario, the public IP is taken by the IPFire, the upstream device being a modem. It is the same whether it is a router. The IPFire does the NAT.

The hacker, once inside the DMZ server (if accessible), cannot access GREEN, as the traffic passes through iptables, passing only through the ports that are enabled and depending on their direction.

It's what I think.

Roberto Peña
Posts: 619
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Mailserver / Webserver in DMZ or not?

Post by Roberto Peña » January 25th, 2015, 8:15 pm

The DMZ does not bypass iptables, but goes through NAT. That's what concerns Aesis. Pure and simple routing.

houseofdreams
Posts: 67
Joined: January 18th, 2015, 3:35 pm

Re: Mailserver / Webserver in DMZ or not?

Post by houseofdreams » January 25th, 2015, 8:28 pm

Yeah, also according to the IPFire wiki pages, if you look at the diagram, more specifically the RED -> ORANGE section, it clearly states "Closed. Use port forwarding".

Attachment: default-policy.png

http://wiki.ipfire.org/en/configuration ... ult-policy

I can say that I don't know if the real firewall (SPI, IDS, IPS) section is or isn't bypassed in the DMZ, but as I said earlier and as is now again visible in this table, port forwarding is needed. This was not needed in a simple "1 IP DMZ router". Port forwarding isn't a real firewall solution, but if you don't open a port to the orange network, it is closed, so this is some sort of security in my opinion...

So maybe we need to chalk this one off to a language barrier maybe? :)

dbrooke
Posts: 18
Joined: July 22nd, 2013, 3:55 pm

Re: Mailserver / Webserver in DMZ or not?

Post by dbrooke » February 17th, 2015, 9:23 pm

houseofdreams, it's pretty sad the help you are getting here! I had a bit of help getting my DMZ set up, so I am no guru, but if I can help, let me know. Yes, I do port forwarding for my DMZ (mail server, web servers, gaming servers), as well as some SNAT for some of the services. Services will need local IPs. I use the 10.x.x.x block, and just change the last number to the public IP's last number, so if your public IP is 208.208.208.8, my DMZ IP is 10.0.0.8.

Donovan

houseofdreams
Posts: 67
Joined: January 18th, 2015, 3:35 pm

Re: Mailserver / Webserver in DMZ or not?

Post by houseofdreams » February 17th, 2015, 9:35 pm

dbrooke wrote:houseofdreams, it's pretty sad the help you are getting here! I had a bit of help getting my DMZ set up, so I am no guru, but if I can help, let me know. Yes, I do port forwarding for my DMZ (mail server, web servers, gaming servers), as well as some SNAT for some of the services. Services will need local IPs. I use the 10.x.x.x block, and just change the last number to the public IP's last number, so if your public IP is 208.208.208.8, my DMZ IP is 10.0.0.8.

Donovan


Globally speaking, you get a lot of help here on the forum. In this case, I think it's more a translation problem. The firewall / router configuration page has also been completely renewed and simplified, so the router/firewall settings are now all on one page. Maybe this was set up differently in the older versions; I started using IPFire after the update...

nextwerk
Posts: 5
Joined: May 15th, 2015, 7:33 pm

Re: Mailserver / Webserver in DMZ or not?

Post by nextwerk » May 15th, 2015, 7:42 pm

Sorry for pushing this thread, but I've got a question for you, houseofdreams.
I have a similar setup here with a Kerio Connect installation. How did you solve the DMZ/LAN/AD stuff?
I'm also interested in making my setup more secure. Port forwarding from RED to ORANGE and firewall rules from GREEN to ORANGE?

Thanks for a reply.

Best regards
Matthias

PS: Maybe we could "talk" by Mail or PM, unless it's interesting for others here. ;)

houseofdreams
Posts: 67
Joined: January 18th, 2015, 3:35 pm

Re: Mailserver / Webserver in DMZ or not?

Post by houseofdreams » May 19th, 2015, 1:09 pm

nextwerk wrote:Sorry for pushing this thread, but I've got a question for you, houseofdreams.
I have a similar setup here with a Kerio Connect installation. How did you solve the DMZ/LAN/AD stuff?
I'm also interested in making my setup more secure. Port forwarding from RED to ORANGE and firewall rules from GREEN to ORANGE?

Thanks for a reply.

Best regards
Matthias

PS: Maybe we could "talk" by Mail or PM, unless it's interesting for others here. ;)


Sorry for the late response.

I only have the following rules in place:

E-Mail Rule Group (25; 465; 587; 993; 995)
Https (443)

All from red to orange. From green to orange you don't need to configure forwarding, as this direction is always allowed.

I do have some pinholes in place from orange to green, to make regular backups of the mailserver, but I'm planning to change this to an offsite backup location. I only want to use pinholes if it's absolutely necessary.

If you have any questions, just ask :)
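A small model of the zone policy the thread arrives at (RED -> ORANGE closed unless a port is forwarded, GREEN -> ORANGE open, ORANGE -> GREEN closed unless a pinhole exists, ORANGE -> RED open), using the e-mail/HTTPS port list from the post above and the 10.0.0.8 sample DMZ address from dbrooke's post. This is an added example, not IPFire code and not code from anyone in this thread; the address plan, the 192.168.1.10 backup host, port 22 for the backup pinhole and the closed RED -> GREEN default are assumptions.

```python
from dataclasses import dataclass
from typing import Tuple

# Zone-to-zone defaults as described in the thread: GREEN -> ORANGE and
# ORANGE -> RED open; RED -> ORANGE closed unless port-forwarded;
# ORANGE -> GREEN closed unless a pinhole exists; RED -> GREEN closed (assumption).
DEFAULT_OPEN = {("GREEN", "ORANGE"), ("GREEN", "RED"), ("ORANGE", "RED")}

PUBLIC_IP = "208.208.208.8"   # sample public IP from dbrooke's post
DMZ_MAIL = "10.0.0.8"         # sample DMZ host from dbrooke's post
LAN_BACKUP = "192.168.1.10"   # constructed GREEN backup host (assumption)

# RED -> ORANGE port forwards: the e-mail rule group plus HTTPS from the post above
FORWARDS = {p: (DMZ_MAIL, p) for p in (25, 465, 587, 993, 995, 443)}
# ORANGE -> GREEN pinholes as (src, dst, port); the backup pinhole, port is an assumption
PINHOLES = {(DMZ_MAIL, LAN_BACKUP, 22)}


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


def zone_of(ip: str) -> str:
    """Constructed address plan: 10/8 is ORANGE, 192.168/16 is GREEN, anything else RED."""
    if ip.startswith("10."):
        return "ORANGE"
    if ip.startswith("192.168."):
        return "GREEN"
    return "RED"


def dnat(pkt: Packet) -> Tuple[Packet, bool]:
    """PREROUTING step: rewrite the destination of a forwarded port on the public IP."""
    if zone_of(pkt.src_ip) == "RED" and pkt.dst_ip == PUBLIC_IP and pkt.dst_port in FORWARDS:
        host, port = FORWARDS[pkt.dst_port]
        return Packet(pkt.src_ip, host, port), True
    return pkt, False


def forward_allowed(pkt: Packet) -> bool:
    """FORWARD step, evaluated after DNAT: zone default first, then the explicit exceptions."""
    pkt, forwarded = dnat(pkt)
    src, dst = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
    if (src, dst) in DEFAULT_OPEN:
        return True
    if src == "RED" and dst == "ORANGE":
        return forwarded          # closed unless a port forward matched
    if src == "ORANGE" and dst == "GREEN":
        return (pkt.src_ip, pkt.dst_ip, pkt.dst_port) in PINHOLES
    return False                  # everything else stays closed
```

Note that a packet from RED addressed directly to the DMZ host's private address, or to a public port with no forward, never reaches ORANGE, which is the "if you don't open a port to the orange network, it is closed" behaviour discussed above.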
