Hi,

I am trying out DMZ. But my LAN users (192.168 range) can access the DMZ (10.10.10.x) range without any restrictions. On this firewall machine there are 3 cards: 1 for the DMZ range, 1 for the LAN range and 1 for my ISP.

I have,

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT # Is this a Bad Idea?
$IPTABLES -P FORWARD DROP

For FORWARD I allow just,

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 3128 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.0/16 -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.0/16 -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 10.0/8 -p tcp -j ACCEPT
$IPTABLES -A FORWARD -s 10.0/8 -p udp -j ACCEPT
$IPTABLES -A FORWARD -d 10.10.10.2 -p tcp --dport 25 -j ACCEPT

(This I am just testing whether I can access my DMZ port 25 from outside)

But still my LAN users can access 10.10.10.2:25 and also the webmin 10000 port. What am I missing?

Thanks a lot in advance and waiting eagerly for any answers.

With warm regards,
-Payal
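An added example, not part of the original post: a small Python model that walks the FORWARD rules listed above in first-match order and reports which rule decides a given new connection. The client and outside addresses are constructed, "10.0/8" is assumed to mean 10.0.0.0/8, and only the rules shown in the post are modelled.

```python
import ipaddress

# FORWARD rules from the post, in order: (source, destination, proto, dport, states).
# None means "not restricted". "10.0/8" is written as 10.0.0.0/8 (assumed equivalent).
RULES = [
    (None, None, None, None, ("ESTABLISHED", "RELATED")),
    ("192.168.0.0/16", None, "tcp", 3128, None),
    ("192.168.0.0/16", None, "tcp", 53, None),
    ("192.168.0.0/16", None, "udp", 53, None),
    ("10.0.0.0/8", None, "tcp", None, None),
    ("10.0.0.0/8", None, "udp", None, None),
    (None, "10.10.10.2", "tcp", 25, None),
]
POLICY = "DROP"  # $IPTABLES -P FORWARD DROP


def in_net(addr, net):
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def forward_verdict(src, dst, proto, dport, state="NEW"):
    """First-match walk of the chain; returns (verdict, rule number), 0 = policy."""
    for number, (r_src, r_dst, r_proto, r_dport, r_states) in enumerate(RULES, 1):
        if r_states is not None and state not in r_states:
            continue
        if not (in_net(src, r_src) and in_net(dst, r_dst)):
            continue
        if r_proto is not None and proto != r_proto:
            continue
        if r_dport is not None and dport != r_dport:
            continue
        return ("ACCEPT", number)
    return (POLICY, 0)


# Constructed test packets; 192.168.1.50 and 203.0.113.9 are made-up hosts.
SAMPLES = [
    ("LAN -> DMZ smtp", "192.168.1.50", "10.10.10.2", "tcp", 25),
    ("LAN -> DMZ port 10000", "192.168.1.50", "10.10.10.2", "tcp", 10000),
    ("outside -> DMZ smtp", "203.0.113.9", "10.10.10.2", "tcp", 25),
    ("DMZ -> LAN ssh", "10.10.10.2", "192.168.1.50", "tcp", 22),
]

if __name__ == "__main__":
    for label, *packet in SAMPLES:
        print(f"{label:24} {forward_verdict(*packet)}")
```

Rule 7 matches on destination only, so it accepts the LAN client as well as the outside host, while port 10000 falls through to the DROP policy under the rules shown. Rules 5 and 6 accept any new TCP or UDP connection from a DMZ address, including ones toward the LAN.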