Re: Ruleset

On Tuesday 10 August 2004 9:27 am, Antony Stone wrote:

> On Tuesday 10 August 2004 8:22 am, Brent Clark wrote:
> > Hi all
> >
> > If possible would someone be so kind as to have a look at my ruleset and,
> > if possible, share some pointers.  I have another Linux box (IP address
> > 192.168.3.3, connected to eth1 on the FW).  I have a LAN (192.168.2.0/24)
> > connected to eth0.  For my Internet handling I have a ppp connection.  I'm
> > also currently toying with dyndns (ez-ipupdate).
>
> 4. Do you *really* want to allow *all* NEW packets from the Internet to the
> DMZ, no matter what protocol they are?   You might as well simply stick
> your 192.168.3.3 machine on a public IP address with no firewall....

The above comment is not quite accurate - you are, of course, only DNATting 
packets to TCP port 80, therefore only HTTP should get through to the DMZ. 
However, I would still recommend narrowing down the FORWARD rule, just to make 
it obvious what's happening when you look at the filter rules, rather 
than having to refer to the nat rules to figure out what traffic is being 
allowed.

In other words, make the ruleset slightly more obvious, so you don't make the 
same mistake I did, when you come to read the ruleset in 3 months' time :)

Regards,

Antony.

-- 
People who use Microsoft software should be certified.

                                                     Please reply to the list;
                                                           please don't CC me.
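The point Antony makes above - that the DNAT rule in the nat table is what actually limits inbound traffic to TCP/80, but the FORWARD rule in the filter table should say so too - is illustrated below with an added example. It is not Brent's ruleset nor anything posted in this thread; it assumes the interface layout from Brent's description (eth0 = LAN 192.168.2.0/24, eth1 = DMZ host 192.168.3.3) and assumes the ppp link is ppp0. IPT defaults to "echo iptables" so the rules can be reviewed without root; run it with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions: eth0 = LAN, eth1 = DMZ, ppp0 = Internet link (interface name assumed),
# DMZ web server at 192.168.3.3, as in Brent's description.
IPT="${IPT:-echo iptables}"   # set IPT=iptables to actually load the rules
LAN_IF=eth0
DMZ_IF=eth1
WAN_IF=ppp0
DMZ_HOST=192.168.3.3

# nat table: only TCP/80 arriving on the ppp link is rewritten to the DMZ host.
# This is what really decides what reaches 192.168.3.3 from the Internet.
nat_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_HOST"
}

# Loose FORWARD rule: accepts any NEW packet for the DMZ host. It is only "safe"
# because the nat rule above never sends anything else there - a reader of the
# filter table alone cannot tell that.
forward_loose() {
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_HOST" -m state --state NEW -j ACCEPT
}

# Narrowed FORWARD rule: states the protocol and port itself, so the filter
# table documents what is allowed without reference to the nat table, and a
# later change to the DNAT rule cannot silently widen what is forwarded.
forward_narrow() {
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_HOST" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Rules common to both variants: return traffic, LAN outbound, default-drop.
forward_common() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
}

# Self-check: the narrowed rule must carry an explicit port match, the loose one does not.
narrow_has_port_match() {
    forward_narrow | grep -q -- '--dport 80' && ! forward_loose | grep -q -- '--dport 80'
}

load_ruleset() {
    nat_rules
    forward_common
    forward_narrow
}

load_ruleset
```

With the default IPT the script just prints the iptables commands, which is a convenient way to diff the loose and narrowed variants before loading either.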
