I want to set up a WAN, a DMZ and a private LAN.

I want to do a deny all and just open the 4-5 ports that I need to the DMZ, and a deny all on the private LAN.

On the DMZ are web servers; all have public IPs.

I have 3 NICs in this box.

em1 = WAN, and that is a static IP provided by my ISP. em3 = LAN, and pfSense gave that a 192.168.x.x address.

So my connection goes INTERNET -> pfSense box -> public switch; the public servers with public IPs are plugged in here. I then also want pfSense box -> private switch -> private stuff like wireless, laptops, etc.

What I don't see is how to create a DMZ (if that needs to be separate).

How does one edit the rule sets?

Anyone have a good play by play tutorial?

UPDATE 1: OK, I see that people usually create a DMZ by defining the OPT interface.

Jason

1 Answer

The best way to set this up is to deny all by default between all three zones and only allow ports as needed. You should create a ruleset for INTERNET <-> DMZ traffic, INTERNET <-> PRIVATE traffic, and DMZ <-> PRIVATE traffic. All rulesets should be deny all by default. Then, as needed, open up specific ports.

Another best practice is to only open ports to and from specific IPs. If you intend to only modify a specific web server with DMZ_IP_X over SSH from a specific machine with PRIV_IP_Y, then you should open port 22 only from PRIV_IP_Y to DMZ_IP_X, and not all traffic on port 22 from PRIVATE to DMZ.

In essence, you want to treat your DMZ as though it's another private zone. The only real difference is that you should turn off DHCP in your DMZ and have separate routing rules to allow those machines to talk directly with the internet. As far as firewall rules go, you still want to deny all by default, only opening specific ports as needed.

Agrajag9
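As an added example (not from the question or the answer above), here is the three-zone, deny-by-default policy written as a plain pf ruleset, the packet filter pfSense is built on; pfSense's GUI rules map onto the same structure: evaluated on the interface where traffic enters, first match wins (`quick`), and the state entry carries the packet out the other interface and the reply back. Assumed: the third NIC is em2 and serves as OPT1/DMZ, and every address, DMZ_IP_X and PRIV_IP_Y included, is a placeholder.

```pf
# Added example, not the poster's configuration. Assumptions: em1 = WAN,
# em2 = DMZ (OPT1), em3 = LAN; all addresses below are placeholders.
wan_if = "em1"
dmz_if = "em2"
lan_if = "em3"

lan_net     = "192.168.1.0/24"                   # private LAN (placeholder)
web_servers = "{ 203.0.113.10, 203.0.113.11 }"   # public DMZ hosts (placeholder)
web_ports   = "{ 80, 443 }"                      # the only ports published to the internet
admin_host  = "192.168.1.50"                     # PRIV_IP_Y: the one box allowed to SSH
ssh_target  = "203.0.113.10"                     # DMZ_IP_X: the one server it may reach

set skip on lo0

# Translation section must precede filtering: LAN clients go out NATed,
# DMZ hosts keep their public IPs and are not translated.
nat on $wan_if from $lan_net to any -> ($wan_if)

# Deny all by default on every interface in every direction, and log it.
# Every rule below uses "quick", so the first matching rule wins.
block log all
antispoof quick for { $dmz_if $lan_if }

# DMZ <-> PRIVATE: only SSH from the admin host to the one web server.
# The explicit blocks keep the broader LAN/DMZ pass rules further down
# from silently re-opening this boundary.
pass in quick on $lan_if proto tcp from $admin_host to $ssh_target port 22
block in quick on $lan_if from $lan_net to $web_servers
block in quick on $dmz_if from $web_servers to $lan_net

# INTERNET <-> DMZ: the internet reaches the web ports only; the DMZ hosts
# may initiate outbound (updates, DNS) but not to the LAN (blocked above).
pass in quick on $wan_if proto tcp from any to $web_servers port $web_ports
pass in quick on $dmz_if from $web_servers to any

# INTERNET <-> PRIVATE: LAN may go out; nothing unsolicited comes in on WAN.
pass in quick on $lan_if from $lan_net to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without applying; in pfSense itself the same rules are entered per interface in the GUI, in the same order.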