11.3 DMZ Rule Sets


Depending on the types of services offered within the DMZ, the firewall rule sets might be very simple or very complex. In a typical design, where only a web server, mail server, and DNS server are placed in the DMZ, the rule set is relatively simple. Traffic destined for the appropriate ports on the appropriate servers should be allowed, and everything else denied.

The secondary firewall is a little more complex. Obviously, administrators do not want mail stored on a server in the DMZ, and certainly users should not be checking mail on a server in the DMZ, so the mail server in the DMZ is really a dummy. It simply relays all incoming mail to a mail server on the private network. To accomplish this, the secondary firewall has to allow Port 25 traffic from the public mail server IP address to the private mail server IP address.

Unless the network is using a multiple DMZ design, the web server IP address has to be allowed to query the database server on the private network, so a port or ports will need to be opened for that connection. If the DNS administrators are running a split-DNS design, the public DNS server will need to query the private DNS server on Port 53. To simplify the rule set, the source port the public DNS server uses for these queries will need to be set to Port 53.

Various employees will need to be able to access the servers for monitoring and management purposes. Traffic from the internal network should be allowed to the private interfaces of the servers, but no traffic should be allowed to originate from those private server interfaces into the internal network. Remember, it is just as important to filter private to public traffic as it is to filter public to private traffic.
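As an added example (not from the book), the secondary-firewall rule set this section describes, modelled as a first-match packet filter in Python. The addresses, the 10.0.0.0/16 internal range, the 10.1.0.0/24 management subnet and the database port 5432 are constructed placeholders, not values from the text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addresses (placeholders, not from the book).
PUB_MAIL, PRIV_MAIL = "192.0.2.25", "10.0.0.25"   # DMZ relay -> private mail server
PUB_WEB, PRIV_DB = "192.0.2.80", "10.0.0.50"      # DMZ web server -> private database
PUB_DNS, PRIV_DNS = "192.0.2.53", "10.0.0.53"     # public DNS -> private DNS (split DNS)
INTERNAL = ip_network("10.0.0.0/16")              # internal user/admin network
DMZ_MGMT = ip_network("10.1.0.0/24")              # private interfaces of the DMZ servers
DB_PORT = 5432                                    # assumed database port

@dataclass(frozen=True)
class Rule:
    src: Optional[object]    # ip_network, or None for "any"
    dst: Optional[object]
    dport: Optional[int]     # None for "any"
    sport: Optional[int]
    action: str

def _net(host_or_net):
    return None if host_or_net is None else ip_network(host_or_net, strict=False)

# Secondary firewall (DMZ <-> private) rule set: first match wins, final rule is default deny.
RULES = [
    Rule(_net(PUB_MAIL), _net(PRIV_MAIL), 25, None, "allow"),       # relay inbound mail only
    Rule(_net(PUB_WEB), _net(PRIV_DB), DB_PORT, None, "allow"),     # web server database queries
    # Split DNS: the public server must send from source port 53. A source-port match
    # only trusts the sender to set it; the source address is what limits the rule's scope.
    Rule(_net(PUB_DNS), _net(PRIV_DNS), 53, 53, "allow"),
    Rule(INTERNAL, DMZ_MGMT, None, None, "allow"),                  # monitoring and management
    Rule(None, None, None, None, "deny"),                           # everything else
]

def _matches(rule, s, d, dport, sport):
    return ((rule.src is None or s in rule.src)
            and (rule.dst is None or d in rule.dst)
            and (rule.dport is None or rule.dport == dport)
            and (rule.sport is None or rule.sport == sport))

def decide(src, dst, dport, sport=None):
    """Return 'allow' or 'deny' for a flow, evaluating RULES in order."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if _matches(rule, s, d, dport, sport):
            return rule.action
    return "deny"   # unreachable because of the catch-all rule, kept as a safe default
```

Note that the reverse direction, from a DMZ server's private interface into the internal network, falls through to the default deny even on a management port.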

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska