Home page logo

basics logo Security Basics mailing list archives

Re: DMZ / Firewall rule diagramming
From: Michael Gale <michael.gale () bluesuperman com>
Date: Sun, 05 Dec 2004 19:26:16 -0700


Check out some firewall appliances ... most of them have some sort of standard.

For example I used the following:

Connections from Internal to the DMZ are allowed if they match one of the forward rules on the firewall.

The forward rules only allow packets from sources addresses to destination addresses on specific ports which are ruled to be a business requirement.

For connections coming from the DMZ to the internal network which are required for business (Example. Postfix SMTP server to forward mail on to Exchange). The DMZ server connects to a proxy or a NATing rule.

DMZ server never know the IP of a internal server, the DMZ network has the same relations with the internal network as the external network does with the DMZ.

So the DMZ mail server would connect it port 25 on the firewall and that traffic would get forwarded to the Exchange server.

That is the standard that I use ... was this what you were looking for ?


Craig Humphrey wrote:

Can anyone point me at some resources on how to diagram firewall rules?
Every time I talk to another engineer, they want it in a different
format... It's driving me nuts!  So I'm looking for something reasonably
standard that I can at least use internally, if not force on the


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]