Home page logo

basics logo Security Basics mailing list archives

RE: DMZ / Firewall rule diagramming
From: "aldr1c" <aldr1c () nildram co uk>
Date: Tue, 7 Dec 2004 21:21:04 -0000


        What you are after is laudable, but apparently not standardised.
How about coming at the issue from the other side?  OSSTMM provides
templates for testing firewall responses.  Would it be of use to use a
similar form/layout/series of Visio callouts to indicate the acceptable
responses for traffic types, port ranges, NAT/PAT etc?
        I think that it is going to be down to you (not really what you want
to hear, I know) and as always the rest of us would be interested in how you

All the best.


-----Original Message-----
From: Craig Humphrey [mailto:Craig.Humphrey () chapmantripp com] 
Sent: 06 December 2004 04:34
To: security-basics () securityfocus com
Cc: Michael Gale
Subject: RE: DMZ / Firewall rule diagramming

Hi Michael,

From the responses I'm getting, I don't think I explained the situation
very well.

I'm not after "how to write rules" or "what rules should I have".  I'm
looking for a generic way to diagram the rules I already have.
Preferably something nice a visual (like Visio), but even Visio starts
to get cumbersome with a complex DMZ, even breaking flows/rules into
layers only goes so far.

I was hoping that the industry had developed some formal standards for
diagramming DMZs and flows/rules.


-----Original Message-----
From: Michael Gale [mailto:michael.gale () bluesuperman com] 
Sent: Monday, December 06, 2004 3:26 PM
To: Craig Humphrey; security-basics () securityfocus com
Subject: Re: DMZ / Firewall rule diagramming


      Check out some firewall appliances ... most of them 
have some sort of 

For example I used the following:

Connections from Internal to the DMZ are allowed if they match one of 
the forward rules on the firewall.

The forward rules only allow packets from sources addresses to 
destination addresses on specific ports which are ruled to be 
a business 

For connections coming from the DMZ to the internal network which are 
required for business (Example. Postfix SMTP server to 
forward mail on 
to Exchange). The DMZ server connects to a proxy or a NATing rule.

DMZ server never know the IP of a internal server, the DMZ 
network has 
the same relations with the internal network as the external network 
does with the DMZ.

So the DMZ mail server would connect it port 25 on the 
firewall and that 
traffic would get forwarded to the Exchange server.

That is the standard that I use ... was this what you were 
looking for ?


No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.289 / Virus Database: 265.4.6 - Release Date: 05/12/2004

No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.289 / Virus Database: 265.4.7 - Release Date: 07/12/2004

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]