Firewall settings?

TType85

[H]ard|Gawd
Joined
Jul 8, 2001
Messages
1,486
I'm a semi-newb on getting firewalls setup but I wonder if this is possible.

Currently we have the following

Internet Connection --> [PFSense*] --> Network (10.150.1.x)
* Ports 80/443 open and NATed to appropriate web servers, nothing else open.

What I want to do is

Internet Connection --> [PFSense*] --> DMZ Web (10.150.2.x) --> [PFSense**] --> Network (10.150.1.x)
* Ports 80/443 open and NATed to appropriate web servers, nothing else open.
** Ports 7070/1433 open both ways, Windows file share open but can only be done from BEHIND the 2nd firewall.

I don't want to be able to hit anything but 7070/1433 on their appropriate servers (NAT?). The Windows file shares that need to be pulled from the DMZ are on the same machine as the 7070 port.

How would I set the firewall rules up for this? Am I even making sense?

firedrow

Limp Gawd
Joined
Oct 11, 2013
Messages
161
You're making sense, this is called Double NAT since you're changing the IP twice. There are several reasons why someone might do this, one such reason would be for your publicly available servers to reach your non-public SQL databases.

I would suggest keeping your file server behind the second firewall, then let your DMZ servers do the SMB/UNC browsing to retrieve what they need. That way if your server becomes compromised, no data other than the website is available.
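As an added example that is not part of this thread or of pfSense itself, here is a small Python model of the two-firewall rule set the poster describes. Each firewall is evaluated the way pfSense walks a rule tab: top to bottom, first match wins, and anything that matches nothing is dropped. The host addresses (10.150.2.10 and .11 for the web servers, 10.150.1.20 for the 7070 service that also holds the file shares, 10.150.1.30 for SQL Server) and the 203.0.113.5 "Internet" client are assumptions made for the example. The point it exercises is the one that carries the design: SMB is passed only when the connection is initiated from the LAN side, so a compromised DMZ box cannot open a session to the shares, while pfSense's stateful filtering lets the reply packets of a LAN-initiated session back through without any DMZ-to-LAN SMB rule.

```python
"""Policy model of the two-pfSense design: FW1 between the Internet and the
DMZ (10.150.2.0/24), FW2 between the DMZ and the LAN (10.150.1.0/24).
First match wins, unmatched traffic is blocked, and because pfSense keeps
state on every pass rule only the initiating direction needs a rule.
Host addresses below are assumptions for the example, not from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("10.150.2.0/24")
LAN = ip_network("10.150.1.0/24")

# Assumed hosts (single-host networks so they can be used as rule targets).
WEB1 = ip_network("10.150.2.10/32")  # public web server, post-NAT address
WEB2 = ip_network("10.150.2.11/32")
APP = ip_network("10.150.1.20/32")   # port 7070 service; also holds the shares
SQL = ip_network("10.150.1.30/32")   # SQL Server on 1433
SMB = frozenset({139, 445})


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[frozenset]  # destination TCP ports; None means any port
    note: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.ports is None or port in self.ports))


# FW1 (edge): only 80/443 to the web servers, nothing else from the Internet.
FW1: List[Rule] = [
    Rule("pass", ANY, WEB1, frozenset({80, 443}), "port forward 80/443 -> web1"),
    Rule("pass", ANY, WEB2, frozenset({80, 443}), "port forward 80/443 -> web2"),
]

# FW2 (inner): DMZ may only initiate 7070 and 1433, each to its own server.
# SMB is only ever initiated from the LAN side; there is no DMZ -> LAN SMB rule.
FW2: List[Rule] = [
    Rule("pass", DMZ, APP, frozenset({7070}), "DMZ -> app service"),
    Rule("pass", DMZ, SQL, frozenset({1433}), "DMZ -> SQL Server"),
    Rule("pass", LAN, DMZ, frozenset({7070, 1433}), "'both ways' for 7070/1433"),
    Rule("pass", LAN, DMZ, SMB, "file-share sessions opened from inside only"),
]


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule decides; no match is the implicit default block."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, port):
            return rule.action
    return "block"


def path_verdict(src: str, dst: str, port: int) -> str:
    """Verdict for a new connection across whichever firewalls sit in its path."""
    s, d = ip_address(src), ip_address(dst)
    if (s in DMZ and d in LAN) or (s in LAN and d in DMZ):
        return evaluate(FW2, src, dst, port)
    if s not in DMZ and s not in LAN:                # coming from the Internet
        if d in DMZ:
            return evaluate(FW1, src, dst, port)
        if d in LAN:                                 # would have to cross both
            both = (evaluate(FW1, src, dst, port), evaluate(FW2, src, dst, port))
            return "pass" if both == ("pass", "pass") else "block"
    raise ValueError("only inbound and DMZ<->LAN flows are modelled")


# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS: Dict[str, Tuple[str, str, int]] = {
    "internet -> web1:443": ("203.0.113.5", "10.150.2.10", 443),
    "internet -> web1:22": ("203.0.113.5", "10.150.2.10", 22),
    "internet -> sql:1433": ("203.0.113.5", "10.150.1.30", 1433),
    "web1 -> sql:1433": ("10.150.2.10", "10.150.1.30", 1433),
    "web1 -> app:7070": ("10.150.2.10", "10.150.1.20", 7070),
    "web1 -> sql:7070 (wrong server)": ("10.150.2.10", "10.150.1.30", 7070),
    "web1 -> app:445 (SMB from DMZ)": ("10.150.2.10", "10.150.1.20", 445),
    "app -> web1:445 (SMB from inside)": ("10.150.1.20", "10.150.2.10", 445),
}


def check_all() -> Dict[str, str]:
    """Verdict for every sample flow, keyed by its label."""
    return {name: path_verdict(*flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{verdict:5}  {name}")
```

Running it prints one verdict per sample flow. In the real pfSense GUI each line of FW1 is a port forward on the WAN tab whose associated filter rule targets the post-NAT private address, and each line of FW2 is a single pass rule on the DMZ or LAN tab with the destination restricted to the one host; everything not listed falls through to the default deny.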

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
9,330
Double natting adds a little latency if that is a concern. Just putting it out there.

TType85

[H]ard|Gawd
Joined
Jul 8, 2001
Messages
1,486
firedrow said:
> You're making sense, this is called Double NAT since you're changing the IP twice. There are several reasons why someone might do this, one such reason would be for your publicly available servers to reach your non-public SQL databases.
>
> I would suggest keeping your file server behind the second firewall, then let your DMZ servers do the SMB/UNC browsing to retrieve what they need. That way if your server becomes compromised, no data other than the website is available.

Thanks for the reply. Good to know I am on the right track.

tangoseal said:
> Double natting adds a little latency if that is a concern. Just putting it out there.

Latency is not a big issue with this application, but I'll keep an eye on that.