Protocols and ports typically open on a firewall for a DMZ

renee-brown
Level 1

I am not knowledgeable in this area. What protocols and ports would I typically open on a firewall for a DMZ? Firewall PIX and Rapture (rule sets)?

Please email me at rbrown21117@yahoo.com as well.

THX

3 Replies

gfullage
Cisco Employee

Typically, in fact always, only open the minimum required to allow traffic through.

What this means is that it really depends on what type of servers you have on the DMZ. If you have a web server, only open TCP/80. If it also has secure pages on it, open TCP/443 as well. If you have a mail server, open TCP/25. Only open the necessary ports to the specific host, not to every host on the DMZ (only TCP/80 to your web server and only TCP/25 to your mail server).

Always, always, always, always deny everything else that is not explicitly necessary.

Great, one more question. Could you provide the inbound and outbound connections? I wrote it, but I would like to compare it against what you say. THX

Outbound I wouldn't specifically allow anything, because the PIX will dynamically open holes for the return traffic.

Inbound, let's say you have a web server at 200.1.1.1 and a mail server at 200.1.1.2 (these are statically mapped to internal addresses 10.1.1.1 and 10.1.1.2 respectively), you'd want something like the following:

access-list inbound permit tcp any host 200.1.1.1 eq www
access-list inbound permit tcp any host 200.1.1.2 eq smtp
access-group inbound in interface outside
static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255
static (inside,outside) 200.1.1.2 10.1.1.2 netmask 255.255.255.255
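The following is an added example and is not part of the thread above or any Cisco tool: a small Python linter that applies the rule stated in the replies (one specific host, one specific port, everything else denied) to PIX 6.x-style access-list entries. It parses each permit, then flags entries whose destination is broader than a single host, that omit a destination port, that permit the whole ip protocol, or that open a port the host is not supposed to serve. The service inventory EXPECTED_SERVICES and the over-broad entries in SAMPLE_ACL are constructed for this illustration; only the first two access-list entries are the ones from the reply. Source-port qualifiers and "range" are deliberately not handled.

```python
"""Least-privilege linter for PIX-style inbound access-list entries (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service keywords PIX accepts on the command line, mapped to port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21,
              "ssh": 22, "domain": 53, "pop3": 110, "imap4": 143}

# Constructed inventory (assumption): the ports each published outside address
# is supposed to serve, using the addresses from the thread.
EXPECTED_SERVICES = {
    "200.1.1.1": {80, 443},   # web server, plain and TLS
    "200.1.1.2": {25},        # mail server
}

# Constructed sample ACL: the two entries from the reply, followed by
# over-broad entries an administrator might be tempted to add.
SAMPLE_ACL = [
    "access-list inbound permit tcp any host 200.1.1.1 eq www",
    "access-list inbound permit tcp any host 200.1.1.2 eq smtp",
    "access-list inbound permit tcp any 200.1.1.0 255.255.255.0 eq www",
    "access-list inbound permit tcp any host 200.1.1.2",
    "access-list inbound permit ip any host 200.1.1.1",
    "access-list inbound permit tcp any host 200.1.1.1 eq 3389",
    "access-group inbound in interface outside",
]


@dataclass
class Rule:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]       # None means every port is permitted


def parse_endpoint(tokens):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D MASK) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)                      # dotted netmask, PIX style
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse_rule(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a Rule."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    _, name, action, proto = tokens[:4]
    rest = tokens[4:]
    src = parse_endpoint(rest)
    dst = parse_endpoint(rest)
    port = None
    if rest and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif rest:
        raise ValueError(f"unsupported qualifier {rest[0]!r} in {line!r}")
    return Rule(name, action, proto, src, dst, port)


def lint(lines, expected=EXPECTED_SERVICES):
    """Return (line, finding) pairs for permits that are broader than necessary."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith("access-list"):
            continue                          # access-group, static, etc.
        rule = parse_rule(line)
        if rule.action != "permit":
            continue                          # explicit denies are never too broad
        if rule.proto == "ip":
            findings.append((line, "permits every protocol; name tcp/udp and a port"))
        elif rule.dst.prefixlen < 32:
            findings.append((line, f"destination {rule.dst} is not a single host"))
        elif rule.proto in ("tcp", "udp") and rule.port is None:
            findings.append((line, "permits every port; add 'eq <port>'"))
        else:
            host = str(rule.dst.network_address)
            allowed = expected.get(host)
            if allowed is None:
                findings.append((line, f"{host} is not in the service inventory"))
            elif rule.port not in allowed:
                findings.append((line, f"port {rule.port} is not a published service on {host}"))
    return findings


if __name__ == "__main__":
    for line, why in lint(SAMPLE_ACL):
        print(f"{why}\n    {line}")
```

Run against SAMPLE_ACL, the two entries from the reply pass and the four constructed entries are each reported; feeding a real PIX `show access-list` dump through lint() with an inventory of the services the DMZ hosts actually publish gives a quick check that nothing wider than "this host, this port" has crept in.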