firewall

Mike Sheldon msheldon@desertraven.com
Fri, 21 Apr 2000 14:53:20 -0700


I believe the ports you will need to leave open for NetBIOS are TCP:138 and
TCP:139

The ideal is to put the public servers in the DMZ, and allow NetBIOS traffic
between the private zone and DMZ, while blocking NetBIOS access from the
outside and allowing port 80 from the outside to the DMZ. I've worked for a
company that is set up this way.

If I remember right:

outside to private: no access allowed.
private to outside: NAT
private to DMZ: unlimited access for specified private hosts (development/IT
group only)
DMZ to private: limited access to development/IT and private database
servers.
outside to DMZ: port 80, 443, 25, etc... only
DMZ to outside: port 80 and 443 *replies* only, port 25, etc...

Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request
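The zone policy sketched above, written out as an ipchains ruleset. This is an added example, not code from Mike's or Joel's messages or from either of their networks: every interface name, address, host list and port number in it is an assumption for illustration. It implements the policy as listed (outside to private denied, private to outside masqueraded, outside to DMZ on the public ports with replies only back out, DMZ to a private database host on one port) with one deliberate narrowing: private-to-DMZ access for the development/IT hosts is limited to what drive mapping needs, TCP 139 (NetBIOS session service) plus UDP 137/138 (name and datagram services), rather than "unlimited". The "DMZ to private: limited access to development/IT" item is covered only as replies to connections those hosts opened.

```shell
#!/bin/sh
# Added example (not from the original thread): an ipchains ruleset for the
# three-zone layout (outside / private / DMZ) described in the reply above.
# Every interface name, address, host list and port below is an assumption
# for illustration; substitute the real ones.  Run as-is to print the rules
# (DRY_RUN=1 is the default); run as root with DRY_RUN=0 to apply them.

DRY_RUN="${DRY_RUN:-1}"

EXT_IF=eth0                   # outside (Internet)
PRIV_IF=eth1                  # private LAN
DMZ_IF=eth2                   # DMZ holding the IIS e-commerce servers
PRIV_NET=192.168.1.0/24       # assumed private range
DMZ_NET=192.168.2.0/24        # assumed DMZ range
DEV_HOSTS="192.168.1.10 192.168.1.11"   # assumed development/IT workstations
DB_HOST=192.168.1.50          # assumed private database server
DB_PORT=1433                  # assumed database port (MS SQL Server)
PUBLIC_TCP="80 443 25"        # services the outside may reach in the DMZ
OUTBOUND_TCP="25"             # new connections the DMZ may open to outside

# Print or execute an ipchains command depending on DRY_RUN.
ic() {
    if [ "$DRY_RUN" = "0" ]; then ipchains "$@"; else echo "ipchains $*"; fi
}

fw_apply() {
    ic -F
    ic -P forward DENY            # routed traffic: deny unless listed below
    # Anti-spoofing: packets claiming inside addresses must not arrive outside.
    ic -A input -i "$EXT_IF" -s "$PRIV_NET" -j DENY -l
    ic -A input -i "$EXT_IF" -s "$DMZ_NET"  -j DENY -l

    # private -> outside: masquerade.  Replies are demasqueraded by the kernel
    # and skip the forward chain, so no return rule is needed.
    ic -A forward -i "$EXT_IF" -s "$PRIV_NET" -j MASQ

    # outside -> private: nothing; the forward policy DENY covers it.

    # outside -> DMZ: public services; DMZ -> outside: their *replies* only
    # (source port = service port and not a SYN-only packet: "! -y").
    for p in $PUBLIC_TCP; do
        ic -A forward -i "$DMZ_IF" -p tcp -s ! "$PRIV_NET" -d "$DMZ_NET" "$p" -j ACCEPT
        ic -A forward -i "$EXT_IF" -p tcp ! -y -s "$DMZ_NET" "$p" -d ! "$PRIV_NET" -j ACCEPT
    done
    # DMZ -> outside: new connections on the listed ports (outbound mail),
    # and the outside's replies to them.
    for p in $OUTBOUND_TCP; do
        ic -A forward -i "$EXT_IF" -p tcp -s "$DMZ_NET" -d ! "$PRIV_NET" "$p" -j ACCEPT
        ic -A forward -i "$DMZ_IF" -p tcp ! -y -s ! "$PRIV_NET" "$p" -d "$DMZ_NET" -j ACCEPT
    done

    # private (dev/IT hosts only) -> DMZ: the NetBIOS ports drive mapping
    # needs (TCP 139 session service, UDP 137/138 name and datagram services)
    # plus the replies.  No other private host reaches the file shares.
    for h in $DEV_HOSTS; do
        ic -A forward -i "$DMZ_IF"  -p tcp -s "$h" -d "$DMZ_NET" 139 -j ACCEPT
        ic -A forward -i "$PRIV_IF" -p tcp ! -y -s "$DMZ_NET" 139 -d "$h" -j ACCEPT
        ic -A forward -i "$DMZ_IF"  -p udp -s "$h" -d "$DMZ_NET" 137:138 -j ACCEPT
        ic -A forward -i "$PRIV_IF" -p udp -s "$DMZ_NET" 137:138 -d "$h" -j ACCEPT
    done

    # DMZ -> private: only the database server on its port, and its replies.
    ic -A forward -i "$PRIV_IF" -p tcp -s "$DMZ_NET" -d "$DB_HOST" "$DB_PORT" -j ACCEPT
    ic -A forward -i "$DMZ_IF"  -p tcp ! -y -s "$DB_HOST" "$DB_PORT" -d "$DMZ_NET" -j ACCEPT

    # Log whatever falls through so the policy can be debugged.
    ic -A forward -j DENY -l
}

fw_apply
```

Two caveats worth keeping in mind. ipchains is stateless, so every reply direction needs its own rule; the "replies only" rules above key on the service source port together with `! -y`, which a compromised DMZ host can satisfy deliberately (send from source port 80 with ACK set), so treat them as a speed bump rather than a guarantee; iptables connection tracking on 2.4 kernels removes the need for this trick. The firewall host's own input and output chains are left at their default policy here, so locking down services listening on the firewall itself is a separate job.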

-----Original Message-----
From: plug-discuss-admin@lists.PLUG.phoenix.az.us
[mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of Joel
Dudley
Sent: Friday, April 21, 2000 14:25
To: plug-discuss@lists.PLUG.phoenix.az.us
Subject: firewall


I am setting up a firewall for work using the standard
squid/ipchains/masquerade setup.  Our e-commerce servers are going to be on
the public side of the firewall; they all run IIS on NT because our product
is written in Visual FoxPro.  Now the programmers on the private side of
the firewall are going to want to be able to map drives on the public
servers to change data.  I told them that this is a no-no and that they
should just use the development server I set up to make changes.  Turns out
they won't listen to me and the boss agrees with them.  I believe that all NT
domain control will go out the window when I implement the firewall (if I
set it up right), so all of the servers will reside in their own isolated
"commerce" domain.  Is there any way I can allow these wondoze freaks to map
drives across this network without compromising too much security?  Maybe I
should just allow ftp access across from the internal network.  Thanks for
any ideas on this situation.

- Joel


_______________________________________________
Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss