D-Link DFL-2500 User Guide - Page 141
122 Chapter 14. IP Rules

continue to pass the packets through the rule list until a second rule matches. When the packets are leaving the rule list, this rule redirects them to the destination.

Problem with the current rule set

This rule set makes the internal addresses visible to machines in the DMZ (see Chapter 16, DMZ & Port Forwarding). When internal machines connect to the firewall's external interface address ip ext, they are passed by Rule 2 without NAT, because Rule 2 (the Allow rule) precedes Rule 3 (the NAT rule) and the first matching rule wins. The DMZ servers therefore see the real internal source addresses. From a security perspective, all machines in the DMZ that provide public services should be regarded like any other Internet server connected to an untrusted network: if one of them is compromised, nothing it has learned about the internal addressing should be of use to the attacker.

Alternative Solutions

1. Keep Rule 1 and reverse the order of Rule 2 and Rule 3, so that the NAT rule is applied to internal traffic before the Allow rule can match.

2. Keep Rule 1 and Rule 3, and change Rule 2 so that it only applies to external traffic (most likely traffic arriving on interface WAN): an "Allow" rule that permits the connections redirected by Rule 1 from external sources (most likely interface WAN) on all-nets to the firewall's external public address ip ext.

Tip: Determining the best course of action and the sequential order of the rules must be done on a case-by-case basis, taking all circumstances into account.

D-Link Firewalls User's Guide
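The following is an added example, not configuration or code from the D-Link guide. It models the first-match evaluation described above with a small rule engine: a SAT rule records the destination rewrite and keeps scanning, and the next matching Allow or NAT rule decides the verdict. The contents of Rule 1, Rule 2 and Rule 3, the address-book values (RFC 5737 documentation ranges), the interface names and the rule that a second lookup matches on the packet as it arrived are all assumptions made for the illustration; the guide itself only names the three rules. It evaluates the same internal-to-ip-ext packet against the original order and against both alternative solutions, so the difference in the source address the DMZ server would see is visible as data rather than described in prose.

```python
"""First-match IP rule evaluation with a SAT (redirect) rule.

Added example modelled on the ordering problem in the text. Rule contents,
addresses and interface names are constructed assumptions, not the
DFL-2500's own configuration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed address-book objects (hypothetical values in RFC 5737 ranges).
IP_EXT = "203.0.113.1"      # firewall's public address ("ip ext" in the text)
IP_DMZ = "10.0.0.1"         # firewall's own address on the DMZ interface
DMZ_SERVER = "10.0.0.5"     # public server in the DMZ that Rule 1 redirects to
LANNET = "192.168.1.0/24"
DMZNET = "10.0.0.0/24"
ALL_NETS = "0.0.0.0/0"

# Assumed: the firewall's address on each interface, used as NAT source.
FW_IFACE_IP = {"wan": IP_EXT, "dmz": IP_DMZ, "lan": "192.168.1.1"}


@dataclass(frozen=True)
class Packet:
    src_iface: str   # interface the packet arrived on
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "SAT", "Allow" or "NAT"
    src_iface: str                  # "any", "lan", "wan" or "dmz"
    src_net: str
    dst_net: str
    sat_dst: Optional[str] = None   # new destination, SAT rules only

    def matches(self, pkt: Packet) -> bool:
        return ((self.src_iface in ("any", pkt.src_iface))
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


def egress_iface(dst: str) -> str:
    """Minimal routing table: the interface a packet to dst leaves through."""
    if ip_address(dst) in ip_network(LANNET):
        return "lan"
    if ip_address(dst) in ip_network(DMZNET):
        return "dmz"
    return "wan"


def evaluate(rules, pkt: Packet) -> dict:
    """Walk the rule list top-down. A matching SAT rule stores the rewritten
    destination and scanning continues; the first matching Allow or NAT rule
    after it decides the verdict (assumption: matching uses the addresses the
    packet arrived with, not the SAT-rewritten destination)."""
    sat_rule, new_dst = None, None
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "SAT":
            if sat_rule is None:
                sat_rule, new_dst = rule.name, rule.sat_dst
            continue
        dst = new_dst or pkt.dst
        src = pkt.src
        if rule.action == "NAT":
            # NAT hides the sender behind the firewall's egress-interface address.
            src = FW_IFACE_IP[egress_iface(dst)]
        return {"verdict": "forward", "by": rule.name, "sat": sat_rule,
                "src": src, "dst": dst, "natted": src != pkt.src}
    return {"verdict": "drop", "by": None, "sat": sat_rule,
            "src": pkt.src, "dst": pkt.dst, "natted": False}


# Assumed contents of the three rules discussed in the text.
RULE1 = Rule("Rule 1", "SAT", "any", ALL_NETS, IP_EXT, sat_dst=DMZ_SERVER)
RULE2 = Rule("Rule 2", "Allow", "any", ALL_NETS, IP_EXT)   # the problem: any interface
RULE3 = Rule("Rule 3", "NAT", "lan", LANNET, ALL_NETS)

ORIGINAL = [RULE1, RULE2, RULE3]                                 # problematic order
FIX_REORDER = [RULE1, RULE3, RULE2]                              # alternative solution 1
FIX_RESTRICT = [RULE1, replace(RULE2, src_iface="wan"), RULE3]   # alternative solution 2

# Constructed sample packets.
INTERNAL_TO_EXT = Packet("lan", "192.168.1.10", IP_EXT)
EXTERNAL_TO_EXT = Packet("wan", "198.51.100.7", IP_EXT)

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("reorder", FIX_REORDER),
                         ("restrict", FIX_RESTRICT)):
        for pkt in (INTERNAL_TO_EXT, EXTERNAL_TO_EXT):
            print(label, pkt.src_iface, evaluate(rules, pkt))
```

With the original order the internal packet is forwarded to the DMZ server by Rule 2 with its real source 192.168.1.10; with either fix it is forwarded by Rule 3 with the firewall's DMZ-side address as source, while external traffic still reaches the server through Rule 2 in every variant. Whether the reordered NAT rule is acceptable still depends on the rest of the rule set, which is the case-by-case judgement the Tip refers to.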