[Firewall] DMZ-IP

Lonnie Abelbeck lists at lonnie.abelbeck.com
Wed Jan 14 19:31:15 CET 2009

On Jan 14, 2009, at 11:48 AM, Darrick Hartman wrote:

> I'm trying to figure out a way to implement the following
> 'feature'.  I don't think it's possible as a plugin because it would
> likely need to be applied before many of the rules in the main script.
> The feature follows:
> Many firewall 'appliances' allow a so-called DMZ where all
> unassigned inbound traffic is directed to a specific IP address on
> the LAN.  I need to duplicate this behavior and hope we can find a
> way to do this cleanly with Arno's script.
> So as an example:
> TCP 80 -> NAT
> TCP 25 -> NAT
> ALL other inbound traffic -> NAT
> I suppose that NAT_TCP_FORWARD, NAT_UDP_FORWARD could be used with
> some very wide ranges with the specified ports listed before the
> wide range, but I was hoping for something cleaner that would ensure
> that DMZ-IP forwards would happen at the right time without having
> to ensure they were listed last in these other fields.
> Darrick

Interesting idea...

This would allow multiple firewalls to be easily placed back-to-back: the
first firewall handles what it chooses and then forwards everything else
to another firewall downstream.

Possibly Arno could add something like:


before his DENYs, to forward traffic to a particular IP address
immediately before it would normally be blocked.
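The ordering the thread is discussing, as an added example that is not Arno's script and not code posted by anyone on the list: a POSIX shell function that generates an iptables-restore fragment in which the explicit forwards (TCP 80, TCP 25) come first in nat/PREROUTING, the catch-all DMZ-host DNAT comes last, and the matching FORWARD accepts sit directly above the final DROP, i.e. the "DENY" Lonnie refers to. It goes slightly beyond the thread by adding a check that rejects a ruleset where the catch-all has been placed above an explicit forward. The interface names eth0/eth1, the addresses and the ports are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not Arno's script or code from this list: generate an
# iptables-restore ruleset with the ordering the thread asks for.
#   1. explicit port forwards first (they win),
#   2. the catch-all "DMZ host" DNAT last in nat/PREROUTING,
#   3. FORWARD accepts for the DNATed traffic, then the final DROP (the "DENY").
# Interface names, addresses and ports are illustrative assumptions.
#
# Usage: gen_dmz_ruleset WAN_IF LAN_IF DMZ_IP [proto:port:host ...]

gen_dmz_ruleset() {
    wan=$1; lan=$2; dmz=$3
    shift 3

    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # Explicit forwards in the order given; each claims its port before the
    # catch-all below can see it.
    for fwd in "$@"; do
        proto=${fwd%%:*}; rest=${fwd#*:}; port=${rest%%:*}; host=${rest#*:}
        printf '%s\n' "-A PREROUTING -i $wan -p $proto --dport $port -j DNAT --to-destination $host:$port"
    done
    # Catch-all: every other connection arriving on the WAN side is sent to
    # the DMZ host. Caveat: this also captures traffic addressed to the
    # firewall itself (its own SSH, for instance); any service the firewall
    # must keep needs an exclusion rule placed above this line.
    printf '%s\n' "-A PREROUTING -i $wan -j DNAT --to-destination $dmz"
    printf '%s\n' "-A POSTROUTING -o $wan -j MASQUERADE" 'COMMIT'

    # Only FORWARD is covered here; INPUT/OUTPUT belong to the rest of the
    # firewall. Apply with 'iptables-restore --noflush' to append to it.
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Accept only what the nat table actually rewrote (ctstate DNAT), each
    # to the host that was chosen for it.
    for fwd in "$@"; do
        proto=${fwd%%:*}; rest=${fwd#*:}; port=${rest%%:*}; host=${rest#*:}
        printf '%s\n' "-A FORWARD -i $wan -o $lan -d $host -p $proto --dport $port -m conntrack --ctstate DNAT -j ACCEPT"
    done
    # The DMZ host is reachable on every port from the WAN: treat it as
    # fully exposed and harden it accordingly.
    printf '%s\n' "-A FORWARD -i $wan -o $lan -d $dmz -m conntrack --ctstate DNAT -j ACCEPT"
    # The "DENY": anything else from the WAN is dropped.
    printf '%s\n' "-A FORWARD -i $wan -j DROP" 'COMMIT'
}

# Sanity check for a ruleset read from stdin: the catch-all DNAT (the one
# with no -p match) must come after every explicit DNAT in PREROUTING,
# otherwise it shadows the forwards listed below it.
catchall_is_last() {
    awk '
        /^-A PREROUTING / && / -j DNAT / {
            if ($0 ~ / -p /) last_specific = NR; else catchall = NR
        }
        END { exit !(catchall > 0 && catchall > last_specific) }'
}

# Stand-alone run: print the ruleset for two explicit forwards plus a DMZ host.
gen_dmz_ruleset eth0 eth1 192.168.1.20 tcp:80:192.168.1.10 tcp:25:192.168.1.11
```

The `-m conntrack --ctstate DNAT` match in FORWARD ties each accept to a rewrite the nat table actually performed, so the filter chain cannot be widened by a later rule that forgets the ordering; pipe the output through `catchall_is_last` before loading it to confirm the DMZ rule has not drifted above an explicit forward.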

