John,
You will have to make specific rules for each protocol for each IP that you want to go from/to, unless it's something like ALLOW port 25 FROM 192.168.0.100 TO *, or TO WAN. In a setup I had of maybe 4 servers in the DMZ, plus the allow-out rules from the LAN, I ended up with close to 100 rules in there. It does get to be a headache, but security is never convenient...

Cavell McDermott
Domino Admin
APW Ltd. - Texas Campus
214-343-1400 - Main
214-355-2022 - Direct
214-341-9950 - Fax
http://www.apw.com

From: johndean@engage net.com
Sent by: sonicwall-owner@peake.com
To: [EMAIL PROTECTED]
cc:
Date: 07/10/2002 07:08 AM
Subject: [SonicWALL]- Rules question
Please respond to sonicwall

This might get lengthy, I apologize.

Replacing a failing Pro-VX with the new Pro-300 SonicWALL RMA'd to me. The old Pro-VX was set up to pretty much allow anything from the LAN to the WAN because of the political BS here. That's changed, so on the new Pro-300 I had set the default rules to be deny, then added specific rules that would be allowed.

Now, I currently have 28 rules allowing various things (our own proprietary stuff, obvious things like HTTP, DNS, telnet, NTP, HTTPS, etc.), and the 29th rule is deny (default) WAN to DMZ, the 30th is deny (default) * to LAN, and the 31st rule is deny (default) LAN to *.

My mail server is using 1-to-1 NAT for port 80 (Exchange's OWA) and port 25 (SMTP). There are rules at the top for it, and that works fine. Anything I have going specifically to an IP address seems to work just great.

However, I have 3 servers in the DMZ, and while I have rules above the bottom three deny rules (the only rules that deny anything), I can't get at them at all from outside. My question is, if there's a deny default rule at the bottom, are rules that allow a protocol to go from * to * enough to allow something? I would have thought so.
My setup shows some of the explicit rules for 1-to-1 NAT at the top, my SMTP rules that go to an explicit address, my outbound SMTP that allows it only from my internal SMTP server to *, and an FTP rule that goes from * to the DMZ. From there on down, everything was the allowed protocols (PC Anywhere, HTTP, DNS, then all of our proprietary ports that the devices we make here use). All of the allowed protocols were from * to *. I would've thought that was enough to allow the traffic.

Do I actually have to specify each protocol in any possible direction it can go? That would give me a handful of rules for each one. I don't think the SonicWALLs can hold *that* many rules, can they? IIRC wasn't there a limit of like 100 rules?

Anyone come across bizarre (to me) behavior like this? I'm guessing I'm missing something obvious or proprietary to SonicWALL, because from a logical standpoint I would've expected this to work with no problems.

Thanks for any info,
John

---
[This E-mail scanned for viruses by Declude/F-Prot AV]

===================================================================================================
To unsubscribe, send email to [EMAIL PROTECTED]
In the body of the email put the following:
unsubscribe sonicwall your_name
The archive of this list is at http://www.mail-archive.com/sonicwall%40peake.com/
