42.5. Example 5: Web Server in the DMZ


  • A web server is located in a DMZ (De-Militarized Zone) and has an official IP (LAN without NAT). Classic routing is used (see Section 10.7.1, "Classic Routing").

  • The router of the provider has the IP, the external IP of the Intra2net system is (network mask

  • The DMZ uses the network (30 bit network with 4 IPs), the Intra2net system has the IP, the web server

  • Access to TCP ports 80 and 443 (predefined services http and https) of the web server is permitted from the Internet.

  • The clients in the LAN have full access to the web server.

  • The clients in the LAN may access the Internet only via the proxy; email is only possible via the Intra2net system.

  • The web server only has access to TCP port 3306 of a database server (IP in the LAN.

  • The web server may use the DNS and SMTP services of the Intra2net system.
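The requirements above can be written down as a default-deny flow matrix and checked before any rule is entered in the firewall. The following is an added example, not part of the Intra2net documentation or product: all addresses are constructed placeholders (the page does not give the real ones), the names `RULES`, `allowed` and `audit` are hypothetical, and the DNS (53) and SMTP (25) port numbers are the standard ones for those services.

```python
import ipaddress as ip

# Constructed placeholder addresses; the real IPs are not given on the page.
NETS = {"lan": ip.ip_network("10.0.0.0/24"), "dmz": ip.ip_network("192.0.2.0/30")}
HOSTS = {
    "fw": ip.ip_address("192.0.2.1"),    # Intra2net system, DMZ side
    "web": ip.ip_address("192.0.2.2"),   # web server in the DMZ
    "db": ip.ip_address("10.0.0.20"),    # database server in the LAN
}

# (source, destination, protocol, ports); first match accepts, anything else is denied.
RULES = [
    ("internet", "web", "tcp", {80, 443}),   # http/https from the Internet
    ("lan", "web", "any", None),             # LAN clients: full access to the web server
    ("web", "db", "tcp", {3306}),            # web server -> database only
    ("web", "fw", "udp", {53}),              # DNS on the Intra2net system
    ("web", "fw", "tcp", {53, 25}),          # DNS over TCP and SMTP
]

def zone_of(addr):
    """Map an address to 'lan', 'dmz' or 'internet' (everything else)."""
    return next((name for name, net in NETS.items() if addr in net), "internet")

def matches(selector, addr):
    """A selector is either a single named host or a whole zone."""
    if selector in HOSTS:
        return addr == HOSTS[selector]
    return zone_of(addr) == selector

def allowed(src, dst, proto, port):
    s, d = ip.ip_address(src), ip.ip_address(dst)
    return any(
        matches(r_src, s) and matches(r_dst, d)
        and r_proto in ("any", proto)
        and (r_ports is None or port in r_ports)
        for r_src, r_dst, r_proto, r_ports in RULES
    )

# Expected verdicts derived from the task description (constructed test flows).
EXPECTED = [
    ("198.51.100.7", "192.0.2.2", "tcp", 443, True),    # Internet -> https
    ("198.51.100.7", "192.0.2.2", "tcp", 22, False),    # Internet -> ssh
    ("192.0.2.2", "10.0.0.20", "tcp", 3306, True),      # web -> database
    ("192.0.2.2", "10.0.0.21", "tcp", 3306, False),     # web -> other LAN host
    ("192.0.2.2", "198.51.100.7", "tcp", 443, False),   # web -> Internet
    ("10.0.0.5", "198.51.100.7", "tcp", 443, False),    # LAN client bypassing the proxy
]

def audit():
    """Return every test flow whose verdict differs from the requirement."""
    return [f for f in EXPECTED if allowed(*f[:4]) != f[4]]
```

An empty list from `audit()` means the rule set matches the stated requirements; a compromised web server is then limited to port 3306 on the one database host plus DNS and SMTP on the Intra2net system.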

42.5.1. Sample Solution

The clients in the LAN are assigned a firewall profile for clients (see the previous task). To give them full access to the web server, the option "Access to local networks allowed" must be checked.

Rules for the DMZ

Provider Rule