42.5. Example 5: Web Server in the DMZ

Scenario:

  • A web server is located in a DMZ (De-Militarized Zone) and has an official (public) IP address, i.e. a LAN without NAT. Classic routing is used (see Section 10.7.1, "Classic Routing").

  • The router of the provider has the IP 88.89.90.1, the external IP of the Intra2net system is 88.89.90.2 (network mask 255.255.255.252).

  • The DMZ uses the network 88.89.90.4/255.255.255.252 (a 30-bit network with 4 addresses, of which 2 are usable hosts); the Intra2net system has the IP 88.89.90.5, the web server 88.89.90.6.

  • Access to TCP ports 80 and 443 (predefined services http and https) of the web server is permitted from the Internet.

  • The clients from the LAN have full access to the web server.

  • The clients from the LAN may only access the Internet via the proxy; email is only possible via the Intra2net system.

  • The web server only has access to TCP port 3306 of a database server (IP 192.168.1.40) in the LAN.

  • The web server may use the DNS and SMTP services of the Intra2net system.
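The scenario above can be written down as an ordered, first-match rule table and checked against the flows it must allow or block before anything is configured on the firewall. The following is an added example and not Intra2net code; it does not use the Intra2net rule format, it only models the decisions the scenario demands. The LAN prefix 192.168.1.0/24 and the sample addresses 203.0.113.10 and 192.168.1.20 are assumptions; the page names only the database server 192.168.1.40.

```python
"""Policy model of Example 5 (web server in the DMZ) as a first-match rule table.

Added example, not Intra2net code. Assumed: LAN prefix 192.168.1.0/24,
Internet client 203.0.113.10, LAN client 192.168.1.20.
"""
import ipaddress
from dataclasses import dataclass

# Addresses taken from the scenario
PROVIDER_ROUTER = ipaddress.ip_address("88.89.90.1")
INTRA2NET_EXTERNAL = ipaddress.ip_address("88.89.90.2")
INTRA2NET_DMZ = ipaddress.ip_address("88.89.90.5")
WEB_SERVER = ipaddress.ip_address("88.89.90.6")
DB_SERVER = ipaddress.ip_address("192.168.1.40")
DMZ_NET = ipaddress.ip_network("88.89.90.4/30")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption, not given on the page


def dmz_hosts():
    """Usable addresses of the /30: network (.4) and broadcast (.7) are excluded."""
    return [str(h) for h in DMZ_NET.hosts()]


def zone_of(ip):
    """Map an address to the zone the rules reason about."""
    ip = ipaddress.ip_address(ip)
    if ip in (INTRA2NET_EXTERNAL, INTRA2NET_DMZ):
        return "intra2net"
    if ip in DMZ_NET:
        return "dmz"
    if ip in LAN_NET:
        return "lan"
    return "internet"  # everything else, including the provider router


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # zone name or exact address
    dst: str
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # empty = any destination port
    action: str         # "allow" or "deny"

    @staticmethod
    def _side_matches(pattern, ip):
        return pattern == zone_of(ip) or pattern == str(ip)

    def matches(self, src, dst, proto, dport):
        return (self._side_matches(self.src, src)
                and self._side_matches(self.dst, dst)
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


# One rule per bullet of the scenario; order matters, first match wins.
RULES = [
    Rule("web-from-internet", "internet", str(WEB_SERVER), "tcp", frozenset({80, 443}), "allow"),
    Rule("lan-to-dmz", "lan", "dmz", "any", frozenset(), "allow"),          # full access
    Rule("lan-to-intra2net", "lan", "intra2net", "any", frozenset(), "allow"),  # proxy, mail
    Rule("lan-to-internet", "lan", "internet", "any", frozenset(), "deny"),  # proxy only
    Rule("web-to-db", str(WEB_SERVER), str(DB_SERVER), "tcp", frozenset({3306}), "allow"),
    Rule("web-dns", str(WEB_SERVER), "intra2net", "any", frozenset({53}), "allow"),
    Rule("web-smtp", str(WEB_SERVER), "intra2net", "tcp", frozenset({25}), "allow"),
]


def decide(src, dst, proto, dport):
    """Return (action, rule name); unmatched traffic falls to the default deny."""
    for rule in RULES:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    return "deny", "default"


# Constructed flows with the decision the scenario requires
EXPECTED = [
    ("203.0.113.10", "88.89.90.6", "tcp", 80, "allow"),
    ("203.0.113.10", "88.89.90.6", "tcp", 443, "allow"),
    ("203.0.113.10", "88.89.90.6", "tcp", 22, "deny"),      # only http/https published
    ("203.0.113.10", "192.168.1.40", "tcp", 3306, "deny"),  # LAN unreachable from outside
    ("192.168.1.20", "88.89.90.6", "tcp", 22, "allow"),     # LAN has full access to web server
    ("192.168.1.20", "203.0.113.10", "tcp", 80, "deny"),    # Internet only via the proxy
    ("88.89.90.6", "192.168.1.40", "tcp", 3306, "allow"),
    ("88.89.90.6", "192.168.1.40", "tcp", 22, "deny"),      # only 3306 on the DB server
    ("88.89.90.6", "192.168.1.20", "tcp", 80, "deny"),      # web server must not reach LAN clients
    ("88.89.90.6", "88.89.90.5", "udp", 53, "allow"),
    ("88.89.90.6", "88.89.90.5", "tcp", 25, "allow"),
    ("88.89.90.6", "203.0.113.10", "tcp", 80, "deny"),      # no outbound Internet from the DMZ
]


def verify_scenario():
    """Flows whose decision differs from the scenario; an empty list means the table is consistent."""
    return [(flow, decide(*flow[:4])) for flow in EXPECTED if decide(*flow[:4])[0] != flow[4]]


if __name__ == "__main__":
    print("DMZ hosts:", dmz_hosts())
    print("mismatches:", verify_scenario())
```

The last two constructed flows are the ones worth checking on a real DMZ: a web server that can open arbitrary connections to LAN clients or to the Internet turns a compromise of the web application into a pivot into the LAN or a channel for fetching tooling, so the "only port 3306" and "only DNS and SMTP on the Intra2net system" bullets have to translate into a default deny for everything else, not just into the explicit allow rules.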

42.5.1. Sample Solution

The clients in the LAN are assigned a firewall profile for clients, see the previous example. For full access to the web server, "Access to local networks allowed" must be checked in that profile.

Rules for the DMZ

Provider Rule