Services on the dmz network – SnapGear 2.0.1 User Manual

Network Connections

Services on the DMZ Network

Once you have configured the DMZ connection, you will also want to configure the
CyberGuard SG appliance to allow access to services on the DMZ. There are two
methods of allowing access.

If the servers on the DMZ have public IP addresses, you need to add packet filtering
rules to allow access to the services. See the section called Packet Filtering in the
chapter entitled Firewall.

If the servers on the DMZ have private IP addresses, you need to port forward
the services. See the section called Incoming Access in the chapter entitled Firewall.
Creating port forwarding rules automatically creates associated packet filtering rules to
allow access. However, you can also create custom packet filtering rules if you wish to
restrict access to the services.

You may also want to configure your CyberGuard SG appliance to allow access from
servers on your DMZ to servers on your LAN. By default, all network traffic from the DMZ
to the LAN is dropped. See the section called Packet Filtering in the chapter entitled
Firewall.
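
The two access methods above and the default DMZ-to-LAN drop, written out as generic Linux netfilter rules. This is an added example, not taken from the manual and not the appliance's own configuration; the interface names (eth0 LAN, eth1 WAN, eth2 DMZ), the addresses and the `dmz_rules` helper are assumptions.

```shell
#!/bin/sh
# Added example: generic Linux netfilter rules, NOT the CyberGuard SG's own configuration.
# Assumed names: LAN=eth0, WAN=eth1, DMZ=eth2; addresses are documentation/private ranges.
LAN_IF=eth0 WAN_IF=eth1 DMZ_IF=eth2

# dmz_rules MODE SERVER_IP PORT [WAN_IP] [ALLOWED_SRC]
#   MODE=public  : server has a routable address, only a packet filter rule is needed
#   MODE=private : server has a private address, port forward (DNAT) from WAN_IP
#                  plus the associated packet filter rule
# Prints an iptables-restore ruleset on stdout; returns 1 on invalid input.
dmz_rules() {
    mode=$1 server=$2 port=$3 wan_ip=${4:-} src=${5:-0.0.0.0/0}
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }
    case $mode in
        public) ;;
        private)
            [ -n "$wan_ip" ] || { echo "private mode needs WAN_IP" >&2; return 1; }
            echo "*nat"
            echo ":PREROUTING ACCEPT [0:0]"
            echo "-A PREROUTING -i $WAN_IF -d $wan_ip -p tcp --dport $port -j DNAT --to-destination $server:$port"
            echo "COMMIT" ;;
        *) echo "mode must be public or private" >&2; return 1 ;;
    esac
    echo "*filter"
    echo ":FORWARD DROP [0:0]"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The filter table sees the address after DNAT, so both modes match the server's own IP.
    # ALLOWED_SRC narrows the rule, like a custom packet filter rule restricting access.
    echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -s $src -d $server -p tcp --dport $port -j ACCEPT"
    # Explicit form of the default: new connections from DMZ to LAN are dropped.
    echo "-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP"
    echo "COMMIT"
}

# Constructed sample: a private web server reachable only from one partner network.
dmz_rules private 192.168.2.10 80 203.0.113.5 198.51.100.0/24
```

The output is in `iptables-restore` format, so it can be reviewed as text before anything is loaded.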

Direct LAN

Select Direct LAN to use the DMZ port as a second LAN connection. Using this
configuration, the firewall between the DMZ and LAN is deactivated. Set up the
connection in the same manner as your primary LAN connection, as detailed in the LAN
section of this chapter.

Bridged LAN

See the Bridged Internet section earlier in this chapter.

DMZ as a second Internet connection

You may configure the DMZ port as a second Internet connection. This is generally
used in conjunction with the load balancing capability of your CyberGuard SG appliance.
The DMZ port may also be configured as a backup connection for Internet failover.

These configurations are set up in a similar manner to your primary Internet port. Refer
to the previous section in this chapter, entitled Internet.
