Re: Setting up a firewall

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 06/23/04


Date: Wed, 23 Jun 2004 10:27:15 -0400

Frank Baisch wrote:
> I am about to set up a firewall on a small LAN, less than 20 users.
> The server is Windows 2003 SBS with 2000 Pro and a couple of NT 4.0
> clients. The router is a Netopia 4522-XL router and the firewall is
> a WatchGuard Firebox System FB700. This is my first firewall and
> I am looking for any advice, hints, scenarios or things to look out for
> during setup. The router is controlled by the ISP; I cannot change
> the settings, but can have them changed. Also, the MX record for our
> SMTP server is controlled by another consultant.
>
> First, should I have NAT disabled on the router? It is currently
> active.

Yes.
>
> Can I set up the firewall without changing the IP address for the
> server? This would make it easier so I don't have to have the MX
> record changed.

You don't need to change your server's IP address. Set up the WatchGuard so
that the LAN IP is on your local IP network - and use that address as the
default gateway for the server & all clients.
>
> I want to enable VPN access down the road. Does this make a difference
> when first setting up the firewall?

No - but you might want to find out whether the WatchGuard can handle VPN
connections/authentication on its own - many firewalls do, and it's less of
a resource load on the server that way.
>
> Which ports should be open and which should be closed?

All inbound ports should be closed by default. You need port 25
open/forwarded to your Exchange server's private IP, either 80 or 443
forwarded to same for OWA, etc. (prefer 443 and SSL). If you have external
POP users (which I hope you don't...) leave 110 open. Etc etc etc.

Many companies also block all outbound ports besides 80 and 443 (with the
exception of the server's LAN IP which needs more than that to function). Up
to you on that front.
>
> Any advice or suggestions are greatly appreciated.
>
> Thanks in advance.
>
> Frank
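
Added example, not part of the original thread: a small audit that checks an exported list of inbound port forwards and outbound rules against the policy in the reply above (inbound default deny, 25 and 443 forwarded to the Exchange server, 80 and 110 discouraged, clients limited to 80/443 outbound as an optional stricter rule). The rule format, finding codes and all IP addresses are constructed for illustration and are not WatchGuard configuration syntax.

```python
from dataclasses import dataclass

SERVER_IP = "192.168.1.2"  # assumption: private IP of the Exchange/SBS server

@dataclass(frozen=True)
class Forward:            # one inbound port forward (constructed format)
    port: int
    target: str

# Inbound TCP ports the reply names, with a note where it voices a preference.
NAMED = {25: None, 443: None,
         80: "OWA over plain HTTP; the reply prefers 443 and SSL",
         110: "POP3 exposed for external users"}

def audit(default_inbound, forwards, outbound=()):
    """Return (code, detail) findings; outbound is (source_ip, port) pairs."""
    findings = []
    if default_inbound != "deny":
        findings.append(("DEFAULT_OPEN", "inbound default must be deny"))
    seen = {f.port for f in forwards}
    for f in forwards:
        if f.port not in NAMED:
            findings.append(("UNLISTED", f"port {f.port} -> {f.target}"))
            continue
        if f.target != SERVER_IP:
            findings.append(("WRONG_TARGET", f"port {f.port} -> {f.target}"))
        if NAMED[f.port]:
            findings.append(("DISCOURAGED", f"port {f.port}: {NAMED[f.port]}"))
    if 25 not in seen:
        findings.append(("NO_SMTP", "port 25 is not forwarded to the server"))
    # Optional stricter policy from the reply: clients only reach 80/443 outbound.
    for src, port in outbound:
        if src != SERVER_IP and port not in (80, 443):
            findings.append(("OUTBOUND_EXTRA", f"{src} -> port {port}"))
    return findings

# Constructed sample ruleset, not taken from any real device.
SAMPLE_FORWARDS = [Forward(25, SERVER_IP), Forward(80, SERVER_IP),
                   Forward(110, "192.168.1.30"), Forward(3389, SERVER_IP)]
SAMPLE_OUTBOUND = [(SERVER_IP, 53), ("192.168.1.30", 443), ("192.168.1.30", 21)]

if __name__ == "__main__":
    for code, detail in audit("deny", SAMPLE_FORWARDS, SAMPLE_OUTBOUND):
        print(f"{code:15} {detail}")
```

An empty result means the ruleset matches the policy as stated; rerunning the audit after every rule change catches forwards that were opened for a test and never closed.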


