Firewall Configuration
This chapter describes how to use firewall policies to establish and control connectivity through the DFL-1000 firewall. This chapter contains the following sections:
• Controlling connections from the Internet
• Controlling connections to the Internet
• Controlling connections to and from the DMZ
Controlling connections from the Internet
By default, the DFL-1000 firewall denies access to the internal or DMZ network from the Internet. To accept incoming connections, you must add policies to the Incoming policies list.
Use Incoming policies to give users on the Internet access to an Internet server (for example, your organization's web server) that is protected by your firewall. When you are running the DFL-1000 in NAT mode, you can locate these servers on the DMZ network or the internal network. When you are running the DFL-1000 in Transparent mode, you can locate Internet servers on the internal network only.
This section describes:
• Accepting incoming connections in NAT mode
• Accepting incoming connections in Transparent mode
• Arranging policies in the incoming policy list
Accepting incoming connections in NAT mode
The most secure way to operate an Internet server is to run the DFL-1000 in NAT mode and isolate the server on your DMZ network. Isolating the server on the DMZ is more secure because from there the server cannot be used to indirectly attack the internal network. You can, however, install the server on your internal network if required.
Running the DFL-1000 in NAT mode hides the actual addresses of the computers on your internal and DMZ networks from the Internet. To provide Internet access to a server on your DMZ or internal network, you must add a Virtual IP that creates an association between the Internet IP address of the server and the actual address of the computer on your DMZ or internal network that is running the server.
Once you have created a Virtual IP, you can add Incoming policies to accept connections to the server.
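To make the relationship between the default deny, a Virtual IP and the ordered Incoming policy list concrete, here is an added model of that evaluation in Python. It is not the DFL-1000's own code; the addresses (203.0.113.10 as the Internet-facing address, 10.10.10.5 as the DMZ web server, 198.51.100.0/24 as a blocked range) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (not from the manual): the Internet-facing
# address is 203.0.113.10 and the DMZ web server really sits at 10.10.10.5.
@dataclass(frozen=True)
class VirtualIP:
    external_ip: str   # address that Internet users connect to
    mapped_ip: str     # actual address of the server on the DMZ or internal network

@dataclass(frozen=True)
class IncomingPolicy:
    source: str        # permitted Internet source, as a network in CIDR form
    destination: str   # the Virtual IP this policy applies to
    service_port: int  # TCP/UDP port of the service, e.g. 80 for a web server
    action: str        # "ACCEPT" or "DENY"

def evaluate_incoming(vips, policies, src_ip, dst_ip, dst_port):
    """Return (action, translated destination) for one inbound connection.

    Policies are checked top-down and the first match wins, which is why the
    order of the Incoming policy list matters. No Virtual IP or no matching
    policy falls through to the default deny described in the manual.
    """
    vip = next((v for v in vips if v.external_ip == dst_ip), None)
    if vip is None:
        return "DENY", None   # no Virtual IP: the real host is not reachable at all
    for p in policies:
        if (p.destination == dst_ip and p.service_port == dst_port
                and ip_address(src_ip) in ip_network(p.source)):
            if p.action == "ACCEPT":
                return "ACCEPT", vip.mapped_ip   # NAT to the server's actual address
            return "DENY", None
    return "DENY", None       # default deny when nothing in the list matches

VIPS = [VirtualIP("203.0.113.10", "10.10.10.5")]
POLICIES = [
    IncomingPolicy("198.51.100.0/24", "203.0.113.10", 80, "DENY"),  # blocked range first
    IncomingPolicy("0.0.0.0/0", "203.0.113.10", 80, "ACCEPT"),      # everyone else to HTTP
]

if __name__ == "__main__":
    print(evaluate_incoming(VIPS, POLICIES, "192.0.2.7", "203.0.113.10", 80))
    print(evaluate_incoming(VIPS, POLICIES, "198.51.100.9", "203.0.113.10", 80))
    print(evaluate_incoming(VIPS, POLICIES, "192.0.2.7", "203.0.113.10", 22))
    print(evaluate_incoming(VIPS, POLICIES, "192.0.2.7", "10.10.10.5", 80))
```

Swapping the two policies lets the blocked range through, which is the ordering pitfall the "Arranging policies" section addresses.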
Adding an Incoming policy to accept connections
Use the following procedure to accept connections from the Internet to a server on the DMZ or the internal network:
• Add a Virtual IP for the server. See .
DFL-1000 User’s Manual