Topic: DMZ access to Internet-based SQL Servers, but no internal SQL Servers

RoboJ1M (Zen Monk, 51 posts) wrote:
Hi,

I have a server in our DMZ that requires access to SQL Servers on the internet.

So I've added a service: SQLServer: TCP 1433 (External)

And I've added a rule

Source: MyServer
Dest: any
Service: SQLServer

Will this also allow the DMZ server access to the LAN because I've specified the Destination as 'any'?
Or will 'any' be considered 'any address outside of our internal network' because I marked the Service as External?

Thanks,

Jim.

sixstone (Zentyal Staff, Zen Hero, 1417 posts) wrote:

Quote from RoboJ1M:
> I have a server in our DMZ that requires access to SQL Servers on the internet.
>
> So I've added a service: SQLServer: TCP 1433 (External)
>
> And I've added a rule
>
> Source: MyServer
> Dest: any
> Service: SQLServer
>
> Will this also allow the DMZ server access to the LAN because I've specified the Destination as 'any'?
> Or will 'any' be considered 'any address outside of our internal network' because I marked the Service as External?
Hi Jim,

Firstly, the Internal attribute in Services means that no other defined service may use the given port. Regarding your questions: depending on where you added the rule, the behaviour may change. 'Any' means any host wherever it is, LAN or WAN.

Hope this helps.
My secret is my silence...

RoboJ1M (Zen Monk, 51 posts) wrote:
Yeah, I found that out.

OK, so how can I define 'any external address'? Or 'any address via eth0'?
In shorewall I had a Zone called 'net'

I suppose I could put a DENY rule on the internal firewall for the DMZ subnet, but that's a bit fudgy.
And it doesn't protect any of the other subnets on the external firewall.

I can't create an object with all of my internal subnets and use it for an inverse match, because you can't have overlapping objects and I've already defined some single-IP objects for the various servers.

Thanks,

Jim.
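The point sixstone makes (Destination 'any' matches LAN hosts as well as Internet hosts) and the two workarounds Jim sketches (a DENY for the internal subnets ahead of the ACCEPT, or an inverse match on an object holding every internal subnet) plus the Shorewall-style "everything leaving eth0" zone can all be checked against a tiny first-match rule evaluator. The following is an added example written for this page; it is not code from the thread, from Zentyal or from eBox, and it does not model the Zentyal UI, only the match semantics underneath. Every address, subnet, port and interface name in it is a constructed assumption.

```python
"""Added example (not code from the thread or from Zentyal): a tiny
first-match packet-filter simulator that shows why a rule with
Destination 'any' also matches LAN hosts, and three ways to restrict
the DMZ server to Internet-bound SQL traffic. All addresses, subnets
and interface names below are assumptions made up for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed topology (constructed): eth0 = Internet, eth1 = LAN, eth2 = DMZ.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth1"),
    (ipaddress.ip_network("10.0.50.0/24"), "eth2"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),   # default route
]
INTERNAL = "192.168.1.0/24,10.0.50.0/24"          # all internal subnets
DMZ_SERVER = "10.0.50.10"                          # stands in for "MyServer"


def egress_iface(dst: str) -> str:
    """Longest-prefix match: which interface a packet to dst leaves on."""
    best = None
    ip = ipaddress.ip_address(dst)
    for net, iface in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def _in_nets(addr: str, nets: str) -> bool:
    """True if addr lies inside any of the comma-separated hosts/CIDRs."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets.split(","))


@dataclass
class Rule:
    action: str                       # "ACCEPT" or "DROP"
    src: str = "any"                  # host, CIDR, or comma-separated list
    dst: str = "any"
    dst_negate: bool = False          # True = "any address NOT in dst"
    dport: Optional[int] = None       # TCP port, None = any port
    out_iface: Optional[str] = None   # restrict to packets leaving this NIC

    def matches(self, src: str, dst: str, dport: int) -> bool:
        if self.src != "any" and not _in_nets(src, self.src):
            return False
        # With dst_negate the rule matches only when dst is OUTSIDE the list.
        if self.dst != "any" and _in_nets(dst, self.dst) == self.dst_negate:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        if self.out_iface is not None and egress_iface(dst) != self.out_iface:
            return False
        return True


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is dropped."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "DROP"


# 1. The rule from the original post: Destination 'any' really is any host.
NAIVE = [Rule("ACCEPT", src=DMZ_SERVER, dst="any", dport=1433)]

# 2. Jim's first idea: an explicit DENY for the internal subnets placed
#    BEFORE the ACCEPT. Order matters in a first-match ruleset.
DENY_FIRST = [
    Rule("DROP", src=DMZ_SERVER, dst=INTERNAL),
    Rule("ACCEPT", src=DMZ_SERVER, dst="any", dport=1433),
]

# 3. Jim's second idea: one object holding every internal subnet, used
#    as an inverse match ("anything that is not internal").
NEGATED = [Rule("ACCEPT", src=DMZ_SERVER, dst=INTERNAL, dst_negate=True, dport=1433)]

# 4. The Shorewall-style 'net' zone: match on the egress interface instead
#    of on addresses, so a subnet added later is covered automatically.
BY_IFACE = [Rule("ACCEPT", src=DMZ_SERVER, dport=1433, out_iface="eth0")]


def demo() -> dict:
    """(DMZ->LAN verdict, DMZ->Internet verdict) for each ruleset."""
    lan_sql, internet_sql = "192.168.1.20", "203.0.113.5"  # constructed hosts
    return {
        name: (evaluate(rs, DMZ_SERVER, lan_sql, 1433),
               evaluate(rs, DMZ_SERVER, internet_sql, 1433))
        for name, rs in [("naive", NAIVE), ("deny_first", DENY_FIRST),
                         ("negated", NEGATED), ("by_iface", BY_IFACE)]
    }


if __name__ == "__main__":
    for name, (to_lan, to_internet) in demo().items():
        print(f"{name:<11} DMZ->LAN: {to_lan:<7} DMZ->Internet: {to_internet}")
```

Run it and only the "naive" ruleset lets the DMZ host reach the LAN SQL server; the other three allow port 1433 to the Internet host only. Ruleset 4 is the one that corresponds to "any address via eth0"; on a plain iptables box (not via the Zentyal UI, and assuming the same interface names) it is the single forward rule `iptables -A FORWARD -s 10.0.50.10 -o eth0 -p tcp --dport 1433 -j ACCEPT` with a default DROP policy. Ruleset 2 only works if the DENY is evaluated first, and rulesets 2 and 3 silently stop protecting any internal subnet that is added later but not to the INTERNAL list, which is the weakness Jim is pointing at.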

javi (Zen Hero, 1042 posts) wrote:
Hi,

Can you tell me a bit more about your network?

Where's your LAN, where's your DMZ, where is eBox placed, how are your networks connected to eBox, and so on?