<< Back to man.ChinaUnix.net

Zone Pinholes Administrative Web Page

This subsection allows you to configure the Zone Pinholes settings for Endian Firewall. This is 100% optional, so you may safely ignore this section if you do not wish to make use of this feature.

This page will only be visible if you have enabled the ORANGE and/or the BLUE zone within Network Wizard.

A DMZ or Demilitarized Zone (Orange zone) is used as a semi-safe interchange point between the external RED Zone and the internal GREEN zone. The GREEN zone has all your internal machines. The RED zone is the Internet at large. The DMZ allows them to share servers without allowing undue access to the internal LAN by those in the RED Zone.

For example, suppose that your business has a web server. Certainly, you want your customers (those in the RED zone) to be able to access it. But suppose you also want your web server to be able to send customer orders to employees in the GREEN zone? In a traditional firewall setup, this wouldn't work, because the request for access to the GREEN zone would be initiating from outside the GREEN zone. You certainly do not want to give all your customers direct access to the machines on the GREEN side, so how can this work? By using the DMZ and zone pinholes.

Figure 6.8. Adds a new pinhole rule

Adds a new pinhole rule

Zone pinholes give machines in the Orange (DMZ) zone (and also BLUE zone) limited access to certain ports on Green machines. Because servers (the machines in the ORANGE zone) have to have relaxed rules with respect to the RED zone, they are more susceptible to hacking attacks. By only allowing limited access from ORANGE to GREEN, this will help to prevent unauthorized access to restricted areas should your server be compromised.

The following describes the configuration fields of Add a new rule:

Protocol

The drop wodn list allows you to choose which protocol this rule will follow. Possible values are TCP and UDP. Some game servers and chat servers use UDP. If the protocol is not specified in the server documentation, then it is usually TCP.

Source Net

This is a drop menu that shows the available source networks on the machine. You will not find the GREEN network here, since GREEN can as trusted network access all zones per default.

Source IP

This is the IP address of the machine that you wish to give permission to access your internal servers.

Destination Net

This is a drop down menu that shows the available destination zones.

Destination IP

Fill in the ip address of the machine of your GREEN or BLUE zone which you want to open. The ip address must be part of the destination zone which you selected before.

Destination Port

This is the destination port you want to open. This is optional. If you do not specify a port, access to the machine will not be limited to a port.

Remark

You may add a remark which then helps you to easier identify the rule within the Current rule list.

Enabled

Tick this box on to enable the current rule. You may temporarily disable a rule by ticking it off.

Once you have entered all the information press Add. This will move the rule to the next section, and list it as an active rule.

Figure 6.9. Lists all configured pinhole rules

Lists all configured pinhole rules

Current rules lists the rules that are in effect. To remove one, click the Trash can icon. To edit one, click the Yellow pencil icon. To enable or disable a rule - click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The icon changes to an empty box when a rule is disabled. Click on the checkbox to enable it again.