Basic lock down of the LAN and DMZ outgoing rules

Outbound LAN

Make sure the Default LAN > any rule is either disabled or removed.

  1. Allowing DNS access:
    1. If AZTCO-FW is the DNS server:
      1. Allow TCP/UDP 53 (DNS) from LAN subnet to LAN Address.
    2. If using upstream DNS servers:
      1. Allow TCP/UDP 53 (DNS) from LAN subnet to the upstream DNS servers.
    3. Otherwise:
      1. Allow TCP/UDP 53 (DNS) from LAN subnet to anywhere.
  2. Allowing all users to browse web pages anywhere:
    1. Allow TCP 80 (HTTP) from LAN subnet to anywhere.
  3. Allowing users to browse secure web pages anywhere:
    1. Allow TCP 443 (HTTPS) from LAN subnet to anywhere.
  4. Allowing users to access FTP sites anywhere:
    1. Allow TCP 21 (FTP) from LAN subnet to anywhere.
  5. Allowing users to access SMTP on a mail server somewhere:
    1. Allow TCP 25 (SMTP) from LAN subnet to anywhere.
  6. Allowing users to access POP3 on a mail server somewhere:
    1. Allow TCP 110 (POP3) from LAN subnet to anywhere.
  7. Allowing users to access IMAP on a mail server somewhere:
    1. Allow TCP 143 (IMAP) from LAN subnet to anywhere.
  8. Allowing remote connections to an outside Windows server for remote administration:
    1. Allow TCP/UDP 3389 (Terminal Server) from LAN subnet to the IP address of the remote server.
  9. Allowing LAN to access Windows shares on the DMZ, via NETBIOS/Microsoft-DS:
    1. Allow TCP/UDP 137 (NETBIOS) from LAN subnet to DMZ subnet.
    2. Allow TCP/UDP 138 (NETBIOS) from LAN subnet to DMZ subnet.
    3. Allow TCP/UDP 139 (NETBIOS) from LAN subnet to DMZ subnet.
    4. Allow TCP 445 (Microsoft-DS) from LAN subnet to DMZ subnet.
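To check what the outbound LAN ruleset above actually permits before applying it, the following added example (not part of the AZTCO-FW documentation) models the rules as a first-match list with an implicit default deny. The subnets, the remote server address and the destination hosts are constructed placeholders; the DNS case assumes AZTCO-FW itself is the DNS server.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example; substitute the real LAN/DMZ subnets.
LAN_NET = "192.168.1.0/24"
LAN_ADDR = "192.168.1.1"          # the firewall's own LAN address
DMZ_NET = "10.0.10.0/24"
REMOTE_RDP = "203.0.113.10"       # hypothetical outside Windows server
ANY_NET = "0.0.0.0/0"
ANY_PORT = range(1, 65536)

@dataclass(frozen=True)
class Rule:
    protos: tuple                 # e.g. ("tcp", "udp")
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: object                 # destination ports: a tuple or a range
    note: str

def rule(protos, src, dst, ports, note):
    # ip_network turns a bare address such as "192.168.1.1" into a /32.
    return Rule(tuple(protos), ipaddress.ip_network(src), ipaddress.ip_network(dst), ports, note)

# The outbound LAN rules listed above, for the case where AZTCO-FW is the DNS server.
LAN_RULES = [
    rule(("tcp", "udp"), LAN_NET, LAN_ADDR, (53,), "DNS to the firewall only"),
    rule(("tcp",), LAN_NET, ANY_NET, (80, 443), "HTTP/HTTPS"),
    rule(("tcp",), LAN_NET, ANY_NET, (21,), "FTP"),
    rule(("tcp",), LAN_NET, ANY_NET, (25, 110, 143), "SMTP/POP3/IMAP"),
    rule(("tcp", "udp"), LAN_NET, REMOTE_RDP, (3389,), "RDP to one remote server"),
    rule(("tcp", "udp"), LAN_NET, DMZ_NET, (137, 138, 139), "NetBIOS to DMZ"),
    rule(("tcp",), LAN_NET, DMZ_NET, (445,), "Microsoft-DS to DMZ"),
]

# The stock "Default LAN > any" rule the checklist says to disable or remove.
DEFAULT_LAN_ANY = rule(("tcp", "udp"), LAN_NET, ANY_NET, ANY_PORT, "Default LAN > any")

def allowed(rules, proto, src, dst, port):
    """First matching pass rule wins; no match means the implicit default deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if proto in r.protos and s in r.src and d in r.dst and port in r.ports:
            return True
    return False

if __name__ == "__main__":
    for proto, dst, port in [("tcp", "198.51.100.20", 443), ("tcp", "198.51.100.20", 22),
                             ("udp", "198.51.100.20", 53), ("tcp", "10.0.10.5", 445)]:
        print(proto, dst, port, "locked down:", allowed(LAN_RULES, proto, "192.168.1.50", dst, port),
              "with default rule:", allowed([DEFAULT_LAN_ANY] + LAN_RULES, proto, "192.168.1.50", dst, port))
```

Leaving the default rule in place ahead of the specific rules makes every one of them redundant, which is why the checklist starts by disabling it.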

Outbound DMZ

By default, there are no rules on OPT interfaces.

  1. Allowing servers to use Windows Update or browse the WAN:
    1. Allow TCP 80 (HTTP) from DMZ subnet to anywhere.
    2. Allow TCP 443 (HTTPS) from DMZ subnet to anywhere.
  2. Allowing servers to connect to an external DNS server:
    1. Allow TCP/UDP 53 (DNS) from DMZ subnet to the IP address of the upstream DNS server(s).
  3. Allowing servers to use a remote time server:
    1. If using an upstream remote time server:
      1. Allow UDP 123 (NTP) from DMZ subnet to the IP address of the remote time server.
    2. Otherwise:
      1. Allow UDP 123 (NTP) from DMZ subnet to any.