User's guide

Allworx Server Administrator’s Guide Version 7.6
Page 34 1-866-ALLWORX * 585-421-3850
www.allworx.com
Revised: 11/22/13
5.7 Network Mode: NAT/Firewall with Stealth DMZ
This mode is the same as NAT/Firewall with DMZ except that all ICMP services (echo,
redirect, etc.) are off. This makes it more difficult for an attacker on the WAN to probe
the server. It also makes it more difficult for the administrator to troubleshoot network
connectivity problems (since ping and traceroute won’t work).
Example 1: Secure Firewall

Requirements:
Use the Allworx server as the router between a LAN and the Internet. Protecting the LAN
from the Internet is a requirement. Use the server as the local email server, with email
being sent to it from the WAN and LAN. The server is the LAN timeserver. All other WAN
services will be denied.

Configuration:
Set the Network Mode to NAT/Firewall with Stealth DMZ. Setting it to stealth mode reduces
the ability of Internet attacks to recognize the existence of the Allworx server and its
offered services.
Navigate to Network > Configuration > Modify and, in the Firewall section of the page,
change the Allworx Services (ports) exposed through DMZ so that only SMTP, DNS, and SNTP
are checked. Receiving mail from the Internet requires SMTP for local users. The email
server requires DNS to resolve outbound mail addresses. The server requires SNTP to get
accurate time from an Internet time server (configured on the Maintenance > Time page).

Example 2: Secure Firewall with Third-Party Email Server

Requirements:
The requirements are identical to Example 1: Secure Firewall except that, instead of the
Allworx server, another host on the LAN (at 192.168.101.12) is the email server.

Configuration:
The configuration is identical to the previous example except for the following changes:
Uncheck the SMTP service from the list of exposed Allworx services.
Go to Network > Configuration > Modify and, in the Firewall section of the page, add an
entry to LAN Addresses exposed through firewall where:
• WAN Port # is 25.
• Protocol is TCP.
• IP Address is set to the LAN email server, 192.168.101.12.
• Local Port # is 25.
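A way to check a server's firewall settings against the two examples above, as an added example that is not part of the Allworx guide. The settings are assumed to be transcribed by hand from the Network > Configuration page into a dict; the dict layout, its key names and the HTTP entry in the sample are constructed for illustration and are not an Allworx export format.

```python
# Added example: audits hand-transcribed firewall settings against Example 1 / Example 2.
# Dict layout and key names are hypothetical, not an Allworx export format.
STEALTH = "NAT/Firewall with Stealth DMZ"

# Expected state for each example; forwards are
# (WAN Port #, Protocol, IP Address, Local Port #).
EXPECTED = {
    "example1": {"services": {"SMTP", "DNS", "SNTP"}, "forwards": set()},
    "example2": {"services": {"DNS", "SNTP"},
                 "forwards": {(25, "TCP", "192.168.101.12", 25)}},
}

def audit(settings, example):
    """Return a list of deviations from the named example; [] means it matches."""
    want = EXPECTED[example]
    findings = []
    mode = settings.get("network_mode")
    if mode != STEALTH:
        findings.append(f"mode is {mode!r}, expected {STEALTH!r}")
    services = set(settings.get("dmz_services", ()))
    for name in sorted(services - want["services"]):
        findings.append(f"service {name} exposed but not required")
    for name in sorted(want["services"] - services):
        findings.append(f"service {name} required but not exposed")
    # Normalise entries so "25"/"tcp" typed by hand compare equal to 25/"TCP".
    forwards = {(int(w), p.upper(), ip, int(l))
                for w, p, ip, l in settings.get("forwards", ())}
    for entry in sorted(forwards - want["forwards"]):
        findings.append(f"forward {entry} not in the example")
    for entry in sorted(want["forwards"] - forwards):
        findings.append(f"forward {entry} missing")
    # Example 2 says to uncheck SMTP when TCP 25 is forwarded to the LAN mail host.
    if "SMTP" in services and any(w == 25 and p == "TCP" for w, p, _, _ in forwards):
        findings.append("SMTP still checked while TCP 25 is forwarded")
    return findings

# Constructed sample: Example 2 attempted, but the mode is not stealth,
# SMTP was left checked and an extra service (HTTP) is exposed.
SAMPLE = {
    "network_mode": "NAT/Firewall with DMZ",
    "dmz_services": ["SMTP", "DNS", "SNTP", "HTTP"],
    "forwards": [("25", "tcp", "192.168.101.12", "25")],
}

if __name__ == "__main__":
    for line in audit(SAMPLE, "example2"):
        print(line)
```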