Topic: Is this a very easy way to isolate webserver?  (Read 2164 times)
« on: June 24, 2008, 18:39:44 »
Seb74 ***
Posts: 115

I have three interfaces on the router. The LAN-one is going into a switch to home-pc's and fileserver, using Port Address Translation to access the web and almost no ports open (only one or two to the fileserver).

I thought, for some extra security I maybe could put the webserver (even though it's running chrooted apache on OpenBSD) on the other interface like some DMZ (if it counts as DMZ when only port 22 and 80 are open), having no connection DMZ->LAN and using PAT LAN->DMZ (just as LAN->WAN uses PAT).

Will that work? Can I ssh and ftp from my LAN to the DMZ by just using PAT, or does ssh or ftp need ports open "the other way"?
Would be cool to have it isolated, even if it's maybe no huge security gain....if someone hacks that server they might as well hack my router and everything :D

Thanks :)

« Reply #1 on: June 24, 2008, 18:57:11 »
Fred Grayson *****
Posts: 994

What you want is a very typical configuration and well described in the m0n0wall Handbook, section 13.1.

--
Google is your friend and Bob's your uncle.
« Reply #2 on: June 24, 2008, 19:26:00 »
Seb74 ***
Posts: 115

What you want is a very typical configuration and well described in the m0n0wall Handbook, section 13.1.
Thanks, but doesn't say anything about Port Address Translation between LAN->OPT1.

Is it enabled by default between all interfaces, or is only LAN->WAN running PAT, so I'll need to disable outgoing NAT and enter rules on the appropriate interfaces?

Also, ssh/ftp will of course work through the PAT, without opening ports for some two-way server-communication?
Don't remember how ftp works really......I think my ssh-program I use to log in and upload files has some built-in ftp-browser so it's very easy to graphically upload files to the server through it (Tunnelier it's called, nice freeware). Would be cool to have all ports closed so it's really isolated, even though it probably won't matter a bit :)
« Reply #3 on: June 24, 2008, 22:47:44 »
Manuel Kasper
Administrator
*****
Posts: 364

Thanks, but doesn't say anything about Port Address Translation between LAN->OPT1.

Is it enabled by default between all interfaces, or is only LAN->WAN running PAT, so I'll need to disable outgoing NAT and enter rules on the appropriate interfaces?

By default (i.e. without "Advanced Outbound NAT"), IP addresses from all interfaces (LAN/OPT) are automatically NATed when traffic goes through the WAN interface. This default should work fine for you, as it means that you will have no NAT/PAT between LAN and OPT1, and standard NAT/PAT for traffic from LAN -> WAN and OPT1 -> WAN.
« Reply #4 on: June 24, 2008, 22:55:59 »
Seb74 ***
Posts: 115

Thanks, but doesn't say anything about Port Address Translation between LAN->OPT1.

Is it enabled by default between all interfaces, or is only LAN->WAN running PAT, so I'll need to disable outgoing NAT and enter rules on the appropriate interfaces?

By default (i.e. without "Advanced Outbound NAT"), IP addresses from all interfaces (LAN/OPT) are automatically NATed when traffic goes through the WAN interface. This default should work fine for you, as it means that you will have no NAT/PAT between LAN and OPT1, and standard NAT/PAT for traffic from LAN -> WAN and OPT1 -> WAN.
Ok, thanks. I would like PAT from LAN->OPT1 though so I can upload files to my webserver, but nothing open the other way of course or it won't be much of a DMZ ;)
But ok, that's very good to know then....PAT only from every interface out through WAN, but not between the other interfaces themselves. Need to enable outbound NAT for that and enter rules for every interface.
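The question running through the thread is whether SSH or FTP from the LAN into the DMZ needs any port "open the other way". Below is an added example, not code from the original posts or from the m0n0wall project, that models the three-interface router as a toy stateful packet filter: rules are applied first-match on the interface where traffic enters (an assumption of the model), a pass rule creates state, and reply packets of an admitted flow pass on that state alone. It shows that an SSH session from a LAN PC to the webserver works with only a LAN -> OPT1 rule for ports 22 and 80, while the DMZ host is still blocked from initiating anything into the LAN. All addresses, interface names beyond LAN/OPT1/WAN, and the rule tuples are constructed for the example; NAT is left out because it does not change the filtering verdicts shown here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_if: str        # router interface the packet arrives on: LAN, OPT1 or WAN
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed addressing for this example only (not the poster's real network).
NETS = {"LAN": "192.168.1.", "OPT1": "192.168.2."}
WEBSERVER = "192.168.2.10"   # the DMZ host on OPT1


def iface_of(ip):
    """Map an address to the interface whose subnet contains it; everything else is WAN."""
    for name, prefix in NETS.items():
        if ip.startswith(prefix):
            return name
    return "WAN"


# First-match rules, evaluated on the interface where traffic *enters* the router.
# Tuple: (ingress interface, protocol, destination, allowed ports or None for any, action).
RULES = [
    ("LAN",  "tcp", WEBSERVER, {22, 80}, "pass"),   # admin and test browsing into the DMZ
    ("LAN",  "any", "WAN",     None,     "pass"),   # LAN -> Internet
    ("OPT1", "any", "WAN",     None,     "pass"),   # DMZ -> Internet
    ("WAN",  "tcp", WEBSERVER, {80},     "pass"),   # the only published service
    # No OPT1 -> LAN rule at all: the DMZ cannot *initiate* anything towards the LAN.
]


class Firewall:
    def __init__(self):
        self.states = set()   # flows already admitted by a pass rule

    def _matches(self, rule, pkt):
        in_if, proto, dst, dports, _ = rule
        if in_if != pkt.in_if:
            return False
        if proto != "any" and proto != pkt.proto:
            return False
        if dst == "WAN":
            if iface_of(pkt.dst) != "WAN":
                return False
        elif dst != pkt.dst:
            return False
        return dports is None or pkt.dport in dports

    def filter(self, pkt):
        """Return the verdict for one packet, creating state on a pass."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Replies belonging to an admitted flow pass on state alone, so no
        # "other way" rule is needed for them.
        if flow in self.states or reverse in self.states:
            return "pass:state"
        for rule in RULES:
            if self._matches(rule, pkt):
                if rule[-1] == "pass":
                    self.states.add(flow)
                return rule[-1]
        return "block"   # implicit default deny


def run_scenarios():
    """Replay the thread's cases through one firewall instance and return the verdicts."""
    fw = Firewall()
    lan_pc, wan_client = "192.168.1.5", "203.0.113.7"   # constructed addresses
    return {
        "lan_ssh_to_dmz":       fw.filter(Packet("LAN",  "tcp", lan_pc, 40000, WEBSERVER, 22)),
        "dmz_ssh_reply":        fw.filter(Packet("OPT1", "tcp", WEBSERVER, 22, lan_pc, 40000)),
        "dmz_initiates_to_lan": fw.filter(Packet("OPT1", "tcp", WEBSERVER, 50000, lan_pc, 445)),
        "wan_http_to_dmz":      fw.filter(Packet("WAN",  "tcp", wan_client, 1234, WEBSERVER, 80)),
        "wan_ssh_to_dmz":       fw.filter(Packet("WAN",  "tcp", wan_client, 1235, WEBSERVER, 22)),
        "dmz_to_internet":      fw.filter(Packet("OPT1", "tcp", WEBSERVER, 5000, wan_client, 443)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22} {verdict}")
```

The SSH reply from the webserver arrives on OPT1 addressed to the LAN, where no rule exists, and still passes because the outbound SYN created state. An SFTP session inside SSH (what an SSH client's file browser uses) rides that single port-22 connection, so nothing else is needed; plain active-mode FTP is the case where the server opens a second, data connection back to the client, which this ruleset would block, so passive mode or SFTP is the safer fit for a DMZ with no OPT1 -> LAN rule.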
 