RE: Webserver, DMZ, ports questions

From: Wagner Martini
Date: 07/20/01

From: "Wagner Martini"
Subject: RE: Webserver, DMZ, ports questions
Date: Fri, 20 Jul 2001 10:25:38 +0100
Message-ID: <002c01c110fd$f11f3890$>

Internet --- Router(W/ Firewall) ---------------------- Firewall
------------ intranet(Your Network)
                  Outside -> TCP80 (WWW) DMZ1(80%)|
                  Outside -> TCP established | |

| |
                                    DataBase(DMZ2 -> PORT(SQL?))
WWW(Outside -> 80)

Use Cisco System,
Firewall= PIX 515UR
Router= 1720 + IP/FW/IDS (deny: pings, netbios-session, telnet, and

Think this....


-----Original Message-----
From: Bartel, Matt
Sent: Tuesday, 17 July 2001 20:12
Subject: Webserver, DMZ, ports questions

I have two questions that I feel rather dumb about asking:

If I am running a setup as follows:
Internet<->Firewall<->DMZ<->Firewall<->Internal Network

and I am running webservers in the DMZ that need to pull info out of
databases (that hold confidential information), where is the best place
to put the db's??? If I put them in the internal network, I would have
to make a rule to allow the webservers to access the db's through the FW
(which defeats the point of the FW)...if I do not allow the webservers
to go through the FW, then they cannot access the db's, unless I would
put them in the DMZ...What is the safest way to do this? What would
basic, sample rules that would be optimal in this type of setup look
like?

Also, one other really dumb question, while I'm on a roll:
I know that I should *only* allow port 80 into the DMZ, but do you allow
*ALL* ports to go out??? Doesn't the webserver use all different local
ports to talk out onto the Internet? If I wanted to do the following
(assuming there is no internal network): Internet<->Firewall<->Webserver

Can I allow *only* port 80 to run through the FW to the Internet (both
ways)? I am using IIS 5, and I am under the belief that IIS opens ports
(source ports???) on the local machine to talk out to the world...If I
only allowed 80 to go out, wouldn't that effectively block the webserver
from talking onto the net, since it picks high ports (like 5000, or

Thank you.
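The policy sketched in the reply (Outside -> TCP80 into DMZ1, web server to database in DMZ2 on the SQL port only, "TCP established" for everything coming back) and the ephemeral-port question in the original mail, as an added Python simulation of a stateful filter; this is not code from either poster, and the addresses, the SQL port and the "10." convention for inside networks are assumptions.

```python
# Constructed example: a minimal default-deny stateful policy for
# Internet -> FW -> DMZ1 (web) -> DMZ2 (database). New connections must
# match an explicit rule; replies pass because the flow is already in the
# connection table, so no ephemeral (high) ports are ever opened inbound.
from dataclasses import dataclass

WEB = "10.1.1.10"      # DMZ1 web server (assumed address)
DB = "10.1.2.20"       # DMZ2 database server (assumed address)
SQL_PORT = 1433        # assumed SQL listener port on the database host

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection

def is_outside(ip: str) -> bool:
    # Assumption: everything behind the firewall lives in 10.0.0.0/8.
    return not ip.startswith("10.")

def allowed_new(p: Packet) -> bool:
    """Explicit allow rules for NEW connections; anything else is denied."""
    if is_outside(p.src) and p.dst == WEB and p.dport == 80:
        return True          # Outside -> TCP80 (WWW) into DMZ1
    if p.src == WEB and p.dst == DB and p.dport == SQL_PORT:
        return True          # DMZ1 web -> DMZ2 database, SQL port only
    return False             # no outbound-initiated traffic from the web server

class StatefulFirewall:
    def __init__(self) -> None:
        self.table = set()   # established flows as (src, sport, dst, dport)

    def filter(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.table or reverse in self.table:
            return "ACCEPT (established)"   # reply or continuation of a known flow
        if p.syn and allowed_new(p):
            self.table.add(key)
            return "ACCEPT (new)"
        return "DROP"                       # default deny, including bare high ports

if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.filter(Packet("203.0.113.5", 51000, WEB, 80, syn=True)))
    print(fw.filter(Packet(WEB, 80, "203.0.113.5", 51000)))
    print(fw.filter(Packet("203.0.113.5", 40000, WEB, 5000, syn=True)))
```

The last three calls show that the web server answers a client from port 80 to the client's high port without any outbound rule, while an unsolicited packet to a high port on the web server is dropped.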