Firewall Rules for Isolating Public Facing Servers

I have a Ubiquiti Dream Machine SE. I’m working on setting up a VLAN for my publicly exposed web and game servers. I’m calling this VLAN the “DMZ”. The DMZ will be isolated from my private VLAN. The web and game servers will have ports such as 443 and 25565 forwarded from the WAN to the servers in the DMZ. I have configured port 6 on the Dream Machine SE to be dedicated to the DMZ network.

So far I have followed this tutorial (Securing your Unifi network 2022 - YouTube) and made some modifications of my own. Here are all of the rules I’ve added:

  • LAN In - Accept - Established / Related
  • LAN In - Drop - Invalid State
  • LAN In - Drop - From RFC1918 to RFC1918
  • LAN Local - Accept - DMZ Network to DMZ Gateway DNS (192.168.3.1 port 53)
  • LAN Local - Drop - DMZ Network to All Gateways (192.168.1.1, 192.168.3.1)

With this setup, my servers can still connect to the internet and they can’t ping the NAS on my private VLAN. My DMZ network cannot navigate to the UniFi console webpage either. My PC cannot ping my servers. This is what I was hoping for and it appears to be working.

Now, I have a few questions:

  1. If one of the servers is compromised, are these rules enough to isolate the DMZ network and protect my private VLAN and UniFi gateway? Or is there something more advanced that I’m missing?

  2. Do I need to create any LAN v6 (IPv6) rules? As far as I know, all the rules I’ve created are IPv4. I’m not familiar with IPv6 so I’m not sure what I might be missing.

  3. (slightly unrelated) Does UniFi have a default DROP policy? Does any traffic not matching a rule in Internet or LAN get dropped?

Thanks!

  1. Looks good to me. Your rule #3 could be changed to two rules, Drop DMZ to RFC1918 and Drop RFC1918 to DMZ, that would allow you to have additional VLANs like IoT and manage their traffic restrictions separately.
  2. I avoid IPv6 so unsure for you.
  3. I believe Unifi is Default-Accept for sessions started from the LAN side and Default-Drop from WAN.

Normally with a DMZ you allow the LAN to initiate management protocols to the DMZ, like SSH and RDP. Otherwise how are you going to manage those servers? And in a more complicated business environment, you might do something like having a web server in the DMZ but the database server in the LAN, and making a firewall rule that allows the webserver to make database connections to the database server but nothing else. This way, if the webserver is compromised (fairly likely), all it can do to the database is change data; if the database server is kept up to date, it can’t itself be compromised.
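To check the isolation claims in the first post against the posted rule order, and to compare it with the split-rule-plus-SSH-allow variant suggested in the replies, here is an added example (not from the thread, and not Ubiquiti's code) of a first-match rule simulator in Python. The addressing beyond the two gateways (private VLAN 192.168.1.0/24 with a PC at .50 and a NAS at .20, DMZ 192.168.3.0/24 with a server at .10), the sample packets, and the default-accept fallback for unmatched LAN traffic (taken from reply #3's reading) are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing (the thread only names the two gateway IPs).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ = ip_network("192.168.3.0/24")
DMZ_GW = ip_address("192.168.3.1")
GATEWAYS = {ip_address("192.168.1.1"), DMZ_GW}

def private(ip):
    return any(ip in net for net in RFC1918)

# The posted rules in evaluation order: (chain, action, match). First match wins.
RULES = [
    ("LAN_IN", "accept", lambda p: p["state"] in ("established", "related")),
    ("LAN_IN", "drop", lambda p: p["state"] == "invalid"),
    ("LAN_IN", "drop", lambda p: private(p["src"]) and private(p["dst"])),
    ("LAN_LOCAL", "accept", lambda p: p["src"] in DMZ and p["dst"] == DMZ_GW and p["dport"] == 53),
    ("LAN_LOCAL", "drop", lambda p: p["src"] in DMZ and p["dst"] in GATEWAYS),
]

# The reply's variant: rule #3 split per direction, with an SSH allow from the
# private VLAN placed above the drops so management of the DMZ hosts still works.
SPLIT_RULES = RULES[:2] + [
    ("LAN_IN", "accept", lambda p: private(p["src"]) and p["src"] not in DMZ
                                   and p["dst"] in DMZ and p["dport"] == 22),
    ("LAN_IN", "drop", lambda p: p["src"] in DMZ and private(p["dst"])),
    ("LAN_IN", "drop", lambda p: private(p["src"]) and p["dst"] in DMZ),
] + RULES[3:]

def verdict(src, dst, dport, state="new", rules=RULES):
    """Return 'accept' or 'drop' for one constructed packet."""
    pkt = {"src": ip_address(src), "dst": ip_address(dst), "dport": dport, "state": state}
    # Traffic addressed to a gateway IP is evaluated in LAN Local; forwarded traffic in LAN In.
    chain = "LAN_LOCAL" if pkt["dst"] in GATEWAYS else "LAN_IN"
    for rule_chain, action, match in rules:
        if rule_chain == chain and match(pkt):
            return action
    return "accept"  # no match: default-accept for LAN-originated sessions, per reply #3

def isolation_checks(rules=RULES):
    """The OP's observed behaviour as rerunnable checks (hosts and ports are constructed)."""
    return {
        "dmz_to_internet": verdict("192.168.3.10", "198.51.100.20", 443, rules=rules),
        "dmz_to_nas": verdict("192.168.3.10", "192.168.1.20", 445, rules=rules),
        "dmz_to_console": verdict("192.168.3.10", "192.168.1.1", 443, rules=rules),
        "dmz_dns": verdict("192.168.3.10", "192.168.3.1", 53, rules=rules),
        "pc_to_server": verdict("192.168.1.50", "192.168.3.10", 25565, rules=rules),
        "server_reply_to_wan": verdict("192.168.3.10", "203.0.113.7", 51000, "established", rules),
    }
```

Rerunning `isolation_checks(SPLIT_RULES)` after any reordering shows whether the DMZ-to-private and private-to-DMZ drops still hold while the SSH allow takes effect; the simulator models only the rule logic, not UniFi's zone handling or IPv6.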

Thank you for your suggestions!

I do plan on having LAN to DMZ allowed for management services (SSH) and for the game server ports. Splitting the rules out is a good suggestion too because I do plan on setting up an IoT network at some point in the future.

As far as IPv6 goes, I’ll probably need to keep doing research about 1) how it works and 2) how it works within UniFi. I don’t want to actively use IPv6. Really, I just want to make sure the DMZ network can’t utilize IPv6 to talk to other devices in LAN.

I prefer to manually disable IPv6 on each server I set up to be certain.