Topic: Stupid question about DMZ
Stupid question about DMZ
« on: December 13, 2009, 20:31:08 »
sawo
Posts: 8
Hi, I'm new to m0n0wall and I still can't figure out a few things... Do I actually need another NIC for DMZ? I just want to forward all ports to a specific IP in the LAN network like I did in my D-Link router. I followed the guide which explains how to set up the DMZ, but I don't have that [ + ] option to add another interface.
Re: Stupid question about DMZ
« Reply #1 on: December 13, 2009, 23:43:58 »
Fred Grayson
Posts: 994
A real DMZ is going to require another interface. And forwarding all ports is sloppy and a serious compromise to your security, no matter how you do it.
--
Google is your friend and Bob's your uncle.
Re: Stupid question about DMZ
« Reply #2 on: December 14, 2009, 09:38:13 »
sawo
Posts: 8
Hmm OK, but if the only way to have a DMZ is another interface, then how is the DMZ implemented on the regular wireless routers like my old D-Link?
« Last Edit: December 14, 2009, 09:43:30 by sawo »
Re: Stupid question about DMZ
« Reply #3 on: December 14, 2009, 14:33:25 »
Fred Grayson
Posts: 994
I said that a real DMZ is going to require another interface. This protects your other network segment(s) should a host on the DMZ become compromised because the firewall is sitting between all interfaces.
Those other routers don't isolate the DMZ host from the other machines because they are all on the same network segment. That's why I say it isn't a DMZ at all. It just does massive port forwarding, which is dangerous.
Here are snips of text right out of one of these D-Link routers from the DMZ setup page. A lot of users don't actually understand these warnings. Some don't even bother to read them.
The DMZ (Demilitarized Zone) option provides you with an option to set a single computer on your network outside of the router. If you have a computer that cannot run Internet applications successfully from behind the router, then you can place the computer into the DMZ for unrestricted Internet access.
Note: Putting a computer in the DMZ may expose that computer to a variety of security risks. Use of this option is only recommended as a last resort.
Only enable the DMZ option as a last resort. If you are having trouble using an application from a computer behind the router, first try opening ports associated with the application in the Virtual Server or Port Forwarding sections.
--
Google is your friend and Bob's your uncle.
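The distinction drawn in the reply above, as an added example that is not part of the thread: a short Python audit that classifies inbound forwarding rules by whether the target sits on the trusted LAN segment or behind a separate firewall interface, and by how many ports are forwarded. The addresses, interface names, rule format and the 1024-port threshold are constructed assumptions, not m0n0wall configuration syntax.

```python
import ipaddress

# Constructed sample data (not from the thread): two firewall interfaces and
# three inbound forwarding rules in a made-up dictionary format.
INTERFACES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.2.0/24"),
}
RULES = [
    {"descr": "consumer-style DMZ host", "ports": (1, 65535), "target": "192.168.1.50"},
    {"descr": "web server on LAN", "ports": (443, 443), "target": "192.168.1.60"},
    {"descr": "web server on DMZ", "ports": (443, 443), "target": "192.168.2.10"},
]
WIDE_RANGE = 1024  # assumed threshold: this many ports or more counts as "wide"


def segment_of(target, interfaces):
    """Return the name of the interface whose subnet contains target, or None."""
    addr = ipaddress.ip_address(target)
    for name, net in interfaces.items():
        if addr in net:
            return name
    return None


def classify(rule, interfaces, trusted="LAN"):
    """Classify one rule by target segment and forwarded port count."""
    low, high = rule["ports"]
    wide = (high - low + 1) >= WIDE_RANGE
    segment = segment_of(rule["target"], interfaces)
    if segment is None:
        return "unknown-segment"
    if segment != trusted:
        # The firewall sits between this host and the trusted segment.
        return "isolated-wide" if wide else "isolated-narrow"
    # Target shares a segment with the trusted hosts: no firewall in between.
    return "lan-wide" if wide else "lan-narrow"


def audit(rules, interfaces, trusted="LAN"):
    """Map each rule description to its classification."""
    return {r["descr"]: classify(r, interfaces, trusted) for r in rules}


if __name__ == "__main__":
    for descr, verdict in audit(RULES, INTERFACES).items():
        print(f"{descr}: {verdict}")
```

A `lan-wide` result corresponds to the single-host "DMZ" option on the consumer router; only the `isolated-*` results have the firewall between the exposed host and the LAN.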
Re: Stupid question about DMZ
« Reply #4 on: December 14, 2009, 17:32:49 »
sawo
Posts: 8
Yes, I know the risks etc. and I will probably stick with regular port forwarding instead of DMZ. Thanks a lot for the info.