[ale] Netgear wireless router as hub

H. A. Story adrin at bellsouth.net
Sun Mar 5 22:33:20 EST 2006



Geoffrey wrote:

>H. A. Story wrote:
>  
>
>>Sounds like you are trying to overwork this.  First you can have a DMZ 
>>on the LAN if you want and it can be on the same subnet. You just 
>>forward all ports to that machine.  You truly don't have a DMZ unless 
>>your ISP is providing you with more than one WAN IP address.
>>    
>>
>
>I don't believe that's correct.  You can have a dmz by having multiple 
>firewalls with different sets of rules.  Or, multiple nics in a firewall 
>with different rules for each.  Simply, servers that provide services to 
>the outside world (http, ftp..) sit in the dmz, whereas your internal 
>network sits behind it, either on a different nic or behind another 
>firewall.  The idea of the dmz is that the machines are protected, but 
>they do provide services to the outside world.
>
>Pictures:
>
>internet <-> bastion firewall <-> dmz <-> internal network
>                                    \_ webserver
>
>  
>
Sorry, my understanding of a DMZ is a publicly routable IP, not 
forwarded ports from a firewall.  Found a few web pages that also 
corrected my thinking on this.  It had to have come from my SonicWall 
days.  On the pro units there is a DMZ port. When you have a T1 with 
more than one WAN IP, you can plug into that port and have access to 
those WAN IP addresses.  Needed when you have VPN protocols of 
incompatible nature and you can't have those NATed.  Unlike older 
Linksys that had a 5th port labeled DMZ that pretty much passed 
everything to that port, if I remember correctly.  The device on that 
port was still on the same LAN.

>>Next I 
>>wouldn't put anything in the DMZ unless I was wanting to watch log files 
>>grow, since I don't have a green thumb.
>>You should read Bob's box. :)  I really would NEVER suggest anyone 
>>putting a server in the DMZ.
>>    
>>
>
>I don't quite understand that statement.  The DMZ does sit behind a 
>firewall of some type.  A typical network would have a bastion firewall 
>between the internet and the dmz.  It would then have a choke firewall 
>between the dmz and the internal network.
>  
>
I was referring to the http, ssh, ftp, etc. logs from all the port 
scans.  Maybe I should pull the book out and re-read this part.

>What is the purpose of a dmz if nothing is there???
>
>Typically, I have a firewall that leads to a dmz.  In that dmz you might 
>have a webserver.  The dmz subnet does not contain any routable ips. 
>Web requests are simply forwarded to the webserver from the firewall.
>
>That firewall is then connected to another firewall that sits between 
>the dmz and the local network.  The dmz and local network have different 
>subnets, neither that are routable.  It's a perfectly workable solution.
>
>  
>
Doesn't that mean next to, not between, logically?

                                     /> (eth1)internal network
Internet <-> (eth0) bastion firewall 
                                     \> (eth2)DMZ "webserver"

Sorry, re-reading this I see you could have it either way.   I am not a 
fan of double NATing myself.  But it appears that the dual firewall 
method is preferred. Again, I would rather let someone else do the 
web/email hosting if I was a large enough organization. 

More reading.  :)  All this RAID and Firewall reading..  I thought it 
was a weekend.

http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci906407,00.html
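As an added illustration (not from this thread or its participants), here is what the three-interface bastion firewall drawn above looks like as an nftables ruleset: only the published web ports are forwarded from the Internet to the DMZ host, the internal LAN may reach both the Internet and the DMZ, and the DMZ can never initiate connections toward the internal LAN. The interface names eth0/eth1/eth2 follow the diagram; the subnets and the webserver address are assumed placeholders.

```nft
# Added example, not the poster's configuration.
# Assumed layout (placeholders):
#   eth0 = Internet (WAN)
#   eth1 = internal network 192.168.1.0/24
#   eth2 = DMZ 192.168.2.0/24, webserver at 192.168.2.10
flush ruleset

table inet bastion {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Manage the firewall itself only from the internal LAN
        iif "eth1" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Internet -> DMZ: only the published web service, nothing else
        iif "eth0" oif "eth2" ip daddr 192.168.2.10 tcp dport { 80, 443 } ct state new accept
        # Internal LAN -> Internet and DMZ
        iif "eth1" oif { "eth0", "eth2" } accept
        # DMZ -> Internet (e.g. package updates), but never the internal LAN
        iif "eth2" oif "eth0" accept
        # A compromised DMZ host probing inward is exactly what you want logged
        iif "eth2" oif "eth1" log prefix "dmz-to-lan " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Forward the public web ports to the DMZ webserver
        iif "eth0" tcp dport { 80, 443 } dnat to 192.168.2.10
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Single NAT at the edge; the DMZ and LAN subnets stay private
        oif "eth0" masquerade
    }
}
```

Load with `nft -f <file>`; the dual-firewall variant from the thread is the same policy split across two boxes, with the DMZ-to-LAN drop living on the inner "choke" firewall.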