Linux - Networking: This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
The concept of the DMZ is to separate publicly accessible machines (servers) from the internal network. The machines inside the DMZ have their own firewalls and protection.
The theory is that if anyone breaks into your server, they will still be constrained within the confines of the DMZ, and not be able to access the client machines inside the LAN. This also allows the setup of different rules and policies for connections to and from the Internet by client and server machines, independently.
For example, you could allow UDP to the DMZ for the servers to use, but block UDP from the clients.
The whole idea of setting up a DMZ is to implement different policies for different servers.
Not necessarily like you have been thinking. Yes, it's open to the public, but that does not mean it doesn't have protections like firewalls and such.
Think of it this way: if you didn't maintain a DMZ, your network firewall would have rules to accept any incoming connection to your publicly accessible server. On the other hand, this server may have unlimited access to your internal LAN servers and machines. Now if the publicly accessible server were compromised, your other machines inside the LAN would pretty much be at risk of being compromised. On the other hand, if you separate your publicly accessible servers and your internal LAN with a DMZ, and restrict the servers in the DMZ from accessing your LAN, then even if those servers are compromised it would be much harder to get inside your LAN.
For the same reason described above.
DMZs are usually set up for networks that have some servers that should be made publicly available, like web servers etc.
The above is true AFAIK; maybe I am missing some facts. I am sure you can find them out yourself with a little more effort.
I get it now!!
So on my 4 NIC IPCop router, I take the DMZ computers and put some sort of security system between them!
If possible, it's also smart to have host-based firewalls running on each server in the DMZ. This adds a layer of protection between the servers themselves (which the dedicated firewall can't do without additional zones) in case of a crack, a worm infection or something like that.
Another recommended thing to do, if possible, is to have your DMZ configured so that it can't *initiate* any connections to the WAN/Internet (not just the LAN). Of course, if you need a box on the DMZ to be able to, for example, send mail, you could add a rule allowing that particular box to do that. But generally speaking, you want to keep things as tight as possible.
just my ...
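The posts above describe a policy rather than a configuration: a default-deny firewall with three zones, per-host exceptions for DMZ boxes that genuinely need to reach out, and no path at all from the DMZ into the LAN. The following is an added example written for this thread, not IPCop's code or any shipped ruleset; it models that policy in Python so the consequences can be checked against sample connection attempts. The zone names follow IPCop's colour convention (RED = Internet, ORANGE = DMZ, GREEN = LAN); the address ranges, hostnames, ports and allowed services are all constructed for the example and are not taken from the original poster's network.

```python
"""Model of a zone-based default-deny policy for a three-zone DMZ network.

Added illustration for the discussion above; not IPCop's code or any real
firewall config. Zone names follow IPCop's colours (RED = Internet,
ORANGE = DMZ, GREEN = LAN). The address ranges, hostnames and allowed
services are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone layout. RED is "everything else", so it is checked last.
ZONES = [
    ("GREEN", ip_network("10.25.5.0/24")),    # LAN clients (assumed range)
    ("ORANGE", ip_network("10.25.10.0/24")),  # DMZ servers (assumed range)
    ("RED", ip_network("0.0.0.0/0")),         # Internet
]
WEB_SERVER = "10.25.10.80"   # constructed DMZ host
MAIL_SERVER = "10.25.10.25"  # constructed DMZ host that must send mail


def zone_of(addr: str) -> str:
    """Map an address to its zone; first (most specific) match wins."""
    ip = ip_address(addr)
    for name, net in ZONES:
        if ip in net:
            return name
    raise ValueError(addr)


@dataclass(frozen=True)
class Flow:
    """A connection attempt, described from the side that *initiates* it."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port
    src_host: Optional[str] = None   # pin the exception to one DMZ box
    dst_host: Optional[str] = None   # e.g. the target of a port forward

    def matches(self, f: Flow) -> bool:
        return (zone_of(f.src) == self.src_zone
                and zone_of(f.dst) == self.dst_zone
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport)
                and self.src_host in (None, f.src)
                and self.dst_host in (None, f.dst))


# Ordered allow list; anything not matched is dropped (default deny).
# Note what is absent: there is no ORANGE -> GREEN rule at all, and
# ORANGE -> RED over TCP exists only for the one box that needs it.
POLICY = [
    Rule("inbound web", "RED", "ORANGE", "tcp", 80, dst_host=WEB_SERVER),
    Rule("inbound https", "RED", "ORANGE", "tcp", 443, dst_host=WEB_SERVER),
    Rule("inbound mail", "RED", "ORANGE", "tcp", 25, dst_host=MAIL_SERVER),
    # Deliberately broad, to show the cost of a generic exception: every DMZ
    # host may now talk UDP/53 outward, which a compromised box can tunnel over.
    Rule("dmz dns lookups", "ORANGE", "RED", "udp", 53),
    Rule("mail relay out", "ORANGE", "RED", "tcp", 25, src_host=MAIL_SERVER),
    Rule("lan admin ssh", "GREEN", "ORANGE", "tcp", 22),
    Rule("lan to dmz web", "GREEN", "ORANGE", "tcp", 443),
    Rule("lan tcp out", "GREEN", "RED", "tcp"),  # clients get TCP out, no UDP
]


def evaluate(f: Flow) -> tuple[str, str]:
    """Return ('ACCEPT', rule name) for the first match, else ('DROP', 'default')."""
    for rule in POLICY:
        if rule.matches(f):
            return "ACCEPT", rule.name
    return "DROP", "default"


def compromised_web_server_reach() -> dict[str, str]:
    """What a cracked DMZ web server can still initiate under this policy."""
    attempts = {  # constructed attacker-side targets (203.0.113.0/24 is TEST-NET-3)
        "lan file server smb": Flow(WEB_SERVER, "10.25.5.20", "tcp", 445),
        "lan admin box ssh": Flow(WEB_SERVER, "10.25.5.10", "tcp", 22),
        "fetch second stage": Flow(WEB_SERVER, "203.0.113.9", "tcp", 80),
        "reverse shell": Flow(WEB_SERVER, "203.0.113.9", "tcp", 4444),
        "dns (tunnel risk)": Flow(WEB_SERVER, "203.0.113.53", "udp", 53),
    }
    return {what: evaluate(flow)[0] for what, flow in attempts.items()}


if __name__ == "__main__":
    for what, verdict in compromised_web_server_reach().items():
        print(f"{what:22s} {verdict}")
```

Running it shows the point made in the thread: once the web server is owned, every attempt to pivot into the LAN or to pull a second stage over TCP is dropped by the default policy, while the mail server's pinned SMTP exception still works. The one line that survives is outbound DNS, because that exception was written per zone rather than per host; tightening it to a single resolver or a single DMZ host is exactly the "add a rule for that particular box" advice above.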
All I need is a VPN at the moment. I will enable VNC ports and a couple of others that will allow for successful forwarding of the information.
Cool... I do have plans to set up an FTP server for public usage, an email server once our parent company cuts us off from their email system, a dynamic domain name server so that I can have a very "dynamic" homepage, and a host of other cool things as well.
I even plan to operate my camera system on the DMZ so that I can watch my employees from home.
My plan guys is to be able to work from home and be with my kids. I will do anything in the world for that. I created a now successful business... Instead of working for it, I want it to work for me! I recently purchased $300,000 worth of shares, and that makes me the sole owner and president of this company. I am no longer incorporated... I am now full shareholder, and all the profit belongs to me now.
Basically, I am doing a CAD drawing of my network, down to EACH cable. This is so I can do a proper iptables configuration and keep it consistent across the board. I will make it manageable via SNMPv3, and that will make life for me just a little bit better (it allows me to see all the activity in/out done by my employees).
My question is:
For the DMZ host setup: IPCop will be granted the IP # 10.25.5.0, and that is the first computer my AdTran T1 modem touches. From there it will be orange as the DMZ host... Do I set it to demilitarize the IP # of my firewall that protects my servers? The firewall's IP # that comes off of the orange NIC is 10.25.10.0, and it is what protects my valuable information... Do I set the DMZ host to direct at that IP #?