Setting up a DMZ

The DMZ is a security concept. It consists of separating your network into at least two networks, the internal LAN and the DMZ (demilitarized zone), and applying a different set of firewall rules to traffic between the LAN and the DMZ, between the Internet and the DMZ, and between the LAN and the Internet. Generally the DMZ is imprisoned: only certain ports in the DMZ are reachable from the Internet, while the DMZ is not allowed to establish new connections to either the Internet or your LAN. That way, if a server inside the DMZ is hacked, the potential damage remains restricted! A DMZ is useless without this kind of firewall rule around it.

We simply assume that publicly accessible servers remain the most vulnerable parts of any network, although they are

  • set up and hardened professionally
  • updated regularly
  • and also thoroughly monitored (mail the log files and read the mail)

Because of this, servers tend to be very secure, whereas the hosts in the LAN aren't: http://events.ccc.de/congress/2009/Fahrplan/events/3596.de.html. This is a GNU/Linux example, where exploits are discussed openly and in general patched very swiftly. If you're using other OSes, well… the DMZ will probably protect the server from the LAN host instead of the other way around. Anyway, there is some kind of security win ;-) Yay.

For splitting up your network into more networks, you could read:

Adding a VLAN

Although it would be possible to set up firewall rules based simply on the IP addresses of the public servers, this may not be the most secure way—what if the attacker changes the MAC address of the server and gets a different IP? Instead, it's best to set up a VLAN, which will put hosts in the DMZ if they are connected to a certain port on the router.

You will first need to choose which port to use for the DMZ. I'm using port 0, which is actually labeled as Ethernet port 4 on my physical router. Now edit /etc/config/network to add the VLAN. Example:

config 'switch' 'eth0'
        # For this model of router,
        # - 0-3 are the ethernet ports
        # - 4 is the WAN port
        # - 5 is the internal connection
        option 'vlan0' '1 2 3 5*' # The default LAN, but port 0 has been removed
        option 'vlan1' '4 5' # The default WAN
        option 'vlan2' '0 5' # The DMZ

Note that there are two completely different formats for this, and you may need to use the other one. See the /etc/config/network documentation for more details.

Next, add the interface for the DMZ:

config 'interface' dmz
        option 'ifname' eth0.2 # This corresponds to "vlan2" above
        # The rest is the same as for a typical LAN interface:
        option 'proto'   static
        option 'ipaddr'  192.168.2.1   # Remember, this is a separate network
        option 'netmask' 255.255.255.0

Services

Once you set up the firewall, DNS should automatically be available to the new network, but DHCP will not. For DHCP, you need to add a new section to /etc/config/dhcp: just duplicate the lan section and change lan to dmz.

Setting up the Firewall

Now the most important thing, the reason why you split up your network: the filtering. You can put your rules into /etc/config/firewall, in which case you have to adhere to UCI syntax, or you can put them in /etc/firewall.user, in which case they can, but do not need to, adhere to it; see the firewall configuration documentation. Example:

config 'zone'
       option 'name' 'dmz'
       option 'input' 'REJECT' # By default, stop anything coming from the DMZ
       option 'output' 'ACCEPT'
       option 'forward' 'REJECT'

# Allow the DMZ to use the router as a DNS server
config 'rule'
       option 'src' 'dmz'
       option 'proto' 'tcpudp'
       option 'dest_port' '53'
       option 'target' 'ACCEPT'

# Allow the DMZ to use the router as a DHCP server
config 'rule'
       option 'src' 'dmz'
       option 'proto' 'udp'
       option 'dest_port' '67'
       option 'target' 'ACCEPT'

# Allow the DMZ to access the Internet
config 'forwarding'
       option 'src' 'dmz'
       option 'dest' 'wan'

# Allow the LAN to access the DMZ
config 'forwarding'
       option 'src' 'lan'
       option 'dest' 'dmz'

# Make 192.168.2.2:80 publicly accessible
config 'redirect'
       option '_name' 'http'
       option 'src' 'wan'
       option 'proto' 'tcp'
       option 'src_dport' '80'
       option 'dest_ip' '192.168.2.2'

# Allow the DMZ to access 192.168.1.4:5432 (FIXME: UNTESTED)
config 'rule'
       option 'src' 'dmz'
       option 'dest' 'lan' # Without a dest zone the rule is an input rule for the router itself
       option 'proto' 'tcpudp'
       option 'dest_ip' '192.168.1.4'
       option 'dest_port' '5432'
       option 'target' 'ACCEPT'
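
One way to check a finished /etc/config/firewall against the isolation goal described at the top of this page, as an added example that is not part of the original wiki page or of OpenWrt: a small Python parser for the UCI sections shown above that reports anything letting the DMZ reach the LAN wholesale. The function names, the finding texts and the sample (the page's zone and forwarding plus one deliberately over-broad dmz-to-lan forwarding) are constructed for illustration.

```python
import shlex

# Constructed sample: the zone and dmz->wan forwarding from the example above,
# plus one deliberately over-broad forwarding (dmz -> lan) to trigger a finding.
SAMPLE = """
config 'zone'
       option 'name' 'dmz'
       option 'input' 'REJECT' # By default, stop anything coming from the DMZ
       option 'output' 'ACCEPT'
       option 'forward' 'REJECT'

config 'forwarding'
       option 'src' 'dmz'
       option 'dest' 'wan'

config 'forwarding'
       option 'src' 'dmz'
       option 'dest' 'lan'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: value})."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # strips quotes and '#' comments
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and tok[0] == "option" and sections:
            sections[-1][1][tok[1]] = tok[2]
    return sections

def audit_dmz(text, dmz="dmz", lan="lan"):
    """Return findings that break the DMZ isolation (zone names are assumptions)."""
    findings = []
    for kind, opt in parse_uci(text):
        if kind == "zone" and opt.get("name") == dmz:
            for chain in ("input", "forward"):
                if opt.get(chain, "").upper() not in ("REJECT", "DROP"):
                    findings.append(f"zone {dmz}: {chain} default is not REJECT/DROP")
        elif kind == "forwarding" and opt.get("src") == dmz and opt.get("dest") == lan:
            findings.append(f"forwarding {dmz} -> {lan} opens the whole LAN")
        elif (kind == "rule" and opt.get("src") == dmz and opt.get("dest") == lan
              and opt.get("target", "").upper() == "ACCEPT"
              and not (opt.get("dest_ip") and opt.get("dest_port"))):
            findings.append(f"rule {dmz} -> {lan} lacks dest_ip/dest_port")
    return findings
```

Run `audit_dmz(open("/etc/config/firewall").read())` against a copy of the router's file; an empty list means none of these three conditions was found, not that the rule set is otherwise sound.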

Notes

  1. For the changes to take effect, you need to restart your router or restart the UCI services network, firewall, and dnsmasq.
  2. You're creating an entirely new network, which means your servers' IP addresses will be different. You may need to update /etc/ethers and configuration files on your servers.
  3. Make sure you allow DNS (TCP/UDP port 53) and DHCP (UDP port 67) connections from the DMZ to your router.
  4. This will give your router another IP address (192.168.2.1 in the example). If you're running certain services such as LuCI on the router, you will need to configure which IP address they serve.
  5. See the difference between a hub and a switch. And please take note:

     On (most?/all?) Realtek and Atheros switches the ARL table, which is where the switch stores already learned MACs and the corresponding ports, uses only the MAC address for indexing. This has the effect that the switch tries to forward a frame to a port that isn't part of the current VLAN (since it learned that the destination is at that port), notes that the destination isn't part of the current VLAN, and drops the frame.

     Broadcom switches do the indexing based on both VID and MAC. Thus the same MAC can be at different ports for different VIDs at the same time. Therefore the switch forwards the frames correctly within the VLANs and bridging works.

* https://forum.openwrt.org/viewtopic.php?pid=125973#p125973

doc/howto/dmz.txt · Last modified: 2013/06/22 16:22 by lorema