The DMZ is a security concept. It comprises the separation of your network into at least two networks: the internal lan and the DMZ (demilitarized zone) and the application of a different set of firewall rules for traffic between the LAN and the DMZ and the Internet and the DMZ and the LAN and the Internet! A DMZ is useless without the filtering. You only put the exposed hosts (the servers) into an own network, so that you can more conveniently filter the traffic!
We simply assume that publicly accessible servers, remain the most vulnerable parts of any network, although they are
- set up and hardened professionally
- updated regularly
- and also thoroughly monitored (mail Log files and read the mail)
Because of this, server tend to be very secure, whereas the hosts in the LAN aren't: http://events.ccc.de/congress/2009/Fahrplan/events/3596.de.html. This is a GNU/Linux example, where exploits are discussed openly and in general patched very swiftly. If you're using other OSes, well… probably the DMZ will protect the server from the lan-host instead of the other way around. Anyway, there is some kind of security win Yay.
For splitting up you network into more networks, you could read:
Although it would be possible to set up firewall rules based simply on the IP addresses of the public servers, this may not be the most secure way—what if the attacker changes the MAC address of the server and gets a different IP? Instead, it's best to set up a VLAN, which will put hosts in the DMZ if they are connected to a certain port on the router.
You will first need to choose which port to use for the DMZ. I'm using port 0, which is actually labeled as Ethernet port 4 on my physical router. Now edit
/etc/config/network to add the VLAN. Example:
config 'switch' 'eth0' # For this model of router, # - 0-3 are the ethernet ports # - 4 is the WAN port # - 5 is the internal connection option 'vlan0' '1 2 3 5*' # The default LAN, but port 0 has been removed option 'vlan1' '4 5' # The default WAN option 'vlan2' '0 5' # The DMZNote that there are two completely different formats for this, and you may need to use the other one. See the
/etc/config/networkfor more details.
Next, add the interface for the DMZ:
config 'interface' dmz option 'ifname' eth0.2 # This corresponds to "vlan2" above # The rest is the same as for a typical LAN interface: option 'proto' static option 'ipaddr' 192.168.2.1 # Remember, this is a separate network option 'netmask' 255.255.255.0
Once you set up the firewall, DNS should automatically be available to the new network, DHCP will not. For DHCP, you need to add a new section to
/etc/config/dhcp — just duplicate the
lan section and change
Now the most important thing, the reason why you split up you network: the filtering. You can put your rules into
/etc/config/firewall, then you have to adhere to UCI syntax or you can put them in
/etc/firewall.user, in which case it can but doesn't need to, see configuration. Example:
config 'zone' option 'name' 'dmz' option 'input' 'REJECT' # By default, stop anything coming from the DMZ option 'output' 'ACCEPT' option 'forward' 'REJECT' # Allow the DMZ to use the router as a DNS server config 'rule' option 'src' 'dmz' option 'proto' 'tcpudp' option 'dest_port' '53' option 'target' 'ACCEPT' # Allow the DMZ to use the router as a DHCP server config 'rule' option 'src' 'dmz' option 'proto' 'udp' option 'dest_port' '67' option 'target' 'ACCEPT' # Allow the DMZ to access the Internet config 'forwarding' option 'src' 'dmz' option 'dest' 'wan' # Allow the LAN to access the DMZ config 'forwarding' option 'src' 'lan' option 'dest' 'dmz' # Make 192.168.2.2:80 publicly accessible config 'redirect' option '_name' 'http' option 'src' 'wan' option 'proto' 'tcp' option 'src_dport' '80' option 'dest_ip' '192.168.2.2' # Allow the DMZ to access 192.168.1.4:5432 (%%FIXME:%% UNTESTED) config 'rule' option 'src' 'dmz' option 'proto' 'tcpudp' option 'dest_ip' '192.168.1.4' option 'dest_port' '5432' option 'target' 'ACCEPT'
- For the changes to take effect, you need to restart your router or restart the UCI services
- You're creating an entirely new network, which means your servers' IP addresses will be different. You may need to update
/etc/ethersand configuration files on your servers.
- Make sure you allow DNS (TCP/UDP port 53) and DHCP (UDP port 67) connections from the DMZ to your router.
- This will give your router another IP address (192.168.2.1 in the example). If you're running certain services such as LuCI on the router, you will need to configure which IP address they serve.
|On (most?/all?) Realtek and Atheros switches the ARL table, that is where the switch stores already learned MACs and the corresponding ports, uses only the MAC address for indexing. This has the effect that the switch tries to forward a frame to a port that isn't part of the current VLAN (since it learned that the destination is at that port), notes that the destination isn't part of the current VLAN, and drops the frame.
Broadcom switches do the indexing based on both, VID and MAC. Thus the same MAC can be at different ports for different VIDs at the same time. Therefore the switch forwards the frames correctly within the VLANs and bridging works.
doc/howto/dmz.txt · Last modified: 2011/08/13 16:13 by orca