Setting up a Simple DMZ host



  • I am trying to set up a simple DMZ host, like the one found in standard consumer routers (Linksys, Netgear, D-Link, etc.).  I have been searching the forums here and at monowall trying to find the correct procedure.  All of them seem pretty complicated and I do not quite understand how to set it up.  I basically want one of the computers in my LAN to have DMZ (full access to the internet).  According to the guides, I need to create another interface, which I do not have the option to do, since I only have two NICs in my computer.  So I believe in my case I just have to create a firewall rule that will allow all traffic and ports (excluding a couple that are forwarded to two other machines on my LAN) and points to my DMZ machine.  Attached is the firewall rule I set up.  I am not sure if this is the correct way of doing this, but any input would be helpful.  Thanks.
    ![pfsense dmz.PNG](/public/imported_attachments/1/pfsense dmz.PNG)



  • A firewall rule alone is not enough.
    You have to forward the ports themselves as well.
    You can do that under Firewall -> NAT.



  • @GruensFroeschli:

    A firewall rule alone is not enough.
    You have to forward the ports themselves as well.
    You can do that under Firewall -> NAT.

    Then what do the ports I was asked for when I set up this firewall rule mean?  I thought that if I select any for the ports, all ports incoming/outgoing from the WAN would be sent to this DMZ IP.  If you would be so kind as to outline the steps I would need to take to set up a simple DMZ to a single computer, I would be very grateful.  Thanks!



  • There are 2 sets of rules: the "NAT rules" and the "firewall rules".

    With NAT you have only one public IP.
    i.e.
    Your setup:

                          [WAN:x.x.x.x]
    internet -------------pfSense---------------client
                          [LAN:192.168.1.1]     [192.168.1.2]

    1: The client wants to access google.com, so he sends his traffic to the pfSense.
    The source of the traffic is now 192.168.1.2.

    2: The pfSense now rewrites the source to x.x.x.x, dynamically makes an entry in a list and sends the traffic to google.com.

    3: google.com now sees x.x.x.x as the source and sends the response to the request to x.x.x.x.
    The destination of the packet sent back is x.x.x.x.

    4: The pfSense receives the answer, looks in its list and sees that 192.168.1.2 made the query to google.com.
    pfSense now rewrites the destination of the received packet so the destination is 192.168.1.2 and sends the answer to the client.

    5: After the connection gets closed, pfSense removes the dynamically added entry from the NAT list.

    Now imagine no client makes a query. -> No entry exists in the list saying what should happen with traffic coming from the outside.
    If you have a server on your LAN and someone from the outside tries to access it, he sends his request to the public IP of the pfSense, and the pfSense has no idea what to do with the received traffic and drops it.

    This is what you need NAT rules for.
    You can think of NAT rules as static entries in the NAT list that say what should happen with certain traffic.
    i.e.: if traffic on port 80 is received, always forward it to the IP of the server.

    With the firewall rules you define who can access what.
    Think of it as guardsmen at a door.
    They control who can enter and who will be turned away.

    So what you did: you told the guardsmen that everyone can enter if their destination is the server, but you forgot to put up a sign saying where the server is.

    Another thing:
    in your firewall rule you have as source: WAN address. This means exactly that: the traffic has to originate from your WAN.
    But traffic from the outside doesn't originate from your own WAN.
    Set this to any.
    OR: just delete the firewall rule.
    When you create a NAT rule there is an option to automatically create the appropriate firewall rule for the NAT rule.
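
The two-list model in the post above (a dynamic NAT state table, static NAT entries for port forwards, and firewall rules that act as the "guardsmen") can be written down as a small simulation. This is an added example, not pfSense or pf code; it uses the post's placeholder addresses (x.x.x.x for the public IP, 192.168.1.x for the LAN), a constructed remote address 203.0.113.5, and simplifies ports (the WAN source port is kept, protocols are ignored). It walks through each case the thread raises: a reply to an outbound connection, a pass rule without a NAT rule, a NAT rule whose pass rule has source = WAN address, and finally the exposed-host setup the original poster wants, with two ports carved out for other LAN machines.

```python
"""Toy model of the NAT state table and firewall rules described above.
Added example, not pfSense/pf code; addresses are placeholders from the
post plus a constructed remote host, and ports are simplified."""
from dataclasses import dataclass, field

WAN = "x.x.x.x"          # public IP of the pfSense (placeholder from the post)
SERVER = "192.168.1.2"   # the LAN host the poster wants exposed
REMOTE = "203.0.113.5"   # constructed outside host sending unsolicited traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000


@dataclass
class PfSense:
    # dynamic NAT state: (remote, remote_port, wan_port) -> (lan_host, lan_port)
    states: dict = field(default_factory=dict)
    # static NAT ("port forward") rules: wan_port -> (lan_host, lan_port);
    # the key "*" is an exposed-host entry that catches every other port
    port_forwards: dict = field(default_factory=dict)
    # firewall rules on WAN: (allowed_source, lan_host, lan_port or None for any)
    wan_rules: list = field(default_factory=list)

    def outbound(self, pkt):
        """Steps 1-2: rewrite the source to the WAN address, remember who asked."""
        self.states[(pkt.dst, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)
        return Packet(src=WAN, dst=pkt.dst, dport=pkt.dport, sport=pkt.sport)

    def inbound(self, pkt):
        """Steps 3-4 for replies; NAT rule plus firewall rule for new traffic.
        Returns the packet as delivered on the LAN, or None if it is dropped."""
        # A reply to an outbound connection: the state table says where it goes.
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.states:
            host, port = self.states[key]
            return Packet(src=pkt.src, dst=host, dport=port, sport=pkt.sport)
        # Unsolicited traffic needs a static NAT entry (the "sign" saying where
        # the server is); an exact port match wins over the exposed-host entry.
        target = self.port_forwards.get(pkt.dport) or self.port_forwards.get("*")
        if target is None:
            return None  # pfSense has no idea what to do with it and drops it
        host, port = target
        port = port or pkt.dport
        # ... and a firewall rule (the "guardsmen") letting this source through.
        for allowed_src, rule_host, rule_port in self.wan_rules:
            if (allowed_src in ("any", pkt.src) and rule_host == host
                    and rule_port in (None, port)):
                return Packet(src=pkt.src, dst=host, dport=port, sport=pkt.sport)
        return None  # a rule with source = WAN address never matches outside traffic


def reply_to_outbound():
    """Normal browsing: the dynamic state entry routes the answer back."""
    fw = PfSense()
    out = fw.outbound(Packet(src=SERVER, dst="google.com", dport=80))
    return fw.inbound(Packet(src="google.com", dst=WAN, dport=out.sport, sport=80))


def firewall_rule_only():
    """What the poster did: a pass rule but no NAT rule -> dropped."""
    fw = PfSense(wan_rules=[("any", SERVER, None)])
    return fw.inbound(Packet(src=REMOTE, dst=WAN, dport=80))


def nat_rule_but_source_wan_address():
    """NAT rule present, but the pass rule's source is the WAN address -> dropped."""
    fw = PfSense(port_forwards={80: (SERVER, 80)}, wan_rules=[(WAN, SERVER, None)])
    return fw.inbound(Packet(src=REMOTE, dst=WAN, dport=80))


def exposed_host(dport):
    """The poster's goal: everything to SERVER except two ports for other hosts."""
    fw = PfSense(
        port_forwards={25: ("192.168.1.3", 25), 443: ("192.168.1.4", 443),
                       "*": (SERVER, None)},
        wan_rules=[("any", "192.168.1.3", 25), ("any", "192.168.1.4", 443),
                   ("any", SERVER, None)],
    )
    return fw.inbound(Packet(src=REMOTE, dst=WAN, dport=dport))
```

The `exposed_host` scenario is the model of what the poster is asking for; note that it deliberately passes every port to 192.168.1.2 from any source, which is exactly why the later reply in this thread warns that such a host must be treated as fully reachable from the internet.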



  • Take care!
    What routers like the aforementioned ones do with one of the hosts on a switch port is far from being a DMZ!
    This is called an "exposed host". Only SOHO marketing calls it a DMZ…

    Once you have a host completely exposed to the untrusted network (internet), this machine can be compromised. Since it resides within the other machines' subnet it can easily spread malware or access other resources on your LAN. Make sure this host is really safe and locked down…

    An option you could choose is to get a VLAN-capable switch and define virtual subnets. This way you can set up a real DMZ and filter or block traffic between your subnets.

    Wikipedia has an article about it:
    http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

    but the German article describes the "exposed host" way better (it isn't mentioned in the English version at all...).
    http://de.wikipedia.org/wiki/Demilitarized_Zone

