On 2/2/2015 6:29 PM, Always Learning wrote:
> On Tue, 2015-02-03 at 13:16 +1100, Kahlil Hodgson wrote:
>
>> A DMZ in this context is a network that has been isolated from the
>> rest of your local network. You can access it from your local
>> network, it can access the rest of the world, but it can't access your
>> network. The idea is that, if a machine in the DMZ is compromised, it
>> can only access other machines in the DMZ.
> Thanks. Now I know. That sort of operation can be done via the router
> and by selecting a wifi option on the same router (Asus RT-AC68U). Wifi
> is off by default.
An Asus RT-whatever is a home internet gateway, not a proper firewall
router, and it has no provision for a proper DMZ as it doesn't have a
port for it. This has *nothing* to do with wifi.
Implementing a proper DMZ requires a firewall router with multiple
zones, at a minimum WAN (internet), LAN (your regular network), and DMZ,
used for your public facing internet servers. The DMZ uses its own
network switch (or VLAN) separate from your LAN switch(es), so traffic
from LAN<=>DMZ has to go through the firewall router. You define
firewall rules such that DMZ servers are blocked from accessing anything
on your WAN except specific services they need (if any), but you usually
allow systems on the LAN side access to everything on the DMZ side.
I've seen configurations where even LAN to DMZ was tightly controlled,
so for example only administrator workstations could ssh into the DMZ
servers.
--
john r pierce 37N 122W
somewhere on the middle of the left coast
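As an added illustration, not part of John's message and not anything Asus ships: the three-zone policy he describes, written as an nftables ruleset for a Linux box acting as the firewall router. The interface names (wan0, lan0, dmz0), the address ranges, the services published from the DMZ (HTTP/HTTPS), the outbound services the DMZ servers are allowed (DNS, NTP), and the admin workstation addresses are all assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added example: three-zone firewall router (WAN / LAN / DMZ).
# Assumed interfaces: wan0 (internet), lan0 (regular network), dmz0 (DMZ switch or VLAN).
# Assumed addressing: LAN 192.168.1.0/24, DMZ 192.168.100.0/24.
flush ruleset

define WAN_IF = "wan0"
define LAN_IF = "lan0"
define DMZ_IF = "dmz0"
define ADMIN_WS = { 192.168.1.10, 192.168.1.11 }   # assumed admin workstations

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Manage the router itself only from the LAN side (assumption).
        iifname $LAN_IF tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections that were allowed in the originating direction.
        ct state established,related accept
        ct state invalid drop

        # LAN -> WAN: ordinary internet access for the regular network.
        iifname $LAN_IF oifname $WAN_IF accept

        # LAN -> DMZ: the usual setup lets the LAN reach everything in the DMZ.
        iifname $LAN_IF oifname $DMZ_IF accept
        # Tightly controlled variant: replace the line above with this one so
        # only the admin workstations can ssh into the DMZ servers.
        # iifname $LAN_IF oifname $DMZ_IF ip saddr $ADMIN_WS tcp dport 22 accept

        # WAN -> DMZ: only the public-facing services (assumed HTTP/HTTPS).
        iifname $WAN_IF oifname $DMZ_IF tcp dport { 80, 443 } accept

        # DMZ -> WAN: only the specific services the servers need (assumed DNS, NTP).
        iifname $DMZ_IF oifname $WAN_IF udp dport { 53, 123 } accept
        iifname $DMZ_IF oifname $WAN_IF tcp dport 53 accept

        # DMZ -> LAN: never. Logged explicitly so a compromised DMZ host probing
        # inward shows up in the firewall log rather than vanishing into the policy drop.
        iifname $DMZ_IF oifname $LAN_IF log prefix "dmz-to-lan-drop: " drop
    }
}
```

Load it with `nft -f` on the router. Because the DMZ sits on its own interface, LAN<=>DMZ traffic cannot bypass the forward chain, and the logged `dmz-to-lan-drop:` entries are the first thing to look at if a DMZ server is suspected of being compromised.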