Re: Port Scanning onWAN IP of Speedtouch 530
- From: Duane Arnold <NotMe@xxxxxxxxx>
- Date: Mon, 20 Mar 2006 18:16:53 GMT
rick@xxxxxxxxxxx wrote:
Duane Arnold wrote:
The purpose of the DMZ is to take a single IP/machine behind the NAT
router and completely expose the computer/its ports to the public
Internet. That means all ports 65,535 TCP and 65,535 UDP ports are
exposed to the public Internet opening all the inbound ports for that
computer to the public Internet, instead of using port forwarding to
selectively open inbound ports.
No... the purpose of a DMZ is to create a security zone that can exist to be more open than the internal network. You would place hosts into the DMZ that you would expose to the internet. You would then have rules in place that define the traffic that can pass from those hosts to your internal network. You should never open a host to all ports but only those ports that it needs to have open. The goal of the DMZ zone is to provide some protection to the internal LAN when the host in the DMZ is compromised.
People still need to follow the same methodology in deciding what ports need to be opened. This is a decision that depends on the requirements of the user.
I think that anyone who knows about FW(s) and a NAT router would know what was being said. Of course, ports are open on the computer in the DMZ based on what applications are running on the machine that have the ports open and are listening. That's a given. If an application is not running and listening on the port, it's not open to begin with.
Of course, the user has to make a determination as to the applications or services running on a machine in the DMZ that will have ports open and applications or services exposed.
If the OP wanted to know more about the DMZ and how it can be used and what it's used for, then he can use Google.
The OP with that NAT router for home usage with its so called DMZ can only do one of two things:
1) Expose the entire machine to the Internet
2) Not expose the entire machine to the Internet
Then it's up to the user to expose or not expose what is needed.
There are no rules that can be set on the typical NAT router for home usage that I know about that's going to allow routing of traffic from a machine in the DMZ to the internal LAN.
Sometimes, there is a need to just stick the whole computer into the DMZ so that it can be accessed by the public. But that would be done by someone who knew what he or she was doing to protect the O/S and other software running on the computer that was being put into the DMZ. You can use Google to further understand why a computer would be sitting in the DMZ of any FW solution. But I suggest that you not do it or not use the DMZ. You should keep your computer out of the DMZ at all costs, if you ever get a solution that has a DMZ.
If you have only one computer it does not matter, the exposure is the same. A DMZ only makes sense if you have more than one computer and you have a requirement to open one of those systems to the internet for selected types of access.
Agreed. However, most home users don't know that and will stick the entire machine into the DMZ of the NAT router to avoid complications.
Please bear in mind that this applies to a solution that allows full configuration of the firewall device and the ability to define a coherent policy for all zones.
The typical NAT router for home usage doesn't have the ability and either the entire machine is or is not being exposed.
The bottom line to me is to make the post geared to the intended recipient.
Duane :)
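The post above makes the point that a machine placed in a home router's "DMZ host" slot has every port forwarded to it, yet only the ports with a listening application are actually open. The way to see that from the outside is a TCP connect scan that distinguishes three answers: a completed handshake (open: something is listening), a RST back (closed: the port reached the host, nothing is listening, and the host is therefore fully exposed), and silence (filtered: the router or a firewall dropped the probe, so the host is not reachable on that port). The script below is an added example and is not code from the thread or from any router vendor; it stands up a throwaway listener on the loopback interface (a constructed stand-in for the exposed machine, since it has to run offline) and scans it alongside a port that nothing listens on. To check a real router you would run `scan()` against the WAN IP from outside the LAN; the host name, port list and timeout are assumptions for the demonstration.

```python
import socket
import threading
from typing import Dict, List, Tuple


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect-scan one TCP port and classify the result.

    "open"     - the TCP handshake completed: an application is listening.
    "closed"   - the host answered with RST (ECONNREFUSED): the port reached
                 the host but nothing is listening, so the host is exposed.
    "filtered" - no answer inside the timeout: a router or firewall dropped
                 the probe, so nothing can be said about the host behind it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:
            # e.g. "no route to host": treat like a dropped probe
            return "filtered"


def scan(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, str]:
    """Classify every port in `ports` on `host` (sequential connect scan)."""
    return {p: classify_port(host, p, timeout) for p in ports}


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Start a throwaway TCP service on an ephemeral port.

    Constructed stand-in for an application that is running and listening on
    the exposed machine; it accepts connections and closes them immediately.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed by demo()
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_unused_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing listens on, by binding to port 0 and releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> Tuple[int, int, Dict[int, str]]:
    """Scan one listening and one non-listening port on loopback.

    Returns (open_port, closed_port, results). On an exposed DMZ host the
    non-listening port reports "closed", not "filtered": the probe got
    through the router and the host itself answered.
    """
    srv, open_port = start_listener()
    closed_port = find_unused_port()
    try:
        return open_port, closed_port, scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port, state in sorted(results.items()):
        print(f"{port:5d}/tcp  {state}")
```

The useful signal when scanning your own WAN IP is the ratio of "closed" to "filtered": a router that is not forwarding a port drops the probe and the scan times out, whereas a DMZ host answers RST for every port it is not listening on, which is exactly the "entire machine exposed" case the post describes. Scan only addresses you are authorised to test.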