[Wolves] Same machine : 2 Nic's -- 1 DMZ 1 LAN
Stuart Langridge
sil at kryogenix.org
Sat Jan 8 12:20:04 GMT 2005
Kevanf1 wrote:
> Well to show my ignorance yet again.... could somebody please tell me
> what a DMZ is? I know it stands for De Militarized Zone but that's
> all I know. Oh, please give me an explanation in lay terms :-)))
As you know, the idea of a firewall is to separate the world into two
bits: the safe bit, behind the firewall, and the unsafe bit, which is
all the rest of the internet. Generally, a firewall will allow all
network traffic to pass from safe into unsafe, and allow nothing to pass
from unsafe into safe. A DMZ is a *third* bit of the world, which you
can optionally set up; it's a halfway house between the two. If you want
to offer services to the world (for example, to run a web server), then
you put the webserver in the DMZ: the firewall allows *some* traffic
into the DMZ. The idea here is that you might have two ports open on the
webserver: port 80 for HTTP, and port 22 for SSH. The firewall allows
connections from the unsafe world to port 80, but only allows the safe
inside world to connect to port 22 on the webserver.
The principle here is that you set up a third bit of the world which is
open to your safe behind-the-firewall part and is *partially* open to
the unsafe world. That way, if someone from the unsafe world compromises
the webserver, they haven't got a foothold into your safe internal
network; instead, they've only got a foothold into the DMZ, which
doesn't help them get at internal safe-world machines.
People (especially people here) will occasionally refer to these things
with colours:
GREEN is the safe internal world
RED is the unsafe internet
ORANGE is the DMZ
after the colour designations that the Smoothwall firewall gives to these
concepts.
Hope that was understandable!
Aq.
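The three-zone policy the reply describes, written out as a small packet-filter model so the allow/drop decisions can be checked. This is an added example, not code from the post or from Smoothwall; the subnets, the webserver address and the zone names as dictionary keys are constructed assumptions.

```python
import ipaddress

# Constructed example addressing (an assumption, not from the post):
# GREEN = internal LAN, ORANGE = DMZ, RED = everything that is neither.
ZONES = {
    "GREEN": ipaddress.ip_network("192.168.1.0/24"),
    "ORANGE": ipaddress.ip_network("10.0.0.0/24"),
}
WEBSERVER = ipaddress.ip_address("10.0.0.10")  # the host placed in the DMZ


def zone_of(ip: str) -> str:
    """Classify an address as GREEN, ORANGE, or RED (anything unknown)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "RED"


# Allow rules as (src_zone, dst_zone, dst_port); None means any port.
# This is exactly the policy the post describes, nothing more:
ALLOW_RULES = [
    ("GREEN", "RED", None),     # safe -> unsafe: everything may pass
    ("GREEN", "ORANGE", None),  # the inside world may reach the DMZ (incl. port 22)
    ("RED", "ORANGE", 80),      # the unsafe world may reach HTTP on the DMZ only
    # No rule lets RED reach port 22 on the DMZ, and no rule lets RED or
    # ORANGE reach GREEN, so a compromised webserver gains no foothold inside.
]


def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'ALLOW' or 'DROP' for a new connection attempt across the firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "ALLOW"  # traffic inside one zone never crosses the firewall
    for rule_src, rule_dst, rule_port in ALLOW_RULES:
        if (rule_src, rule_dst) == (src, dst) and rule_port in (None, dst_port):
            return "ALLOW"
    return "DROP"  # default deny: anything not explicitly allowed is blocked


if __name__ == "__main__":
    for pkt in [("203.0.113.5", "10.0.0.10", 80),   # RED -> DMZ HTTP
                ("203.0.113.5", "10.0.0.10", 22),   # RED -> DMZ SSH
                ("192.168.1.20", "10.0.0.10", 22),  # GREEN -> DMZ SSH
                ("10.0.0.10", "192.168.1.20", 22)]: # DMZ -> GREEN
        print(pkt, decide(*pkt))
```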