Solved

To DMZ or not DMZ ...

Posted on 2009-04-13
12
937 Views
Last Modified: 2012-05-06
I'm running a network behind an RTP300 Linksys router.  I have an FTP server setup on 192.168.1.10
I do have tcp 20/21 forwarded to this device, however it seems that FTP will not work unless I also enable DMZ on this host.

Linksys's description says this removes hardware firewall from that device - I have a software firewall enabled.  So, is this system 'safe'?
Should I verify other ports/access are blocked on that device?

Is there a way to enable FTP to work with this router without enabling DMZ?  I had this working a year ago on a WRT54G with no problem...
0
Question by:sirbounty
12 Comments
 
LVL 17

Accepted Solution

by:
ccomley earned 300 total points
ID: 24136634
Sorry if I'm being unhelpful but I really really REALLY hate this abuse of the term "DMZ".

OK, rant over.

Can you set up the firewall to allow inward access to port 21 from either specific addresses or from "anyone" (depends what you want to permit!)? It's not just a case of forwarding those ports to the FTP server in the NAT mapping, you also have to create a "permit" firewall rule to "allow" the inbound traffic.

I note that it may be that on a class of firewall which uses this radically inaccurate definition of "DMZ" you can't, except by opening *all* ports (which appears to be what they mean by "DMZ").  Which is potentially UNSAFE - it requires you to SPECIFICALLY know that the machine which is your FTP server *can* safely be fully exposed to the internet on all ports, and I would never make that assumption except on servers that have been designed and configured from the ground up to be internet-exposed. The whole POINT of a firewall is to protect machines which are NOT so hardened from being fully exposed.

If you can't configure the Linksys to do what you need here, then my recommendation would be that you replace it with a unit which DOES have a fully configurable firewall.  (I'm unfamiliar with the model - is it a DSL router or a "broadband" router with Ethernet WAN port? If the former, consider a Zyxel Prestige 600 series, a 660 will probably suffice, if the latter, consider a Sonicwall TZ150.)
0
 
LVL 67

Author Comment

by:sirbounty
ID: 24137228
I know it's possible with this router, just not sure why I can't get it working again...
There's an Applications & Gaming tab that provides setting pages for:

  - Port range forwarding (this is where I define port 20-21 forwarded to my 1.10 address and it is ticked as 'enabled')

  - Port triggering (Port triggering will forward port based on the incoming port specified. Check with your software application to find out what is necessary to enter in these fields.)

  - DMZ (which is 'defined' as:

The DMZ Host setting can allow one local PC to be exposed to the Internet. If a local user wishes to use some special-purpose service such as an Internet game or video-conferencing, Enable DMZ, fill in the IP address, and click the Save Settings button. Select Disable for DMZ, deactivates this feature. When enabling this setting, the Router firewall protection of the local DMZ host will be disabled.)

And yes, it's a broadband router provided by Vonage - I don't have the option to switch to another router...
0
 
LVL 17

Assisted Solution

by:ccomley
ccomley earned 300 total points
ID: 24145973
That is NOT what a DMZ is - but sadly several "consumer" routers pretend that that IS the definition of a DMZ so they can claim to offer a DMZ in their advertising. Coz this sort of wide open security hole is easy to configure in a firewall, and a real DMZ takes quite a bit more work.


I don't know why, if you have put the ports you want open in the allowed range, it isn't working. Does it not work at all or does it let you log in but die when you try to send a file? The former suggests no ports are open, the latter suggests the main port is open but the back-channel that FTP uses to send actual files is not being permitted. (In the latter case, see if your client will switch to Passive Mode.)

If you can't get it working via specific ports, then using their "DMZ" feature may be your only option, but if you go that way make sure the target machine has a very reliable and tightly defined software firewall running on it or - better still - obtain and install between that target server and the Linksys router a *proper* firewall which can re-impose the security that the Linksys is failing to offer.  As it stands (and this is WHY this isn't a real DMZ) if you open up their "DMZ" to a server and someone has a way of hacking into that server via any of the open ports, then they can use your server to access any other machine on the LAN (a real DMZ has the open server on a completely separate network specifically so that if someone does manage to hack into it, they can't then use it to see the rest of your LAN). Moreover, a real "DMZ" does not imply all ports are open; even with a proper separate-network DMZ you STILL only open the actual ports required by your system.

0
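To make concrete why forwarding 20/21 alone can fail while the "DMZ host" setting works (the passive-mode back-channel ccomley describes above, and the active/passive check Mansoor Nathani suggests later in the thread), here is an added example that is not code from the thread: a small Python model of the router's forwarding rules and of the FTP PASV reply, showing that the passive data connection lands on a high port the router never forwards, and how much more the DMZ setting exposes. The 203.0.113.7 address and the port values are constructed; the 192.168.1.10 host and the 20/21 rule come from the question.

```python
import ipaddress
import re

# Ports the Linksys "Port range forwarding" page sends to the FTP host (from the thread).
FORWARDED_20_21 = {20, 21}

# RFC 1918 ranges: a PASV reply advertising one of these is unreachable from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Parse an FTP '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.
    Returns (advertised_ip, data_port); per RFC 959 the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def reaches_server(port, forwarded, dmz_host):
    """Router model (assumption): an inbound TCP port reaches the LAN host only if a
    forwarding rule names it, or if the host is the 'DMZ host' (every port passed through)."""
    return dmz_host or port in forwarded


def passive_transfer_ok(pasv_reply, forwarded, dmz_host):
    """Can an Internet client complete a passive-mode transfer through this router?
    Returns (control_ok, data_ok, reason)."""
    if not reaches_server(21, forwarded, dmz_host):
        return False, False, "control port 21 not forwarded"
    ip, port = parse_pasv(pasv_reply)
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        # Classic FTP-behind-NAT failure: the server told the client its LAN address.
        return True, False, "server advertised private address %s" % ip
    if not reaches_server(port, forwarded, dmz_host):
        # Passive data ports are chosen above 1023; 20/21 forwarding never covers them.
        return True, False, "data port %d not forwarded" % port
    return True, True, "ok"


def exposed_ports(forwarded, dmz_host):
    """What the Internet can reach on the host: the forwarded set, or all 65535 ports."""
    return set(range(1, 65536)) if dmz_host else set(forwarded)
```

The defensive alternative the model points at is to pin the server's passive port range to a small block and forward only that block alongside 21, rather than making the host the DMZ target.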

 
LVL 67

Author Comment

by:sirbounty
ID: 24147267
I believe with it disabled, the users get a 'connection failure'.
With it enabled, it works fine.

20 & 21 are forwarded, isn't that all that's needed?
0
 
LVL 3

Expert Comment

by:KvChaos
ID: 24154023
Is your FTP server accepting FTP traffic? XD
0
 
LVL 67

Author Comment

by:sirbounty
ID: 24154027
With it (DMZ) enabled, it works fine.
0
 
LVL 3

Expert Comment

by:KvChaos
ID: 24154061
Well, is there a firewall feature on the router itself?
0
 
LVL 67

Author Comment

by:sirbounty
ID: 24154174
As with most Linksys models, I can enable or disable the combined "Firewall & NAT" feature...
0
 
LVL 3

Expert Comment

by:KvChaos
ID: 24165677
For one, I am not too sure if port-forwarding means that it can pass through the firewall as well.
Also, is FTP working within the network? If it's not, perhaps the issue lies in the FTP server.
0
 
LVL 4

Expert Comment

by:Mansoor Nathani
ID: 24165766
If you put the FTP server in the so-called DMZ you might not be able to access it from machines within the same network, and this is normal.

The ftp client being used to access from outside, is it using a Passive or Active mode?  Try both options when the machine is not in DMZ, and only 20 and 21 forwarded to that specific machine.
0
 
LVL 67

Author Comment

by:sirbounty
ID: 24166293
FTP works fine internally - that is to say from my PC to the external (DYNDNS) address connects easily to the FTP server.
The router has a DDNS feature that updates the IP address periodically through the dyndns server.

Since the router's DMZ feature is still enabled at this point, I would presume the last statement is inaccurate against the router's definition of "DMZ".  I can access it fine with it enabled or disabled.  My machine is actually behind another router, but with NAT disabled.

I'm not sure on the active/passive mode - how would I configure this on the router?  Or are you presuming that it defaults to one and we don't know which?  Wouldn't it be the same though DMZ or not?
0
 
LVL 4

Expert Comment

by:Mansoor Nathani
ID: 24174031
The active and passive is usually an option on the FTP Client software
0
