
To DMZ or not DMZ ...

I'm running a network behind an RTP300 Linksys router. I have an FTP server set up on 192.168.1.10.
I do have TCP 20/21 forwarded to this device, however it seems that FTP will not work unless I also enable DMZ on this host.

Linksys's description says this removes the hardware firewall from that device - I have a software firewall enabled. So, is this system 'safe'?
Should I verify other ports/access are blocked on that device?

Is there a way to enable FTP to work with this router without enabling DMZ?  I had this working a year ago on a WRT54G with no problem...
Asked by sirbounty
2 Solutions
 
ccomley commented:
Sorry if I'm being unhelpful but I really really REALLY hate this abuse of the term "DMZ".

OK, rant over.

Can you set up the firewall to allow inwards access to port 21 from either specific addresses or from "anyone" (depends what you want to permit!)? It's not just a case of forwarding those ports to the FTP server in the NAT mapping, you also have to create a "permit" firewall rule to "allow" the inbound traffic.

I note that it may be that on a class of firewall which uses this radically inaccurate definition of "DMZ" that you can't, except by opening *all* ports, (which appears to be what they mean by "DMZ").  Which is potentially UNSAFE - it requires you to SPECIFICALLY know that the machine which is your FTP server *can* safely be fully exposed to the internet on all ports, and I would never make that assumption except on servers that have been designed and configured from the ground up to be internet-exposed. The whole POINT of a firewall is to protect machines which are NOT so hardened from being fully exposed.

If you can't configure the Linksys to do what you need here, then my recommendation would be that you replace it with a unit which DOES have a fully configurable firewall.  (I'm unfamiliar with the model - is it a DSL router or a "broadband" router with Ethernet WAN port? If the former, consider a Zyxel Prestige 600 series, a 660 will probably suffice, if the latter, consider a Sonicwall TZ150.)

sirbounty (Author) commented:
I know it's possible with this router, just not sure why I can't get it working again...
There's an Applications & Gaming tab that provides setting pages for:

  -Port range forwarding (this is where I define ports 20-21 forwarded to my 1.10 address and it is ticked as 'enabled')

  -Port triggering (Port triggering will forward port based on the incoming port specified. Check with your software application to find out what is necessary to enter in these fields.)

  -DMZ (which is 'defined' as:

The DMZ Host setting can allow one local PC to be exposed to the Internet. If a local user wishes to use some special-purpose service such as an Internet game or video-conferencing, Enable DMZ, fill in the IP address, and click the Save Settings button. Select Disable for DMZ, deactivates this feature. When enabling this setting, the Router firewall protection of the local DMZ host will be disabled.)

And yes, it's a broadband router provided by Vonage - I don't have the option to switch to another router...

ccomley commented:
That is NOT what a DMZ is - but sadly several "consumer" routers pretend that that IS the definition of a DMZ so they can claim to offer a DMZ in their advertising. Coz this sort of wide open security hole is easy to configure in a firewall, and a real DMZ takes quite a bit more work.


I don't know why, if you have put the ports you want open in the allowed range, it isn't working. Does it not work at all or does it let you log in but die when you try to send a file? The former suggests no ports are open, the latter suggests the main port is open but the back-channel that FTP uses to send actual files is not being permitted. (In the latter case, see if your client will switch to Passive Mode.)

If you can't get it working via specific ports, then using their "DMZ" feature may be your only option, but if you go that way make sure the target machine has a very reliable and tightly defined software firewall running on it or - better still - obtain and install between that target server and the Linksys router a *proper* firewall which can re-impose the security that the Linksys is failing to offer.  As it stands (and this is WHY this isn't a real DMZ) if you open up their "DMZ" to a server and someone has a way of hacking into that server via any of the open ports, then they can use your server to access any other machine on the LAN (a real DMZ has the open server on a completely separate network specifically so that if someone does manage to hack into it, they can't then use it to see the rest of your LAN). Moreover, a real "DMZ" does NOT imply all ports are open; even with a proper separate-network DMZ you STILL only open the actual ports required by your system.

sirbounty (Author) commented:
I believe with it disabled, the user gets a 'connection failure'.
With it enabled, it works fine.

20 & 21 are forwarded, isn't that all that's needed?

KvChaos commented:
Is your FTP server accepting FTP traffic? XD

sirbounty (Author) commented:
With it (DMZ) enabled, it works fine.

KvChaos commented:
Well, is there a firewall feature on the router itself?

sirbounty (Author) commented:
As with most Linksys models, I can enable or disable the combined "Firewall & NAT" feature...

KvChaos commented:
For one, I am not too sure if port-forwarding means that it can pass through the firewall as well.
Also, is FTP working within the network? If it's not, perhaps the issue lies in the FTP server.

Mansoor Nathani commented:
If you put the FTP server in the so-called DMZ you might not be able to access it from machines within the same network, and this is normal.

The FTP client being used to access it from outside: is it using Passive or Active mode?  Try both options when the machine is not in the DMZ, with only 20 and 21 forwarded to that specific machine.
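ccomley's point about the FTP "back-channel" and Mansoor Nathani's passive/active question are the same issue seen from two sides: FTP announces the data-connection endpoint inside the control session, and the router only forwards what its rule lists. The script below is an added example, not code from anyone in this thread; it parses the PASV/PORT endpoints and checks them against a forwarding rule. The server address 192.168.1.10 and ports 20/21 come from the question; the passive range 50000-50010 and the client address 203.0.113.5 are constructed.

```python
"""Added example, not from the thread: check the data-channel endpoints that FTP
carries in PASV replies and PORT commands against a router's forwarding rule."""
import ipaddress
import re

SERVER_LAN_IP = "192.168.1.10"      # FTP host from the question
FORWARDED_TO_SERVER = {20, 21}      # the Linksys port-range forwarding rule
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan_address(host):
    return any(ipaddress.ip_address(host) in net for net in RFC1918)

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by both PASV replies and PORT commands."""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", text)
    if not m:
        raise ValueError("no host/port tuple in: " + text)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in: " + text)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_passive(pasv_reply, forwarded=FORWARDED_TO_SERVER):
    """Passive mode: the client opens a second, inbound connection to the port the
    server advertises, so that port must be forwarded and the address must be public."""
    host, port = parse_hostport(pasv_reply)
    problems = []
    if is_lan_address(host):
        problems.append(f"server advertised LAN address {host}; router did not rewrite it")
    if port not in forwarded:
        problems.append(f"data port {port} is not forwarded to {SERVER_LAN_IP}")
    return problems

def check_active(port_command):
    """Active mode: the server connects outbound from TCP 20 to the endpoint in PORT;
    no forwarding needed server-side, but it fails if the client advertised a LAN address."""
    host, port = parse_hostport(port_command)
    if is_lan_address(host):
        return [f"client asked for a connection to unreachable LAN address {host}:{port}"]
    return []

def passive_forwarding_rule(low, high):
    """Ports to forward for passive mode: control port plus the server's passive range."""
    return {21} | set(range(low, high + 1))

if __name__ == "__main__":
    # constructed sample exchange: server behind NAT with only 20/21 forwarded
    print(check_passive("227 Entering Passive Mode (192,168,1,10,195,80)"))
    print(check_active("PORT 10,0,0,7,4,1"))
```

With only 20/21 forwarded, the passive reply above fails twice: the advertised address is the LAN one and port 50000 is not forwarded, which matches the "log in but die on transfer" symptom ccomley describes.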
 
sirbounty (Author) commented:
FTP works fine internally - that is to say, from my PC, connecting to the external (DYNDNS) address reaches the FTP server easily.
The router has a DDNS feature that updates the IP address periodically through the dyndns server.

Since the router's DMZ feature is still enabled at this point, I would presume the last statement is inaccurate against the router's definition of "DMZ".  I can access it fine with it enabled or disabled.  My machine is actually behind another router, but with NAT disabled.

I'm not sure on the active/passive mode - how would I configure this on the router?  Or are you presuming that it defaults to one and we don't know which?  Wouldn't it be the same though DMZ or not?

Mansoor Nathani commented:
Active and passive mode is usually an option in the FTP client software.