Solved

To DMZ or not DMZ ...

Posted on 2009-04-13
Last Modified: 2012-05-06
I'm running a network behind an RTP300 Linksys router. I have an FTP server set up on 192.168.1.10.
I do have tcp 20/21 forwarded to this device, however it seems that FTP will not work unless I also enable DMZ on this host.

Linksys's description says this removes hardware firewall from that device - I have a software firewall enabled.  So, is this system 'safe'?
Should I verify other ports/access are blocked on that device?

Is there a way to enable FTP to work with this router without enabling DMZ?  I had this working a year ago on a WRT54G with no problem...
Question by:sirbounty
Accepted Solution by: ccomley (earned 300 total points, ID: 24136634)
Sorry if I'm being unhelpful but I really really REALLY hate this abuse of the term "DMZ".

OK, rant over.

Can you set up the firewall to allow inwards access to port 21 from either specific addresses or from "anyone" (depends what you want to permit!)? It's not just a case of forwarding those ports to the FTP server in the NAT mapping, you also have to create a "permit" firewall rule to "allow" the inbound traffic.

I note that it may be that on a class of firewall which uses this radically inaccurate definition of "DMZ" that you can't, except by opening *all* ports (which appears to be what they mean by "DMZ"). Which is potentially UNSAFE - it requires you to SPECIFICALLY know that the machine which is your FTP server *can* safely be fully exposed to the internet on all ports, and I would never make that assumption except on servers that have been designed and configured from the ground up to be internet-exposed. The whole POINT of a firewall is to protect machines which are NOT so hardened from being fully exposed.

If you can't configure the Linksys to do what you need here, then my recommendation would be that you replace it with a unit which DOES have a fully configurable firewall.  (I'm unfamiliar with the model - is it a DSL router or a "broadband" router with Ethernet WAN port? If the former, consider a Zyxel Prestige 600 series, a 660 will probably suffice, if the latter, consider a Sonicwall TZ150.)
Author Comment by: sirbounty (ID: 24137228)
I know it's possible with this router, just not sure why I can't get it working again...
There's an Applications & Gaming tab that provides setting pages for:

  - Port range forwarding (this is where I define port 20-21 forwarded to my 1.10 address and it is ticked as 'enabled')

  - Port triggering (Port triggering will forward port based on the incoming port specified. Check with your software application to find out what is necessary to enter in these fields.)

  - DMZ (which is 'defined' as:

The DMZ Host setting can allow one local PC to be exposed to the Internet. If a local user wishes to use some special-purpose service such as an Internet game or video-conferencing, Enable DMZ, fill in the IP address, and click the Save Settings button. Select Disable for DMZ, deactivates this feature. When enabling this setting, the Router firewall protection of the local DMZ host will be disabled.

And yes, it's a broadband router provided by Vonage - I don't have the option to switch to another router...
Assisted Solution by: ccomley (earned 300 total points, ID: 24145973)
That is NOT what a DMZ is - but sadly several "consumer" routers pretend that that IS the definition of a DMZ then they can claim to offer a DMZ in their advertising. Coz this sort of wide open security hole is easy to configure in a firewall, and a real DMZ takes quite a bit more work.


I don't know why, if you have put the ports you want open in the allowed range, it isn't working. Does it not work at all or does it let you log in but die when you try to send a file? The former suggests no ports are open, the latter suggests the main port is open but the back-channel that FTP uses to send actual files is not being permitted. (In the latter case, see if your client will switch to Passive Mode.)

If you can't get it working via specific ports, then using their "DMZ" feature may be your only option, but if you go that way make sure the target machine has a very reliable and tightly defined software firewall running on it or - better still - obtain and install between that target server and the Linksys router a *proper* firewall which can re-impose the security that the Linksys is failing to offer. As it stands (and this is WHY this isn't a real DMZ) if you open up their "DMZ" to a server and someone has a way of hacking into that server via any of the open ports, then they can use your server to access any other machine on the LAN (a real DMZ has the open server on a completely separate network specifically so that if someone does manage to hack into it, they can't then use it to see the rest of your LAN). Moreover, a real "DMZ" does not imply all ports are open; even with a proper separate-network DMZ you STILL only open the actual ports required by your system.

Author Comment by: sirbounty (ID: 24147267)
I believe with it disabled, the user gets a 'connection failure'.
With it enabled, it works fine.

20 & 21 are forwarded, isn't that all that's needed?
Expert Comment by: KvChaos (ID: 24154023)
Is your FTP server accepting FTP traffic? XD
Author Comment by: sirbounty (ID: 24154027)
With it (DMZ) enabled, it works fine.
Expert Comment by: KvChaos (ID: 24154061)
Well, is there a firewall feature on the router itself?
Author Comment by: sirbounty (ID: 24154174)
As with most Linksys models, I can enable or disable the combined "Firewall & NAT" feature...
Expert Comment by: KvChaos (ID: 24165677)
For one, I am not too sure if port-forwarding means that it can pass through the firewall as well.
Also, is FTP working within the network? If it's not, perhaps the issue lies in the FTP server.
Expert Comment by: mnathani (ID: 24165766)
If you put the FTP server in the so-called DMZ you might not be able to access it from machines within the same network, and this is normal.

The FTP client being used to access it from outside, is it using Passive or Active mode? Try both options when the machine is not in the DMZ, with only 20 and 21 forwarded to that specific machine.
Author Comment by: sirbounty (ID: 24166293)
FTP works fine internally - that is to say, connecting from my PC to the external (DYNDNS) address reaches the FTP server easily.
The router has a DDNS feature that updates the IP address periodically through the dyndns server.

Since the router's DMZ feature is still enabled at this point, I would presume the last statement is inaccurate against the router's definition of "DMZ". I can access it fine with it enabled or disabled. My machine is actually behind another router, but with NAT disabled.

I'm not sure on the active/passive mode - how would I configure this on the router?  Or are you presuming that it defaults to one and we don't know which?  Wouldn't it be the same though DMZ or not?
Expert Comment by: mnathani (ID: 24174031)
The active and passive setting is usually an option in the FTP client software.
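The "back-channel" and active/passive points raised in the thread, worked through as an added example that is not code from anyone here: it decodes the server's RFC 959 "227" passive-mode reply and checks the announced data port against the router's port-range-forwarding rows, which shows why forwarding only 20-21 leaves passive-mode transfers blocked while the "DMZ host" setting (every port sent to one LAN host) lets them through, and how much wider the exposure is. The addresses, passive port range and forwarding rows are constructed sample values.

```python
import ipaddress
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_HOST = [(1, 65535)]  # what the Linksys "DMZ host" setting amounts to: every port, one LAN host

def parse_pasv_reply(line):
    """Decode a 227 reply into (host, port); the data port is p1 * 256 + p2."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {line!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def ports_from_ranges(ranges):
    """Expand router 'port range forwarding' rows such as [(20, 21), (50000, 50099)]."""
    ports = set()
    for lo, hi in ranges:
        ports.update(range(lo, hi + 1))
    return ports

def diagnose_passive_transfer(pasv_reply, forwarded_ranges):
    """List why the client's inbound data connection will fail (empty list means OK).
    In passive mode the client dials in to the port the server announced, so that port,
    not only 21, has to be forwarded; 'DMZ host' makes it work by forwarding every port."""
    host, port = parse_pasv_reply(pasv_reply)
    problems = []
    if any(ipaddress.ip_address(host) in net for net in RFC1918):
        problems.append(f"server announced private address {host}, unreachable from the Internet")
    if port not in ports_from_ranges(forwarded_ranges):
        problems.append(f"data port {port} is not forwarded by the router")
    return problems

def exposed_port_count(forwarded_ranges):
    """How many ports a forwarding policy opens to the host (DMZ host: all 65535)."""
    return len(ports_from_ranges(forwarded_ranges))

if __name__ == "__main__":
    # Constructed sample reply: public address 203.0.113.10, data port 195 * 256 + 80 = 50000.
    reply = "227 Entering Passive Mode (203,0,113,10,195,80)"
    for label, rules in [("20-21 only", [(20, 21)]),
                         ("21 + passive range", [(21, 21), (50000, 50099)]),
                         ("DMZ host", DMZ_HOST)]:
        print(f"{label}: {diagnose_passive_transfer(reply, rules) or 'OK'}, "
              f"exposed ports={exposed_port_count(rules)}")
```

A server that announces its LAN address (192.168.1.10) in the 227 reply fails for Internet clients even with every port forwarded, which is the other classic FTP-behind-NAT failure the check reports.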