Firewall / DMZ / IP theory question
Posted on 2012-08-29
Hello big brains of Experts Exchange! I'm trying to learn firewall/IP theory stuff and have a question that has me stopped.
Say I have a small network without a DMZ. If I want to add one, and assuming I have a firewall that allows for multiple ports and therefore network segments, and the setup is:
            (WAN port)
                |
          [ firewall ]
          /          \
    (x1 port)      (LAN port)
Or I guess to put it in those ever useful words:
From the internet to the firewall's WAN port, configured with a public IP, and a LAN port which NATs to an internal network of, say, 192.168.1.0/24.
Additionally, there is an X1 port which I decide will be my DMZ, so I configure it with a local network IP of 192.168.2.1, and the hosts behind this interface will be, say, 192.168.2.0/24.
From what I understand, the firewall can allow hosts on the LAN to access the DMZ hosts in a filtered way (say, only RDP traffic). Right? Well, dangit, I'm confused about how this works.
I know there are rules that say nothing initiated on the DMZ side can access the LAN side, but how does the LAN side access the DMZ side with an IP scheme like the one above? How is this possible, since the 255.255.255.0 netmask keeps the LAN IPs from even seeing the DMZ IPs?
Is this done via some kind of port forwarding rules or what?
Thanks for clearing up something that's been bugging me!
OH, and a BONUS question!! If I have the DMZ configured right, then for the DMZ machines (say an FTP server or web server) to deliver their stuff to outside hosts, would there need to be some sort of individual routing rules in the firewall that map the server's public IP (and I guess port) to the private IP and port?
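The following is an added worked model of the three-legged setup described in the question; it is not part of the original post or of any answer, and it is not vendor firewall code. It models what the firewall actually does with a packet: a host on 192.168.1.0/24 does not need to "see" 192.168.2.0/24 through its own netmask, it only needs a default gateway, and the firewall has an interface on both subnets so LAN-to-DMZ is ordinary routing subject to the zone policy. The bonus question is the DNAT ("port forwarding") table plus connection tracking, which is what lets the DMZ server's replies flow back out under the public address. The public IP 203.0.113.2 (a documentation range), the DMZ web server 192.168.2.10, the client addresses and the port numbers are all constructed assumptions.

```python
"""Toy model of a three-legged firewall (WAN / LAN / X1 = DMZ). Added example, not vendor code."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology following the question. The public address (203.0.113.2, a documentation
# range), the DMZ web server address and every port number below are assumptions for illustration.
IFACES = {
    "wan": ipaddress.ip_interface("203.0.113.2/30"),
    "lan": ipaddress.ip_interface("192.168.1.1/24"),
    "x1":  ipaddress.ip_interface("192.168.2.1/24"),
}
PUBLIC_IP = str(IFACES["wan"].ip)
WEB_SERVER = "192.168.2.10"

ANY = "any"
# Policy for NEW connections only: (ingress leg, egress leg) -> allowed (proto, dport)
POLICY = {
    ("lan", "x1"):  {("tcp", 3389)},   # LAN may RDP into the DMZ, nothing else
    ("lan", "wan"): ANY,
    ("x1",  "wan"): ANY,               # in practice: only what the server needs (DNS, updates)
    ("x1",  "lan"): set(),             # the DMZ never initiates toward the LAN
    ("wan", "x1"):  {("tcp", 80)},     # only published services, checked after DNAT
    ("wan", "lan"): set(),
}
# Published services: public ip:port -> DMZ ip:port (the "port forwarding" / DNAT rule)
DNAT = {(PUBLIC_IP, "tcp", 80): (WEB_SERVER, 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Connection table: how the expected reply looks on arrival -> how it must look when it leaves
CONNTRACK: dict[tuple, Packet] = {}


def host_next_hop(host_ip: str, prefix_len: int, dst: str, gateway: str) -> str:
    """A host's own decision: destination on-link (ARP for it) or hand it to the default gateway."""
    net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    return "on-link" if ipaddress.ip_address(dst) in net else gateway


def egress_leg(dst: str) -> str:
    """Firewall routing lookup: connected routes for LAN and DMZ, default route out the WAN."""
    ip = ipaddress.ip_address(dst)
    for name, iface in IFACES.items():
        if ip in iface.network:
            return name
    return "wan"


def forward(ingress: str, pkt: Packet) -> tuple[str, Packet]:
    """Process one packet arriving on leg `ingress`; return (verdict, packet as it leaves)."""
    # Anti-spoofing: on the private legs the source must belong to that leg's own subnet
    if ingress in ("lan", "x1") and ipaddress.ip_address(pkt.src) not in IFACES[ingress].network:
        return "DROP", pkt
    if ingress == "wan" and pkt.dst != PUBLIC_IP:
        return "DROP", pkt   # from outside, only traffic addressed to our public IP is considered
    # Replies to a tracked connection are accepted and translated back, regardless of POLICY
    reply_key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
    if reply_key in CONNTRACK:
        return "ACCEPT", CONNTRACK[reply_key]
    original = pkt
    # Pre-routing DNAT: a new connection to public ip:port is redirected to the DMZ server
    if ingress == "wan" and (pkt.dst, pkt.proto, pkt.dport) in DNAT:
        new_dst, new_port = DNAT[(pkt.dst, pkt.proto, pkt.dport)]
        pkt = replace(pkt, dst=new_dst, dport=new_port)
    # Routing: the firewall sits on both 192.168.1.0/24 and 192.168.2.0/24, so LAN -> DMZ is
    # plain forwarding; the hosts' /24 masks only decide whom they ARP for directly
    egress = egress_leg(pkt.dst)
    if egress == ingress:
        return "DROP", pkt   # same-leg or to-the-firewall traffic is outside this forwarding model
    allowed = POLICY.get((ingress, egress), set())
    if allowed != ANY and (pkt.proto, pkt.dport) not in allowed:
        return "DROP", pkt
    # Post-routing SNAT: anything leaving on the WAN leg wears the public address
    if egress == "wan":
        pkt = replace(pkt, src=PUBLIC_IP)
    # Remember the flow so the reply is let back in and de-NATed to the original endpoints
    CONNTRACK[(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)] = Packet(
        original.dst, original.dport, original.src, original.sport, original.proto)
    return "ACCEPT", pkt


if __name__ == "__main__":
    print(host_next_hop("192.168.1.50", 24, "192.168.2.10", "192.168.1.1"))
    print(forward("lan", Packet("192.168.1.50", 40000, "192.168.2.10", 3389)))
    print(forward("x1", Packet("192.168.2.10", 5000, "192.168.1.50", 445)))
    print(forward("wan", Packet("198.51.100.7", 5555, PUBLIC_IP, 80)))
```

The two things to take from the model: the LAN host's `host_next_hop` decision is the only place its 255.255.255.0 mask matters (off-subnet traffic goes to the gateway, which is the firewall), and the firewall then forwards between its own directly connected legs under `POLICY`; nothing about "port forwarding" is involved for LAN-to-DMZ. Publishing a DMZ server to the internet is the separate `DNAT` entry, and the `CONNTRACK` table is why the DMZ server's replies get back out under the public IP without any rule allowing DMZ-initiated traffic.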