Firewall / DMZ / IP theory question

Hello big brains of Experts Exchange! I'm trying to learn firewall/IP theory stuff and have a question that has me stopped.

Say I have a small network without a DMZ. If I want to add one, and assuming I have a firewall that allows for multiple ports and therefore network segments, and the setup is:

         internet
              |
              |
              | (WAN port)
   firewall/router
   | (x1 port)   | (LAN port)
   |                 |
   |                 |
  DMZ          LAN

Or I guess to put it in those ever useful words:

From the internet to the firewall WAN port configured with a public IP, and a LAN port which NATs to an internal network of, say, 192.168.1.0/24.

Additionally, there is an X1 port which I decide will be my DMZ, so I configure it with an internal network IP of 192.168.2.1, and the hosts behind this interface will be, say, 192.168.2.0/24.

From what I understand, the firewall can allow hosts on the LAN to access in a filtered way (say only through RDP traffic) the DMZ hosts. Right? Well, dangit, I'm confused about how this works.

I know there are rules that say nothing initiated on the DMZ side can access the LAN side, but how does the LAN side access the DMZ side w/ an IP scheme like the one above? How is this possible, since the 255.255.255.0 netmask keeps the LAN IPs from even seeing the DMZ IPs?

Is this done via some kind of port forwarding rules or what?

Thanks for clearing up something that's been bugging me!

OH and a BONUS question!! If I have the DMZ configured right, then for the DMZ machines (say an FTP server or web server) to deliver their stuff to outside hosts, would there need to be some sort of individual routing rules in the firewall that map the server's public IP (and I guess port) to the private IP and port?
0
Asked by sdcox72
2 Solutions
 
aresfx commented:
You already got most of it right.

The Connection between LAN and DMZ works as follows:

The router routes traffic between the two subnets (in this case 192.168.1.0/24 and 192.168.2.0/24) in BOTH directions.
The firewall running on the router limits the allowed connections to specific protocols / traffic initiated from the LAN but not the DMZ / ... as you wish to configure.

Bonus "Answer": Exactly! You will need NAT rules to map Public IP / Port to DMZ Server IP / Port.

Greetings
aresfx
0
 
unfragmented commented:
how does the LAN side access the DMZ side w/ an ip scheme like the one above? How is this possible, since the 255.255.255.0 netmask keeps the LAN ips from even seeing the DMZ ips?

This is just normal 'routing'.  The mask isn't a security concept.  It's a hierarchical networking concept.  If the LAN can't 'see' the DMZ, it forwards the packet to the default gateway (the firewall).  Guess what - the firewall has a leg in every network, so it can deliver the packet.

When a packet is forwarded through the firewall, being a security device, it may decide not to deliver a packet, based on its 'firewall rules'.

If I have the DMZ configured right, then for the DMZ machines (say an FTP server or web server) to deliver their stuff to outside hosts, would there need to be some sort of individual routing rules in the firewall that map the server's public IP (and I guess port) to the private IP and port?

Yes, you have it right.  That is a combination of
1. network address translation (NAT, sometimes called port forwarding) - effectively maps public address to a private address.
2. a rule that allows the traffic into the firewall to be mapped.
0
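Both answers describe the same two mechanisms: the firewall routes between its legs by subnet (the mask only says which leg an address lives on), and a default-deny forward policy plus a NAT entry decides what actually gets through. The following is an added example, not code from either answerer or from any particular firewall product: a small Python model of the three-legged firewall from the question. The public address 203.0.113.5, the DMZ hosts 192.168.2.10 and 192.168.2.11, and every sample packet are constructed for the example. It models only the first packet of a new connection; on a real stateful firewall the reply packets ride on the connection state and need no rule of their own.

```python
"""Three-legged firewall model: route lookup across LAN/DMZ/WAN, a default-deny
forward policy for new connections, and DNAT for published DMZ services.
Added example; the topology and addresses are constructed, not from the thread."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address

# Constructed topology mirroring the question's diagram (assumption).
INTERFACES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),   # LAN port
    "dmz": ipaddress.ip_network("192.168.2.0/24"),   # X1 port
    "wan": ipaddress.ip_network("203.0.113.0/24"),   # assumed public /24 on the WAN port
}
PUBLIC_IP = IPv4("203.0.113.5")   # assumed public address of the WAN port
DEFAULT_ROUTE = "wan"             # anything not on a connected subnet goes to the internet

# Bonus question: published services. Public (ip, proto, port) -> DMZ (host, port).
DNAT = {
    (PUBLIC_IP, "tcp", 80): (IPv4("192.168.2.10"), 80),   # assumed web server
    (PUBLIC_IP, "tcp", 21): (IPv4("192.168.2.11"), 21),   # assumed FTP server (control channel)
}

# Forward policy for NEW connections, matched after DNAT. Default deny.
# "any" matches every protocol; None matches every port.
POLICY = [
    ("lan", "dmz", "tcp", 3389),   # LAN may RDP into DMZ hosts
    ("lan", "wan", "any", None),   # LAN may reach the internet
    ("dmz", "wan", "any", None),   # DMZ hosts may reach the internet
    ("wan", "dmz", "tcp", 80),     # the allow rule that pairs with the web DNAT entry
    ("wan", "dmz", "tcp", 21),     # likewise for FTP
    # intentionally no dmz -> lan entry: a DMZ host can never open a connection inward
]

@dataclass(frozen=True)
class Decision:
    in_iface: str
    out_iface: str
    dst: IPv4      # destination after NAT
    dport: int     # port after NAT
    allowed: bool
    reason: str

def iface_for(addr):
    """Longest-prefix match over the firewall's connected subnets.
    The mask decides which leg an address lives on, nothing more."""
    best = None
    for name, net in INTERFACES.items():
        if addr in net and (best is None or net.prefixlen > INTERFACES[best].prefixlen):
            best = name
    return best or DEFAULT_ROUTE

def apply_dnat(dst, proto, dport):
    """Translate a published public ip:port to its DMZ host; unchanged otherwise."""
    return DNAT.get((dst, proto, dport), (dst, dport))

def forward(src, dst, proto, dport):
    """Decide whether the first packet of a new connection is forwarded.
    Order matches a real stateful firewall: DNAT, then routing, then policy."""
    src, dst = IPv4(src), IPv4(dst)
    in_iface = iface_for(src)
    nat_dst, nat_port = apply_dnat(dst, proto, dport)
    if nat_dst == PUBLIC_IP:
        return Decision(in_iface, "local", nat_dst, nat_port, False,
                        "addressed to the firewall itself and not published via DNAT")
    out_iface = iface_for(nat_dst)
    for p_in, p_out, p_proto, p_port in POLICY:
        if ((p_in, p_out) == (in_iface, out_iface)
                and p_proto in ("any", proto) and p_port in (None, nat_port)):
            return Decision(in_iface, out_iface, nat_dst, nat_port, True,
                            f"matched {p_in}->{p_out} {p_proto}/{p_port or 'any'}")
    return Decision(in_iface, out_iface, nat_dst, nat_port, False, "default deny")

if __name__ == "__main__":
    # Constructed sample packets: (src, dst, proto, dport)
    for pkt in [("192.168.1.20", "192.168.2.10", "tcp", 3389),   # LAN admin RDP -> DMZ
                ("192.168.1.20", "192.168.2.10", "tcp", 22),     # LAN -> DMZ, port not approved
                ("192.168.2.10", "192.168.1.20", "tcp", 3389),   # DMZ trying to reach the LAN
                ("198.51.100.7", "203.0.113.5", "tcp", 80),      # internet -> published web server
                ("198.51.100.7", "203.0.113.5", "tcp", 3389)]:   # internet -> unpublished port
        d = forward(*pkt)
        print(f"{pkt[0]:>14} -> {pkt[1]:<14} {pkt[2]}/{pkt[3]:<5} "
              f"{d.in_iface}->{d.out_iface} dst={d.dst}:{d.dport} "
              f"{'ALLOW' if d.allowed else 'DROP '} ({d.reason})")
```

Two details worth noticing when translating this to a real firewall: the policy for inbound traffic is written against the post-NAT destination (wan -> dmz, 192.168.2.10:80), which is why the DNAT entry alone is not enough and unfragmented's second point, a separate allow rule, is needed; and the absence of any dmz -> lan rule is what enforces "nothing initiated on the DMZ side can access the LAN", not the subnet boundary.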
 
sdcox72 (Author) commented:
Ahhhh, I get it now that you say a subnet isn't for security. I thought it was!

So a subnet is simply for organization?

And duh, of course a router would have to route between subnets. That is real simple now that I think about it.

Thanks!
0