swingarm (l33t)
Joined: 08 Jun 2002, Posts: 627, Location: Northern Colorado
Posted: Sun May 02, 2004 2:12 am, Post subject: DMZ with 2 NIC's

A couple of months ago I was working on a computer and it had one of those Actiontec DSL modem/router appliances. I noticed in the Actiontec I could specify an IP address as being in the DMZ.
Fast forward to today and I'm in a situation where I'd like to do that in my Linux firewall but don't know how.
flybynite (l33t)
Joined: 06 Dec 2002, Posts: 620
Posted: Sun May 02, 2004 5:00 am, Post subject: (no subject)

DMZ is marketing speak on those router boxes. What it typically means is that the router will forward ports to those boxes in the DMZ. This allows a web server behind the router. Another firewall is between the servers and the rest of the LAN.
See this HOWTO for a picture and more info:
http://www.tldp.org/HOWTO/Firewall-HOWTO-3.html#ss3.2
swingarm (l33t)
Joined: 08 Jun 2002, Posts: 627, Location: Northern Colorado
Posted: Sun May 02, 2004 4:02 pm, Post subject: (no subject)

So I'm guessing from this that you probably could do it, but it wouldn't be a good idea?
flybynite (l33t)
Joined: 06 Dec 2002, Posts: 620
Posted: Sun May 02, 2004 7:21 pm, Post subject: (no subject)

A true DMZ is a good idea!!
It's just that what you need to set up a DMZ is two firewalls. You don't need to look for a "DMZ" function in Linux or even your DSL modem/router.
Look at the picture in the link. Just set your router to forward port 80 to a separate server box. This could be called port forwarding, DMZ, or any other marketing speak by the router maker. Then have another Linux firewall gateway protecting the rest of your LAN.
If you have a DSL modem/router with firewall capability, and a Linux box with a firewall, the only thing you need for a DMZ is another box for the web server to put in between the modem and the Linux firewall box.

Last edited by flybynite on Thu May 06, 2004 7:22 pm; edited 1 time in total
Deebster (Tux's lil' helper)
Joined: 16 Nov 2003, Posts: 126
Posted: Mon May 03, 2004 10:30 am, Post subject: (no subject)

Well, the main point about a DMZ machine is that it doesn't have access to the machines on the LAN. This means that it can't be connected to the LAN.
For home users, I'd expect to see a NAT-router-firewall with three network cards: net, LAN, DMZ. Popular firewall distros like Smoothwall support this setup.
If you just want to put a server on the net, simply harden a machine, then forward the relevant ports to that machine from your firewall.
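The three-card (net, LAN, DMZ) setup Deebster describes, combined with the single-port forward flybynite suggests, as an added iptables example that is not from any poster in this thread. Interface names, the subnets and the DMZ web server address are assumed placeholders; set IPT=echo to preview the rules without applying them.

```shell
#!/bin/sh
# Added example: three-interface firewall with one port forwarded into the DMZ.
# Interfaces, subnets and the web server address below are assumed values.
IPT="${IPT:-iptables}"                # IPT=echo prints rules instead of applying
WAN_IF="${WAN_IF:-eth0}"              # toward the DSL modem/router
LAN_IF="${LAN_IF:-eth1}"              # trusted LAN
DMZ_IF="${DMZ_IF:-eth2}"              # DMZ segment
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"
DMZ_WEB="${DMZ_WEB:-192.168.2.10}"    # hardened web server living in the DMZ

dmz_firewall() {
    # Default-deny for everything routed through the box.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING

    # Replies to flows that were already allowed may pass in either direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # LAN may reach the Internet and the DMZ; DMZ may reach the Internet only.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -j ACCEPT

    # The DMZ never initiates anything toward the LAN: log it, then drop it.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "DMZ->LAN blocked: "
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # Only TCP port 80 from the Internet is forwarded, and only to the web server.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WEB:80"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_WEB" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Hide both internal networks behind the firewall's external address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Preview: IPT=echo APPLY=1 sh dmz.sh    Apply (as root): APPLY=1 sh dmz.sh
if [ -n "${APPLY:-}" ]; then
    dmz_firewall
fi
```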
swingarm (l33t)
Joined: 08 Jun 2002, Posts: 627, Location: Northern Colorado
Posted: Wed May 05, 2004 3:14 am, Post subject: (no subject)

The main reason I wanted to do it with just 2 NICs is because of AIM, not a web server. I've seen posts that say if you have a firewall you can't do file transfers no matter how you have it configured. I have a firewall, but even with the proper port forwarding and/or incoming ports configured I couldn't transfer files through AIM. My friend has one of those $40 router boxes and he can transfer files to me when he temporarily puts his computer in the "DMZ" on his router, so I figured why can't I try that with my Linux box? I didn't think it would be a big deal because this would only be out in the world for 15 minutes at a time at irregular intervals. Anyway, it appears if I want this to happen I have to install another NIC, run another cable to my computer, and hand-switch the cables when I want to do AIM file transfers.
flybynite (l33t)
Joined: 06 Dec 2002, Posts: 620
Posted: Thu May 06, 2004 7:20 pm, Post subject: (no subject)

No, this is why I was cautious about the term DMZ. You could say DMZ has two meanings.
You don't want a "Linux DMZ", you want to enable AIM to work in a NAT system. Your friend exposes his box WITHOUT A FIREWALL to the net.
You use Linux and can have your firewall and AIM too.
Here is a proxy designed to do exactly what you want: make AIM file transfers work behind a NAT router.
http://reaim.sourceforge.net/

Quote:
What is ReAIM?
ReAIM is a compact transparent proxy designed to be run on or behind a Linux iptables-based firewall. When run behind a simple address-translating firewall, the current AIM client software does not allow direct connections between users to work. AIM requires direct connections for file and image transfers.
This proxy is designed to transparently intercept AIM client messages and pass them through a configurable filter/rewrite chain. This allows selective modification of the source address provided in direct-connection setup packets, so remote users can be told to use the globally routable Internet address rather than the actual IP address of the client on the local network.
swingarm (l33t)
Joined: 08 Jun 2002, Posts: 627, Location: Northern Colorado
Posted: Sat May 08, 2004 4:22 am, Post subject: (no subject)

Cool! Thanks for the info...