David Kramer wrote:
> I'm reading up on the whole DMZ concept, and it seems like a straight
> pass-through, so what does that buy you over hooking up the machine
> straight to the DSL modem? It means I don't have to configure
> individual ports to go to my server, but it adds no protection to my
> server either.

As dsr pointed out in his post, most consumer routers, such as your WRT54G, stretch the meaning of DMZ such that it does what you wrote above (pass-through) rather than providing meaningful isolation. (In addition to isolation, a typical business-grade firewall would also provide filtering of fractured packets, ping of death, etc. for the hosts in the DMZ.)

What's strange is that devices like the WRT54G actually have the necessary hardware to support a real DMZ, and are just lacking the software. I guess because they feel a real DMZ is either not needed or too confusing for the typical home user?

My understanding is that although the WRT54G only has two physical interfaces - one for the wireless LAN and one for everything wired - internally the wired ports are attached to a switch that understands virtual LAN tagging, which allows you to link specific ports of the switch to virtual Ethernet devices in the operating system. Thus you can isolate the ports from each other at the hardware level.

So if you did want a real DMZ you could seek out one of the third-party firmware packages (see BLU list archives) that run on the WRT54G. I plan to do this with my WRT54G one of these days. (Currently I'm using it just as a wireless access point behind another firewall.)

> I assume I should continue to run SuseFirewall on my server even if it's
> protected by the router, right?

I agree with others that running a software firewall on each individual machine is a good idea.

-Tom