Check wiki for answer
by tg2 · about 16 years, 5 months ago
In reply to DMZ
http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
Check out wiki for the answer, very good, concise explanation.
Pay particular attention to the “DMZ host” paragraph, and know the following:
With a SOHO router, having a DMZ IP address set up means that any traffic that was not initiated by the router going out to the internet is directed at the DMZ IP (unprotected).
SOHO firewall/routers work by getting a piece of traffic from your machine. The fw then NATs the external IP address, and adds a source port to send the traffic out with.
The fw/rtr sends the traffic out to the internet as being from a specified port number, so that when a machine on the internet responds, that machine responds to the external IP address, *and* to the port that was sending.
When the traffic comes into the router/firewall, it sees the destination port, looks this up in its NAT table and then rewrites the packet to the internal IP address that originally sent the packet.
With a DMZ setting on a SOHO firewall, any traffic inbound, to any port that is not currently listed inside the router/firewall as something **it** sent, will by default go to the address you list as the DMZ machine, meaning that DMZ machine is unprotected. As it would be unprotected, it would be the machine that could then attack the other machines in your network, should someone compromise it (hence why you would need a good software firewall on that DMZ host / machine).
Only if there is a separate DMZ port, and you have instructions (the manual) that say the DMZ machine cannot reach the rest of your network, should you consider using the DMZ setting without a firewall to protect other machines in your network.
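A small simulation of the NAT-table and DMZ-host behaviour the post describes, added here as an example and not part of the original post. The IP addresses, the starting external port (40000) and the lookup on destination port alone are constructed assumptions that follow the post's simplified description.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class SohoRouter:
    external_ip: str
    dmz_host: Optional[str] = None
    next_port: int = 40000              # next external source port to hand out
    nat_table: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        # Rewrite the source to the external IP plus a fresh port, and remember
        # which internal host:port that external port belongs to.
        ext_port = self.next_port
        self.next_port += 1
        self.nat_table[ext_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Reply to something the router sent: look up the destination port and
        # rewrite the destination back to the original internal host. (Real
        # routers also match the remote IP/port; this model keeps the post's simplification.)
        entry = self.nat_table.get(pkt.dst_port)
        if entry is not None:
            internal_ip, internal_port = entry
            return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port)
        # Unsolicited traffic: dropped without a DMZ host; with one, passed straight
        # to the DMZ host on the same port, which is why that host is exposed.
        if self.dmz_host is not None:
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None

def demo():
    router = SohoRouter("203.0.113.5", dmz_host="192.168.1.50")  # constructed addresses
    out = router.outbound(Packet("192.168.1.10", 51234, "198.51.100.7", 443))
    reply = router.inbound(Packet("198.51.100.7", 443, "203.0.113.5", out.src_port))
    unsolicited = router.inbound(Packet("198.51.100.9", 6000, "203.0.113.5", 3389))
    return out, reply, unsolicited

if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running it shows the reply landing on the internal host that opened the connection, while the unsolicited packet lands on the DMZ host; the same packet is dropped when no DMZ host is set.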