Re: Another Fedora decision




On 2/2/2015 6:29 PM, Always Learning wrote:
> On Tue, 2015-02-03 at 13:16 +1100, Kahlil Hodgson wrote:
>
>> A DMZ in this context is a network that has been isolated from the
>> rest of your local network.  You can access it from your local
>> network, it can access the rest of the world, but it can't access your
>> network.  The idea is that, if a machine in the DMZ is compromised, it
>> can only access other machines in the DMZ.
>
> Thanks. Now I know. That sort of operation can be done via the router
> and by selecting a wifi option on the same router (Asus RT-AC68U). Wifi
> is off by default.

An Asus RT-whatever is a home internet gateway, not a proper firewall router, and it has no provision for a proper DMZ as it doesn't have a port for it. This has *nothing* to do with wifi.

Implementing a proper DMZ requires a firewall router with multiple zones, at a minimum WAN (internet), LAN (your regular network), and DMZ, used for your public-facing internet servers. The DMZ uses its own network switch (or VLAN) separate from your LAN switch(es), so traffic from LAN<=>DMZ has to go through the firewall router. You define firewall rules such that DMZ servers are blocked from accessing anything on your WAN except specific services they need (if any), but you usually allow systems on the LAN side access to everything on the DMZ side. I've seen configurations where even LAN to DMZ was tightly controlled, so for example only administrator workstations could ssh into the DMZ servers.



--
john r pierce                                      37N 122W
somewhere on the middle of the left coast

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
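
Added example, not part of the original message: one way the three-zone policy described above could look as an nftables forward chain on the firewall router, using the tightly controlled LAN to DMZ variant. Interface names, the admin workstation address and all port numbers are assumptions chosen for illustration; NAT and the firewall's own input rules are left out.

```nftables
#!/usr/sbin/nft -f
# Added example: WAN / LAN / DMZ forwarding policy.
# Every interface name, address and port below is an assumption.
flush ruleset

define WAN_IF = "eth0"                  # internet uplink (assumed name)
define LAN_IF = "eth1"                  # regular internal network (assumed name)
define DMZ_IF = "eth2"                  # own switch or VLAN for public servers (assumed name)
define ADMIN_HOSTS = { 192.168.1.10 }   # constructed administrator workstation address

table inet zones {
    chain forward {
        # Default deny: a flow between zones passes only if a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were allowed in the first place.
        ct state established,related accept
        ct state invalid drop

        # LAN -> internet: regular outbound traffic.
        iifname $LAN_IF oifname $WAN_IF accept

        # Internet -> DMZ: only the published services (assumed web server).
        iifname $WAN_IF oifname $DMZ_IF tcp dport { 80, 443 } accept

        # LAN -> DMZ, tight variant: ssh from admin workstations only,
        # everyone else reaches just the published services.
        iifname $LAN_IF oifname $DMZ_IF ip saddr $ADMIN_HOSTS tcp dport 22 accept
        iifname $LAN_IF oifname $DMZ_IF tcp dport { 80, 443 } accept

        # DMZ -> internet: only the specific services the servers need
        # (assumed here: DNS, NTP, package updates over HTTP/HTTPS).
        iifname $DMZ_IF oifname $WAN_IF udp dport { 53, 123 } accept
        iifname $DMZ_IF oifname $WAN_IF tcp dport { 53, 80, 443 } accept

        # DMZ -> LAN: a DMZ host never opens connections into the LAN.
        # Logged, because an attempt suggests a compromised DMZ machine.
        iifname $DMZ_IF oifname $LAN_IF log prefix "dmz-to-lan " drop
    }
}
```

Because the established/related rule sits first, LAN clients still get replies from DMZ servers even though nothing lets the DMZ initiate a connection toward the LAN.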



