Adriano,

Hehe, it looks like this topic was beat dead, but here's a few more comments on the "Virtual DMZ" vs "real DMZ via interface".

Adriano Castro wrote:
> In the meantime, I've been reading about the latter ones and don't
> fully understand the need or use of a 3rd Ethernet port (as in Soekris'
> net4501-30 model). 2 ports make sense to me: WAN + LAN. I believe the
> 3rd port is commonly used for DMZ, correct?
>
> If this is the case it kind of confuses me because I'm used to
> having DMZs set-up virtually.

Usually the 3rd interface on a firewall is used for the DMZ (DeMilitarized Zone - some Korean term). However, you could use the 3rd interface for just about anything else in m0n0. Because the rules are so flexible, you could even tweak it out so that this OPT1 interface can't talk with the LAN and then LAN can't talk to it, but both can get out to the internet thru the WAN.

The idea of a "real" DMZ is like a buffer that sits between the WAN and then LAN. With a typical setup, the WAN is permitted limited access to the DMZ. Neither the WAN or DMZ may access the LAN. This allows you to run public services like a web server, etc that has limited protection from a WAN-facing firewall, without compromising the security on your LAN.

The "Virtual DMZ" you're used to seeing in the manual of a SOHO firewall product is totally different. I see it as an industry's misinterpretation of a technical concept (or rather "overloading" the term). The virtual-DMZ that you're referring to is basically port forwarding. The virtual-DMZ sends all IP traffic destined for the WAN IP directly to the one internal host, basically saving you from trying to figure out which individual ports to forward in (or for apps that use dynamic ports [MSN/NetMeeting/etc]).

This isn't a "true DMZ" but it sort of gives a SOHO user the impression that they can run a server in the "virtual-DMZ" (because techies say you should run servers in the 'DMZ') and at least it'll be accessible by the world without much configuration. Of course this doesn't offer much LAN security because, after all, the server will be on the LAN.

Hence, you can run m0n0wall with any # of interfaces your PC / hardware can support. The more interfaces, pretty much the more flexible you can be with securing parts of your network. I have 4 interfaces on my m0n0, but if I had more PCI slots on the board I'd probably have more (just for fun!). This gives you a plethora of options in how to control your network.

Along the lines of that.....

RP Smith <rpsmith at hotmail dot com> wrote:
> >The "trusted" network can connect to the untrusted network,
> >but the untrusted network can't talk to the trusted network.
> >
>
> Dave,
>
> What rules do you have to accomplish the above? Also, if you VPN to the
> m0n0wall, can you get to both networks thru the VPN? If so, how do you make that
> work?

Roy, block rules are implicit in m0n0wall. If you don't set up any permit-access rules, the interface is blocked by default (except for being able to hit the m0n0wall). Hence in that setup that Dave is referring to, you can set up 2 rules to do the job:

1 permit any from-LAN to-any
2 permit any from-DMZ to-(NOT LAN) [there's a NOT checkbox]

/sylikc
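The two rules above, plus the "WAN gets limited access to the DMZ" case, as an added example that is not from the list post or from m0n0wall itself: a small Python model of per-interface, first-match rule evaluation with an implicit default block. The subnets, the sample hosts and the web-server port rule are constructed assumptions; the model only follows the behaviour described in the post (rules apply to traffic entering an interface, a NOT flag inverts the destination match, anything unmatched is dropped).

```python
# Added example, not m0n0wall's own code. Models the rule behaviour the post
# describes: rules are attached to the interface traffic ENTERS on, are checked
# first-match, and anything not explicitly permitted is blocked.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample subnets (assumption, not from the post).
NETS = {"LAN": ip_network("192.168.1.0/24"), "DMZ": ip_network("192.168.2.0/24")}


@dataclass
class Rule:
    iface: str               # interface the packet arrives on: LAN, DMZ, WAN
    action: str              # "pass" or "block"
    dst: str                 # "any" or a name from NETS
    dst_not: bool = False    # the "NOT" checkbox: invert the destination match
    port: Optional[int] = None  # None = any port

    def matches(self, iface: str, dst_ip, dst_port: Optional[int]) -> bool:
        if iface != self.iface:
            return False
        if self.port is not None and dst_port != self.port:
            return False
        if self.dst == "any":
            return True
        return (dst_ip in NETS[self.dst]) != self.dst_not


def decide(rules, iface: str, dst: str, dst_port: Optional[int] = None) -> str:
    """First matching rule wins; no match means the implicit block."""
    dst_ip = ip_address(dst)
    for rule in rules:
        if rule.matches(iface, dst_ip, dst_port):
            return rule.action
    return "block"


# The two rules from the post, written out in evaluation order.
RULES = [
    Rule("LAN", "pass", "any"),                # 1 permit any from-LAN to-any
    Rule("DMZ", "pass", "LAN", dst_not=True),  # 2 permit any from-DMZ to-(NOT LAN)
]

# "Real DMZ" variant: WAN may reach only the DMZ web server's port (constructed).
RULES_WITH_PUBLIC_WEB = RULES + [Rule("WAN", "pass", "DMZ", port=80)]


def reachability(rules) -> dict:
    """Who can reach whom, using one constructed sample host per zone."""
    hosts = {"LAN": "192.168.1.10", "DMZ": "192.168.2.10", "INTERNET": "203.0.113.5"}
    return {(src, dst): decide(rules, src, ip, 80)
            for src in ("LAN", "DMZ", "WAN") for dst, ip in hosts.items()}
```

The WAN interface has no rule in `RULES`, so every inbound packet from it falls through to the implicit block; adding the single port-80 rule opens only the DMZ web server and still leaves the LAN unreachable from both WAN and DMZ.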