 
 From:  "Brian Z" <mono at ricerage dot org>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Mail Server Behind 1.0
 Date:  Tue, 17 Feb 2004 17:57:23 -0500 (EST)
> ----- Original Message -----
> From: "Hilton Travis" <Hilton at QuarkAV dot com>
> Sent: Tuesday, February 17, 2004 5:23 PM
>
>
>> Hi John,
>>
>> DMX?  You been doing some stage lighting lately?  :)
>
> How'd you guess?  :-)
>>
>> OK, why is placing a server (that is often serving Internet users) in
>> the DMZ a bad idea?  The DMZ is designed for exactly this sort of
>> thing - servers used for Internet users.
>
> Well, it leaves your server to fend for itself, attack-wise.  Isn't that
> really what the firewall is for?  I mean you still need to worry about
> what's behind the ports you're forwarding but you no longer have to be
> as concerned about other open ports on the server.
>
> John

Sorry to just jump right in, but what the hell, it's a public forum.

I'm not sure what you mean by "fend for itself". Rulesets can be applied
on the DMZ interface to limit the access to the specific daemons running
on it, no? (disclaimer: I've only used a wan/lan setup with m0n0)

Per my understanding, the firewall will be filtering all but (hopefully)
legitimate traffic, and in the unfortunate event of a compromise, it's
completely quarantined from the private hosts. That's the definition of a
DMZ anyway. Am I missing something?

 Brian