Bbox DMZ
Douglassounet
Hello,
I would like to know more specifically what the DMZ parameter of my Internet BOX is for. I have read on the web that it is not exactly the same thing as a DMZ in the strict sense (a firewall with a LAN network on one side and a network with machines accessible via the Internet on the other).
On my BBOX, I can choose a single host to place in the DMZ. If I understand correctly, by doing this, all ports on my box will be redirected to this host? If my public IP is X.X.X.X and my DMZ host has the private IP Y.Y.Y.Y, then when I connect from the Internet to IP X.X.X.X on port 500, for example, the connection is redirected to Y.Y.Y.Y port 500, is that correct?
Thank you.
5 replies
Hello,
The DMZ is a twisted idea if you don't have a local network of multiple machines, where it is meant for only one to receive Internet connections (which continues to make no sense if the local network remains accessible from the machine receiving the connections).
On a single machine, it does not redirect or allow a specific request on a certain port, but instead opens it to all (unless filtered by a downstream firewall).
It is therefore healthier not to set up a DMZ, but to establish NAT rules for the relevant applications and ports.
The temptation of the DMZ often arises from dealing with applications that use a wide range of dynamic ports, which can often pose a security risk when everything is allowed indiscriminately.
Thank you for the response,
So far, I understood the NAT/PAT rules that I had already been able to use on my BOX.
For the DMZ of the BOX, I more or less grasp the idea but I remain perplexed about certain points:
I understand that if I put a machine from my LAN in the DMZ, it will be open to all winds, as you say (what does that represent technically?). But since this machine is behind my BOX and has a private IP, does that actually change anything from an external point of view?
Can I simply say that a machine placed in the DMZ is not subject to the BOX's firewall processing? Is that correct?
Thank you.
It was a topic that generated a lot of ink at a time when people were using, for example, Emule or other similar junk.
The software communicates with the PC over dynamic ports (which are never the same), which means that the machine in the DMZ (which is indeed not filtered by the Box) ends up open on every possible port, unless the target PC itself is equipped with a firewall capable of filtering the desired ports.
In the event that an intrusion results, the DMZ serves no purpose other than bypassing NAT rules (for example, to facilitate remote control of a machine without having to search for it on the network), and it is also of no security use if rules on the local network do not prevent access via the DMZ to one of the machines from providing access to others by bouncing.
Once again, thank you, I understand better now.
I would like to ask another question that strays a little from the original one:
Context: I would like to place a router/firewall (e.g., pfsense) behind my BOX (on the LAN side) but my BOX does not have bridge mode.
Is it okay from a functionality and security standpoint to place pfsense in the DMZ of my box in order to manage all port filtering on pfsense?
I assume that if I don't do this, then my box will serve as a first filter for traffic and then pfsense as a second filter, which may also work but doesn't give me total control over filtering if I'm not mistaken.
I am not familiar with pfsense; I assume it is the software and not the firewall installed in a dedicated router, and I don't quite see how, without a router, to administer it from the Box.
It is not very easy to configure. If we are talking about Windows and you are not satisfied with Windows Defender, there are other solutions (I personally use Comodo).
But without breaking the bank, to my knowledge, there is no real network solution; in fact, you then have to install the same security software on all machines and, after creating appropriate LAN and WAN rules on one machine, copy them to the others.
Hello,
Dynamic NAT has never been a firewall, despite what some ISPs or router sellers try to claim; it is just a way of adapting to the fact that they provide only one IPv4 address, and they even end up sharing it among multiple customers.
It's true that the DMZ of a box has nothing to do with the DMZ of a firewall; it's just a local IP address designated to receive all incoming IP connections.
It is sometimes essential because not all IP protocols have ports, as UDP and TCP do, to identify connections: a GRE tunnel or an IPsec tunnel, for example.
If you use a real firewall like pfSense, then indeed you must set it as the DMZ address if your box does not bridge, provided that it is configured as a router.
Also, remember that you now have IPv6, which offers billions of IP addresses and allows direct addressing of a machine without address translation or NAT.
However, boxes often have a firewall that blocks all incoming IPv6 connections by default.
--
and ... There you go!
You say: "it's just a local IP address that is designated to receive all incoming IP connections".
But in my case, if my DMZ host has a private IP, I don't understand how it can receive connections initiated from the Internet...
If I decide to set my PC 192.168.1.x as a DMZ host, does that mean that a connection from the Internet can be directly made to this host?
I'm still slightly confused. The rules for PAT/NAT redirection are not an issue for me in terms of understanding, but this infamous DMZ...
Yes,
absolutely, every IPv4 connection coming from the internet and destined for the public address of the box (WAN address) will be redirected to this machine by the box. Since it's a private address, the box will NAT (change) the destination address to this address, but it will modify nothing else (protocol, ports, etc.) other than the checksum of the IP header, which of course changes since an address is modified.
In short, it's a more global and static NAT, without PAT, thus without a means to differentiate the destination as in NAT+PAT.
Also,
since the connection is primarily destined for the box (it's its address that is the destination), if the box is listening on the port or protocol in question, it will handle it directly, which is normal; it will only return what it does not manage.
Of course,
the machine in the DMZ must be well protected at the firewall level.
A true DMZ, in the sense of a real firewall, is a range of local or public addresses accessible from the internet and from the local network, with the LAN inaccessible from the internet and from the DMZ.
This is where we will place the public servers of the company if they are hosted locally, which is happening less and less.
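The decision order these replies describe (the box answers what it listens on itself, explicit NAT/PAT rules are applied, and everything else, port-less protocols included, goes to the single DMZ host) and the minimal rewrite the box performs, modelled in Python as an added example that is not code from the thread or from any Bbox firmware. The precedence of explicit rules over the DMZ host, the addresses, the rule sets and the sample header are all assumptions constructed for the illustration.

```python
# Added example, not from the thread: models how a box decides where an
# inbound IPv4 packet goes (its own services, then NAT/PAT rules, then the
# DMZ host) and shows that the DMZ rewrite touches only the destination
# address and the IP header checksum.  All addresses are constructed samples.
import struct
from dataclasses import dataclass
from socket import inet_aton
from typing import Optional

@dataclass
class Box:
    wan_ip: str
    listening: set          # (proto, port) pairs the box answers itself
    pat_rules: dict         # (proto, port) -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None   # single LAN IP that receives the rest

    def route_inbound(self, proto, dst_port=None):
        """Return (decision, target) for a packet sent to the WAN address."""
        key = (proto, dst_port)
        if key in self.listening:      # the box serves it directly
            return ("box", (self.wan_ip, dst_port))
        if key in self.pat_rules:      # an explicit NAT/PAT rule wins next (assumed order)
            return ("pat", self.pat_rules[key])
        if self.dmz_host:              # everything else, including port-less
            return ("dmz", (self.dmz_host, dst_port))   # protocols (GRE, ESP)
        return ("drop", None)

HDR = "!BBHHHBBH4s4s"   # IPv4 header without options, 20 bytes

def ip_checksum(header: bytes) -> int:
    # One's-complement sum of the 16-bit words with the checksum field zeroed
    total = sum(struct.unpack("!10H", header[:10] + b"\x00\x00" + header[12:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int) -> bytes:
    hdr = struct.pack(HDR, 0x45, 0, 20, 0, 0, 64, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def dnat_to_dmz(packet: bytes, dmz_ip: str) -> bytes:
    """What the box does for the DMZ host: new destination, fresh checksum."""
    new = packet[:16] + inet_aton(dmz_ip) + packet[20:]
    return new[:10] + struct.pack("!H", ip_checksum(new)) + new[12:]

def changed_fields(before: bytes, after: bytes) -> list:
    names = ["ver_ihl", "tos", "len", "id", "frag", "ttl", "proto", "csum", "src", "dst"]
    b, a = struct.unpack(HDR, before[:20]), struct.unpack(HDR, after[:20])
    return [n for n, x, y in zip(names, b, a) if x != y]

def verify_checksum(header: bytes) -> bool:
    return struct.unpack("!H", header[10:12])[0] == ip_checksum(header)
```

Running `changed_fields` on a GRE (protocol 47) header before and after `dnat_to_dmz` returns only the checksum and destination fields, which is why the DMZ host sees the connection exactly as the internet sent it and must carry its own filtering.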