
BLU Discuss list archive



Setting up a router in front of my server



David Kramer wrote:
> I'm reading up on the whole DMZ concept, and it seems like a straight 
> pass-through, so what does that buy you over hooking up the machine 
> straight to the DSL modem?  It means I don't have to configure 
> individual ports to go to my server, but it adds no protection to my 
> server either.

As dsr pointed out in his post, most consumer routers, such as your 
WRT54G, stretch the meaning of DMZ such that it does what you wrote 
above (pass-through) rather than providing meaningful isolation. (In 
addition to isolation, a typical business-grade firewall would also 
provide filtering of fractured packets, ping of death, etc. for the 
hosts in the DMZ.)

What's strange is that devices like the WRT54G actually have the 
necessary hardware to support a real DMZ, and are just lacking the 
software. I guess because they feel a real DMZ is either not needed or 
too confusing for the typical home user?

My understanding is that although the WRT54G only has two physical 
interfaces - one for the wireless LAN and one for everything wired - 
internally the wired ports are attached to a switch that understands 
virtual LAN tagging, which allows you to link specific ports of the 
switch to virtual Ethernet devices in the operating system. Thus you can 
isolate the ports from each other at the hardware level.

So if you did want a real DMZ you could seek out one of the third party 
firmware packages (see BLU list archives) that run on the WRT54G. I plan 
to do this with my WRT54G one of these days. (Currently I'm using it 
just as a wireless access point behind another firewall.)


> I assume I should continue to run SuseFirewall on my server even if it's 
> protected by the router, right?

I agree with others that running a software firewall on each individual 
machine is a good idea.

  -Tom
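To make the isolation point concrete, here is an added example (not Tom's or the BLU list's code, and not tied to any specific third-party firmware) of what a real DMZ on a WRT54G-class router with Linux firmware could look like: the switch's VLAN tagging turns one wired port into its own Ethernet device, and the FORWARD chain defaults to DROP so that the DMZ host can serve the Internet and fetch updates but can never initiate a connection into the LAN. The interface names (eth0 as the switch trunk, VLAN ids 0/1/2 for LAN/WAN/DMZ), the addresses and the published ports are all assumptions constructed for the example. By default the script only prints the commands; running it with RUN set to the empty string applies them.

```shell
#!/bin/sh
# Added example: a real DMZ on a WRT54G-class router with Linux firmware.
# Assumed layout (not from the original post): eth0 is the switch trunk,
# VLAN 0 = the LAN ports, VLAN 1 = the WAN port, VLAN 2 = the single DMZ
# port. Set RUN= (empty) to apply; the default just echoes the commands.
RUN="${RUN:-echo}"

LAN=eth0.0; WAN=eth0.1; DMZ=eth0.2
DMZ_HOST=192.168.2.10       # constructed address of the server in the DMZ
WAN_SERVICES="80 443"       # the only ports reachable from the Internet

# Give the DMZ port its own Ethernet device via 802.1Q tagging on the trunk.
setup_vlans() {
    $RUN ip link add link eth0 name "$LAN" type vlan id 0
    $RUN ip link add link eth0 name "$WAN" type vlan id 1
    $RUN ip link add link eth0 name "$DMZ" type vlan id 2
    for dev in "$LAN" "$WAN" "$DMZ"; do
        $RUN ip link set "$dev" up
    done
}

# Default-deny forwarding: every permitted path between zones is explicit.
setup_dmz_firewall() {
    $RUN iptables -P FORWARD DROP
    $RUN iptables -F FORWARD
    $RUN iptables -t nat -F

    # Return traffic for flows that were allowed in the first place.
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN may reach the Internet and may administer the DMZ host.
    $RUN iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $RUN iptables -A FORWARD -i "$LAN" -o "$DMZ" -j ACCEPT

    # DMZ never initiates into the LAN (a compromised server cannot pivot),
    # but may reach the Internet for updates.
    $RUN iptables -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
    $RUN iptables -A FORWARD -i "$DMZ" -o "$WAN" -j ACCEPT

    # Rate-limit pings into the DMZ; drop the rest of the echo-requests.
    $RUN iptables -A FORWARD -o "$DMZ" -p icmp --icmp-type echo-request \
        -m limit --limit 5/s -j ACCEPT
    $RUN iptables -A FORWARD -o "$DMZ" -p icmp --icmp-type echo-request -j DROP

    # The Internet reaches only the published services, via DNAT.
    for p in $WAN_SERVICES; do
        $RUN iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$p" \
            -j DNAT --to-destination "$DMZ_HOST"
        $RUN iptables -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -d "$DMZ_HOST" \
            --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Hide both LAN and DMZ behind the WAN address.
    $RUN iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

setup_vlans
setup_dmz_firewall
```

The FORWARD chain is where the isolation lives: the LAN-to-DMZ ACCEPT lets you administer the server, while the DMZ-to-LAN DROP (placed before any DMZ ACCEPT) means a compromised server gets no further than the router. This is also why running SuseFirewall on the server itself still makes sense: it is the last line if a rule here is wrong or the router's firmware is itself compromised.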




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org