Setting up DMZ

Psychedelik

I got connected to UTV Clicksilver ADSL recently. They gave me a Voyager 205 modem and it seems to be working fine. Now I want to set up a De-Militarized Zone, which will put me in total control of the connection.

Has anyone any experience setting up a DMZ with UTV/this modem? If anyone could fill me in on the basics of ADSL networking in relation to DMZ, it'd be much appreciated.

Thanks.

Mutant_Fruit

Sure...
Principle 1) DMZ's are a bad idea.
Principle 2) You should only use a DMZ if there is a damn good reason to do it.

A DMZ basically redirects ALL traffic to the designated computer (unless there is a specific nat rule for that traffic). This makes the firewalling feature of any NAT router completely useless. Why do you want to use a DMZ? If you want traffic to be allowed access your computer, you'd be MUCH better off just making a NAT rule for the specific ports in question.

Psychedelik

Mutant_Fruit wrote:

Why do you want to use a DMZ?

One reason is because I have a software firewall - Kerio PF - and I'm familiar with its interface. I'm not connected to a LAN (i.e. other computers), and also I don't have a static IP. Correct me if I'm wrong, but would it not be fine to leave IP/port filtering to the software firewall?

Mutant_Fruit

Aye it would be fine... but why? Why disable a perfectly good firewall? Leave the NAT on, and if you do need to accept incoming connections (for Bittorrent or VNC or an FTP server you run) just set up the connection in the NAT settings. Its really easy.

Even though you dont have a lan, i wouldn't recommend you disable the NAT features on your firewall unless you have a much better reason than you have a software firewall. But by all means keep the software firewall... routers can't block outgoing connections, software firewalls can, which can be quite useful.

Theres no benefit to disabling NAT and enabling a DMZ in your situation.

The only time you'd need a DMZ (that i've ever heard of) is if you wanted to use Voice/Video chat in MSN Messenger and your router didnt support UPnP, as MSN messenger uses a random port from 6000 to 60000 or something rediculous like that.

A dynamic IP only protects you from a hacker zero'ing in on you and repeatedly attacking you. It doesn't make a difference for spyware/adware/virus's etc. The odds of a hacker bothering to attack a home computer are rediculously slim :P

Psychedelik

I'd prefer to live dangerously and go with a DMZ . It would mean I only have to deal with one firewall, and don't have to worry about setting up Port Forwarding, NAT rules, etc.

The problem I'm having at the moment is that 'Remote' connections won't show up in BitTorrent. Any ideas on how to remedy this (e.g. by opening ports)? 'Local' connections work.

Mutant_Fruit

Thats a simple fix. Whatever port you have chosen in your Bittorrent client as your "listening" or "remote" port, set that port to forward to your PC. There are tons of guides on how to do this. Just google for your router model and "port forwarding" and you should get a guide.

If your router supports it, use "port triggering" as opposed to "port forwarding". That way once your computer starts sending torrent data, your router should automatically forward the port to your PC to recieve remote connections. This has the benefit that once you stop torrenting, the port stops being forwarded, thus makign your system a tiny bit more secure.

Psychedelik

Mutant_Fruit wrote:

Whatever port you have chosen in your Bittorrent client as your "listening" or "remote" port, set that port to forward to your PC.

What IP address is "my PC"? 127.0.0.1?

Sparky

it would be usually 192.168.1.xxx

the only way to find out is click the dtatus on your netork connection and click on the support tab, it will have your pc's IP address


your router is usually your gateway so that will be 192.168.1.1

Psychedelik

I'm a newbie with this subject; I got this from the modem's software:

IP Address Netmask IF Name
127.0.0.1 255.0.0.0 lo-0
192.168.1.1 255.255.255.0 eth-0
192.168.1.2 255.255.255.0 usb-0
194.46.xxx.xxx 255.255.255.255 ppp-1

JNive

ok, go to start->run->cmd->ipconfig /all

gateway is the router
ip is your computer

azzeretti

Why is it again you want to setup a DMZ? DMZ's are a really good idea for any body wanting to share their resource or service i.e HTTP, FTP, Telnet etc. The idea is to create another subnet, usually Class A, and then setup a firewall rule to route these requests into the DMZ. For example, if you have a website or game server you wanted to allow access to you might put in the DMZ and setup the external interface of your firewall to direct all traffic to the box in the DMZ. The firewall would look after the NAT'ing from external to internal address. The idea is to segment public access from you LAN hence protecting you internal service i.e your PC, mailserver etc. There are most certainly not a bad idea and many organisation would (not all) implement a DMZ of some sort. You will still need to configure access rules with or without a DMZ and leaving the NAT feature on might be just as good in this instance.

BTW, you could configure your firewall/router to use DDNS it you don't have a static IP address.

Mutant_Fruit

If you replaced all instances of "DMZ" with "NAT" in that post, and dropped the last line of the first paragraph you'd have just given a perfect description of what NAT does... nearly.

A DMZ works by transferring ALL traffic to the DMZ'ed comptuter. This isn't a good idea for 99% of home users. Like i said, the MSN messenger is the ONLY example i've come across that would require a DMZ, and that situation only happens on old routers not supporting UPnP.

azzeretti

Mutant_Fruit wrote:

If you replaced all instances of "DMZ" with "NAT" in that post, and dropped the last line of the first paragraph you'd have just given a perfect description of what NAT does... nearly.

Eh ..... no.

NAT will translate an external IP address to an internal LAN address (or visa versa) full stop. Hence Network Address Translation (NAT). The firewall is reponsible for any port redirection and/or packet or application filtering. NAT and DMZ's are as different as apples and grapes, in fact they bear no realationship at all.
A DMZ is simply another subnet, where hosts are placed to allow untrusted users ususally websites etc. A DMZ can contain many PC's or servers and is segmented from a LAN and WAN connection. If any home user is considering allowing access to their machine from an outside source it is possible to allow NAT (or one to one NAT) to the resource. But that simply translates the external address to the internal address. It is the firewall the will look after and service redirection or port publishing (if using reverse proxy etc)

A DMZ works by transferring ALL traffic to the DMZ'ed comptuter

This is not true.
A DMZ is a location on the network, it has nothing to do with traffic, IP or other. A device, either a router of firewall, is responsible for dealing with traffic and routing to its destination either on the LAN or DMZ or simply dropping the request.
I have a DMZ and a LAN segement, all http and https requests for my public site get redirected to my box in the DMZ, all SMTP requests get routed into my SMTP server on my LAN. Same external address but listening on different ports, 80 and 25. One goes to DMZ the other to LAN. I also have SSH allowed to an internal box. A DMZ is a not anything like NAT.

http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

BTW, I did agree with what you said, a home user may not need this config, but your explanation is wrong.

Mutant_Fruit

But if i were to set up a DMZ on my router pointing to one of my computers, wouldn't all traffic not covered by any existing NAT rules not get transferred over to that computer?

As quoted from my Linksys WRT54G wireless router...

The DMZ hosting feature allows one local user to be exposed to the Internet for use of a special-purpose service such as Internet gaming or videoconferencing. DMZ hosting forwards all the ports at the same time to one PC. The Port Forwarding feature is more secure because it only opens the ports you want to have opened, while DMZ hosting opens all the ports of one computer, exposing the computer so the Internet can see it.



Any PC whose port is being forwarded must have its DHCP client function disabled and should have a new static IP address assigned to it because its IP address may change when using the DHCP function.



1. To expose one PC, select Enable.

2. Enter the computer's IP address in the DMZ Host IP Address field.

3. Click the Save Settings button.

Now how can you tell me that a DMZ is a good idea in this case? I'd highly recommend a DMZ is not created, and instead he spends the few mins it would take to create the NAT rules to find out what ports need to accept incoming connections (usually not many for a home user) and create the neccessary rules.

I have a DMZ and a LAN segement, all http and https requests for my public site get redirected to my box in the DMZ, all SMTP requests get routed into my SMTP server on my LAN. Same external address but listening on different ports, 80 and 25..

I have a PC which all incoming connections on port 1452 get redirected to, and i have a laptop which all incoming HTTP connections and connections on port 5525 get redirected too.

Both computers have the same external IP address. But the incoming connections on the various ports get redirected to different computers. I use NAT to do that, a DMZ would not do this.

NAT will translate an external IP address to an internal LAN address (or visa versa) full stop. Hence Network Address Translation (NAT). The firewall is reponsible for any port redirection and/or packet or application filtering.

Unless i'm really really confused, i think what i just said completely contradicted that statement. NAT is exactly what is used for port redirection...

ntlbell

Both of you for the most part are talking through your bottoms.

azzeretti wrote:

Eh ..... no.

NAT will translate an external IP address to an internal LAN address (or visa versa) full stop. Hence Network Address Translation (NAT). The firewall is reponsible for any port redirection and/or packet or application

Your talking about NAT like it's just NAT there are lots of different software implimentations of NAT e.g. cisco VS Juniper etc etc that all work in completley different ways. so to say NAT just translates external to internal is complete poo.

The majority of NAT Software (Keep in mind that's what it is) is very well capable of doing port re-direction, so again it comes down to the implimentation of NAT.

Sure...
Principle 1) DMZ's are a bad idea.

Where on earth did you read that garbage?

Again, DMZ'S in the sense of a home user are really not needed, correct, but there's more to the world of networking than your tomy toy network at home.

If DMZ's are a bad idea then the majority of security profesionals I know would be long out of a job.

Going back to the OP, read the manual of your routing device and look into port forwarding this should solve your BT issues.

Mutant_Fruit

ntlbell wrote:

Both of you for the most part are talking through your bottoms.

The only DMZ implementation i've evert heard of forwards all ports to the specified computer, just like what i quoted earlier from my own router. I've never heard of a DMZ doing differently. So when i said "DMZ's are a bad idea", i was right in that context. No home user should have the need to forward all ports to their computer (except for possibly the MSN situation).

As for IT professionals use DMZ's... i have no idea what their version of a DMZ does, so i can't comment on that.

azzeretti

ntlbell wrote:

Both of you for the most part are talking through your bottoms.

Your talking about NAT like it's just NAT there are lots of different software implimentations of NAT e.g. cisco VS Juniper etc etc that all work in completley different ways. so to say NAT just translates external to internal is complete poo.

The majority of NAT Software (Keep in mind that's what it is) is very well capable of doing port re-direction, so again it comes down to the implimentation of NAT.

Dude, this is tosh!
NAT is NAT full stop - Network Address Translation. Primarily it is used to allow multiple hosts in OR out of the same IP address. Implemented to overcome the issue of the IP4 address resource limit. It is an industry standard. NAT is stupid, it has no idea how to port redirect, the firewall and packet filtering application/harware looks after the port redirection. The fact that in some devices the NAT feature may be listed in the same place as redirection is for convience. NAT translates, firewalls filter and redirect.
As for Juniper V Cisco???? Not sure what you are on about, Cisco what? Pix? Router? Doesn't matter, NAT is NAT.

In response to the other post, A DMZ is a DMZ, just cause you only heard of it one way doesn't mean it right. A DMZ is not a device, it is a subnet on a network. Besides, you just cut and paste the definition of DMZ hosting, not a DMZ.

ntlbell

azzeretti wrote:

Dude, this is tosh!
NAT is NAT full stop - Network Address Translation. Primarily it is used to allow multiple hosts in OR out of the same IP address. Implemented to overcome the issue of the IP4 address resource limit. It is an industry standard. NAT is stupid, it has no idea how to port redirect, the firewall and packet filtering application/harware looks after the port redirection. The fact that in some devices the NAT feature may be listed in the same place as redirection is for convience. NAT translates, firewalls filter and redirect.
As for Juniper V Cisco???? Not sure what you are on about, Cisco what? Pix? Router? Doesn't matter, NAT is NAT.

So lets take a standard enterpise cisco say a 2600.

this has no firewalling capability how does it handle port redirction?

azzeretti

I would probably use the "ip nat inside" command in the config. This doesn't mean anything, the Cisco ISO will look after the port redirection.
In it's trueist form NAT is for mapping one address to another. Like I said there are some hardware configs that use a "NAT" feature to enable port redirection but this is not a true definition of NAT.

I think we are getting a bit pedantic here. My inital response was as to the definition of a DMZ, which I think you know what it is. The port redirection and or service redirection is not, in the strictest sense, part of NAT. It is similar to people who used to call ISDN adaptors, modems, they aren't in the strictest sense "Modems" as there is no analogue to digital conversion. This analagy can be used for NAT, it just translates addresses.

ntlbell

azzeretti wrote:

I would probably use the "ip nat inside" command in the config. This doesn't mean anything, the Cisco ISO will look after the port redirection.
In it's trueist form NAT is for mapping one address to another. Like I said there are some hardware configs that use a "NAT" feature to enable port redirection but this is not a true definition of NAT.

I think we are getting a bit pedantic here. My inital response was as to the definition of a DMZ, which I think you know what it is. The port redirection and or service redirection is not, in the strictest sense, part of NAT. It is similar to people who used to call ISDN adaptors, modems, they aren't in the strictest sense "Modems" as there is no analogue to digital conversion. This analagy can be used for NAT, it just translates addresses.

But what's the point using "ip nat inside" if nat is not capable of port forwarding?

what happened to the firewall looking after it?

a 2600 is not a firewall.

It's not about being pedantic, it's about giving out correct information.

Yes NAT is a standard, but how it's implimented in software is completley different from one company to the next, "features"

so in the instance of how cisco impliment NAT in software, it IS capable of port forwarding.

so the point is, you don't need a "firewall" to perfom port forwarding.

Mutant_Fruit

Two kinds of network address translation exist. The type often popularly called simply "NAT" (also sometimes named "Network Address Port Translation" or "NAPT") refers to network address translation involving the mapping of port numbers, allowing multiple machines to share a single IP address.

Thats the type of NAT (meaning NAPT in this case) that is in 95%+ of modern NAT capable routers. This is what he should be using to forward ports, so he can have his game server on one computer, his mail server on a second, and his FTP on a third etc.

The type of DMZ found in 95%+ of modern routers is the kind that just forwards either all ports, or all ports that don't have NAT rules to the specified computer. This isn't a good way to use a router unless there is a reason for it.

Basic NAT (a.k.a. Static NAT) is stupid. It just translates IP addresses from external to interal ones. Very little uses basic NAT nowadays. While implementations of NAT may differ, they all basically translate IP addresses and forward ports in consumer level equipment.

EDIT: Is a "proper" DMZ basically like taking a computer in the local network and putting it in its own "virtual" network, where it is the only computer on that "virtual" network. So if anyone were to hack into that DMZ'ed computer, all they could access would be the DMZ'ed computer, and none of the other computers on the local network?

azzeretti

ntlbell wrote:

But what's the point using "ip nat inside" if nat is not capable of port forwarding?

what happened to the firewall looking after it?

a 2600 is not a firewall.

It's not about being pedantic, it's about giving out correct information.

Yes NAT is a standard, but how it's implimented in software is completley different from one company to the next, "features"

so in the instance of how cisco impliment NAT in software, it IS capable of port forwarding.

so the point is, you don't need a "firewall" to perfom port forwarding.

I am very familiar with what a 2600 is. NAT does not look after port forwarding, the IOS code does. This is pointless arguing this any further, NAT is a translation from one ADDRESS to another. The port redirection is not controlled by NAT.

azzeretti

Mutant_Fruit wrote:

Thats the type of NAT (meaning NAPT in this case) that is in 95%+ of modern NAT capable routers. This is what he should be using to forward ports, so he can have his game server on one computer, his mail server on a second, and his FTP on a third etc.

The type of DMZ found in 95%+ of modern routers is the kind that just forwards either all ports, or all ports that don't have NAT rules to the specified computer. This isn't a good way to use a router unless there is a reason for it.

Basic NAT (a.k.a. Static NAT) is stupid. It just translates IP addresses from external to interal ones. Very little uses basic NAT nowadays. While implementations of NAT may differ, they all basically translate IP addresses and forward ports in consumer level equipment.

EDIT: Is a "proper" DMZ basically like taking a computer in the local network and putting it in its own "virtual" network, where it is the only computer on that "virtual" network. So if anyone were to hack into that DMZ'ed computer, all they could access would be the DMZ'ed computer, and none of the other computers on the local network?

Your edited part is pretty much what I have been saying all along. You statistics about 95% of modern routers is total rubbish. Any end high router I have configrued uses the same type of NAT I talk about - pretty much 100%.

Mutant_Fruit

azzeretti wrote:

Your edited part is pretty much what I have been saying all along. You statistics about 95% of modern routers is total rubbish. Any end high router I have configrued uses the same type of NAT I talk about - pretty much 100%.

What kind of routers do you deal with that only use basic NAT (i.e. not the NAPT style NAT that i've seen in quite a few different consumer routers)?

Also, what consumer routers use your kind of DMZ, as opposed to the kind i was describing (the stupid DMZ)?

azzeretti

Mutant_Fruit wrote:

What kind of routers do you deal with that only use basic NAT (i.e. not the NAPT style NAT that i've seen in quite a few different consumer routers)?

Also, what consumer routers use your kind of DMZ, as opposed to the kind i was describing (the stupid DMZ)?

All Cisco routers. When connecting differnet subnets, for whatever reason, thats requires NAT some people could utilise the NATing feature of the router and also use ACL's on the router to deny or allow traffic. The port redirection on most Cisco routers can not handle all TCP/UDP traffic hence the need for a firewall (usually) to deal with packet filtering and inspections (basic ports are handled such as DNS etc but not all).
To answer you question, any network connecting to the interet, in the enterprise, would never have just a router protecting it. The usual setup might be a router with an ehternet or serial connection (to ISP or LL) then a firewall. The router handles the routing issues (obviously) and then passes the traffic to the firewall for analysis, this were the rules and redirection might come in. On an internal network with serperate VLANs and interanl WAN links there router might play a part in denying or allowing certain protocol access. On the whole, firewalls look after port redirection and/or access rules.

Mutant_Fruit

To answer you question, any network connecting to the interet, in the enterprise, would never have just a router protecting it.

And theres where the difference is coming in. You're dealing with enterprise level equipment, i'm talking about consumer/residential level equipment. I'd expect there to be a big difference in functionality between the two. my 95%+ statement was with regard to residential level equipment. They nearly always have the stupid DMZ and NAPT as their NAT implementation.

ntlbell

azzeretti wrote:

I am very familiar with what a 2600 is. NAT does not look after port forwarding, the IOS code does. This is pointless arguing this any further, NAT is a translation from one ADDRESS to another. The port redirection is not controlled by NAT.

The IOS code does everything, so obviously without it, you couldn't do much.

but it's the NAT implimentation on cisco's that CAN.

Cisco IOS NAT <---THIS CAN PREFORM PORT FORWARDING.

hows that pedantic pants?

azzeretti

I can see where you are coming from alright. There are many other entry level consumer prodcuts would be similar, one Netopia product and Zyxel prestige that I know of.
The Linksys boxes talk about DMZ hosting which is different from "A DMZ". I think this is what you are refering to.

azzeretti

ntlbell wrote:

The IOS code does everything, so obviously without it, you couldn't do much.

but it's the NAT implimentation on cisco's that CAN.

Cisco IOS NAT <---THIS CAN PREFORM PORT FORWARDING.

hows that pedantic pants?

What is you point? The IOS looks after routing tables, serial connections, timeouts, debugging - everything. By your reason then, adding route statement looks after port forwarding???

NAT is one element of the IOS. This looks after translation.......oh forget it.
See the link and note the part where it explains the difference between the router and the PIX firewall

http://www.cisco.com/warp/public/556/nat-faq.html

ntlbell

azzeretti wrote:

What is you point? The IOS looks after routing tables, serial connections, timeouts, debugging - everything. By your reason then, adding route statement looks after port forwarding???

NAT is one element of the IOS. This looks after translation.......oh forget it.
See the link and note the part where it explains the difference between the router and the PIX firewall

http://www.cisco.com/warp/public/556/nat-faq.html

I think you're getting confused with your own garbage, you were stating that the IOS looks after port forwarding not I, I'm stating that's obvious, the IOS controls everything no IOS no port forwarding no nothing.

Exactly and the NAT implimentaion in CISCO IOS knows as CISCO IOS NAT looks after port forwarding so IN THE INSTANCE OF A CISCO ROUTER CISCO'S IMPLIMENTATION OF NAT SUPPORTS PORT FORWARDING.

not the ios, not the routing tables, not the nat tables.

I don't need to look at the difference between a Router and a firewall.

lets take a look at another OS FreeBSD/OpenBSD

So here their implimentation of NAT uses what's called NATD.

Which the source code is freely available and if your capable of reading you will see how their implimentation of NAT supports port forwarding through the SOFTWARE implimentation of NATD.

yes, it's run in userland code so does that mean the kernel looks after nat? well without the kernel obviously you don't have anything.

so when you compare it to cisco IOS yes of course the IOS looks after everything, but it's the SOFTWARE implimentation of NAT IN cisco IOS NAT that looks after port forwarding.


your point orignally was port forwarding should be done at the firewall level, or you need a firewall to do port forwarding and that point is well and throughly squashed so lets stop picking at straws.

azzeretti

I know, how about we start a thread and I just post no and then you post yes, then we'll keep doing this about 1000 time

I agree that this is a pointless discussion. My inital point was regarding the definition of a DMZ, I then pointed out that NATing (by definition) is simply address translation. It is possible, as we know, to do (very limited) port redirection on Cisco routers, this port redirection is exactly that PORT REDIRECTION i.e listening on one port and redirecting it to another PORT on a different subnet, the fact that the command can be issued with an ip nat command means that the NAT ing takes places on the IP address and then the PORT REDIRECTION takes place after.
My simple point is NAT is Network Address Translation, NOT network port redirection or anything else to do with ports.

your point orignally was port forwarding should be done at the firewall level,

Yes, and it should, I can't think of any reason, in the enterprise, that you would allow a perimeter router to handle any sort of port redirection. A firewall SHOULD also be used in this setup.

We can ramble on here for ages, the facts are there in the linked pages I provided you with.
I think what we are really disagreeing about here is the EXACT definition of NAT.
Obviously you have first hand experience in this, as do I. I can't see any reason for this to proceed, with have both presented our evidence and I suppose its up to anyone reading the post to investigate the points we have outlined and make their conclusion.

Fancy going Heads Up to settle it???