[CentOS] Another Fedora decision

Tue Feb 3 02:41:08 UTC 2015
John R Pierce <pierce at hogranch.com>

On 2/2/2015 6:29 PM, Always Learning wrote:
> On Tue, 2015-02-03 at 13:16 +1100, Kahlil Hodgson wrote:
>
>> A DMZ in this context is a network that has been isolated from the
>> rest of your local network.  You can access it from your local
>> network, it can access the rest of the world, but it can't access your
>> network.  The idea is that, if a machine in the DMZ is compromised, it
>> can only access other machines in the DMZ.
> Thanks. Now I know. That sort of operation can be done via the router
> and by selecting a wifi option on the same router (Asus RT-AC68U). Wifi
> is off by default.

An Asus RT-whatever is a home internet gateway, not a proper firewall
router, and it has no provision for a proper DMZ as it doesn't have a
port for it. This has *nothing* to do with wifi.

Implementing a proper DMZ requires a firewall router with multiple
zones, at a minimum WAN (internet), LAN (your regular network), and DMZ,
used for your public facing internet servers. The DMZ uses its own
network switch (or VLAN) separate from your LAN switch(es), so traffic
from LAN<=>DMZ has to go through the firewall router. You define
firewall rules such that DMZ servers are blocked from accessing anything
on your WAN except specific services they need (if any), but you usually
allow systems on the LAN side access to everything on the DMZ side.
I've seen configurations where even LAN to DMZ was tightly controlled,
so for example only administrator workstations could ssh into the DMZ
servers.



-- 
john r pierce                                      37N 122W
somewhere on the middle of the left coast
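The three-zone layout described in the post above, written out as an nftables ruleset for a Linux box acting as the firewall router. This is an added example, not configuration from the list post or from any of the participants. Interface names, subnets and hosts are assumptions chosen for illustration: eth0 is the WAN uplink, eth1 the LAN (192.168.1.0/24), eth2 the DMZ (192.168.100.0/24), 192.168.1.10 is the administrator workstation allowed to ssh into the DMZ, and 192.168.100.10 is the DMZ's public web server. The DMZ is cut off from the LAN entirely, can reach only the specific internet services it needs (DNS and HTTP/HTTPS for updates), and the LAN's access to the DMZ is the tightly-controlled variant the post mentions, with only the admin workstation getting ssh.

```nft
#!/usr/sbin/nft -f
# Added example (not from the CentOS list post): a WAN/LAN/DMZ firewall
# router ruleset. All names and addresses below are assumptions.
#   eth0 = WAN (internet uplink)
#   eth1 = LAN, 192.168.1.0/24
#   eth2 = DMZ, 192.168.100.0/24, on its own switch or VLAN
#   192.168.1.10   = administrator workstation (assumed)
#   192.168.100.10 = public-facing web server in the DMZ (assumed)

flush ruleset

define WAN = eth0
define LAN = eth1
define DMZ = eth2
define ADMIN_HOSTS = { 192.168.1.10 }
define DMZ_WEB = 192.168.100.10

table inet filter {
    # Traffic addressed to the router itself
    chain input {
        type filter hook input priority 0; policy drop;
        iifname lo accept
        ct state established,related accept
        ct state invalid drop
        # Only administrator workstations on the LAN may manage the router
        iifname $LAN ip saddr $ADMIN_HOSTS tcp dport 22 accept
        # DMZ and WAN get nothing from the router beyond replies to their own
        # allowed connections (handled by the established,related rule above)
    }

    # Traffic crossing between zones: this is where the DMZ isolation lives
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful: replies to connections that were allowed when opened
        ct state established,related accept
        ct state invalid drop

        # LAN -> internet: unrestricted
        iifname $LAN oifname $WAN accept

        # LAN -> DMZ, tightly controlled: only admin workstations may ssh in,
        # everyone else on the LAN reaches only the published web service
        iifname $LAN oifname $DMZ ip saddr $ADMIN_HOSTS tcp dport 22 accept
        iifname $LAN oifname $DMZ ip daddr $DMZ_WEB tcp dport { 80, 443 } accept

        # internet -> DMZ: only the published services (after DNAT below)
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB tcp dport { 80, 443 } accept

        # DMZ -> internet: only what the servers need (DNS, package updates)
        iifname $DMZ oifname $WAN udp dport 53 accept
        iifname $DMZ oifname $WAN tcp dport { 53, 80, 443 } accept

        # DMZ -> LAN: nothing at all. A compromised DMZ host cannot open a
        # connection toward the LAN; the counter makes attempts visible.
        iifname $DMZ oifname $LAN counter drop
    }
}

table ip nat {
    # Publish the DMZ web server on the router's WAN address
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname $WAN tcp dport { 80, 443 } dnat to $DMZ_WEB
    }
    # Hide LAN and DMZ private addresses behind the WAN address
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and confirm the zone policy from a DMZ host: a connection to any LAN address must fail and increment the `counter` on the DMZ -> LAN drop rule (`nft list chain inet filter forward`), while outbound DNS and HTTPS still work. Because DNAT happens in prerouting, the WAN -> DMZ forward rule is written against the server's real DMZ address, not the router's public one.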