Any absolute MUST reason for a DMZ?



Is there any absolute *must have it* reason for a DMZ?

Would the judicious use of port-forwarding be an alternative?  As long
as I know each app's port, I think I could use the router to block
unwanted ports.

Maybe the only reason is the router won't tell me if there's a DOS
attack going on.  And looking at the logs, I think the log filtering
is "natto-so-good-o".  (you need some Japanese to get that one).

But I can't think of another reason.  Any others?


Re: Any absolute MUST reason for a DMZ?

Rock wrote:


For home use I think port forwarding is fine. Understand you cannot have
redundant servers with this setup (port forwarding + NAT); as long as that
is not an issue it should be fine.

DMZ-type setups are more for medium and large network designs. For home
use, port forwarding should be fine.

"Trusted Computing" is a SCAM

Protect your rights

Re: Any absolute MUST reason for a DMZ?

Rock wrote:


Depends. Some apps have to have the ability to connect on various
ports, so a normal router/NAT setup won't do it. For example, Freenet,
although it's supposed to only accept connections on the specified port,
will not work with only that port forwarded. This is because after
accepting the connection, it assigns an actual port to the connection in
order to keep track of that connection. Many applications function the same
way and have to be examined on an individual basis to determine a
sufficient number of ports to allow them to use. Otherwise the router will
automatically drop/block connection attempts since they aren't being

Re: Any absolute MUST reason for a DMZ?

The reason to have a LAN and a DMZ network is to block access from one
side to the other. If you put a web server in the DMZ, and don't provide
DMZ to LAN access, if the Web server gets compromised it can't get to
the LAN to compromise the other computers.

If you use Port Forwarding you only have one network, so, if a system is
compromised and it has any accounts with the same user/password, that
machine can compromise the others easily - not to mention that if there
are unpatched exploits, the compromised machine can compromise the
others without a user/password.

Anything that provides public services should be on a DMZ.

If you want to create a DMZ you can do this with two NAT routers:


The WAN port on Router 2 gets a fixed IP from the LAN of Router 1.
Router 2 has no port forwarding.

Router 1 has your DMZ network and all the port forwarding you want.
Router 1 has no means to get into the LAN on Router 2.

(Remove 999 to reply to me)
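The isolation described in this reply (public service reachable only in the DMZ, LAN may reach the DMZ, DMZ can never initiate into the LAN) can also be expressed on a single Linux box instead of two NAT routers. This is an added example, not from the post or any project; the interface names (wan0, dmz0, lan0), the 10.0.1.0/24 LAN, the 10.0.2.0/24 DMZ and the web server address 10.0.2.10 are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Assumed layout (constructed for this example):
#   wan0 -> Internet
#   dmz0 -> 10.0.2.0/24, web server at 10.0.2.10
#   lan0 -> 10.0.1.0/24, private LAN
flush ruleset

table inet dmz_fw {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Port-forward public HTTP to the DMZ web server only
        iifname "wan0" tcp dport 80 dnat ip to 10.0.2.10
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies to connections that were allowed below
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the forwarded service, nothing else
        iifname "wan0" oifname "dmz0" ip daddr 10.0.2.10 tcp dport 80 accept

        # LAN -> DMZ and LAN -> Internet: allowed
        iifname "lan0" oifname { "dmz0", "wan0" } accept

        # DMZ -> Internet: allowed (updates, outbound mail, etc.)
        iifname "dmz0" oifname "wan0" accept

        # DMZ -> LAN: never, and log it so a compromised DMZ host
        # probing the LAN shows up in the logs
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan: " drop
    }
}
```

With the default drop policy on the forward chain, a web server compromised in the DMZ can only answer existing connections or go outbound to the Internet; any attempt to reach 10.0.1.0/24 is dropped and logged.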
