ISP backdoors in WAN router - What to do?

Frankly, DMZ is a solution in search of a problem. Why would someone forward every port/protocol for a fucking web server? Anyone with half a brain these days would only forward the necessary ports.

2 Likes

Hehe, indeed. This is what I was reading earlier - see the bit under ‘Rationale’ (https://en.wikipedia.org/wiki/DMZ_(computing)).

While that may have been the intended implementation for DMZs, I completely agree with you.

Having a DMZ in the sense that everything is allowed to hosts in that network segment is dumb, IMHO. Having a DMZ with servers that need to interact with incoming requests from the internet and sandwiching these hosts between 2 firewalls is best practice. Even if you only have one physical firewall, usually a software firewall will be running on these exposed hosts.

1 Like

That’s what I did because my ISP stopped offering gateway units to consumers.

The term DMZ has been misappropriated by the home router manufacturers to mean DNAT all the incoming traffic to such-and-such an IP. (Doesn’t even track connections or look at protocols in most cases.)

In most home routers and modems, it’s all about NAT; it’s not a separate VLAN or anything, and it has nothing to do with any kind of security, other than the obvious thing of you’ll be getting traffic now.

1 Like
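The difference between a consumer-router "DMZ host" and a single port forward, as described in the post above, written out as an nftables ruleset. This is an added example, not configuration from the thread; the interface names `wan0`/`lan0`, the host address `192.168.1.50` and the choice of HTTPS are assumptions.

```nft
# Constructed example. Assumed names: wan0 (ISP side), lan0 (home LAN),
# 192.168.1.50 (the internal web server).

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # (A) What a home-router "DMZ host" setting amounts to: a catch-all
        # DNAT. Every unsolicited inbound packet, whatever the port or
        # protocol, is rewritten to one LAN address. The host is not
        # isolated from the rest of the LAN in any way.
        # Left commented out on purpose:
        # iifname "wan0" dnat to 192.168.1.50

        # (B) Forward only the port the service needs.
        iifname "wan0" tcp dport 443 dnat to 192.168.1.50
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already allowed.
        ct state established,related accept

        # LAN hosts may open connections outward.
        iifname "lan0" oifname "wan0" accept

        # Inbound: only new HTTPS connections to the web server.
        # Anything else arriving from the WAN hits the drop policy.
        iifname "wan0" oifname "lan0" ip daddr 192.168.1.50 tcp dport 443 ct state new accept
    }
}
```

With rule (A) enabled instead of (B), the forward chain is the only thing standing between the internet and that host, which is why the software firewall on the exposed machine matters in the single-firewall setups mentioned earlier in the thread.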

Well said - when I didn’t make sense earlier @NetBandit this is exactly what I was on about.