A demilitarized zone or DMZ allows your servers to respond to public IP addresses. The difference between placing a server in a DMZ (orange) and placing directly on the public (red) network is that you can limit traffic into and out of the server. And you use the firewall to limit access so unwanted traffic never gets to your servers. You can use the built-in QOS to limit the amount of traffic overall for all machines; important where you pay for bandwidth.
Was an ORANGE network created for DMZ?
Check if the IPFire Network Configuration Type included an ORANGE network. Grab ORANGE network info:
[root@ipfire ~]# ifconfig orange0 | grep 'inet' | sed 's/^[ \t]*//'
inet 10.8.6.1 netmask 255.255.255.0 broadcast 0.0.0.0
If you get the error orange0: error fetching interface information: Device not found, return to setup and add the ORANGE network, or setup a virtual bridge as indicated below.
The inet addr is the DMZ router address. And the Mask is the subnet mask for the DMZ network.
Setup of simple web server
Access the web server and setup the Network similar to the table below.
Note: Below are examples for this article. Please set your web server addresses as you see fit.
| Description | Address | Note |
|---|---|---|
| IP address | 10.8.6.5 | Example web server |
| Subnet mask | 255.255.255.240 | Mask from ifconfig above (allows fourteen IP addresses in the DMZ) |
| Router address | 10.8.6.1 | IP address (inet addr) from ifconfig above |
| DNS server | 9.9.9.9 | External DNS server. Don't use IPFire box DNS server. |
Notes:
- There is no DHCP server available in the IPFire DMZ, however it is possible to assign a static IP to a dedicated DHCP server in the orange zone which can service the rest of the orange network.
- Every client device is configured with a static IP address.
- Make sure the client subnet mask matches the setting for the IPFire ORANGE network.
- There is no DNS server in the IPFire DMZ.
- The DNS for each client should be set to an external DNS server.
- Read this to make sure you understand what network has access to/from the DMZ.
Create DMZ firewall rule
There is one firewall rule needed for the DMZ network. This firewall rule will use NAT to translate the external IP address to the firewall IP address allowing the internal DMZ (orange) server to respond.
To create the rule go to menu Firewall > Firewall Rules and click New rule:
- Source
- Standard Networks: > Any
- NAT
- Use Network Address Translation (NAT) > Destination NAT (Port Forwarding)
- Destination
- Destination address (IP address or network) > [enter IP address of web server]
- Protocol
- Preset > Services > HTTP
Access
To access the DMZ web server:
http://10.8.6.5 # access orange via green or blue
-or-
http://81.3.27.38 # access via Internet using Internet IP address
-or-
http://myDDNShostname.org # access via Internet using Dynamic DNS hostname
TL;DR - Want to change external port from port 80 to 8180?
I see 100 to 200 attempts to access port 80 everyday. So I wanted to hide my web server behind port 8180. This DOES NOT make things more secure. It just hides them a little. Secure by obscurity does not work!
To edit the rule go to menu Firewall > Firewall Rules and click the Edit pencil. Then go to:
- Protocol
- TCP
- Destination port: > 80
- External port (NAT): > 8180
- TCP
Access via port 8180
To access the DMZ web server:
http://10.8.6.5 # access orange via green or blue
-or-
http://81.3.27.38:8180 # access via Internet using Internet IP address
-or-
http://myDDNShostname.org:8180 # access via Internet using Dynamic DNS hostname
Done!
Links
- Wikipedia - DMZ
- IPFire Wiki - Setting up a virtual bridged interface