Setting up a DMZ

A demilitarized zone or DMZ allows your servers to respond to public IP addresses. The difference between placing a server in a DMZ (orange) and placing directly on the public (red) network is that you can limit traffic into and out of the server. And you use the firewall to limit access so unwanted traffic never gets to your servers. You can use the built-in QOS to limit the amount of traffic overall for all machines; important where you pay for bandwidth.

Was an ORANGE network created for DMZ?

Check if the IPFire Network Configuration Type included an ORANGE network. Grab ORANGE network info:

[root@ipfire ~]# ifconfig orange0 | grep 'inet' | sed 's/^[ \t]*//'
inet 10.8.6.1  netmask 255.255.255.0  broadcast 0.0.0.0

If you get the error orange0: error fetching interface information: Device not found, return to setup and add the ORANGE network.

The inet addr is the DMZ router address. And the Mask is the subnet mask for the DMZ network.

Setup of simple web server

Access the web server and setup the Network similar to the table below.

Note: Below are examples for this article. Please set your web server addresses as you see fit.

Description Address Note
IP address 10.8.6.5 Example web server
Subnet mask 255.255.255.240 Mask from ifconfig above (allows fourteen IP addresses in the DMZ)
Router address 10.8.6.1 IP address (inet addr) from ifconfig above
DNS server 9.9.9.9 External DNS server. Don't use IPFire box DNS server.

Simple web server in DMZ

Notes:

• There is no DHCP server available in the IPFire DMZ.
• Every client device is configured with a static IP address.
• Make sure the client subnet mask matches the setting for the IPFire ORANGE network.
• There is no DNS server in the IPFire DMZ.
• The DNS for each client should be set to an external DNS server.
Read this to make sure you understand what network has access to/from the DMZ.

Create DMZ firewall rule

There is one firewall rule needed for the DMZ network. This firewall rule will use NAT to translate the external IP address to the firewall IP address allowing the internal DMZ (orange) server to respond.

To create the rule go to menu Firewall > Firewall Rules and click New rule:

  1. Source
    • Standard Networks: > Any
  2. NAT
    • Use Network Address Translation (NAT) > Destination NAT (Port Forwarding)
  3. Destination
    • Destination address (IP address or network) > [enter IP address of web server]
  4. Protocol
    • Preset > Services > HTTP

Access

To access the DMZ web server:

http://10.8.6.5             # access orange via green or blue
-or-
http://81.3.27.38           # access via Internet using Internet IP address
-or-
http://myDDNShostname.org   # access via Internet using Dynamic DNS hostname

 


TL;DR - Want to change external port from port 80 to 8180?

I see 100 to 200 attempts to access port 80 everyday. So I wanted to hide my web server behind port 8180. This DOES NOT make things more secure. It just hides them a little. Secure by obscurity does not work!

To edit the rule go to menu Firewall > Firewall Rules and click the Edit pencil. Then go to:

  1. Protocol
    • TCP
      • Destination port: > 80
      • External port (NAT): > 8180

Access via port 8180

To access the DMZ web server:

http://10.8.6.5                  # access orange via green or blue
-or-
http://81.3.27.38:8180           # access via Internet using Internet IP address
-or-
http://myDDNShostname.org:8180   # access via Internet using Dynamic DNS hostname

Done!

Edit Page ‐ Yes, you can edit!

Older Revisions • September 17 at 8:16 pm • Jon