A DMZ tutorial using Brazil Firewall & Router


DMZ is a military term designating a buffer zone without the military presence of the opposing sides in a conflict. In computer talk it is a network that is open to traffic but belongs neither to the Internet nor to the private LAN of an organization.

[Figure: Example DMZ network]

In this tutorial I will build such a DMZ server using Brazil Firewall and Router. For this implementation a separate NIC is used. The WAN or LAN NIC could be shared (multi-homed) but this is not as secure.

The DMZ network will have access neither to the LAN nor to the Internet, and the DMZ servers in the network will not see each other unless necessary. The Internet will have access to the DMZ via port forwarding. The LAN will have access to the DMZ, but this can be changed so that access is granted via rules, as will be shown below. It is, after all, a trusted zone. Thus, if compromised, a DMZ host cannot initiate a conversation outside itself in an attempt to spread, spew spam, or otherwise misbehave.

As of BrazilFW 2.31, the configuration is done in Webadmin. In previous releases you define the configuration when you create the floppy during the BrazilFW install.

Configuring the DMZ

[Figure: BrazilFW DMZ host Configuration]

In the DMZ Network Device field enter the interface name. In this tutorial I use eth2. Enter a Primary IP Address and Netmask; a primary address is required. The two optional fields are for adding other IP addresses to the interface. I will use them to put two different networks on the interface for two other DMZ servers. By subnetting 10.0.0.0 in this way, the servers do not see each other. You need to submit this, back up, and reboot.

Now DMZ traffic to the LAN interface(s) and Wireless LAN is blocked but the DMZ network still has access to the Internet.

This is fixed by adding a command to the Firewall Custom Rules, reached through the Configuration Files menu in Webadmin. It will open a file. Add the following line at the end.

iptables -A if-filter -i $IF_DMZ -o $IF_NET -j log-and-drop

DMZ servers still have access to DNS, if DNS is on BrazilFW (the default), and return traffic to the Internet or LANs is assured by the state RELATED,ESTABLISHED rule in the FORWARD chain. To understand this concept see my Firewall primer.

Use Port Forwarding to allow Internet traffic to the DMZ hosts.


Tighter DMZ Control (optional)

In the case where you want nothing in or out of the DMZ network without permission, you need to add another rule to the Firewall Custom Rules. This will block traffic from the LAN to the DMZ.

iptables -A if-filter -i $IF_LOCAL -o $IF_DMZ -j log-and-drop

Now, to allow traffic to the DMZ from the LAN, you must use Access rules in the Advanced Firewall Configuration and NOT port forwarding, because port forwarding is hardwired to use the WAN interface as the source of traffic. The Advanced Firewall Configuration has greater flexibility in its options and has higher precedence in the FORWARD chain, as explained in my Firewall primer. You need to be careful not to open holes by mixing up the source and destination IPs and/or interfaces and/or ports.
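To make the behaviour of the two custom rules (the DMZ-to-Internet drop from "Configuring the DMZ" and the LAN-to-DMZ drop from this section) concrete, here is an added example that models the FORWARD chain as this tutorial describes it. It is not BrazilFW code. The chain order is an assumption taken from the text: the RELATED,ESTABLISHED state rule first, then Advanced Firewall access rules, then the if-filter custom rules, then the default behaviour (LAN trusted, DMZ allowed to the Internet, everything else dropped). Interface names eth0/eth1/eth2 and the ports are constructed sample values. The last scenario shows the kind of hole the paragraph above warns about: a drop rule with the interfaces swapped leaves DMZ-initiated traffic to the Internet open. DNS served by BrazilFW itself goes through INPUT, not FORWARD, so it is outside this model.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

IF_NET, IF_LOCAL, IF_DMZ = "eth0", "eth1", "eth2"  # constructed interface names


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    dport: int
    established: bool = False  # True for reply packets of a tracked connection


@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]   # None means "any"
    out_if: Optional[str]
    dport: Optional[int]
    target: str            # "ACCEPT" or "log-and-drop"

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.in_if, p.in_if), (self.out_if, p.out_if), (self.dport, p.dport)))


# Assumed default forwarding behaviour, modelled from the tutorial's description:
# the LAN is trusted everywhere, the DMZ may reach the Internet, DMZ -> LAN is blocked.
DEFAULT_RULES = [
    Rule(IF_LOCAL, None, None, "ACCEPT"),
    Rule(IF_DMZ, IF_NET, None, "ACCEPT"),
]

# The two custom rules from the tutorial, expressed as Rule objects.
DMZ_TO_NET_DROP = Rule(IF_DMZ, IF_NET, None, "log-and-drop")
LAN_TO_DMZ_DROP = Rule(IF_LOCAL, IF_DMZ, None, "log-and-drop")


def forward(p: Packet, access_rules: List[Rule], custom_rules: List[Rule]) -> str:
    """First-match walk of the modelled FORWARD chain."""
    if p.established:
        return "ACCEPT"  # the RELATED,ESTABLISHED rule is evaluated first
    for rule in access_rules + custom_rules + DEFAULT_RULES:
        if rule.matches(p):
            return rule.target
    return "log-and-drop"  # nothing else is forwarded


def check_dmz_isolation(custom_rules: List[Rule],
                        access_rules: Iterable[Rule] = ()) -> Dict[str, str]:
    """Verdicts a defender should confirm after editing the rules."""
    access = list(access_rules)
    probes = {
        "dmz_initiates_to_internet": Packet(IF_DMZ, IF_NET, 25),
        "dmz_reply_to_internet": Packet(IF_DMZ, IF_NET, 40000, established=True),
        "dmz_initiates_to_lan": Packet(IF_DMZ, IF_LOCAL, 445),
        "lan_initiates_to_dmz_http": Packet(IF_LOCAL, IF_DMZ, 80),
        "lan_initiates_to_dmz_ssh": Packet(IF_LOCAL, IF_DMZ, 22),
    }
    return {name: forward(p, access, custom_rules) for name, p in probes.items()}


if __name__ == "__main__":
    scenarios = {
        # only the first custom rule: DMZ cannot initiate outward, LAN still free
        "basic": check_dmz_isolation([DMZ_TO_NET_DROP]),
        # both custom rules plus one access rule letting the LAN reach DMZ web servers
        "tight+access": check_dmz_isolation(
            [DMZ_TO_NET_DROP, LAN_TO_DMZ_DROP],
            access_rules=[Rule(IF_LOCAL, IF_DMZ, 80, "ACCEPT")]),
        # interfaces mixed up: the rule never matches DMZ-initiated traffic
        "swapped": check_dmz_isolation([Rule(IF_NET, IF_DMZ, None, "log-and-drop")]),
    }
    for name, verdicts in scenarios.items():
        print(name)
        for probe, verdict in verdicts.items():
            print(f"  {probe:28} {verdict}")
```

Running it prints the verdict table per scenario; the "swapped" row for dmz_initiates_to_internet reads ACCEPT, which is exactly the mistake to look for when a custom rule does not seem to bite.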

DISCLAIMER: The following instructions come with no warranty. Use at your discretion and risks. I am not responsible for its misuse, damages, or losses that can be caused directly or indirectly. It is assumed that you practice safe computing and take backups before making changes.

Stuff is written here for the uninitiated and no prior knowledge on the subject is presumed.

For support use the Brazil Firewall forums so everyone can share the information.