Virtual DMZ and WAN to LAN filter
Hi!
If the WAN to LAN filter is enabled and unspecified packets are dropped, then the Virtual DMZ doesn't work correctly.
On the status page I see all ports redirected to the defined IP address (Virtual DMZ), but to no avail... Is the WAN to LAN filter's precedence higher than the Virtual DMZ settings?
Tamadite
23-11-2004, 23:03
I do not know whether DMZ is working properly on the Asus WL-500g, but I think your question is mixing up some basic points of IP security. At the following link you can read a basic document that explains the foundations of a DMZ. There you can read:
DMZ: This is a feature that is included on some routers but is not in Internet sharing software. A DMZ allows a single computer on your LAN to expose ALL of its ports to the Internet. When doing this, the exposed computer is no longer ‘behind’ the firewall.
Referred link: http://www.homenethelp.com/web/explain/port-forwarding-dmz.asp
It's ok. But it looks like it doesn't work correctly in firmware v1.8.1.9. It's as though the WAN to LAN packet filter rules are applied to the DMZ.
From the generated filter_rules, yes, the WAN-to-LAN default "DROP" will drop the packets before the rule forwarding packets to the DMZ IP address is reached.
I've tried setting 192.168.1.200 as DMZ and forwarding port 80 to 192.168.1.201:
# cat /tmp/filter_rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A FORWARD -i eth0 -o br0 -p tcp -d 192.168.1.201 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o br0 -j logdrop
-A FORWARD -p udp --dport 6112 -j ACCEPT
-A FORWARD -d 192.168.1.200 -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
This was fixed in the 1.8.1.7-3. :)
Whoa, Oleg: thanks for the reply! But I use the official firmware v1.8.1.9. Maybe it will be fixed later... :rolleyes: v1.8.2.4? :confused:
Tamadite
05-12-2004, 11:25
Good point, Derfel! There is a mis-implementation of the DMZ concept on the WL-500g that should be fixed by a new official Asus firmware release ASAP.
Thanks Oleg for your efforts!