
Thread: Virtual DMZ and WAN to LAN filter

  1. #1

    Virtual DMZ and WAN to LAN filter

    Hi!

    If the WAN to LAN filter is enabled, and packets not explicitly allowed are dropped, then the Virtual DMZ doesn't work correctly.
    On the status page I see all ports redirected to the defined IP address (Virtual DMZ), but to no avail... Does the WAN to LAN filter take precedence over the Virtual DMZ settings?

  2. #2
    Join Date: Nov 2004 | Location: Sweden | Posts: 259
    I do not know whether DMZ is working properly on the Asus WL-500g or not, but I think your question mixes up some basic points of IP security. In the following link you can read a basic document that explains the foundations of a DMZ. There you can read:

    DMZ: This is a feature that is included on some routers but is not in Internet sharing software. A DMZ allows a single computer on your LAN to expose ALL of its ports to the Internet. When doing this, the exposed computer is no longer ‘behind’ the firewall.

    Referred link: http://www.homenethelp.com/web/expla...arding-dmz.asp

  3. #3
    Quote Originally Posted by Tamadite
    I do not know whether DMZ is working properly on the Asus WL-500g or not, but I think your question mixes up some basic points of IP security. In the following link you can read a basic document that explains the foundations of a DMZ. There you can read:

    DMZ: This is a feature that is included on some routers but is not in Internet sharing software. A DMZ allows a single computer on your LAN to expose ALL of its ports to the Internet. When doing this, the exposed computer is no longer ‘behind’ the firewall.

    Referred link: http://www.homenethelp.com/web/expla...arding-dmz.asp

    It's OK. But it looks like it doesn't work correctly in firmware v1.8.1.9. It is as though the WAN to LAN packet filter rules are applied to the DMZ as well.

  4. #4
    Join Date: Nov 2004 | Location: Hong Kong | Posts: 17

    You're right...

    From the generated filter_rules, yes, the WAN-to-LAN default "DROP" drops the packets before the rule that forwards packets to the DMZ IP address is reached.

    I've tried setting 192.168.1.200 as the DMZ and forwarding port 80 to 192.168.1.201:
    Code:
    # cat /tmp/filter_rules
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -m state --state INVALID -j logdrop
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -j logdrop
    -A FORWARD -m state --state INVALID -j logdrop
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    -A FORWARD -i eth0 -o br0 -p tcp -d 192.168.1.201 --dport 80 -j ACCEPT
    -A FORWARD -i eth0 -o br0 -j logdrop
    -A FORWARD -p udp --dport 6112 -j ACCEPT
    -A FORWARD -d 192.168.1.200 -j ACCEPT
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    COMMIT
    Last edited by whao; 02-12-2004 at 13:48. Reason: highlight the relevant rules
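To make the ordering point concrete, here is an added example (my own code, not part of any post and not the ASUS firmware): a small first-match evaluator for iptables-save style rules, fed the FORWARD and logdrop chains quoted in post #4 (INPUT chain left out). The packets, their port numbers, and the model of `-m limit` as a token bucket that starts full (iptables' default burst of 5) and is not refilled within the simulated instant are assumptions made for the illustration.

```python
"""Walk a packet through the WL-500g FORWARD chain: first match wins.
Added example, not firmware code: a small iptables-save parser plus evaluator
for the rules quoted in post #4 (INPUT chain omitted). `-m limit` is modelled
as a token bucket that starts full (default burst 5) and is never refilled."""
import shlex

FILTER_RULES = """\
:FORWARD ACCEPT [0:0]
:logdrop - [0:0]
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A FORWARD -i eth0 -o br0 -p tcp -d 192.168.1.201 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o br0 -j logdrop
-A FORWARD -p udp --dport 6112 -j ACCEPT
-A FORWARD -d 192.168.1.200 -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP"
-A logdrop -j DROP
"""
ALL_FLAGS = frozenset({"SYN", "ACK", "FIN", "RST"})
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# option -> (key, converter); rules and packets are plain dicts sharing these keys
SIMPLE = {"-i": ("in_if", str), "-o": ("out_if", str), "-p": ("proto", str), "-d": ("dst", str),
          "--dport": ("dport", int), "--icmp-type": ("icmp_type", str), "-j": ("target", str),
          "--state": ("states", lambda s: frozenset(s.split(","))), "--limit-burst": ("tokens", int)}

def parse_rule(line):
    """Parse one `-A chain ...` line into (chain, rule dict); unknown options raise."""
    toks, rule, chain, i = shlex.split(line), {"text": line}, "", 0
    while i < len(toks):
        t, arg, step = toks[i], toks[i + 1] if i + 1 < len(toks) else "", 2
        if t == "-A":
            chain = arg
        elif t in SIMPLE:
            rule[SIMPLE[t][0]] = SIMPLE[t][1](arg)
        elif t == "--limit":                      # rate ignored; burst may be set by --limit-burst
            rule.setdefault("tokens", 5)
        elif t == "--syn":                        # same as --tcp-flags SYN,ACK,FIN,RST SYN
            rule["tcp_flags"], step = (ALL_FLAGS, frozenset({"SYN"})), 1
        elif t == "--tcp-flags":                  # mask, then the flags that must be set
            rule["tcp_flags"], step = (frozenset(arg.split(",")), frozenset(toks[i + 2].split(","))), 3
        elif t not in ("-m", "--log-prefix"):     # module names and LOG options match nothing
            raise ValueError(f"unsupported option {t!r} in {line!r}")
        i += step
    return chain, rule

def parse_ruleset(text):
    """Return ({chain: [rule, ...]}, {chain: policy}) from iptables-save style text."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                  # chain declaration; policy "-" = user chain
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], policy
        elif line.startswith("-A"):
            chain, rule = parse_rule(line)
            chains[chain].append(rule)
    return chains, policies

def matches(rule, pkt):
    """Every match on the rule must hold; -m limit is checked last and consumes a token."""
    for key in ("in_if", "out_if", "proto", "dst", "dport", "icmp_type"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "states" in rule and pkt.get("state", "NEW") not in rule["states"]:
        return False
    if "tcp_flags" in rule:
        mask, wanted = rule["tcp_flags"]
        if pkt.get("proto") != "tcp" or (pkt.get("flags", frozenset()) & mask) != wanted:
            return False
    if "tokens" in rule:                          # bucket empty -> the rule no longer matches
        rule["tokens"] -= 1
        return rule["tokens"] >= 0
    return True

def evaluate(chains, policies, pkt, chain="FORWARD"):
    """First-match walk; returns (verdict, rule in `chain` that decided it), None on fall-through."""
    for rule in chains[chain]:
        if not matches(rule, pkt) or rule["target"] == "LOG":      # LOG never terminates
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], rule["text"]
        result = evaluate(chains, policies, pkt, rule["target"])   # jump into a user chain
        if result is not None:
            return result[0], rule["text"]
    return (policies[chain], f"policy {chain}") if policies.get(chain, "-") != "-" else None

def verdicts(ruleset, packets):
    """(verdict, deciding rule) per packet; parsed once so limit tokens are shared, as on a router."""
    chains, policies = parse_ruleset(ruleset)
    return [evaluate(chains, policies, p) for p in packets]

def dmz_before_drop(ruleset, dmz_ip="192.168.1.200"):
    """Reorder so the DMZ ACCEPT sits ahead of the WAN-to-LAN catch-all logdrop."""
    lines = ruleset.splitlines()
    dmz = next(l for l in lines if f"-d {dmz_ip} " in l)
    lines.remove(dmz)
    lines.insert(next(i for i, l in enumerate(lines) if "-i eth0 -o br0 -j logdrop" in l), dmz)
    return "\n".join(lines)

# Constructed packets, all WAN (eth0) to LAN (br0), state NEW; the ports are illustrative.
WAN = dict(in_if="eth0", out_if="br0", state="NEW")
UDP_TO_DMZ = dict(WAN, proto="udp", dst="192.168.1.200", dport=27015)
HTTP_TO_201 = dict(WAN, proto="tcp", dst="192.168.1.201", dport=80, flags=frozenset({"SYN"}))
SYN_TO_DMZ = dict(WAN, proto="tcp", dst="192.168.1.200", dport=22, flags=frozenset({"SYN"}))

if __name__ == "__main__":
    for rules in (FILTER_RULES, dmz_before_drop(FILTER_RULES)):
        print(verdicts(rules, [UDP_TO_DMZ, HTTP_TO_201]), [v for v, _ in verdicts(rules, [SYN_TO_DMZ] * 6)])
```

Run as is, the UDP packet to the DMZ host is decided by `-A FORWARD -i eth0 -o br0 -j logdrop` in the firmware's order and by the DMZ rule once `dmz_before_drop` moves that rule above the catch-all, while the forward to 192.168.1.201:80 is accepted either way because its ACCEPT already precedes the drop. The rate-limited `-p tcp --syn` rule above the drop carries no destination match, so the first burst of SYNs to the DMZ host gets through in both orderings; only after the bucket is empty does the ordering decide. On a real ruleset the corresponding fix is to emit the DMZ ACCEPT before the catch-all drop, which is all the reordering helper does.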

  5. #5
    Join Date: Dec 2003 | Location: Russian Federation | Posts: 8,356
    This was fixed in 1.8.1.7-3.

  6. #6
    Quote Originally Posted by Oleg
    This was fixed in 1.8.1.7-3.
    Whao, Oleg: Thanks for the replies! But I use the official firmware v1.8.1.9. Maybe it will be fixed later... in v1.8.2.4?

  7. #7
    Join Date: Nov 2004 | Location: Sweden | Posts: 259
    Quote Originally Posted by Derfel
    Whao, Oleg: Thanks for the replies! But I use the official firmware v1.8.1.9. Maybe it will be fixed later... in v1.8.2.4?
    Good point, Derfel! There is a misimplementation of the DMZ concept on the WL-500g that should be fixed by a new official Asus firmware release ASAP.

    Thanks Oleg for your efforts!
