Ben-Nes Michael wrote:
>
> Hi All
>
> Small confusion.
>
> what exactly is DMZ ?

De-Militarized Zone. A typical topology is a 3-legged firewall: one leg goes to the Internet/FR-router/ADSL/whatever, the second to a hub with all the client computers (WIN machines etc.) connected to it, and the third goes to a hub with the servers connected to it (DMZ).

> If it is an area between the Internet and the Firewall then it's not under
> protection of the firewall.

It's not a direct translation of the term "De-Militarized Zone", and it isn't BETWEEN anything. It's usually a separate subnet, with weaker security. While computers from the subnet(s) with the clients cannot be accessed from the Internet (but can only initiate sessions, and be answered), computers from the DMZ can also be accessed (so they can be used for DNS, e-mail, web-serving, etc.).

> If so what does the firewall manage here ?

A lot. For example, the firewall inspects the incoming packets, and doesn't let spoofed packets in. Also, it doesn't let packets with an illegal destination (such as 127.0.0.1 or broadcast) in. It may block floods, SYN attacks, etc.

If you know (for example) that one computer serves HTTP, while a second one serves e-mail, you may allow only packets with DPORT=80 to the first and DPORT=25 to the second.

You may even DNAT the computers in the DMZ. If this is the case, you would also want to masquerade them even when they access each other, because when they use addresses as known by external machines, they will reach the firewall, and without masquerading the response will not reach anything.

Another interesting thing that you may do is having only one IP for anything, but directing the packets according to the requested service (i.e. one computer will serve HTTP, another one e-mail, etc., all of them with the same IP).

-- 
Eli Marmor
[EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.:   +972-9-766-1020          8 Yad-Harutzim St.
Fax.:   +972-9-766-1314          P.O.B. 7004
Mobile: +972-50-23-7338          Kfar-Saba 44641, Israel
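The masquerading point in the reply above, traced as a small simulation. This is an added example, not part of the original message; every address, port number and function name in it is constructed for the illustration, and the firewall is modelled only as far as DNAT by destination port plus optional masquerading of DMZ sources.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport")

# All addresses below are constructed for the example.
PUBLIC_IP = "203.0.113.10"            # the one address external machines know
FW_DMZ_IP = "192.168.2.1"             # firewall's leg on the DMZ hub
DMZ_NET = ip_network("192.168.2.0/24")
DNAT = {80: "192.168.2.10",           # HTTP server
        25: "192.168.2.20"}           # e-mail server


def in_dmz(addr):
    return ip_address(addr) in DMZ_NET


def trace_reply(client, dport, masquerade):
    """Follow one request to PUBLIC_IP:dport; return the reply the client sees.

    Returns None when no DNAT rule matches the port (the packet is dropped).
    """
    request = Packet(client, 40000, PUBLIC_IP, dport)
    if dport not in DNAT:
        return None
    # Firewall: DNAT by destination port, optionally masquerade DMZ sources.
    fwd_src = FW_DMZ_IP if (masquerade and in_dmz(client)) else client
    forwarded = Packet(fwd_src, request.sport, DNAT[dport], dport)
    # The server answers whatever source address it saw.
    reply = Packet(forwarded.dst, forwarded.dport, forwarded.src, forwarded.sport)
    if reply.dst == FW_DMZ_IP or not in_dmz(reply.dst):
        # The reply passes through the firewall, whose connection tracking
        # reverses the translations before the client sees it.
        return Packet(PUBLIC_IP, dport, client, request.sport)
    # Same subnet: the reply crosses the hub directly, untranslated.
    return reply


def client_accepts(client, dport, masquerade):
    """A client only matches a reply coming from the address it contacted."""
    reply = trace_reply(client, dport, masquerade)
    return reply is not None and (reply.src, reply.sport) == (PUBLIC_IP, dport)
```

Without masquerading, the e-mail server asking for `PUBLIC_IP:80` gets an answer sourced from 192.168.2.10, an address it never contacted, so the session never completes; with masquerading the answer returns via the firewall and carries the public address.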