Ernillew / wl500g

Automatically exported from code.google.com/p/wl500g

incorrect realization of DMZ (Virtual DMZ function) #368

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set up a Virtual DMZ

What is the expected output? What do you see instead?
Traffic to/from the DMZ'ed workstation from/to other LAN clients should be blocked. This is the idea of a DMZ. But rules to block access from the DMZ'ed workstation are not created.

What version of the product are you using?
last available build

Please provide any additional information below.
This behaviour is confirmed by ASUS tech support.
Ideas of how to correct this are: either set up iptables to block the unneeded access, or make the DMZ for a physical port, not an IP, and move it to a separate VLAN (it seems that OpenWrt has this implemented).

Original issue reported on code.google.com by golomi...@gmail.com on 22 Nov 2012 at 8:35

GoogleCodeExporter commented 9 years ago
The idea is quite clear, but many users use some client in the LAN for simplifying port-forwards. The suggested changes will break those configs.

Original comment by themiron.ru on 23 Nov 2012 at 1:05

GoogleCodeExporter commented 9 years ago
themiron.ru,
You are right - breaking existing configs is bad. 
I am suggesting then to add a setting under "Virtual DMZ" - "Create real DMZ" - which will block unneeded access to the LAN.
What do you think? Would you change the status?

Original comment by golomi...@gmail.com on 24 Nov 2012 at 4:34

GoogleCodeExporter commented 9 years ago
Probably it makes sense; please suggest all the traffic rules from/to WAN & LAN from the DMZ host's view.

Original comment by themiron.ru on 24 Nov 2012 at 8:29

GoogleCodeExporter commented 9 years ago
Suggested rules:
1. The DMZ host is allowed to access the Internet.
2. Incoming traffic on all ports and protocols, except those which are set up in "Virtual Server", is routed to the DMZ host.
3. Outgoing connections from the DMZ host to the LAN are PROHIBITED.

The first two rules are realized in the current firmware, the third one isn't. So the main thing is to allow users to configure a "Real DMZ" prohibiting all outgoing connections from the DMZ to the LAN.

Original comment by golomi...@gmail.com on 26 Nov 2012 at 2:12
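The three rules above, written out as the iptables commands a "Real DMZ" option would have to install. This is an added example, not code from the wl500g firmware; the interface names (br0, vlan1) and addresses the caller passes are placeholders, and it assumes that traffic from the DMZ host to other LAN clients actually reaches the router's FORWARD chain (bridge netfilter enabled, or the DMZ host on its own port/VLAN as the first comment suggests), otherwise the switch forwards it without iptables ever seeing it.

```shell
#!/bin/sh
# Added example, not code from the wl500g firmware. Emits the iptables
# commands for a "Real DMZ" as listed in the thread. Interface names and
# addresses are supplied by the caller and are placeholders.
#
# Usage: real_dmz_rules DMZ_IP DMZ_IF LAN_NET WAN_IF [PROTO:PORT:HOST ...]
#   PROTO:PORT:HOST entries are the "Virtual Server" forwards that must keep
#   going to their own hosts instead of the DMZ host (rule 2).
real_dmz_rules() {
    [ $# -ge 4 ] || { echo "usage: real_dmz_rules DMZ_IP DMZ_IF LAN_NET WAN_IF [PROTO:PORT:HOST ...]" >&2; return 2; }
    dmz_ip=$1; dmz_if=$2; lan_net=$3; wan_if=$4
    shift 4

    # Rule 2, part one: explicit Virtual Server forwards are appended before
    # the catch-all so they match first.
    for fwd in "$@"; do
        proto=${fwd%%:*}; rest=${fwd#*:}
        port=${rest%%:*}; host=${rest#*:}
        echo "iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport $port -j DNAT --to-destination $host"
    done
    # Rule 2, part two: everything else arriving on WAN goes to the DMZ host.
    echo "iptables -t nat -A PREROUTING -i $wan_if -j DNAT --to-destination $dmz_ip"

    # Rule 3: the DMZ host must not open connections to other LAN clients.
    # Replies to connections that LAN clients opened toward the DMZ host are
    # still needed, so ESTABLISHED/RELATED is accepted before the DROP; new
    # connections toward LAN_NET are logged (visible in the router log) and
    # then dropped.
    echo "iptables -A FORWARD -i $dmz_if -s $dmz_ip -d $lan_net -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $dmz_if -s $dmz_ip -d $lan_net -m state --state NEW -j LOG --log-prefix \"DMZ->LAN blocked: \""
    echo "iptables -A FORWARD -i $dmz_if -s $dmz_ip -d $lan_net -j DROP"

    # Rule 1: the DMZ host may still reach the Internet via the WAN interface.
    echo "iptables -A FORWARD -i $dmz_if -o $wan_if -s $dmz_ip -j ACCEPT"
}

# Number of rules emitted, so a caller can sanity-check the generated set.
real_dmz_rule_count() {
    real_dmz_rules "$@" | wc -l | tr -d ' '
}
```

Review the generated lines before applying them; the firmware's existing FORWARD policy and its own ESTABLISHED rules are not reproduced here.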

GoogleCodeExporter commented 9 years ago
Up?

Original comment by golomi...@gmail.com on 22 Jan 2013 at 11:01