build a dmz
I would like to get information about setting up a DMZ on my computer. I have a Buffalo WBR-G54 router/AP with one PC hardwired and the other wireless. At times I have a fair amount of traffic on the network (FTP) and I trust nothing. I've been reading about DMZs but I can't find information about the theory and a guide to set it up. Can anyone point me in the right direction? Any help is appreciated.
YeOldeStonecat
10-12-04, 05:33 AM
DMZ = DeMilitarized Zone
Most broadband routers work by using NAT, Network Address Translation. That takes your WAN IP address (the public IP that your ISP gives to the WAN port of your router) and translates it to the private class C IP addresses of your internal network. Usually that's something like 192.168.1.1-254.
Your computer has over 65,000 ports which various services run on. By default, NAT has the door closed on all of them. But sometimes you want to have a server on your network provide a service to the outside world, such as SMTP mail, a web server, FTP, or perhaps a game server. In those cases, the smart move is to open/forward only those ports which you need, to the LAN IP address of the server. You'd forward port 25 for a mail server, port 80 for a web server, 27960 for a Quake 3 server, etc. Opening/forwarding ports will expose only those ports... all the other ports remain closed, so your computer is relatively safe, assuming you've properly secured those exposed services.
What DMZ does is take the LAN IP address and basically "hang that outside the firewall" by forwarding all 65,000 plus ports to that IP address. If you're putting a computer in the DMZ, you're fully exposing that computer as if it were not behind any firewall... its butt is hanging out there wiiiiiide open. Not only is that computer itself exposed, but because it's also on the same IP range as the rest of your network... now the rest of your network is somewhat compromised too. DMZ is not a good thing to do.
I would have to say a TRUE DMZ is great from a security standpoint. The problem is SOHO manufacturers have taken the term and twisted it.
I'll try and explain using the "three network" analogy. Basically you take the network and split it up into three separate networks:
Outside --> Modem --> Router
                        |
                        |
                 DMZ Hub or Switch
                  |              |
                  |              |
   +------Firewall-----+         +-----Outside DMZ Server
   |Internal      External
   |
   |
Internal Switch
  |   |   |   |
  |   |   |   |
Internal Systems
Sorry, my ASCII skills are terrible :)
Hopefully you can make out what I'm trying to show here. With the proper filters and setups your network will be split, with the untrusted network kept outside. With the firewall in place you can connect to your DMZ host if need be, and with the proper firewall configuration, servers in the DMZ will in no way be able to access the internal network.
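As an added example (not code from any poster in this thread), this is how the "Firewall" box in the diagram above could enforce the three-network split if it were a Linux machine running nftables: internal systems may open connections to the DMZ server and the outside, while nothing on the DMZ side may initiate a connection inward. Interface names, the 192.0.2.0/24 DMZ segment and the 192.168.1.0/24 internal range are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed layout:
#   eth0 = "External" side, plugged into the DMZ hub/switch with the router
#          and the Outside DMZ Server
#   eth1 = "Internal" side, plugged into the Internal Switch
flush ruleset

define WAN_IF  = "eth0"
define LAN_IF  = "eth1"
define DMZ_NET = 192.0.2.0/24       # assumed DMZ segment
define LAN_NET = 192.168.1.0/24     # assumed internal segment

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful inspection: replies are admitted only for flows that
        # were already accepted below; malformed or unknown state is dropped
        ct state established,related accept
        ct state invalid drop

        # Internal systems may reach the DMZ server and the outside world
        iifname $LAN_IF ip saddr $LAN_NET accept

        # The DMZ server can never start a connection into the internal LAN
        iifname $WAN_IF ip saddr $DMZ_NET ip daddr $LAN_NET \
            limit rate 5/minute log prefix "dmz-to-lan-blocked: " drop

        # Everything else crossing the boundary falls through to policy drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # Administer the firewall only from the internal side (assumed SSH)
        iifname $LAN_IF ip saddr $LAN_NET tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# The router only knows the DMZ segment, so hide the internal range behind
# the firewall's external address when traffic leaves toward the DMZ hub
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN_IF ip saddr $LAN_NET masquerade
    }
}
```

The `ct state` rules are the stateful packet inspection asked about later in this thread: return packets are let back in only for connections the internal side opened, and port forwarding from the router lands on the DMZ server, never on the internal systems.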
Oops. I think I don't need a DMZ. Thanks for the input though. I thought that's what I needed because I have potentially untrusted activity on my network, but it seems that a DMZ will make things worse. In another forum I was advised to get a firewall with stateful packet inspection, as my router doesn't provide that. If I am paranoid about security, will this help me? Understand that I'm a noob when it comes to setting up networks, but I'm willing to put in a lot of time reading so that I can understand what I'm doing. Does anyone have any thoughts on that? Thanks for the feedback.