  1. #1
    Newbie
    Join Date
    Dec 2009
    Posts
    13

    A small question regarding DMZ.

    Hello, everyone. I have decided to set myself up a public web server just to play around with. I know that I need to place it in the DMZ for security reasons, but how I do that is my little question. Once I add my new NIC (Intel PRO), how do I tell Untangle that it is a DMZ interface? Also, once I do that, do I just need to plug in my new web server and it will be available to the outside world? I am not a complete newbie, I have been using Untangle happily for quite some time now.

    Thank you.

  2. #2
    Untangle Ninja mrunkel
    Join Date
    Jul 2008
    Posts
    2,989


    Well, first off, there is nothing really special about the "DMZ" interface except the name. Untangle will name the third interface it finds as DMZ, so there is nothing special required there.

    To answer your other questions, I have some of my own.


    • What sort of setup are you running today?
    • Is your internal interface bridged to the external? Or does it have its own private IP address?
    • Do you have more than one publicly routable IP address?
    m.


    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

    It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Dec 2009
    Posts
    13


    Thank you for such a quick response!
    • I have just a standard x64 install with the basic modules enabled. I have a few special ports open to allow external access to my FTP server and Subsonic music service on the internal network. I also have it handling DHCP.
    • I have many computers on the internal network that are transparent to the outside. I am not sure of the exact term, but I don't think it is bridged.
    • No, I have only one external IP.



    Forgive my lack of knowledge here. Maybe I am more of a novice than I thought. If I didn't answer one of your questions completely, I apologize.

    Thank you.
    Last edited by P4Power; 02-10-2012 at 08:04 AM.

  4. #4
    Untangle Ninja mrunkel
    Join Date
    Jul 2008
    Posts
    2,989


    If you have ports open and are serving DHCP, it sounds like you're not bridging. The easiest way to answer that question is to look at your internal interface. If it has an IP assigned, it's not bridged.

    I don't understand what you mean by "...many computers on the internal network that are transparent to the outside."

    If you are already port forwarding to an FTP and music server, why do you think you need to put the web server into a DMZ? Is your plan to move all of the publicly accessible servers there?

    In any case, you will need to assign a new subnet range to the dmz interface and create a NAT rule on it.

    You will want to create packet filters to control connections from the dmz into your main network.

    You will want to create port forwards for any services that you are making available in the DMZ network.
    m.



  5. #5
    Newbie
    Join Date
    Dec 2009
    Posts
    13


    Do you think it would just be easier to keep the web server on the internal network and forward the correct ports to it?

    Thanks again for all the help!
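
The steps listed in post #4 (a separate DMZ subnet, packet filters on connections from the DMZ into the main network, port forwards for published services), modelled as a first-match policy check, with an audit for forwards that land on the internal network as raised in post #5. This is an added example, not part of the thread and not Untangle's configuration format; the subnets, addresses and rule tuples are constructed assumptions.

```python
import ipaddress

# Constructed addressing for illustration; none of these values come from the thread.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.50.0/24")      # new subnet on the third interface
PORT_FORWARDS = {("tcp", 80): "192.168.50.10"}     # public port -> web server in the DMZ

# Packet filter for routed traffic, first match wins; anything unmatched is blocked.
FILTER_RULES = [
    ("dmz", "internal", "block"),     # the exposed server must not open sessions to the LAN
    ("internal", "dmz", "pass"),      # the LAN can still reach and manage the server
    ("internal", "external", "pass"),
    ("dmz", "external", "pass"),      # outbound from the DMZ, NATed behind the public IP
]

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    return "dmz" if ip in DMZ else "external"

def evaluate(src, dst, proto, port):
    """Verdict for a new session; dst is an address, or "public" for the firewall's own IP."""
    if dst == "public":
        # Assumption of this model: a session matching a port forward is passed to its target.
        target = PORT_FORWARDS.get((proto, port))
        return ("pass", target) if target else ("block", None)
    for src_zone, dst_zone, verdict in FILTER_RULES:
        if (zone_of(src), zone_of(dst)) == (src_zone, dst_zone):
            return (verdict, dst)
    return ("block", None)

def forwards_into_internal(forwards):
    """Port forwards that expose a host on the internal network instead of the DMZ."""
    return sorted(k for k, host in forwards.items() if zone_of(host) == "internal")

if __name__ == "__main__":
    flows = [("203.0.113.7", "public", "tcp", 80),           # Internet -> web server
             ("203.0.113.7", "public", "tcp", 22),           # no forward defined
             ("192.168.50.10", "192.168.1.20", "tcp", 445),  # DMZ -> LAN
             ("192.168.1.20", "192.168.50.10", "tcp", 22)]   # LAN -> DMZ
    for flow in flows:
        print(flow, "->", evaluate(*flow))
```
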
