DMZ Setup Question

Derick Anderson danderson at
Wed Nov 30 19:32:16 CET 2005


> -----Original Message-----
> From: netfilter-bounces at 
> [mailto:netfilter-bounces at] On Behalf Of Jay Zorzi
> Sent: Wednesday, November 30, 2005 11:22 AM
> To: netfilter at
> Subject: DMZ Setup Question
> My colleague and I are having a disagreement about our 
> network firewall and routing policies.  First, the setup information.
> We have a Bridge Router running iptables and ebtables as our 
> external firewall.  Behind that we have a DMZ that contains 
> machines with valid external addresses.  Between the DMZ and 
> our internal network there is another firewall, our choke 
> firewall.  The choke firewall is doing NAT in order for our 
> internal network to surf the Internet, but for our DMZ 
> machines to talk to our internal machines we are just using 
> routing, no NAT.

When you say DMZ machines are talking to internal machines, do you mean
that you've set up routes to the choke firewall for your private subnet
on the DMZ machines?

> Now here is the disagreement.  Because the internal machines 
> are using a private network address, my colleague is concerned 
> that we are violating Internet rules/etiquette by having these 
> internal private IPs routing to our DMZ machines that have 
> valid Internet IPs.  He is also suggesting that using NAT is 
> more secure.
> Can someone help us settle this disagreement?

I can't speak to Internet etiquette, but clearly you are following the
rules else things wouldn't be working. It is not as though what you are
doing will "break the Internet." NAT does not make anything more
"secure", it just simplifies routing. You can have a wide-open system
with NAT or a closed system using routing.

My inclination would be to use NAT (MASQUERADE) for your internal hosts
just because it makes things simpler (not necessarily more secure) and
your DMZ doesn't need routes to your internal network. Some may say then
that simpler is more secure and I agree, but I still say that NAT is a
routing tool and not a security tool.

Derick Anderson
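As an added illustration of the point made in this reply (example code, not part of the thread), here is a minimal choke-firewall ruleset: the NAT rules (MASQUERADE, and a DNAT for one service the DMZ reaches) only do the routing work so the DMZ needs no route to the private LAN, while what actually restricts traffic is the FORWARD chain's DROP policy and its explicit allow rules. Interface names, subnets and the mail-relay addresses are assumed placeholders; the function prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the thread): a choke firewall between DMZ and internal LAN.
# Assumed topology, all placeholder values:
#   eth0 = DMZ side (public addresses), eth1 = internal LAN side
#   LAN = 192.168.10.0/24 (private), choke's DMZ-side address = 203.0.113.1
DMZ_IF="${DMZ_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
CHOKE_DMZ_IP="${CHOKE_DMZ_IP:-203.0.113.1}"
DMZ_MAIL="${DMZ_MAIL:-203.0.113.25}"     # DMZ host allowed to reach the internal mail relay
LAN_MAIL="${LAN_MAIL:-192.168.10.25}"    # internal mail relay (private address)

# Emit the ruleset rather than applying it, so it can be reviewed first;
# to apply, run the output as root (e.g. choke_rules | sh).
choke_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
# --- Routing part (NAT) ---
# LAN-initiated traffic leaves with the choke's address, so DMZ hosts
# never need a route to $LAN_NET.
iptables -t nat -A POSTROUTING -s $LAN_NET -o $DMZ_IF -j MASQUERADE
# DMZ reaches the internal relay via the choke's DMZ-side address, again without a route.
iptables -t nat -A PREROUTING -i $DMZ_IF -d $CHOKE_DMZ_IP -p tcp --dport 25 -j DNAT --to-destination $LAN_MAIL
# --- Security part (filtering) ---
# The NAT above restricts nothing; with a default ACCEPT the LAN would be wide open.
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN may initiate connections outward (Internet and DMZ).
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# DMZ may initiate only SMTP from one host to the relay (matched on the post-DNAT destination).
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -s $DMZ_MAIL -d $LAN_MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
# Everything else is logged and falls through to the DROP policy.
iptables -A FORWARD -j LOG --log-prefix "choke-drop: "
EOF
}

# Review helpers that need no root: how many rules, and is the default really DROP?
rule_count() { choke_rules | grep -c '^iptables'; }
nat_rule_count() { choke_rules | grep -c '^iptables -t nat -A'; }
has_default_drop() { choke_rules | grep -q '^iptables -P FORWARD DROP'; }
```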
