userdoc:tt_dmz

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
userdoc:tt_dmz [2020/05/12 11:44] mkeuteruserdoc:tt_dmz [2020/05/13 20:01] (current) – removed abelbeck
Line 1: Line 1:
-====== DMZ ====== 
- 
-The default DMZ firewall rules are as follows: 
- 
-  - Drop all DMZ->Local traffic 
-  - Drop all DMZ->LAN traffic 
-  - Allow DMZ->EXT (internet) 
-  - Allow LAN->DMZ (includes WireGuard and OpenVPN virtual LANs) 
- 
-The DMZ makes a great place to place servers and LXC containers, isolated to your network and AstLinux box, but reachable from any LAN and AstLinux itself. 
- 
-Given the DMZ defaults above, any DHCP, DNS, NTP requests to Local be dropped, so ... 
- 
-Personally I accept these: 
- 
-  Pass DMZ->Local UDP 0/0 53,67,68,123 
-  Pass DMZ->Local TCP 0/0 53 
- 
-You may also want mDNS (UDP 5353) 
- 
-To drop DMZ->Local logging, uncheck (I also do) 
- 
-Firewall sub-tab: 
- 
-  ___ Log Denied DMZ interface packets 
- 
- 
-For the Pi-Hole case, the DMZ is perfect.  The Pi-Hole can use AstLinux's DNS-over-TLS as it's upstream feed, and dnsmasq's DHCP can be configured to give out the Pi-Hole DMZ address for DNS. 
  
  • userdoc/tt_dmz.1589283871.txt.gz
  • Last modified: 2020/05/12 11:44
  • by mkeuter