Filter
Top Products
ZyWALL 2WG User’s Guide
201
CHAPTER 9
DMZ Screens
This chapter describes how to configure the ZyWALL’s DMZ.
9.1 DMZ
The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to
be visible to the outside world (while still being protected from DoS (Denial of Service)
attacks such as SYN flooding and Ping of Death). These public servers can also still be
accessed from the secure LAN.
By default the firewall allows traffic between the WAN and the DMZ, traffic from the DMZ to
the LAN is denied, and traffic from the LAN to the DMZ is allowed. Internet users can have
access to host servers on the DMZ but no access to the LAN, unless special filter rules
allowing access were configured by the administrator or the user is an authorized remote user.
It is highly recommended that you connect all of your public servers to the DMZ port(s).
It is also highly recommended that you keep all sensitive information off of the public servers
connected to the DMZ port. Store sensitive information on LAN computers.
9.2 Configuring DMZ
The DMZ and the connected computers can have private or public IP addresses.
When the DMZ uses public IP addresses, the WAN and DMZ ports must use public IP
addresses that are on separate subnets. See Appendix C on page 729 for information on IP
subnetting. If you do not configure SUA NAT or any full feature NAT mapping rules for the
public IP addresses on the DMZ, the ZyWALL will route traffic to the public IP addresses on
the DMZ without performing NAT. This may be useful for hosting servers for NAT unfriendly
applications (see Chapter 17 on page 385 for more information).
If the DMZ computers use private IP addresses, use NAT if you want to make them publicly
accessible.
Like the LAN, the ZyWALL can also assign TCP/IP configuration via DHCP to computers
connected to the DMZ ports.
From the main menu, click NETWORK > DMZ to open the DMZ screen. The screen appears
as shown next.