DMZ Server

DMZ is an abbreviation of the English term “demilitarized zone”; its Chinese name is “隔离区” (isolation zone), also called “非军事化区” (demilitarized zone).
It is a buffer zone between a non-secure system and a secure system, set up to solve the problem that, once a firewall is installed, users on the external network can no longer reach servers on the internal network. The buffer sits in a small network segment between the enterprise's internal network and the external network. Servers that must be publicly reachable, such as the enterprise web server, FTP server and forum, can be placed in this segment. At the same time, such a DMZ area protects the internal network more effectively: compared with a plain firewall deployment, it puts one more barrier in front of an attacker coming from the external network.

Similar to port mapping, this feature implements host mapping.

  • Status: Enable or Disable.
  • Interface: the WAN interface to use, or ANY (all interfaces).
  • External IP Address: the external IP address that needs to be excluded.
  • Internal IP Address: the internal IP address of the host to be used as the DMZ.
  • Exclusion Protocol: the protocol to exclude (TCP, UDP, or TCP+UDP).
  • Exclude Port: the port number or range of port numbers to exclude.

The above configuration maps packets arriving on the WAN interface, other than TCP packets to ports 1024-65535, to the intranet host 192.168.5.184.
If port 800 of 192.168.5.184 is then serving a web service and the WAN interface address is 183.157.116.161, the web service at 192.168.5.184:800 can be reached via 183.157.116.161:800.
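The forwarding decision described above, written out as an added example (it is not the device's own code and does not show its configuration syntax): a small model of one DMZ host-mapping rule with the six fields listed above, applied to constructed inbound packets carrying the addresses and ports from the text. Field names, the `Packet` shape and the `exposed_services` helper are assumptions made for the example; the rule values (WAN, 183.157.116.161, 192.168.5.184, TCP 1024-65535) are the page's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DmzRule:
    """One DMZ host-mapping entry (field names assumed for this example)."""
    enabled: bool
    interface: str                  # "WAN" or "ANY"
    external_ip: str                # WAN address the mapping applies to
    internal_ip: str                # DMZ host that receives the traffic
    exclude_proto: str              # "TCP", "UDP" or "TCP+UDP"
    exclude_ports: Tuple[int, int]  # inclusive port range kept by the router


@dataclass(frozen=True)
class Packet:
    """Constructed inbound packet: only the fields the rule inspects."""
    in_iface: str
    dst_ip: str
    proto: str      # "TCP" or "UDP"
    dst_port: int


def parse_ports(spec: str) -> Tuple[int, int]:
    """Accept "800" or "1024-65535" and return an inclusive (lo, hi) range."""
    lo, _, hi = spec.partition("-")
    lo_n = int(lo)
    hi_n = int(hi) if hi else lo_n
    if not (0 <= lo_n <= hi_n <= 65535):
        raise ValueError(f"bad port range: {spec}")
    return lo_n, hi_n


def is_excluded(rule: DmzRule, pkt: Packet) -> bool:
    """True when the packet matches the exclusion protocol and port range."""
    protos = {"TCP", "UDP"} if rule.exclude_proto == "TCP+UDP" else {rule.exclude_proto}
    lo, hi = rule.exclude_ports
    return pkt.proto in protos and lo <= pkt.dst_port <= hi


def dmz_target(rule: DmzRule, pkt: Packet) -> Optional[Tuple[str, int]]:
    """Return (ip, port) the packet is forwarded to, or None when the router
    keeps it (rule disabled, wrong interface or address, or excluded)."""
    if not rule.enabled:
        return None
    if rule.interface != "ANY" and pkt.in_iface != rule.interface:
        return None
    if pkt.dst_ip != rule.external_ip:
        return None
    if is_excluded(rule, pkt):
        return None
    # Host mapping keeps the destination port; only the address is rewritten.
    return rule.internal_ip, pkt.dst_port


def exposed_services(rule: DmzRule, listening: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Given the (proto, port) pairs the DMZ host listens on, return those a
    client on the WAN side can reach through the external address."""
    iface = "WAN" if rule.interface == "ANY" else rule.interface
    return [
        (proto, port) for proto, port in listening
        if dmz_target(rule, Packet(iface, rule.external_ip, proto, port)) is not None
    ]


# The rule from the text: WAN 183.157.116.161 -> 192.168.5.184, excluding TCP 1024-65535.
PAGE_RULE = DmzRule(
    enabled=True,
    interface="WAN",
    external_ip="183.157.116.161",
    internal_ip="192.168.5.184",
    exclude_proto="TCP",
    exclude_ports=parse_ports("1024-65535"),
)


if __name__ == "__main__":
    web = Packet("WAN", "183.157.116.161", "TCP", 800)
    print("TCP/800 ->", dmz_target(PAGE_RULE, web))          # ('192.168.5.184', 800)
    high = Packet("WAN", "183.157.116.161", "TCP", 8080)
    print("TCP/8080 ->", dmz_target(PAGE_RULE, high))        # None (excluded)
    # Constructed listener list for the DMZ host: everything not excluded is reachable.
    print(exposed_services(PAGE_RULE, [("TCP", 800), ("TCP", 22), ("TCP", 3306), ("UDP", 53)]))
```

The `exposed_services` check is the part worth keeping around: a host mapping forwards every protocol and port the exclusion does not cover, so the list of services actually listening on the DMZ host, not the single port you had in mind, is what ends up reachable from the WAN address.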

Author: todaair01  Created: 2023-05-22 15:20
Last edited by: todaair01  Updated: 2023-12-13 10:18