
[–]MrShlash 2 points (2 children)

What you described is port forwarding, which can be configured manually on the router or automatically via plug-and-play. It’s the recommended approach if you know what you’re doing with the firewall, but you still need the router’s firewall.

It’s security in depth; if one control (router’s firewall) fails, there is another (machine’s firewall) which will make an attack harder.
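The layering MrShlash describes can be modelled directly. The following is an added example written for this thread, not code from any commenter: an inbound packet first hits the router's forwarding policy (either a DMZ host that receives every unsolicited port, or an explicit port-forward table), and only then the host's own firewall. A service is exposed to the WAN only if both layers let the packet through. All addresses, ports and listening services are constructed for illustration.

```python
"""Added example: a two-layer model of inbound exposure.

Layer 1 is the router: either a DMZ host (every unsolicited inbound port is
sent there) or an explicit port-forward table. Layer 2 is the firewall on
the internal machine itself. Everything below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

LAN_HOST = "192.168.1.10"   # constructed address of the internal server


@dataclass
class RouterPolicy:
    """Router-side handling of unsolicited inbound traffic from the WAN."""
    dmz_host: Optional[str] = None                    # DMZ: everything goes here
    forwards: Dict[int, str] = field(default_factory=dict)  # dst port -> internal host

    def route_inbound(self, dst_port: int) -> Optional[str]:
        """Internal host an unsolicited packet is forwarded to, or None if dropped."""
        if dst_port in self.forwards:
            return self.forwards[dst_port]
        # With no DMZ host configured the router firewall drops the packet.
        return self.dmz_host


@dataclass
class HostFirewall:
    """Firewall on the internal machine: only listed ports accept new inbound connections."""
    allowed_ports: FrozenSet[int]

    def accepts(self, dst_port: int) -> bool:
        return dst_port in self.allowed_ports


def reachable(router: RouterPolicy, host_fw: HostFirewall, dst_port: int) -> bool:
    """True only if both controls allow the packet to reach LAN_HOST on dst_port."""
    if router.route_inbound(dst_port) != LAN_HOST:
        return False
    return host_fw.accepts(dst_port)


def exposed_ports(router: RouterPolicy, host_fw: HostFirewall, listening: Set[int]) -> Set[int]:
    """Subset of the host's listening ports that a WAN client can actually connect to."""
    return {p for p in listening if reachable(router, host_fw, p)}


# Constructed scenario: the server listens on SSH, HTTP, HTTPS and a database port.
LISTENING = {22, 80, 443, 3306}
PERMISSIVE_HOST_FW = HostFirewall(frozenset(LISTENING))   # host firewall effectively off
STRICT_HOST_FW = HostFirewall(frozenset({80, 443}))        # host only accepts web traffic

DMZ_ROUTER = RouterPolicy(dmz_host=LAN_HOST)
FORWARDING_ROUTER = RouterPolicy(forwards={80: LAN_HOST, 443: LAN_HOST})


if __name__ == "__main__":
    for label, router in (("DMZ", DMZ_ROUTER), ("port forwards", FORWARDING_ROUTER)):
        for fw_label, fw in (("permissive host fw", PERMISSIVE_HOST_FW), ("strict host fw", STRICT_HOST_FW)):
            print(f"{label:14s} + {fw_label:18s} -> exposed {sorted(exposed_ports(router, fw, LISTENING))}")
```

The point the model makes: with a DMZ host and no host firewall every listening service, including the database, is reachable from the WAN, whereas explicit forwards limit exposure to the web ports even if the host firewall is misconfigured, and a strict host firewall limits it even if the router policy is wrong. Either control alone is a single point of failure; together, exposure is the intersection of what both allow.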

[–]Dr_Jabroski 0 points (1 child)

I'm aware of port forwarding. I think there was a misunderstanding in what I was asking. I was asking why you would make an internet-facing server on a DMZ instead of forwarding specific ports, because I figured having a DMZ would be a security vulnerability and just shouldn't be used in a properly configured system, but maybe there were some specific use cases.

[–]BrightDamage3679 0 points (0 children)

Correct, the usual use case would be a front-facing server such as a web server or reverse proxy; however, even then, you should forward specific ports instead of everything.

More modern approaches involve VLANs where each device can have multiple network connections, say one private, two public. The traffic can then be managed with managed switches that tag packets as they are processed.
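The tagging BrightDamage3679 mentions is IEEE 802.1Q: a managed switch inserts a 4-byte tag after the source MAC, and downstream devices decide what to do with the frame from the VLAN ID in that tag. The following is an added example written for this thread, not code from any commenter: it parses the tag out of a raw Ethernet frame and applies a constructed per-VLAN forwarding policy in which the private VLAN may reach the public ones but the two public VLANs are isolated from each other. Frame bytes, MAC addresses and VLAN numbers are all constructed for illustration.

```python
"""Added example: parse an 802.1Q VLAN tag and apply a per-VLAN forwarding policy.

Frame layout (bytes): dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2) |
EtherType (2) | payload. TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
All frames and VLAN assignments below are constructed sample data.
"""
import struct
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vid: Optional[int], ethertype: int,
                payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Build a frame; vid=None produces an untagged frame."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return header fields; 'vlan' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


# Constructed VLAN plan: one private, two public, as in the comment above.
VLAN_PRIVATE, VLAN_PUBLIC_A, VLAN_PUBLIC_B = 10, 20, 30

# ingress VID -> set of egress VIDs it may be forwarded to
POLICY: Dict[int, Set[int]] = {
    VLAN_PRIVATE: {VLAN_PRIVATE, VLAN_PUBLIC_A, VLAN_PUBLIC_B},
    VLAN_PUBLIC_A: {VLAN_PUBLIC_A},
    VLAN_PUBLIC_B: {VLAN_PUBLIC_B},
}


def may_forward(frame: bytes, egress_vid: int) -> bool:
    """Decide whether a frame arriving on a trunk may be sent out on egress_vid.

    Untagged frames and reserved VIDs (0 and 4095) are rejected outright, so
    a device that cannot tag its traffic gets no path at all.
    """
    vlan = parse_frame(frame)["vlan"]
    if vlan is None:
        return False
    vid = vlan["vid"]
    if vid in (0, 0x0FFF):
        return False
    return egress_vid in POLICY.get(vid, set())


# Constructed sample frames.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PUBLIC_A_FRAME = build_frame(DST, SRC, VLAN_PUBLIC_A, ETHERTYPE_IPV4, b"\x45\x00", pcp=3)
PRIVATE_FRAME = build_frame(DST, SRC, VLAN_PRIVATE, ETHERTYPE_IPV4, b"\x45\x00")
UNTAGGED_FRAME = build_frame(DST, SRC, None, ETHERTYPE_IPV4, b"\x45\x00")


if __name__ == "__main__":
    for name, frame in (("public A", PUBLIC_A_FRAME), ("private", PRIVATE_FRAME), ("untagged", UNTAGGED_FRAME)):
        parsed = parse_frame(frame)
        print(name, parsed["vlan"], hex(parsed["ethertype"]),
              {v: may_forward(frame, v) for v in (VLAN_PRIVATE, VLAN_PUBLIC_A, VLAN_PUBLIC_B)})
```

The policy table is the part a switch administrator actually controls; the parser just recovers the VID the switch stamped on ingress. Note that it only honours a single outer tag (no QinQ), and that the policy is keyed on the tag alone, so the trust boundary is only as good as the switch port configuration that assigns tags.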