port forwarding or dmz ??

Posted: Sun Aug 27, 2017 7:17 pm
by raspi-owner
Hi, I want to make sure that I choose the correct one before starting my web server on the Pi, so:

1) The port forwarding is more secure as said on many forums "BUT" if a hacker could do his job then all my local connection is in danger

2) The DMZ is less secure "BUT" I'm only going to open ports 80 and 443 and block everything else. And as I have seen, the DMZ makes the Pi outside the LAN, so even if it is hacked, it can't affect the other devices connected to the router.

Please confirm for me if the DMZ is the best choice for me, because I don't care if I have a hacked Pi as long as other devices are fine.

Re: port forwarding or dmz ??

Posted: Sun Aug 27, 2017 8:14 pm
by DougieLawson
Port forward and firewall is ALWAYS the better choice.

If you put any machine in a DMZ that opens ALL ports, your firewall rules need to be much more robust as you're relying on them to keep the baddies out.

Re: port forwarding or dmz ??

Posted: Sun Aug 27, 2017 8:49 pm
by raspi-owner
DougieLawson wrote:
Sun Aug 27, 2017 8:14 pm
Port forward and firewall is ALWAYS the better choice.

If you put any machine in a DMZ that opens ALL ports, your firewall rules need to be much more robust as you're relying on them to keep the baddies out.

But what if I got hacked with port forwarding... the hacker will be able to see the other devices on the LAN and get them ??

And is there a good tutorial to make my Pi more secure, to block hackers from getting to my LAN ??

Re: port forwarding or dmz ??

Posted: Sun Aug 27, 2017 10:05 pm
by DougieLawson
No they won't if you apply some sensible security controls.

https://www.raspberrypi.org/documentati ... ecurity.md

Re: port forwarding or dmz ??

Posted: Sun Aug 27, 2017 10:15 pm
by raspi-owner
DougieLawson wrote:
Sun Aug 27, 2017 10:05 pm
No they won't if you apply some sensible security controls.

https://www.raspberrypi.org/documentati ... ecurity.md

I did almost everything in that tutorial except SSH key login and customizing the ufw... plus my fail2ban jail.local doesn't match the one on the website (I have sshd instead of ssh), but it matches a little bit the one in the git repository.

So now do I leave everything as it is in ufw and fail2ban or must I customize them ??

Re: port forwarding or dmz ??

Posted: Mon Aug 28, 2017 12:04 am
by DougieLawson
UFW starts inactive. Install gufw and you get a GUI to configure ufw.

Fail2ban needs the various jails enabling, depending on what services you're running and trying to protect.

RTFManPage for both, they have some useful details of what you need to do.
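
Added example (not part of the thread and not from the Raspberry Pi documentation): a shell check for the setup discussed above, which reads `ufw status verbose` output and flags anything other than an active, default-deny firewall with only 80/tcp and 443/tcp open. The function name `ufw_audit`, the tolerated rate-limited 22/tcp rule and both sample outputs are assumptions constructed for illustration.

```shell
# Added example: audit `ufw status verbose` for a Pi that should expose only
# 80/tcp and 443/tcp (22/tcp is tolerated only as a rate-limited LIMIT rule).
# On the Pi: sudo ufw status verbose | ufw_audit
ufw_audit() {
    awk '
    { gsub(/ \(v6\)/, "") }                 # fold IPv6 rows into the same shape
    /^Status:/  { active  = ($2 == "active") }
    /^Default:/ { deny_in = ($2 == "deny" || $2 == "reject") }
    $2 ~ /^(ALLOW|LIMIT)$/ && $3 == "IN" {  # rows like "80/tcp  ALLOW IN  Anywhere"
        if ($1 == "80/tcp" || $1 == "443/tcp") next
        if ($1 == "22/tcp" && $2 == "LIMIT") next
        print "FINDING: unexpected inbound rule: " $1 " " $2
        bad = 1
    }
    END {
        if (!active)  { print "FINDING: ufw is not active"; bad = 1 }
        if (!deny_in) { print "FINDING: default incoming policy is not deny"; bad = 1 }
        exit bad + 0
    }'
}

sample_good() {   # constructed sample output, not captured from a real host
cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
443/tcp (v6)               ALLOW IN    Anywhere (v6)
EOF
}

sample_bad() {    # constructed: default allow plus an extra exposed port
cat <<'EOF'
Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
EOF
}

sample_bad | ufw_audit || echo "Resolve the findings before forwarding 80/443 to the Pi"
```

The check is deliberately strict: rules written as application profiles or combined port lists are reported as unexpected so they get reviewed by hand.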

Re: port forwarding or dmz ??

Posted: Mon Aug 28, 2017 12:42 am
by raspi-owner
Will do my best to learn more about all this stuff... thanks for the answers.