4 Replies Latest reply: Nov 6, 2013 8:44 AM by Spielo
Spielo Level 1 (5 points)

Hi all,

I have a couple of networks in my workplace, one is on a DMZ and is isolated from the rest of the network, the other is on a general office LAN. I'm looking to set up a server that needs to be accessible to other devices on the DMZ (to access content) and to devices on the LAN (for configuration/set-up).
If I connect a Mac with two NICs to both the DMZ and the LAN, is there a way to guarantee that devices that connect through the DMZ won't have access to any devices/content on the LAN?
The server will be a Mac mini running Lion, if anyone can suggest a way to achieve what I need to do I'd really appreciate it!

  • Linc Davis Level 10 (153,495 points)

    The server will not automatically forward traffic between networks, so you don't have to do anything special.

  • Spielo Level 1 (5 points)

    Great, thanks!

  • MrHoffman Level 6 (13,020 points)

    Even easier: get rid of the DMZ.
    If you're allowing connections from the DMZ into the private LAN, that may well result in an "escape path" from the DMZ into the LAN, whether through the data access path or due to some other weakness in the security of that computer.
    While Linc is entirely correct as far as the default behavior goes, attackers very seldom keep servers at the default settings. Minimally, run a port scan from somewhere within the DMZ and see what TCP and UDP ports open on the bridging computer.

  • Spielo Level 1 (5 points)

    Thanks for the further info. I spoke to our network admins and they said the same as you, but we're going to do the opposite thing :-)
    We're going to only connect it to the DMZ and then just forward select ports for HTTP and SSH through to the LAN.
    Thanks again.
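A host-side companion to the checks discussed in this thread, added here as an example and not posted by any of the participants: it reports whether the kernel is forwarding IP between the two interfaces (the default-off behaviour Linc refers to) and lists listening TCP/UDP ports that are not on the expected allowlist (the ports Spielo intends to expose, HTTP and SSH). It assumes `sysctl net.inet.ip.forwarding` on macOS or `/proc/sys/net/ipv4/ip_forward` on Linux, and netstat-style output in either the macOS `*.22` or Linux `0.0.0.0:22` address form; the sample netstat output below is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: audit a dual-homed host from the host itself.
# Assumed sources (not from the thread): sysctl on macOS, /proc on Linux,
# and `netstat -an` style lines for the listening-socket check.

# Print "0" if kernel IP forwarding is off, "1" if on, "unknown" if neither
# the Linux /proc file nor the BSD/macOS sysctl key is available.
forwarding_state() {
  if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    cat /proc/sys/net/ipv4/ip_forward
  elif command -v sysctl >/dev/null 2>&1; then
    sysctl -n net.inet.ip.forwarding 2>/dev/null || echo unknown
  else
    echo unknown
  fi
}

# Read netstat-style lines on stdin and print "proto port" for every listening
# TCP socket (state LISTEN) and every bound UDP socket whose port is NOT in the
# allowlist given as arguments. Header lines and established connections are
# skipped. Handles both "addr.port" (macOS) and "addr:port" (Linux) formats.
unexpected_listeners() {
  allowed=" $* "
  awk '$1 ~ /^(tcp|udp)/ && ($0 ~ /LISTEN/ || $1 ~ /^udp/) { print $1, $4 }' |
  while read -r proto addr; do
    port=$(printf '%s' "$addr" | sed 's/.*[.:]//')   # keep text after last . or :
    case "$allowed" in
      *" $port "*) ;;                                 # expected port, stay quiet
      *) printf '%s %s\n' "$proto" "$port" ;;
    esac
  done
}

# Constructed sample in macOS `netstat -an` layout (not real output):
# SSH and HTTP are expected; 5900 (screen sharing) and UDP 123 are not.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  10.0.0.5.49152         10.0.0.9.443           ESTABLISHED
udp4       0      0  *.123                  *.*'

# Run the audit: on a real host replace the sample with `netstat -an`.
audit_sample() {
  echo "ip forwarding: $(forwarding_state)"
  echo "listeners outside allowlist (22 80):"
  printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners 22 80
}

audit_sample
```

Anything the second function prints is a port that something on the DMZ side could reach on the bridging host even with forwarding disabled, which is exactly the gap MrHoffman's external port scan would find; running both views (host-side listing and a scan from the DMZ) and comparing them catches a listener that a host firewall hides from one but not the other.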