Note: Although the Intranet and the DMZ may already be separated at the Ethernet level by distinct interfaces, an appropriate Firewall rule must be set up in any case so that the DMZ is separated from the LAN at the IP level as well.
The server service shall be available from the Internet and from the Intranet, but any IP traffic from the DMZ towards the Intranet must be prohibited. For the above example, this reads as follows:
- With an 'Allow All' strategy (default): Deny access from 123.45.67.2 to "All stations in local network"
- With a 'Deny All' strategy: Allow access from "All stations in local network" to 123.45.67.2
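
The two rule sets above can be compared with a small first-match model that also shows what happens when no rule is configured. This is an added example, not vendor code: the intranet prefix 10.0.0.0/24, the host 10.0.0.25 and all function names are assumptions, and only the packet that opens a connection is judged (a stateful firewall is assumed to pass the replies).

```python
import ipaddress

# The page gives only the DMZ server address (123.45.67.2).
# The intranet prefix is constructed for this example.
LAN = ipaddress.ip_network("10.0.0.0/24")
DMZ_SERVER = ipaddress.ip_network("123.45.67.2/32")


def verdict(rules, default, src, dst):
    """Return the action for a new connection: first matching rule wins,
    otherwise the strategy default ('allow' or 'deny') applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return default


# (rules, default action) for each strategy described in the text.
ALLOW_ALL = ([("deny", DMZ_SERVER, LAN)], "allow")
DENY_ALL = ([("allow", LAN, DMZ_SERVER)], "deny")
# Separate Ethernet interfaces but no firewall rule, default strategy.
NO_RULE = ([], "allow")


def audit(rules, default):
    """Check both directions between an intranet host and the DMZ server."""
    return {
        "lan_to_dmz": verdict(rules, default, "10.0.0.25", "123.45.67.2"),
        "dmz_to_lan": verdict(rules, default, "123.45.67.2", "10.0.0.25"),
    }


if __name__ == "__main__":
    for name, (rules, default) in [
        ("Allow All + deny rule", ALLOW_ALL),
        ("Deny All + allow rule", DENY_ALL),
        ("Allow All, no rule", NO_RULE),
    ]:
        print(f"{name}: {audit(rules, default)}")
```

Both configured strategies give the same result for these two directions; the rule-less case shows why interface separation alone does not isolate the DMZ at the IP level.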