Hello. Before I start, I feel like I have a fairly good idea of what I'm doing but this has me completely stumped. I'm running a dedicated web server and a machine that needs to do video conferencing from behind the same router. Not a good combo, I know. I've tried several arrangements but keep running into barriers. I just tried a little test and I need some feedback just to make sure I'm not going crazy.
The web server is running Gentoo Linux and I've just configured iptables to block out everything that isn't necessary. It's not 100% secure but it'll do for me. That part is fine.
I've been using VNC as a test program to see if I can connect to the Windows XP machine. The router I'm using is the BT Voyager 2000. It seems that unless I specify a virtual server or put the machine in the DMZ, I am unable to connect to the VNC server. I think this makes sense because the router doesn't know which machine to forward the request to. The machine will be used for far more than VNC so I keep it in the DMZ. Now according to this page here, the firewall should protect the DMZ host. But I didn't think this was the case. The router's manual doesn't seem to think so either. I ran a test to make sure. I set the firewall to custom, allowed all the ports, but blocked the port for VNC. I was still able to connect. A conclusive result? Apparently not. I had earlier tried to use a web cam through Yahoo chat. The firewall was turned on. It didn't work at all. I turned the firewall off. It worked just fine. And it was in the DMZ all that time. So what the hell is going on?

"I've been using VNC as a test program to see if I can connect to the Windows XP machine"
That's original.
"the firewall should protect the DMZ host"
Never heard of that. It sort of negates the value of having a DMZ feature.
"I had earlier tried to use a web cam through Yahoo chat."
But, is that not different than trying VNC? VNC was local traffic. Yahoo involved outbound traffic over the WAN. Routers and networking become strange when you go over the WAN.
My theory:
This is a Stateful Packet Inspection (SPI) firewall. It understands outbound vs. inbound traffic (outbound being defined here as traffic going out the WAN port). Outbound traffic is always regulated, inbound is not regulated for DMZ.
So, your DMZ has no restriction on inbound traffic, but you tell your router to block outbound traffic, and it will block DMZ outbound traffic. I do not believe this behavior is standard.
Now this is a telling quote that made me think of this:
"The main task of the firewall is really to control outbound traffic..."
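The SPI/DMZ theory above, written out as an added illustrative model (not code from the thread or from the BT Voyager firmware): a router that forwards unsolicited inbound traffic to the DMZ host unfiltered, tracks sessions statefully, and applies its port blocks only to traffic leaving the WAN port. Addresses, port numbers and the rule ordering are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the behaviour described in the thread. Addresses use
# documentation ranges; port numbers are assumptions, not the router's config.
DMZ_HOST = "192.168.1.10"   # the Windows XP box placed in the DMZ
LAN_HOST = "192.168.1.20"   # some other LAN machine (not in the DMZ)
VNC_PORT = 5900             # assumed VNC listening port
WEBCAM_PORT = 5100          # assumed port the webcam chat used

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str  # "in" = arrives on the WAN port, "out" = leaves via WAN

class SpiRouter:
    def __init__(self, firewall_on, blocked_ports, dmz_host):
        self.firewall_on = firewall_on
        self.blocked = set(blocked_ports)
        self.dmz_host = dmz_host
        # conntrack-style table: (lan_host, remote_host, remote_port)
        self.sessions = set()

    def handle(self, pkt):
        """Return 'ALLOW' or 'DROP' for one packet and update session state."""
        if pkt.direction == "out":
            # Outbound is policed for every LAN host, DMZ or not.
            if self.firewall_on and pkt.dport in self.blocked:
                return "DROP"
            self.sessions.add((pkt.src, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound reply to a tracked session is let back in (stateful).
        if any(lan == pkt.dst and remote == pkt.src
               for lan, remote, _ in self.sessions):
            return "ALLOW"
        # Unsolicited inbound to the DMZ host is forwarded with no port
        # check at all, so a block on the VNC port changes nothing here.
        if pkt.dst == self.dmz_host:
            return "ALLOW"
        # No DMZ and no virtual server entry: nowhere to forward it.
        return "DROP"

def run_thread_tests():
    """Replay the two experiments from the original post; returns a dict."""
    on = SpiRouter(True, {VNC_PORT, WEBCAM_PORT}, DMZ_HOST)
    off = SpiRouter(False, {VNC_PORT, WEBCAM_PORT}, DMZ_HOST)
    return {
        "vnc_into_dmz_with_block": on.handle(Packet("198.51.100.7", DMZ_HOST, VNC_PORT, "in")),
        "webcam_out_firewall_on": on.handle(Packet(DMZ_HOST, "198.51.100.9", WEBCAM_PORT, "out")),
        "webcam_out_firewall_off": off.handle(Packet(DMZ_HOST, "198.51.100.9", WEBCAM_PORT, "out")),
        "vnc_into_non_dmz_host": on.handle(Packet("198.51.100.7", LAN_HOST, VNC_PORT, "in")),
    }
```

The model reproduces the poster's puzzle: the inbound VNC block is ignored for the DMZ host, while the outbound webcam traffic is dropped only when the firewall is on.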

This is actually a network I'm managing remotely so I was connecting with VNC from the outside. But that does make sense, thanks a lot. It's only the security of the Linux machine that's really important, I'm willing to take a risk with the others. Let's hope iptables holds up!
