Definition
DMZ (demilitarized zone) is an isolated network segment, also called a perimeter network or screened subnet, that sits between the untrusted internet and your trusted internal network. Its job is to host the services that must be reachable from outside while keeping them logically separated from everything you actually care about. If an exposed server is compromised, the attacker lands in the DMZ rather than directly inside the LAN, which sharply limits how far the breach can spread.
The name comes from the military term for a buffer strip between two opposing sides. In networking the metaphor holds up well: the DMZ is territory you expect to be contested, so you place only expendable, hardened services there and assume anything in it could fall. The trusted network behind it is defended by a second, much stricter boundary.
What lives in a DMZ
Typical DMZ residents are exactly the public-facing services a self-hoster runs: web servers, mail servers, a reverse proxy terminating inbound connections, public DNS, and VPN or file-transfer endpoints. Internal resources such as databases, file shares, wallets, and workstations stay on the private network and are never directly exposed. The standard pattern is a firewall enforcing two rule sets: a relatively permissive one for internet-to-DMZ traffic (only the published ports, forwarded via port forwarding), and a far stricter one for DMZ-to-internal traffic, so a captured web server cannot freely reach the database it talks to. Ideally DMZ hosts can initiate almost nothing toward the LAN; connections are opened from the inside out.
Building one at home
You do not need enterprise gear. Most prosumer routers and any firewall distribution can carve a DMZ out of a VLAN with its own subnet, then police traffic between segments with firewall rules. A common sovereign-operator layout is three zones: LAN for workstations, DMZ for anything that answers the internet (a public node, a web server, a Nostr relay), and a third segment for machines that are noisy or untrusted in their own way, such as IoT devices and mining hardware. ASIC miners in particular run vendor firmware you cannot fully audit on embedded Linux that rarely receives security updates, so giving the mining fleet its own segment with no route to your wallets or file server is basic hygiene, the same logic as a DMZ even when the miners accept no inbound traffic at all.
One warning: the "DMZ host" checkbox on many consumer routers is not a real DMZ. It simply forwards every unsolicited port to one internal machine, placing that device fully exposed inside your LAN, the opposite of containment. A genuine DMZ requires separate segments and explicit inter-zone rules.
Why it matters for sovereignty
A DMZ is the practical embodiment of the principle that exposed and trusted systems should never share a security boundary. Running your own node, relay, or storefront from home means accepting inbound connections from strangers; segmentation is what makes that acceptable risk instead of an open door. The blast radius of any single compromise stops at the zone boundary, and the whole arrangement is enforced by rules you wrote on hardware you own, no cloud provider's security team required. Combined with least-privilege firewall policy and keeping exposed services patched, a modest DMZ gives a home operator most of the structural defense a corporate network gets, at the cost of an afternoon of VLAN configuration.
A useful discipline is to treat the DMZ as presumed-hostile ground and design accordingly: log traffic crossing the zone boundary, alert on any DMZ host initiating unexpected connections toward the LAN, and rebuild exposed services from clean images rather than patching them in place after an incident. Keep DMZ hosts minimal — every package installed on an exposed server is attack surface — and test the containment occasionally by asking, from a shell on a DMZ machine, what you can actually reach. If the answer includes your NAS or your node's RPC port, the zone exists on the diagram but not in reality, and the diagram is not what attackers negotiate with.
In Simple Terms
DMZ (demilitarized zone) is an isolated network segment, also called a perimeter network or screened subnet, that sits between the untrusted internet and your trusted…
