Re: [Fwbuilder-discussion] Nating DST
From: <va...@vk...> - 2007-03-28 17:49:06
On Mar 28, 2007, at 10:45 AM, John Gallagher wrote:

> Newbie question?
>
> What is the order that the rules get applied?

from top to bottom, the same order in which they appear in the GUI

> Or does this depend on the interface that you apply the policy on?
>
> I was using the public IP addresses in the policy and had some of
> the same issues. I dumped all of the traffic in and out and found
> that the policy seems to be applied after the NAT.
>

yes, NAT happens first, just like the Users guide explains.

>
> Do you see issues with having a 1 to one nat for all services and a
> policy that only limits what traffic actually passes?
>

this should not be a problem.

--vk

>
> John
>
>
>
> From: fwb...@li...
> [mailto:fwb...@li...] On
> Behalf Of Vadim Kurland
> Sent: Wednesday, March 28, 2007 9:22 AM
> To: Fwbuilder List (E-mail)
> Subject: Re: [Fwbuilder-discussion] Nating DST
>
>
> On Mar 28, 2007, at 9:09 AM, Charlie Silverman wrote:
>
>> You actually need to create two rules. The trick here is to NAT
>> the incoming packets so that the internal machine thinks they came
>> from the router.
>> First, create a NAT rule like the following:
>> Orig Src: Any
>> Orig Dst: 213.211.410.50
>> Orig Svc: http
>> Trans Src: (router internal IP)
>> Trans Dst: 192.168.0.50
>> Trans Svc: http
>> This rule takes anything that comes in on port 80 to
>> 213.211.410.50 and sends it out to 192.168.0.50 and changes the
>> source IP to the router's internal IP.
>
>
> Translating source address should not be necessary in general case.
> In fact, you may not want to do this if you need to see client's IP
> address in your web server logs. Double translation of this kind is
> used when you need to be able to access web server using its
> translated address from machines inside your network and in some
> other rare cases.
>
> It is hard to say why would packets headed for the public IP
> sometimes get translated properly and sometimes not. Without seeing
> log entries my best guess is that firewall purges state for the
> connections before the last packet arrives, so this last packet
> does not match the state and falls through to the catch all rule.
>
> --vk
>
>> Next, create a policy rule like the following:
>> Source: Any
>> Dest: 192.168.0.50
>> Service: http
>> Interface: All
>> Direction: both
>> Action: Accept
>> This rule allows any machine to connect to your internal server on
>> port 80. This is required to allow the NAT rule to pass the
>> packets through.
>> The internal machine will think that all of the traffic is coming
>> from the router. The router will, in turn, translate the incoming
>> and outgoing packets out to the correct client on the internet.
>>
>>
>>>
>> From: Adam Cade <ad...@go...>
>> To: <fwb...@li...>
>> Date: 3/28/2007 2:04 AM
>> Subject: [Fwbuilder-discussion] Nating DST
>> Hello there,
>>
>> I have a NATing rule like:
>>
>> 213.211.410.50 - 192.168.0.50
>>
>> With a rule to allow access from anywhere on port 80 to 192.168.0.50.
>>
>> In the logs for fwbuilder, I see lots of accepts on 192.168.0.50 port
>> 80. That's all good. However, there are also a lot of denies on
>> 213.211.410.50 port 80. Being denied from the last rule; block all.
>>
>> Is there a reason for this?
>>
>> Thanks for your help!
>>
>> --
>> Adam Cade
>>
>> _______________________________________________
>> Fwbuilder-discussion mailing list
>> Fwb...@li...
>> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
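The three points made in this thread (NAT is applied before the policy, so policy rules must match the translated address; translating the source as well hides the client's IP from the server's logs; and a trailing packet that arrives after the firewall has purged connection state is not translated and falls through to the catch-all deny on the public address) can be seen in a small model of the packet path. The following Python is an added example written for this thread, not fwbuilder code and not the rules fwbuilder generates. It follows the netfilter/iptables behaviour in which the NAT rules are consulted only for the first packet of a connection and every later packet of that flow reuses the translation recorded in the connection-tracking state. The public and internal addresses are the ones written in the thread (213.211.410.50 is the poster's placeholder, not a valid IPv4 address); the router's internal address and the client address are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Public and internal addresses are copied from the thread; the router's internal
# IP (the thread only says "(router internal IP)") and the client IP are constructed.
PUBLIC_IP = "213.211.410.50"
SERVER_IP = "192.168.0.50"
ROUTER_INTERNAL_IP = "192.168.0.1"   # assumed value
CLIENT_IP = "203.0.113.7"            # constructed internet client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection


@dataclass
class NatRule:
    orig_dst: str
    orig_dport: int
    trans_dst: str
    trans_src: Optional[str] = None  # set only for the "double translation" variant


@dataclass
class PolicyRule:
    dst: Optional[str]    # None means Any
    dport: Optional[int]  # None means Any
    action: str           # "Accept" or "Deny"


@dataclass
class Firewall:
    nat_rules: List[NatRule]
    policy: List[PolicyRule]  # evaluated top to bottom; last entry is the catch-all
    # connection-tracking table: flow key -> (translated src, translated dst)
    state: Dict[Tuple[str, int, str, int], Tuple[str, str]] = field(default_factory=dict)

    def _nat(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:
            # Established flow: reuse the translation recorded when it was created.
            new_src, new_dst = self.state[key]
        elif pkt.syn:
            # New connection: consult the NAT rules and record the result as state.
            new_src, new_dst = pkt.src, pkt.dst
            for rule in self.nat_rules:
                if pkt.dst == rule.orig_dst and pkt.dport == rule.orig_dport:
                    new_src = rule.trans_src or pkt.src
                    new_dst = rule.trans_dst
                    break
            self.state[key] = (new_src, new_dst)
        else:
            # Mid-stream packet with no state (state already purged): the NAT rules
            # are not consulted, so the packet keeps its public destination address.
            new_src, new_dst = pkt.src, pkt.dst
        return Packet(new_src, pkt.sport, new_dst, pkt.dport, pkt.syn)

    def forward(self, pkt: Packet) -> Tuple[str, str, str]:
        """NAT first, then policy. Returns (action, dst seen by policy, src seen by server)."""
        translated = self._nat(pkt)
        for rule in self.policy:
            if rule.dst in (None, translated.dst) and rule.dport in (None, translated.dport):
                return rule.action, translated.dst, translated.src
        raise RuntimeError("policy has no catch-all rule")

    def purge_state(self) -> None:
        self.state.clear()


def build_firewall(double_translation: bool = False) -> Firewall:
    nat = [NatRule(PUBLIC_IP, 80, SERVER_IP,
                   ROUTER_INTERNAL_IP if double_translation else None)]
    policy = [PolicyRule(SERVER_IP, 80, "Accept"),  # the policy rule from the thread
              PolicyRule(None, None, "Deny")]       # "block all" catch-all
    return Firewall(nat, policy)


def scenario_normal() -> Tuple[str, str, str]:
    # Policy written against the translated (internal) address: accepted, client IP kept.
    return build_firewall().forward(Packet(CLIENT_IP, 40000, PUBLIC_IP, 80, syn=True))


def scenario_double_translation() -> Tuple[str, str, str]:
    # Source translated too: accepted, but the server now sees the router as the client.
    fw = build_firewall(double_translation=True)
    return fw.forward(Packet(CLIENT_IP, 40000, PUBLIC_IP, 80, syn=True))


def scenario_state_purged() -> Tuple[str, str, str]:
    # Connection set up and accepted, state expires, then a trailing non-SYN packet arrives.
    fw = build_firewall()
    fw.forward(Packet(CLIENT_IP, 40000, PUBLIC_IP, 80, syn=True))
    fw.purge_state()
    return fw.forward(Packet(CLIENT_IP, 40000, PUBLIC_IP, 80))


if __name__ == "__main__":
    for fn in (scenario_normal, scenario_double_translation, scenario_state_purged):
        print(fn.__name__, fn())
```

The third scenario reproduces the log pattern reported at the start of the thread: the same flow is accepted on 192.168.0.50 port 80 while it has state, and a late packet for it is logged as a deny on 213.211.410.50 port 80 by the block-all rule. On a real firewall the fix is not a policy rule for the public address (that would accept untranslated packets the server can never answer) but checking whether the state timeout is shorter than the lifetime of the connections being served.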