address translation can take place if the connection has been permitted, and rule 2 permits the connection.
The SAT rule destination interface must be core because interface IPs are always routed on core.
A NAT rule may also be needed to allow internal computers access to the public Internet:
#
Action
Src Iface
Src Net
Dest Iface
Dest Net
Parameters
1
SAT
any
all-nets
core
wan_ip
http SETDEST 10.10.10.5 80
2
Allow
any
all-nets
core
wan_ip
http
3
NAT
lan
lannet
any
all-nets
All
The problem with this rule set is that it makes internal addresses visible to computers on the DMZ. When
computers connect to wan_ip port 80, they will be allowed to proceed by rule 2. From a security perspective,
hosts in the DMZ should be regarded as untrustworthy.
There are two possible solutions:
1.
Change rule 2 so that it only applies to external traffic.
2.
Swap rules 2 and 3 so that the NAT rule is carried out for internal traffic before the Allow rule triggers.
Which of these two options is best? For this configuration, it makes no difference and both work.
However, suppose that we use another interface, ext2, on the firewall and connect it to another network, perhaps
to that of a neighboring company so that they can communicate much faster with our servers.
If option 1 was selected, the rule set must be adjusted like this:
#
Action
Src Iface
Src Net
Dest Iface
Dest Net
Parameters
1
SAT
any
all-nets
core
wan_ip
http SETDEST 10.10.10.5 80
2
Allow
wan
all-nets
core
wan_ip
http
3
Allow
ext2
ext2net
core
wan_ip
http
4
NAT
lan
lannet
any
all-nets
all_services
This increases the number of rules for each interface allowed to communicate with the web server. However, the
rule ordering is unimportant, which may help avoid errors.
If option 2 was selected, the rule set must be adjusted like this:
#
Action
Src Iface
Src Net
Dest Iface
Dest Net
Parameters
1
SAT
any
all-nets
core
wan_ip
http SETDEST 10.10.10.5 80
2
NAT
lan
lannet
core
wan_ip
all_services
3
Allow
any
all-nets
core
wan_ip
http
This means that the number of rules does not need to be increased. This is good as long as all interfaces can be
trusted to communicate with the web server. If, however, at a later point we add an interface that cannot be
trusted to communicate with the web server, separate Drop rules would have to be placed before the rule granting
all machines access to the web server.
Determining the best course of action must be done on a case-by-case basis, taking all circumstances into
account.
Example 7.4. Enabling Traffic to a Web Server on an Internal Network
In this example, a web server with a private IPv4 address is located on an internal network. This example has
been chosen for its simplicity but this approach is inadvisable from a security standpoint as web servers are best
located in a DMZ.
In order for external users to access the web server, they must be able to contact it using a public address. In this
example, we have chosen to translate port 80 on the firewall's external address to port 80 on the web server:
7.4.1. Translation of a Single IP
Address (1:1)
Chapter 7. Address Translation
381
Summary of Contents for NetDefend DFL-1660
Page 28: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 28 ...
Page 88: ...2 6 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 88 ...
Page 166: ...3 10 DNS Chapter 3 Fundamentals 166 ...
Page 254: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 254 ...
Page 268: ...5 4 IP Pools Chapter 5 DHCP Services 268 ...
Page 368: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 368 ...
Page 390: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 390 ...
Page 414: ...8 3 Customizing Authentication HTML Pages Chapter 8 User Authentication 414 ...
Page 490: ...9 8 6 Specific Symptoms Chapter 9 VPN 490 ...
Page 528: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 528 ...
Page 544: ...11 7 HA Advanced Settings Chapter 11 High Availability 544 ...
Page 551: ...12 3 5 Limitations Chapter 12 ZoneDefense 551 ...
Page 574: ...Default 512 13 9 Miscellaneous Settings Chapter 13 Advanced Settings 574 ...
Page 575: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 575 ...