Sat And Fwdfast Rules - D-Link NetDefend DFL-210 User Manual

Network security firewall ver 2.26.01

The phrase "each address" above means that two SAT rules can be in effect at the same time on the
same connection, provided that one is translating the sender address whilst the other is translating
the destination address.
#  Action  Src Iface  Src Net   Dest Iface  Dest Net    Service    Parameters
1  SAT     any        all-nets  core        wwwsrv_pub  TCP 80-85  SETDEST 192.168.0.50 1080
2  SAT     lan        lannet    any         all-nets    Standard   SETSRC pubnet

The two above rules may both be carried out concurrently on the same connection. In this instance,
internal sender addresses will be translated to addresses in pubnet in a 1:1 relationship. In addition,
if anyone tries to connect to the public address of the web server, the destination address will be
changed to its private address.

#  Action  Src Iface  Src Net   Dest Iface  Dest Net    Service    Parameters
1  SAT     lan        lannet    core        wwwsrv_pub  TCP 80-85  SETDEST intrasrv 1080
2  SAT     any        all-nets  core        wwwsrv_pub  TCP 80-85  SETDEST wwwsrv-priv 1080

In this instance, both rules are set to translate the destination address, meaning that only one of them
will be carried out. If an attempt is made internally to communicate with the web server's public
address, it will instead be redirected to an intranet server. If any other attempt is made to
communicate with the web server's public address, it will be redirected to the private address of the
publicly accessible web server.

Again, note that the above rules require a matching Allow rule at a later point in the rule set in order
to work.

7.4.7. SAT and FwdFast Rules

It is possible to employ static address translation in conjunction with FwdFast rules, although return
traffic must be explicitly granted and translated.

The following rules make up a working example of static address translation using FwdFast rules to
a web server located on an internal network:

#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Service    Parameters
1  SAT      any        all-nets  core        wan_ip    http       SETDEST wwwsrv 80
2  SAT      lan        wwwsrv    any         all-nets  80 -> All  SETSRC wan_ip 80
3  FwdFast  any        all-nets  core        wan_ip    http
4  FwdFast  lan        wwwsrv    any         all-nets  80 -> All

We now add a NAT rule to allow connections from the internal network to the Internet:

#  Action  Src Iface  Src Net  Dest Iface  Dest Net  Service  Parameters
5  NAT     lan        lannet   any         all-nets  All

What happens now is as follows:

External traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Correct.

Return traffic from wwwsrv:80 will match rules 2 and 4, and will appear to be sent from
wan_ip:80. Correct.

Internal traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. This is almost
correct; the packets will arrive at wwwsrv, but:

Return traffic from wwwsrv:80 to internal machines will be sent directly to the machines
themselves. This will not work, as the packets will be interpreted as coming from the wrong
address.

Chapter 7. Address Translation
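To make the four cases above concrete, here is an added Python model of rules 1 to 5 (example code, not from the manual or from NetDefendOS): it applies at most one matching SAT rule per address, lets the first matching FwdFast/NAT rule decide the packet, and returns None when both hosts are on lannet, because such a packet is delivered host to host and never reaches the firewall. The IP addresses, the interface layout and the service port semantics are constructed assumptions.

```python
import ipaddress as ip

# Constructed addresses for the example; the manual gives only the object names.
NETS = {"all-nets": ip.ip_network("0.0.0.0/0"), "lannet": ip.ip_network("192.168.1.0/24"),
        "wwwsrv": ip.ip_network("192.168.1.10/32"), "wan_ip": ip.ip_network("203.0.113.5/32")}
ANY = range(65536)
SERVICES = {"http": (ANY, range(80, 81)), "80 -> All": (range(80, 81), ANY), "All": (ANY, ANY)}

# Rules 1-5 of the FwdFast example:
# (number, action, src iface, src net, dest iface, dest net, service, parameters)
RULES = [
    (1, "SAT", "any", "all-nets", "core", "wan_ip", "http", ("SETDEST", "wwwsrv", 80)),
    (2, "SAT", "lan", "wwwsrv", "any", "all-nets", "80 -> All", ("SETSRC", "wan_ip", 80)),
    (3, "FwdFast", "any", "all-nets", "core", "wan_ip", "http", None),
    (4, "FwdFast", "lan", "wwwsrv", "any", "all-nets", "80 -> All", None),
    (5, "NAT", "lan", "lannet", "any", "all-nets", "All", None),
]

def iface(addr):  # assumed layout: wan_ip is the firewall itself (core), lannet is on lan, the rest is wan
    a = ip.ip_address(addr)
    return "core" if a in NETS["wan_ip"] else "lan" if a in NETS["lannet"] else "wan"

def matches(rule, src, sport, dst, dport):
    _, _, si, sn, di, dn, svc, _ = rule
    sports, dports = SERVICES[svc]
    return (si in ("any", iface(src)) and ip.ip_address(src) in NETS[sn]
            and di in ("any", iface(dst)) and ip.ip_address(dst) in NETS[dn]
            and sport in sports and dport in dports)

def trace(src, sport, dst, dport):
    # Returns (rule numbers hit, deciding action, translated src, translated dst), or None when
    # both hosts are on lannet: that packet goes host to host and never reaches the firewall.
    if ip.ip_address(src) in NETS["lannet"] and ip.ip_address(dst) in NETS["lannet"]:
        return None
    hit, tsrc, tdst, done = [], (src, sport), (dst, dport), set()
    for rule in RULES:
        if not matches(rule, src, sport, dst, dport):  # matching always uses the original addresses
            continue
        if rule[1] != "SAT":                           # first FwdFast/NAT/Allow rule decides
            return hit + [rule[0]], rule[1], tsrc, tdst
        verb, name, port = rule[7]
        if verb not in done:                           # a second SAT may only translate the other address
            done.add(verb)
            new = (str(NETS[name].network_address), port)
            tsrc, tdst = (new, tdst) if verb == "SETSRC" else (tsrc, new)
            hit.append(rule[0])
    return hit, "Drop", tsrc, tdst
```

Tracing the external client, the server's reply to it, and the internal client (192.168.1.20, constructed) reproduces the three "Correct"/"almost correct" cases, while the reply from wwwsrv to the internal client returns None.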