Multiple Sat Rule Matches; Sat And Fwdfast Rules - D-Link NetDefend DFL-210 User Manual

7.3.6. Multiple SAT rule matches

configuration.
There is no definitive list of what protocols that can or cannot be address translated. A general rule
is that VPN protocols cannot usually be translated. In addition, protocols that open secondary
connections in addition to the initial connection can be difficult to translate.
Some protocols that are difficult to address translate may be handled by specially written algorithms
designed to read and/or alter application data. These are commonly referred to as Application Layer
Gateways or Application Layer Filters. NetDefendOS supports a number of such Application Layer
Gateways and for more information please see Section 6.2, "Application Layer Gateways".
7.3.6. Multiple SAT rule matches
NetDefendOS does not terminate the rule set lookup upon finding a matching SAT rule. Instead, it
continues to search for a matching Allow, NAT or FwdFast rule. Only when it has found such a
matching rule does the firewall execute the static address translation.
Despite this, the first matching SAT rule found for each address is the one that will be carried out.
"Each address" above means that two SAT rules can be in effect at the same time on the same
connection, provided that one is translating the sender address whilst the other is translating the
destination address.
# Action Src Iface
1 SAT any
2 SAT lan
The two above rules may both be carried out concurrently on the same connection. In this instance,
internal sender addresses will be translated to addresses in the "pubnet" in a 1:1 relation. In addition,
if anyone tries to connect to the public address of the web server, the destination address will be
changed to its private address.
# Action Src Iface
1 SAT lan
2 SAT any
In this instance, both rules are set to translate the destination address, meaning that only one of them
will be carried out. If an attempt is made internally to communicate with the web servers public
address, it will instead be redirected to an intranet server. If any other attempt is made to
communicate with the web servers public address, it will be redirected to the private address of the
publicly accessible web server.
Again, note that the above rules require a matching Allow rule at a later point in the rule set in order
to work.

7.3.7. SAT and FwdFast Rules

It is possible to employ static address translation in conjunction with FwdFast rules, although return
traffic must be explicitly granted and translated.
The following rules make up a working example of static address translation using FwdFast rules to
a web server located on an internal network:
# Action
1 SAT
2 SAT
3 FwdFast
4 FwdFast
We add a NAT rule to allow connections from the internal network to the Internet:
Src Net Dest Iface
all-nets core
lannet all-nets
Src Net Dest Iface
lannet wwwsrv_pub
all-nets wwwsrv_pub
Src Iface Src Net Dest Iface
any all-nets core
lan wwwsrv any
any all-nets core
lan wwwsrv any
Dest Net Parameters
wwwsrv_pub TCP 80-85 SETDEST 192.168.0.50 1080
Standard SETSRC pubnet
Dest Net Parameters
TCP 80-85 SETDEST intrasrv 1080
TCP 80-85 SETDEST wwwsrv-priv 1080
Dest Net
wan_ip
all-nets
wan_ip
all-nets
217
Chapter 7. Address Translation
Parameters
http SETDEST wwwsrv 80
80 -> All SETSRC wan_ip 80
http
80 -> All