Protocols Handled by SAT; Multiple SAT Rule Matches - D-Link DFL-260E User Manual

Network Security Firewall NetDefendOS Version 2.27.03
Port Address Translation (PAT) can be used to modify the source or destination port.

#  Action  Src Iface  Src Net   Dest Iface  Dest Net    Parameters
1  SAT     any        all-nets  core        wwwsrv_pub  TCP 80-85 SETDEST 192.168.0.50 1080

This rule produces a 1:1 translation of all ports in the range 80 - 85 to the range 1080 - 1085.
Attempts to communicate with the web server's public address on port 80 will result in a
connection to the web server's private address on port 1080.
Attempts to communicate with the web server's public address on port 84 will result in a
connection to the web server's private address on port 1084.

7.4.5. Protocols Handled by SAT
Generally, static address translation can handle all protocols that allow address translation to take
place. However, there are protocols that can only be translated in special cases, and other protocols
that simply cannot be translated at all.
Protocols that are impossible to translate using SAT are most likely also impossible to translate
using NAT. Reasons for this include:
- The protocol cryptographically requires that the addresses are unaltered; this applies to many
VPN protocols.
- The protocol embeds its IP addresses inside the TCP or UDP payload and subsequently
requires, in some way or another, that the addresses visible at the IP level are the same as those
embedded in the data. Examples of this include FTP and logons to NT domains via NetBIOS. Such
protocols can only be translated when the firewall also rewrites the embedded addresses, which is
the job of an application layer gateway (ALG) for that protocol.
- Either party attempts to open new dynamic connections to the addresses visible to that
party. In some cases this can be resolved by modifying the application or the firewall
configuration.
There is no definitive list of which protocols can or cannot be address translated. A general rule
is that VPN protocols cannot usually be translated. In addition, protocols that open secondary
connections in addition to the initial connection can be difficult to translate.
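The FTP case mentioned above, as an added example (Python, not NetDefendOS code): the client's PORT command and the server's 227 reply to PASV both carry an IP address and port as six decimal octets inside the TCP payload. After SAT the address in the IP header no longer matches the embedded one, so the peer's data connection goes to an unreachable private address unless the payload is rewritten, which is what an FTP ALG does. The function names, regular expressions and sample commands are constructed for this example.

```python
"""FTP embeds IP addresses in the TCP payload (7.4.5).

Added illustration, not NetDefendOS code: the function names, the regular
expressions and the sample commands are constructed for this example.
"""
import re

# "PORT h1,h2,h3,h4,p1,p2" sent by an active-mode client.
_PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." sent by a server.
_PASV_RE = re.compile(r"^(227 .*?\()(\d{1,3}(?:,\d{1,3}){5})(\).*)$", re.DOTALL)


def _decode(six):
    """'h1,h2,h3,h4,p1,p2' -> (ip, port), or None when an octet is out of range."""
    parts = [int(x) for x in six.split(",")]
    if any(x > 255 for x in parts):
        return None
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def _encode(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_port(cmd):
    """Address/port a client announces for its active-mode data connection."""
    m = _PORT_RE.match(cmd)
    return _decode(m.group(1)) if m else None


def parse_pasv(reply):
    """Address/port a server announces in its passive-mode 227 reply."""
    m = _PASV_RE.match(reply)
    return _decode(m.group(2)) if m else None


def embedded_mismatch(endpoint, ip_header_addr):
    """True when the payload address differs from the address the peer sees at
    IP level: the peer's data connection then cannot reach the sender."""
    return endpoint is not None and endpoint[0] != ip_header_addr


def alg_rewrite_port(cmd, translated_ip):
    """What an ALG does for an active-mode client behind translation: make the
    embedded address equal the translated source address, so the server's data
    connection lands on the firewall instead of the private address."""
    ep = parse_port(cmd)
    if ep is None:
        return cmd
    return f"PORT {_encode(translated_ip, ep[1])}\r\n"


def alg_rewrite_pasv(reply, translated_ip):
    """Same rewrite for a server behind SAT: the 227 reply must carry the
    server's public address, not the private one it knows about."""
    m = _PASV_RE.match(reply)
    ep = _decode(m.group(2)) if m else None
    if ep is None:
        return reply
    return f"{m.group(1)}{_encode(translated_ip, ep[1])}{m.group(3)}"


if __name__ == "__main__":
    # Constructed sample: a server at private 192.168.0.50, published as
    # 203.0.113.10 via SAT, answers PASV with its private address.
    reply = "227 Entering Passive Mode (192,168,0,50,4,1).\r\n"
    ep = parse_pasv(reply)
    print(ep, "mismatch:", embedded_mismatch(ep, "203.0.113.10"))
    print(alg_rewrite_pasv(reply, "203.0.113.10").strip())
```

The rewrite alone is not enough for a working ALG: the firewall must also expect the resulting data connection (here to 203.0.113.10 port 1025) and map it back to the private address, which is the dynamic-connection problem the third bullet above describes.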

7.4.6. Multiple SAT Rule Matches

NetDefendOS does not terminate the rule set lookup upon finding a matching SAT rule. Instead, it
continues to search for a matching Allow, NAT or FwdFast rule. Only when it has found such a
matching rule does NetDefendOS execute the static address translation.
Despite this, the first matching SAT rule found for each address is the one that will be carried out.
The phrase "each address" above means that two SAT rules can be in effect at the same time on the
same connection, provided that one is translating the sender address whilst the other is translating
the destination address.
#  Action  Src Iface  Src Net   Dest Iface  Dest Net    Parameters
1  SAT     any        all-nets  core        wwwsrv_pub  TCP 80-85 SETDEST 192.168.0.50 1000
2  SAT     lan        lannet    wan         all-nets    Standard SETSRC pubnet

Note: A custom service is needed for port translation
In order to create a SAT rule that allows port translation, a Custom Service object
must be used with the rule.

357
Chapter 7. Address Translation
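The lookup order of 7.4.6 and the port translation of 7.4.4, as an added example in Python (not NetDefendOS code): a small model of the rule-set lookup in which a matching SAT rule is only remembered, the search continues until an Allow, NAT or FwdFast rule matches, and only the first matching SAT rule per direction is applied. The Rule and Packet classes, the function names, the address-book prefixes and the treatment of SETSRC pubnet as a 1:1 network mapping are assumptions made for this example; the rule set mirrors the two SAT rules of 7.4.6 with an Allow rule added, and the port arithmetic mirrors the 80-85 to 1080-1085 mapping of 7.4.4.

```python
"""Model of the SAT rule-set lookup described in 7.4.4 and 7.4.6.

Added illustration in Python, not NetDefendOS code. The Rule and Packet
classes, the function names, the address-book prefixes and the 1:1 network
mapping used for SETSRC are assumptions made for this example; the modelled
behaviour is the documented one: a matching SAT rule does not end the lookup,
the lookup continues until an Allow, NAT or FwdFast rule matches, only then
is the translation executed, and only the first matching SAT rule per
direction (SETSRC, SETDEST) is applied.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Address book: the object names are the manual's, the prefixes are assumed.
NETS = {
    "all-nets":   ip_network("0.0.0.0/0"),
    "lannet":     ip_network("192.168.0.0/24"),
    "wwwsrv_pub": ip_network("203.0.113.10/32"),
    "pubnet":     ip_network("203.0.113.0/24"),
}


@dataclass
class Rule:
    action: str                 # SAT, Allow, NAT, FwdFast or Drop
    src_iface: str
    src_net: str
    dst_iface: str
    dst_net: str
    proto: str = "any"          # "TCP", "UDP" or "any"
    ports: tuple = (1, 65535)   # destination port range of the service
    sat: dict = field(default_factory=dict)  # {"SETDEST": (ip, base_port)} or {"SETSRC": net}


@dataclass
class Packet:
    src_iface: str
    src_ip: str
    dst_iface: str
    dst_ip: str
    proto: str
    dst_port: int


def matches(rule, pkt):
    """Interface, network and service match, as in the rule-set tables."""
    return (rule.src_iface in ("any", pkt.src_iface)
            and rule.dst_iface in ("any", pkt.dst_iface)
            and ip_address(pkt.src_ip) in NETS[rule.src_net]
            and ip_address(pkt.dst_ip) in NETS[rule.dst_net]
            and rule.proto in ("any", pkt.proto)
            and rule.ports[0] <= pkt.dst_port <= rule.ports[1])


def translate(pkt, sat_src, sat_dst):
    """Apply the remembered SAT rules (either may be None)."""
    src_ip, dst_ip, dst_port = pkt.src_ip, pkt.dst_ip, pkt.dst_port
    if sat_dst is not None:
        dst_ip, base_port = sat_dst.sat["SETDEST"]
        # Port translation is 1:1 across the service range (7.4.4):
        # port 84 in 80-85 with base 1080 becomes 1084.
        dst_port = base_port + (pkt.dst_port - sat_dst.ports[0])
    if sat_src is not None:
        # SETSRC <network>: assumed here to map the rule's source network
        # onto the target network 1:1, keeping the host part of the address.
        old_net = NETS[sat_src.src_net]
        new_net = NETS[sat_src.sat["SETSRC"]]
        offset = int(ip_address(pkt.src_ip)) - int(old_net.network_address)
        src_ip = str(ip_address(int(new_net.network_address) + offset))
    return src_ip, dst_ip, dst_port


def lookup(rules, pkt):
    """Return (action, src_ip, dst_ip, dst_port) as the firewall applies them."""
    sat_src = sat_dst = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "SAT":
            # Remember only the first matching SAT per direction; keep searching.
            if "SETSRC" in rule.sat and sat_src is None:
                sat_src = rule
            if "SETDEST" in rule.sat and sat_dst is None:
                sat_dst = rule
            continue
        if rule.action in ("Allow", "NAT", "FwdFast"):
            # Only now is the static translation executed.
            return (rule.action,) + translate(pkt, sat_src, sat_dst)
        # Any other terminating rule (Drop, Reject) ends the lookup untranslated.
        return rule.action, pkt.src_ip, pkt.dst_ip, pkt.dst_port
    # No terminating rule matched: default policy, the SAT rule is never executed.
    return "Drop", pkt.src_ip, pkt.dst_ip, pkt.dst_port


# The two SAT rules of 7.4.6 plus the Allow rule they need in order to take effect.
RULES = [
    Rule("SAT", "any", "all-nets", "core", "wwwsrv_pub", "TCP", (80, 85),
         {"SETDEST": ("192.168.0.50", 1000)}),
    Rule("SAT", "lan", "lannet", "wan", "all-nets", sat={"SETSRC": "pubnet"}),
    Rule("Allow", "any", "all-nets", "any", "all-nets"),
]

if __name__ == "__main__":
    # Constructed packets: an external client to the web server's public
    # address on port 84, and a LAN host going out to the Internet.
    print(lookup(RULES, Packet("wan", "198.51.100.7", "core", "203.0.113.10", "TCP", 84)))
    print(lookup(RULES, Packet("lan", "192.168.0.17", "wan", "198.51.100.7", "TCP", 443)))
    # Without the Allow rule the SAT rule matches but is never executed.
    print(lookup(RULES[:2], Packet("wan", "198.51.100.7", "core", "203.0.113.10", "TCP", 84)))
```

The third call is the check to make when a SAT rule appears to do nothing: with no Allow, NAT or FwdFast rule after it the lookup falls through to the default Drop and the translation is never applied. A second SETDEST rule placed after the first is ignored for the same connection, while a SETSRC rule can still apply alongside it.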
