1. Go to: Objects > Services > Add > TCP/UDP Service
2. Now enter:
   • Name: pop3_client_service
   • Type: TCP
   • Destination: 110
   • ALG: pop3_client_alg
3. Click OK
C. Create an IP Rule for email traffic from the mail server:
1. Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule
2. Now enter:
   • Name: pop3_mail
   • Action: Allow
   • Service: pop3_client_service
   • Source Interface: lan
   • Source Network: lan_net
   • Destination Interface: dmz
   • Destination Network: mail_server_ip
3. Click OK
Note that the clients initiate the POP3 connection, so they are the source in the IP rule.
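The following is an added example, not part of the manual and not NetDefendOS code: a small Python model of how an IP rule such as pop3_mail is evaluated against the first packet of a new connection. The object names (lan, lan_net, dmz, mail_server_ip, pop3_client_service, pop3_client_alg) are those used in the procedure above; the addresses assigned to them and the sample connections are constructed for the example. It shows that the client-initiated connection matches the rule and picks up the ALG attached to the service, while a connection in the reverse direction or to a different port falls through to the default drop.

```python
# Added example (not from the NetDefendOS manual): a minimal model of IP rule
# evaluation. Object names follow the procedure above; the addresses below and
# the sample connections are constructed values, not taken from any real setup.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address book: object name -> network/host (sample values, assumed)
ADDRESS_BOOK = {
    "lan_net": ipaddress.ip_network("192.168.1.0/24"),
    "mail_server_ip": ipaddress.ip_network("10.0.0.5/32"),
}


@dataclass(frozen=True)
class Service:
    name: str
    proto: str                  # "TCP" or "UDP"
    dest_port: int
    alg: Optional[str] = None   # ALG bound to the service, if any


@dataclass(frozen=True)
class IPRule:
    name: str
    action: str
    service: Service
    src_iface: str
    src_net: str
    dst_iface: str
    dst_net: str


@dataclass(frozen=True)
class Connection:
    """First packet of a new connection as the firewall sees it."""
    src_iface: str
    src_ip: str
    dst_iface: str
    dst_ip: str
    proto: str
    dest_port: int


def in_net(ip: str, obj_name: str) -> bool:
    """True if ip belongs to the named address-book object."""
    return ipaddress.ip_address(ip) in ADDRESS_BOOK[obj_name]


def match(rule: IPRule, conn: Connection) -> bool:
    """All five rule fields (interfaces, networks, service) must match."""
    return (conn.src_iface == rule.src_iface
            and conn.dst_iface == rule.dst_iface
            and in_net(conn.src_ip, rule.src_net)
            and in_net(conn.dst_ip, rule.dst_net)
            and conn.proto == rule.service.proto
            and conn.dest_port == rule.service.dest_port)


def evaluate(rules: List[IPRule], conn: Connection) -> Tuple[str, Optional[str], Optional[str]]:
    """First matching rule wins. Returns (action, rule name, ALG to apply);
    nothing matching means default-deny with no ALG."""
    for rule in rules:
        if match(rule, conn):
            return rule.action, rule.name, rule.service.alg
    return "Drop", None, None


POP3_SERVICE = Service("pop3_client_service", "TCP", 110, alg="pop3_client_alg")
RULES = [IPRule("pop3_mail", "Allow", POP3_SERVICE,
                "lan", "lan_net", "dmz", "mail_server_ip")]

# Client on the LAN opening POP3 to the DMZ mail server: this is what the rule describes.
CLIENT_TO_SERVER = Connection("lan", "192.168.1.20", "dmz", "10.0.0.5", "TCP", 110)
# The mail server initiating towards the client: the source/destination are reversed.
SERVER_TO_CLIENT = Connection("dmz", "10.0.0.5", "lan", "192.168.1.20", "TCP", 110)
# Same client and server, but a port the service does not cover.
CLIENT_WRONG_PORT = Connection("lan", "192.168.1.20", "dmz", "10.0.0.5", "TCP", 143)

if __name__ == "__main__":
    for c in (CLIENT_TO_SERVER, SERVER_TO_CLIENT, CLIENT_WRONG_PORT):
        print(f"{c.src_iface} {c.src_ip} -> {c.dst_iface} {c.dst_ip}:{c.dest_port}",
              evaluate(RULES, c))
```

Only the first connection is allowed, and it is the one that carries the ALG name back to the caller; this is why the note above insists that the clients, not the mail server, are the source of the rule.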
6.2.8. The PPTP ALG
The PPTP ALG is provided to deal with a specific issue that arises when PPTP tunnels are used with NAT.
Let us suppose we have two clients A and B on a protected inner network behind a NetDefend Firewall. The firewall is connected to the external Internet and a NAT rule is defined to allow traffic from the clients to flow to the Internet. Both clients will therefore appear to come from the same IP address as they make connections to servers across the Internet.
Client A now establishes a PPTP tunnel to an external host C across the Internet. The tunnel endpoints are the client and the external server. Because of the NAT IP rule, the tunnel connection will appear to be coming from the external IP address of the firewall.
This first connection will be successful, but when the second client B also tries to connect to the same server C at the same endpoint IP address, the first connection for A will be lost. The reason is that both clients are trying to establish a PPTP tunnel from the same external IP address to the same endpoint.
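The following is an added example, not part of the manual and not a description of NetDefendOS internals: a Python model of the NAT collision described above. PPTP carries its tunnel data in GRE, which has no port numbers; instead each GRE packet carries the peer's PPTP Call ID. A NAT table keyed only on addresses therefore cannot tell two tunnels from the same external address to the same server apart, so the second tunnel overwrites the first. The second class shows the usual ALG remedy, tracking the Call ID and rewriting it to a value unique per tunnel; that technique is assumed here as the general approach, not quoted from the manual. All addresses and call IDs are constructed sample values.

```python
# Added example (not from the NetDefendOS manual): models why two PPTP clients
# behind one NAT address collide, and how an ALG that tracks the PPTP Call ID
# keeps the tunnels distinct. The call-ID rewriting is the common ALG
# technique and is assumed here; it is not a description of any vendor's
# implementation. All addresses and call IDs below are constructed values.
from typing import Dict, Optional, Tuple

FIREWALL_EXT_IP = "203.0.113.1"   # firewall's external (NAT) address, assumed
SERVER_C = "198.51.100.10"        # external PPTP server C, assumed
CLIENT_A = "192.168.1.10"         # inner client A, assumed
CLIENT_B = "192.168.1.11"         # inner client B, assumed


class NaiveNat:
    """NAT state keyed on (protocol, translated source, destination) only.
    GRE has no ports, so two tunnels to the same server share one key."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, str, str], str] = {}

    def add_tunnel(self, client_ip: str, server_ip: str, call_id: int) -> int:
        key = ("GRE", FIREWALL_EXT_IP, server_ip)
        self.table[key] = client_ip          # a second tunnel overwrites the first
        return call_id                       # call ID passes through unchanged

    def inbound(self, server_ip: str, call_id: int) -> Optional[str]:
        # The call ID is ignored: only the address key is known to this NAT.
        return self.table.get(("GRE", FIREWALL_EXT_IP, server_ip))


class PptpAlgNat:
    """NAT with a PPTP ALG: the client's Call ID is rewritten to a value that
    is unique on the outside, and inbound GRE packets are mapped back by it."""

    def __init__(self) -> None:
        # (server, external call ID) -> (inner client, client's original call ID)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_call_id = 1000

    def add_tunnel(self, client_ip: str, server_ip: str, call_id: int) -> int:
        ext_call_id = self.next_call_id      # allocate a unique external call ID
        self.next_call_id += 1
        self.table[(server_ip, ext_call_id)] = (client_ip, call_id)
        return ext_call_id                   # what server C will see and echo back

    def inbound(self, server_ip: str, ext_call_id: int) -> Optional[str]:
        entry = self.table.get((server_ip, ext_call_id))
        return entry[0] if entry else None


def run(nat) -> Dict[str, Optional[str]]:
    """Set up tunnels A->C and then B->C, then check which inner client
    receives the GRE data server C sends back on each tunnel."""
    external_ids = {}
    # Each client allocates its own Call ID independently, so both picking 1
    # is entirely possible and is the worst case for a NAT without an ALG.
    external_ids[CLIENT_A] = nat.add_tunnel(CLIENT_A, SERVER_C, call_id=1)
    external_ids[CLIENT_B] = nat.add_tunnel(CLIENT_B, SERVER_C, call_id=1)
    return {client: nat.inbound(SERVER_C, external_ids[client])
            for client in (CLIENT_A, CLIENT_B)}


if __name__ == "__main__":
    print("without ALG:", run(NaiveNat()))   # A's return traffic lands on B
    print("with PPTP ALG:", run(PptpAlgNat()))
```

Without the ALG, the return traffic for A's tunnel is delivered to B once B connects, which is the "first connection for A will be lost" behaviour described above; with the ALG, each tunnel keeps its own mapping.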
461
Chapter 6: Security Mechanisms