Alcatel AST570 User Manual page 227

Example 1: Firewall configuration without NA(P)T
3EC 17766 AAAA TCZZA Ed. 04
Dynamic NA(P)T is not applied on your local (W)LAN for this DSL connection. This means that the local IP addresses are not hidden from the remote side of the connection.
In the following table, the rules to apply are summarized:

Flow  Source       Dest.        Prot.  Source port  Dest. port  ACK=1  Action
Out   10.0.0.0/8   200.20.20.1  TCP    1024-65535   23          -      accept
In    200.20.20.1  10.0.0.0/8   TCP    23           1024-65535  Yes    accept
Any   External     10.0.0.0/8   Any    Any          Any         -      drop

For the AST570 Firewall, this will result in the following CLI configuration:

1. A chain must be created, e.g. 'Telnet':
   firewall chain create chain=Telnet

2. The following rules must be created for that chain:
   - For the outgoing Telnet service packets:
     firewall rule create chain=Telnet src=10.0.0.0/8 dst=200.20.20.1 srcintfgrp=lan prot=tcp srcport=1024 srcportend=65535 dstport=23 action=accept
   - For incoming Telnet service reply packets:
     firewall rule create chain=Telnet src=200.20.20.1 dst=10.0.0.0/8 srcintfgrp=wan prot=tcp srcport=23 dstport=1024 dstportend=65535 ack=yes action=accept
   - For blocking all other services:
     firewall rule create chain=Telnet action=drop

3. The chain 'Telnet' must be assigned to the input hook:
   firewall assign hook=input chain=Telnet

17 Security Services - Firewalling
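To trace how the three rules of the 'Telnet' chain treat traffic, here is an added Python model of that chain. It is example code written for this page, not AST570 firmware or Alcatel code. It assumes first-match-wins evaluation and that a chain which matches nothing drops the packet; the sample packets, the LAN host address 10.1.2.3 and the Packet, Rule, evaluate and trace names are constructed for the example. It also evaluates a variant of the chain with ack=yes left off the reply rule, to show what that parameter buys: without it, a new connection from 200.20.20.1 that uses source port 23 would be let in as if it were a reply.

```python
# Added example: a small model of the AST570 'Telnet' chain from this page.
# Matching semantics (first match wins, exhausted chain drops) are an assumption.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """One packet as the input hook would see it (constructed for the example)."""
    src: str
    dst: str
    intfgrp: str       # interface group the packet arrived on: "lan" or "wan"
    prot: str          # "tcp", "udp", ...
    srcport: int
    dstport: int
    ack: bool = False  # TCP ACK flag set?


@dataclass(frozen=True)
class Rule:
    """Mirror of the 'firewall rule create' parameters; None means unset (any)."""
    action: str
    src: Optional[str] = None
    dst: Optional[str] = None
    srcintfgrp: Optional[str] = None
    prot: Optional[str] = None
    srcport: Optional[int] = None
    srcportend: Optional[int] = None
    dstport: Optional[int] = None
    dstportend: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.srcintfgrp is not None and p.intfgrp != self.srcintfgrp:
            return False
        if self.prot is not None and p.prot != self.prot:
            return False
        # srcport alone matches one port; srcportend extends it to a range
        if self.srcport is not None:
            end = self.srcportend if self.srcportend is not None else self.srcport
            if not self.srcport <= p.srcport <= end:
                return False
        if self.dstport is not None:
            end = self.dstportend if self.dstportend is not None else self.dstport
            if not self.dstport <= p.dstport <= end:
                return False
        if self.ack is not None and p.ack != self.ack:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet) -> str:
    """First matching rule decides; a chain with no match drops (assumption)."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return "drop"


# The three rules exactly as the page creates them in chain 'Telnet'.
TELNET_CHAIN = [
    Rule("accept", src="10.0.0.0/8", dst="200.20.20.1", srcintfgrp="lan",
         prot="tcp", srcport=1024, srcportend=65535, dstport=23),
    Rule("accept", src="200.20.20.1", dst="10.0.0.0/8", srcintfgrp="wan",
         prot="tcp", srcport=23, dstport=1024, dstportend=65535, ack=True),
    Rule("drop"),
]

# Same chain with ack=yes left off the reply rule, to show what it prevents.
TELNET_CHAIN_NO_ACK = [
    TELNET_CHAIN[0],
    Rule("accept", src="200.20.20.1", dst="10.0.0.0/8", srcintfgrp="wan",
         prot="tcp", srcport=23, dstport=1024, dstportend=65535),
    Rule("drop"),
]

# Constructed sample traffic (10.1.2.3 is an assumed LAN host).
SAMPLES: Dict[str, Packet] = {
    "outbound_syn": Packet("10.1.2.3", "200.20.20.1", "lan", "tcp", 40000, 23),
    "reply": Packet("200.20.20.1", "10.1.2.3", "wan", "tcp", 23, 40000, ack=True),
    # New connection from the remote host using source port 23: only the ACK
    # flag distinguishes it from a genuine reply to our Telnet session.
    "inbound_syn_from_23": Packet("200.20.20.1", "10.1.2.3", "wan", "tcp", 23, 40000),
    "inbound_telnet": Packet("200.20.20.1", "10.1.2.3", "wan", "tcp", 5555, 23),
    "outbound_ssh": Packet("10.1.2.3", "200.20.20.1", "lan", "tcp", 40000, 22),
}


def trace(chain: List[Rule]) -> Dict[str, str]:
    """Run every sample packet through a chain and collect the verdicts."""
    return {name: evaluate(chain, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in trace(TELNET_CHAIN).items():
        print(f"{name:22} {verdict}")
    print("without ack=yes, inbound_syn_from_23 ->",
          trace(TELNET_CHAIN_NO_ACK)["inbound_syn_from_23"])
```

Running the block prints accept for the outgoing Telnet packet and its ACK-flagged reply and drop for everything else, while the variant chain without ack=yes accepts the inbound connection attempt from source port 23; that difference is the reason the reply rule on the page carries ack=yes.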