Network Address Translation (NAT) - Secure Computing SG300 User Manual

Reject: Disallow the rate limited packet, but also send an ICMP protocol
unreachable message to the source IP address.
Drop: Silently disallow the rate limited packet.
If Log if Limited is checked, then the first packet of any rate limited connection will
generate a log message.
Log Prefix specifies the text to be placed at the start of the log message. This can be
used to make it easier to identify which rules are being matched when inspecting the
system log.
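As an added example (not part of the manual), the Python script below tallies firewall log entries by Log Prefix, source address and destination port, which is the kind of check the prefix is meant to make easy when inspecting the system log. It assumes the entries use the standard Linux netfilter LOG layout; the prefixes, host name and addresses are constructed sample values.

```python
import re
from collections import Counter

# Constructed sample system log. Assumption: entries follow the standard
# Linux netfilter LOG layout; "SSH-limit" and "WEB-limit" are hypothetical
# Log Prefix values, and all hosts and addresses are made up.
SAMPLE_LOG = """\
Jan 12 10:01:07 sg kernel: SSH-limit IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40112 DPT=22
Jan 12 10:01:09 sg kernel: SSH-limit IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40115 DPT=22
Jan 12 10:01:30 sg pppd[312]: LCP link established
Jan 12 10:02:44 sg kernel: SSH-limit IN=eth1 OUT= SRC=198.51.100.23 DST=192.0.2.1 PROTO=TCP SPT=51820 DPT=22
Jan 12 10:03:02 sg kernel: WEB-limit IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40233 DPT=80
Jan 12 10:03:10 sg kernel: IN=eth1 OUT= SRC=198.51.100.23 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
"""

# The Log Prefix is whatever sits between "kernel: " and the first "IN=".
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (prefix, fields) for a firewall log line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall("IN=" + m.group("rest")))
    return m.group("prefix").strip(), fields


def summarise(log_text):
    """Count log entries per (prefix, source IP, destination port)."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # some other daemon's message, not a firewall entry
        prefix, f = parsed
        # ICMP entries carry no DPT; unprefixed rules get a placeholder label.
        hits[(prefix or "(no prefix)", f.get("SRC", "?"), f.get("DPT", "-"))] += 1
    return hits


if __name__ == "__main__":
    for (prefix, src, dpt), n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {prefix:<12} src={src:<15} dpt={dpt}")
```

Because only the first packet of a rate limited connection is logged, each counted entry corresponds to one limited connection rather than one packet.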
Custom firewall rules
The Custom Firewall Rules and Custom IPv6 Firewall Rules tabs allow firewall
experts to view the current firewall rules and add custom iptables firewall rules.
Note
Only experts on firewalls and iptables are able to add effective custom firewall rules
(further reading can be found at http://www.netfilter.org/documentation/).
Configuring the SG unit's firewall via the Incoming Access and Outgoing Access and
Packet Filtering configuration pages is adequate for most applications.
Refer to Appendix C – System Log for details on creating custom log rules using iptables.

Network Address Translation (NAT)

Network address translation (NAT) modifies the IP address and/or port of traffic
traversing the SG unit. The SG unit supports several types of network address
translation.
The most common of these is Port Forwarding (also known as port address translation,
PAT or destination NAT, DNAT). This is typically used to alter the destination address
(and possibly port) of matched packets arriving on the SG unit Internet interface to the
address of a host on the LAN. This is the most common way for internal, masqueraded
servers to offer services to the outside world.

This manual is also suitable for: SG530, SG550, SG560, SG570, SG575, SG580 ...

Table of Contents