D-Link NetDefend DFL-210 User Manual page 178

Network security firewall ver. 1.05
7.2.1. Translation of a Single IP Address (1:1)
1. Go to Rules > IP Rules > Add > IPRule
2. Specify a suitable name for the rule, for instance Allow_HTTP_To_DMZ.
3. Now enter:
   Action: Allow
   Service: http
   Source Interface: any
   Source Network: all-nets
   Destination Interface: core
   Destination Network: wan_ip
4. Under the Service tab, select http in the Pre-defined dropdown list.
5. Click OK.
The example results in the following two rules in the rule-set:

#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT     any        all-nets  core        wan_ip    http SETDEST 10.10.10.5 80
2  Allow   any        all-nets  core        wan_ip    http

These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.

Of course, we also need a rule that allows internal machines to be dynamically address translated to the Internet. In this example, we use a rule that permits everything from the internal network to access the Internet via NAT hide:

#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Parameters
3  NAT     lan        lannet    any         all-nets  All

Now, what is wrong with this rule-set?

Well, if we assume that we want to implement address translation for reasons of security as well as functionality, we discover that this rule-set makes our internal addresses visible to machines in the DMZ. When internal machines connect to wan_ip port 80, they will be allowed to proceed by rule 2 as it matches that communication. From an internal perspective, all machines in the DMZ should be regarded as any other Internet-connected servers; we do not trust them, which is the reason for locating them in a DMZ in the first place.

There are two possible solutions:

1. You can change rule 2 so that it only applies to external traffic.
2. You can swap rules 2 and 3 so that the NAT rule is carried out for internal traffic before the Allow rule matches.

Which of these two options is the best?

For this configuration, it makes no difference whatsoever. Both solutions work just as well.

However, suppose that we use another interface, ext2, in the D-Link Firewall and connect it to another network, perhaps to that of a neighboring company so that they can communicate much faster with our servers.

If option 1 was selected, the rule-set must be adjusted thus:

#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT     any        all-nets  core        wan_ip    http SETDEST 10.10.10.5 80
2  Allow   wan        all-nets  core        wan_ip    http
3  Allow   ext2       ext2net   core        wan_ip    http
4  NAT     lan        lannet    any         all-nets  All

165    Chapter 7. Address Translation
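To make the rule-ordering argument above concrete, the following is an added worked example in Python; it is not code from the D-Link manual or from NetDefendOS. It models the rule-set lookup the way the text describes it for rules 1 and 2: a matching SAT rule is remembered, and the first matching Allow or NAT rule after it decides the connection. The rule rows and the server address 10.10.10.5 are taken from the page; the concrete prefixes behind lannet, ext2net and wan_ip, the sample client hosts, and the rule and packet dictionaries are assumptions made for the demo. It evaluates the original three-rule set, both proposed fixes, and the four-rule set with ext2 against the same internal HTTP connection to wan_ip, and reports which rule decides and whether the internal source address stays visible to the DMZ server.

```python
import ipaddress

# Address book for the example. The object names and 10.10.10.5 come from the
# manual's rule-set; the concrete prefixes below are assumed for the demo.
NETWORKS = {
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
    "lannet": ipaddress.ip_network("192.168.1.0/24"),    # assumed
    "ext2net": ipaddress.ip_network("172.16.2.0/24"),    # assumed
    "wan_ip": ipaddress.ip_network("203.0.113.10/32"),   # assumed
}
SERVICES = {"http": {80}, "All": None}  # None means any port


def rule(action, src_iface, src_net, dest_iface, dest_net, service, setdest=None):
    """One row of the rule-set table, in the manual's column order.
    Rule numbers are positional: the first entry of a list is rule 1."""
    return {"action": action, "src_iface": src_iface, "src_net": src_net,
            "dest_iface": dest_iface, "dest_net": dest_net, "service": service,
            "setdest": setdest}


def packet(src_iface, src_ip, dest_iface, dest_ip, dport):
    """A new connection as the firewall sees it before any translation."""
    return {"src_iface": src_iface, "src_ip": ipaddress.ip_address(src_ip),
            "dest_iface": dest_iface, "dest_ip": ipaddress.ip_address(dest_ip),
            "dport": dport}


def matches(r, pkt):
    """'any' matches every interface; networks are looked up in the address book."""
    ports = SERVICES[r["service"]]
    return (r["src_iface"] in ("any", pkt["src_iface"])
            and pkt["src_ip"] in NETWORKS[r["src_net"]]
            and r["dest_iface"] in ("any", pkt["dest_iface"])
            and pkt["dest_ip"] in NETWORKS[r["dest_net"]]
            and (ports is None or pkt["dport"] in ports))


def evaluate(rules, pkt):
    """Top-down lookup with the SAT semantics the text describes: a matching SAT
    rule is remembered but does not end the lookup; the first matching Allow or
    NAT rule after it decides the connection, and the SAT destination rewrite
    applies only because that rule permitted the connection."""
    sat_num, sat_rule = None, None
    for num, r in enumerate(rules, 1):
        if not matches(r, pkt):
            continue
        if r["action"] == "SAT":
            if sat_rule is None:
                sat_num, sat_rule = num, r
            continue
        return {
            "decision": r["action"],
            "rule": num,
            "sat_rule": sat_num,
            "new_dest": sat_rule["setdest"] if sat_rule else None,
            # A plain Allow forwards the original source address to the server;
            # NAT rewrites it to the firewall's own address, hiding the client.
            "source_hidden": r["action"] == "NAT",
        }
    return {"decision": "Drop", "rule": None, "sat_rule": None,
            "new_dest": None, "source_hidden": False}


# The rule-sets discussed on the page, row for row.
SAT_WEB = rule("SAT", "any", "all-nets", "core", "wan_ip", "http",
               setdest=("10.10.10.5", 80))
ALLOW_ANY = rule("Allow", "any", "all-nets", "core", "wan_ip", "http")
ALLOW_WAN = rule("Allow", "wan", "all-nets", "core", "wan_ip", "http")
ALLOW_EXT2 = rule("Allow", "ext2", "ext2net", "core", "wan_ip", "http")
NAT_LAN = rule("NAT", "lan", "lannet", "any", "all-nets", "All")

ORIGINAL = [SAT_WEB, ALLOW_ANY, NAT_LAN]              # rules 1-3 as first written
OPTION_1 = [SAT_WEB, ALLOW_WAN, NAT_LAN]              # rule 2 limited to external traffic
OPTION_2 = [SAT_WEB, NAT_LAN, ALLOW_ANY]              # rules 2 and 3 swapped
EXTENDED = [SAT_WEB, ALLOW_WAN, ALLOW_EXT2, NAT_LAN]  # option 1 plus the ext2 interface

# Constructed sample connections (client hosts assumed).
LAN_TO_WEB = packet("lan", "192.168.1.20", "core", "203.0.113.10", 80)
INET_TO_WEB = packet("wan", "198.51.100.7", "core", "203.0.113.10", 80)
EXT2_TO_WEB = packet("ext2", "172.16.2.9", "core", "203.0.113.10", 80)


if __name__ == "__main__":
    for name, rs in [("original", ORIGINAL), ("option 1", OPTION_1),
                     ("option 2", OPTION_2), ("extended", EXTENDED)]:
        print(f"{name:9} lan->wan_ip:80 ->", evaluate(rs, LAN_TO_WEB))
    print("extended  ext2->wan_ip:80 ->", evaluate(EXTENDED, EXT2_TO_WEB))
```

Running it shows the point the text makes: with the original rule-set the internal connection is decided by rule 2 (Allow), so the DMZ server sees the 192.168.1.x address; with either fix the NAT rule decides and the source is hidden, and in the extended rule-set traffic arriving on ext2 is decided by its own Allow rule while internal traffic still falls through to the NAT rule.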