User Guide

Example 1: Firewall configuration without NA(P)T
17 Network Security - Firewalling
217 / 288
3EC 36231 ABAA TCZZA Ed. 01
Dynamic NA(P)T is not applied on your local LAN for this DSL connection. This means that the IP addresses are not hidden for the remote side of the connection.
In the following table, the rules to apply are summarized:
Flow  Source        Dest.         Prot.  Source port  Dest. port  ACK=1  Action
Out   10.0.0.0/8    200.20.20.1   TCP    1024-65535   23          -      accept
In    200.20.20.1   10.0.0.0/8    TCP    23           1024-65535  Yes    accept
Any   External      10.0.0.0/8    Any    Any          Any         -      drop
For the STPro Firewall, this will result in the following CLI configuration:
1. A chain must be created, e.g. 'Telnet':
firewall chain create chain=Telnet
2. The following rules must be created for that chain:
For the outgoing Telnet service packets:
firewall rule create chain=Telnet src=10.0.0.0/8 dst=200.20.20.1 srcintfgrp=lan prot=tcp srcport=1024 srcportend=65535 dstport=23 action=accept
For the incoming Telnet service reply packets:
firewall rule create chain=Telnet src=200.20.20.1 dst=10.0.0.0/8 srcintfgrp=wan prot=tcp srcport=23 dstport=1024 dstportend=65535 ack=yes action=accept
For blocking all other services:
firewall rule create chain=Telnet action=drop
3. The chain 'Telnet' must be assigned to the input hook:
firewall assign hook=input chain=Telnet
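As an added illustration (not code from the STPro guide or its firewall), the following Python model evaluates the 'Telnet' chain above the way a stateless, first-match filter does, which makes visible why the reply rule carries ack=yes: without it, any packet from 200.20.20.1 port 23 could open a new connection into the LAN. The Packet fields, the treatment of a bare address such as 200.20.20.1 as a /32 network, and the fall-through to drop when no rule matches are assumptions of this example.

```python
# Added illustration, not the STPro firewall: a stateless first-match filter for the chain above.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    prot: str     # "tcp", "udp", ...
    sport: int    # source port
    dport: int    # destination port
    ack: bool     # TCP ACK flag set (the ACK=1 column of the table)
    intf: str     # interface group the packet arrived on: "lan" or "wan"

def _port_ok(port, rule, key):
    # srcport/srcportend and dstport/dstportend as in the CLI; an absent key means any port
    if key not in rule:
        return True
    return rule[key] <= port <= rule.get(key + "end", rule[key])

def match(rule, pkt):
    if "src" in rule and ip_address(pkt.src) not in ip_network(rule["src"]):
        return False
    if "dst" in rule and ip_address(pkt.dst) not in ip_network(rule["dst"]):
        return False
    if "srcintfgrp" in rule and pkt.intf != rule["srcintfgrp"]:
        return False
    if "prot" in rule and pkt.prot != rule["prot"]:
        return False
    if not _port_ok(pkt.sport, rule, "srcport") or not _port_ok(pkt.dport, rule, "dstport"):
        return False
    if rule.get("ack") and not pkt.ack:   # ack=yes matches only packets of an established flow
        return False
    return True

# The three rules of the page, written as the same key=value pairs the CLI takes
TELNET_CHAIN = [
    {"src": "10.0.0.0/8", "dst": "200.20.20.1", "srcintfgrp": "lan", "prot": "tcp",
     "srcport": 1024, "srcportend": 65535, "dstport": 23, "action": "accept"},
    {"src": "200.20.20.1", "dst": "10.0.0.0/8", "srcintfgrp": "wan", "prot": "tcp",
     "srcport": 23, "dstport": 1024, "dstportend": 65535, "ack": True, "action": "accept"},
    {"action": "drop"},   # blocks all other services
]

def filter_packet(pkt, chain=TELNET_CHAIN):
    # First matching rule decides; no match falls through to drop (an assumption, not from the guide)
    for rule in chain:
        if match(rule, pkt):
            return rule["action"]
    return "drop"
```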