User Guide

Example 2: Firewall configuration with NA(P)T
More information
17 Network Security - Firewalling
218 / 288
3EC 36231 ABAA TCZZA Ed. 01
Dynamic NA(P)T is applied for this DSL connection: all outgoing packets with a "Net10" (10.0.0.0/8) source address are translated to the 192.6.11.10 IP address, so the complete local LAN is presented towards the remote side as the single IP address 192.6.11.10.
The rules to apply are summarized in the following table:

Flow | Source      | Dest.       | Prot. | Source port | Dest. port | ACK=1 | Action
-----|-------------|-------------|-------|-------------|------------|-------|-------
Out  | 10.0.0.0/8  | 200.20.20.1 | TCP   | 1024-65535  | 23         | -     | accept
In   | 200.20.20.1 | 192.6.11.10 | TCP   | 23          | 1024-65535 | Yes   | accept
Any  | External    | Internal    | Any   | Any         | Any        | -     | drop
For the STPro Firewall, this results in the following CLI configuration:

1. A chain must be created, e.g. 'Telnet':

   firewall chain create chain=Telnet

2. The following rules must be created for that chain:

   For the outgoing Telnet service packets:

   firewall rule create chain=Telnet src=10.0.0.0/8 dst=200.20.20.1 srcintfgrp=lan prot=tcp srcport=1024 srcportend=65535 dstport=23 action=accept

   For the incoming Telnet service reply packets:

   firewall rule create chain=Telnet src=200.20.20.1 dst=192.6.11.10 srcintfgrp=wan prot=tcp srcport=23 dstport=1024 dstportend=65535 ack=yes action=accept

   For blocking all other services:

   firewall rule create chain=Telnet action=drop

3. The chain 'Telnet' must be assigned to the input hook:

   firewall assign hook=input chain=Telnet
See chapter 22 for more information on STPro's Firewall CLI configuration.
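The following Python model is an added example, not code from the STPro user guide or from the product itself. It reproduces the three rules of the 'Telnet' chain above as a first-match packet filter evaluated on the input hook (before address translation, which is why the outbound rule sees 10.0.0.0/8 and the inbound rule sees 192.6.11.10), and a minimal dynamic NA(P)T table that maps LAN hosts onto the single public address 192.6.11.10. The Packet, Rule and Napt classes, the port-allocation scheme (sequential public ports starting at 1024) and the sample hosts 10.0.0.5 are assumptions made for the example; the addresses and ports otherwise come from the table on this page. The run shows why the ack=yes condition on the inbound rule matters: a reply to a LAN-initiated session is accepted, while an unsolicited connection attempt from 200.20.20.1:23 towards the public address is dropped.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "192.6.11.10"   # NA(P)T address of the DSL connection (from the example)


@dataclass(frozen=True)
class Packet:
    srcintfgrp: str          # interface group the packet arrived on: "lan" or "wan"
    src: str
    dst: str
    prot: str
    srcport: int
    dstport: int
    ack: bool = False        # TCP ACK flag set (True for every segment after the initial SYN)


@dataclass(frozen=True)
class Rule:
    """One 'firewall rule create' line; None means 'any' for that field."""
    action: str
    src: Optional[str] = None                 # host or network, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    srcintfgrp: Optional[str] = None
    prot: Optional[str] = None
    srcport: Optional[Tuple[int, int]] = None  # (srcport, srcportend)
    dstport: Optional[Tuple[int, int]] = None  # (dstport, dstportend)
    ack: Optional[bool] = None                 # ack=yes requires the ACK flag

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.srcintfgrp is not None and p.srcintfgrp != self.srcintfgrp:
            return False
        if self.prot is not None and p.prot != self.prot:
            return False
        if self.srcport is not None and not (self.srcport[0] <= p.srcport <= self.srcport[1]):
            return False
        if self.dstport is not None and not (self.dstport[0] <= p.dstport <= self.dstport[1]):
            return False
        if self.ack is not None and p.ack != self.ack:
            return False
        return True


# The 'Telnet' chain exactly as configured on the page, evaluated first match wins.
TELNET_CHAIN: List[Rule] = [
    Rule("accept", src="10.0.0.0/8", dst="200.20.20.1", srcintfgrp="lan", prot="tcp",
         srcport=(1024, 65535), dstport=(23, 23)),
    Rule("accept", src="200.20.20.1", dst=PUBLIC_IP, srcintfgrp="wan", prot="tcp",
         srcport=(23, 23), dstport=(1024, 65535), ack=True),
    Rule("drop"),   # everything else
]


def evaluate(chain: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule ('drop' if nothing matches)."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return "drop"


class Napt:
    """Toy dynamic NA(P)T: many LAN (ip, port) pairs share one public address."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[Tuple[str, int], int] = {}        # (lan_ip, lan_port) -> public port
        self.back: Dict[int, Tuple[str, int]] = {}       # public port -> (lan_ip, lan_port)

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.srcport)
        if key not in self.out:                           # new session: allocate a public port
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return replace(p, src=self.public_ip, srcport=self.out[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        key = self.back.get(p.dstport)                    # no mapping: nobody inside asked for this
        return None if key is None else replace(p, dst=key[0], dstport=key[1])


def simulate() -> Dict[str, object]:
    """Filter on the input hook, then translate; constructed sample traffic."""
    napt = Napt(PUBLIC_IP)
    r: Dict[str, object] = {}
    syn = Packet("lan", "10.0.0.5", "200.20.20.1", "tcp", 40000, 23, ack=False)
    r["lan_telnet_syn"] = evaluate(TELNET_CHAIN, syn)                 # accept (rule 1)
    public_syn = napt.outbound(syn)                                   # 192.6.11.10:1024 -> 200.20.20.1:23
    synack = Packet("wan", "200.20.20.1", PUBLIC_IP, "tcp", 23, public_syn.srcport, ack=True)
    r["reply"] = evaluate(TELNET_CHAIN, synack)                       # accept (rule 2)
    inner = napt.inbound(synack)
    r["reply_delivered_to"] = (inner.dst, inner.dstport)              # back to 10.0.0.5:40000
    probe = Packet("wan", "200.20.20.1", PUBLIC_IP, "tcp", 23, 40000, ack=False)
    r["unsolicited_syn_from_port_23"] = evaluate(TELNET_CHAIN, probe)  # drop: ACK not set
    http = Packet("lan", "10.0.0.5", "200.20.20.1", "tcp", 40001, 80)
    r["lan_http"] = evaluate(TELNET_CHAIN, http)                      # drop: only Telnet allowed
    spoof = Packet("wan", "10.0.0.5", "200.20.20.1", "tcp", 40000, 23)
    r["lan_address_arriving_on_wan"] = evaluate(TELNET_CHAIN, spoof)  # drop: srcintfgrp mismatch
    return r


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The srcintfgrp conditions do real work here: without them a packet carrying a 10.0.0.0/8 source address but arriving on the WAN side would match the outbound rule. The ack=yes condition is what keeps the inbound rule from becoming a general opening of ports 1024-65535 towards 192.6.11.10; only segments that belong to an already established exchange pass.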