Specifications
The rule Action is set to NAT (this is explained further below) and the Service is set to http-all,
which is suitable for most web browsing (it allows both HTTP and HTTPS connections). The
interface and network for the source and the destination are defined in the Address Filter section of
the rule.
The destination network in the IP rule is specified as the predefined IP4 Address object all-nets.
This is used since we do not know to which IP address the web browsing will be done, and this
allows browsing to any IP address. IP rules are processed in a top-down fashion, with the first
matching rule being obeyed. An all-nets rule like this should be placed towards the bottom of
the rule set, since other rules with narrower destination addresses should trigger before it does.
Only one rule is needed since any traffic controlled by a NAT rule will be controlled by the
CorePlus state engine. This means that the rule will allow connections that originate from the
source network to the destination, and also implicitly allow any returning traffic that results from
those connections.
In the above, we selected the service called http-all, which is already defined in CorePlus. It is
advisable to make the service in an IP rule as restrictive as possible to provide the best security
possible. Custom service objects can be created, including service objects that are
combinations of existing services.
We could have specified the rule Action to be Allow, but only if all the hosts on the protected
local network have public IP addresses. By using NAT, CorePlus will use the destination interface's
IP address as the source IP. This means that external hosts will send their responses back to the
interface IP and CorePlus will automatically direct the traffic back to the originating local host.
Only the outgoing interface therefore needs to have a public IP address and the internal network
topology is hidden.
To allow web browsing, DNS lookup also needs to be allowed in order to resolve URLs into IP
addresses. The service http-all does not include the DNS protocol, so we need a similar IP rule
that allows this. This could be done with one IP rule that uses a custom service which combines
the HTTP and DNS protocols, but the recommended method is to create an entirely new IP rule
that mirrors the above rule but specifies the service as dns-all. This method provides the most
clarity when the configuration is examined for any problems. The screenshot below shows a new
rule called lan_to_wan_dns being created to allow DNS.
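The following is an added example, not CorePlus code and not part of this guide: a small Python model of the behaviour described above, with top-down first-match rule evaluation, source NAT to the outgoing interface address, a connection table that admits return traffic without a second rule, and a separate dns-all rule. The rule, interface, network and service names (lan, lannet, wan, all-nets, http-all, dns-all, lan_to_wan_dns) come from the text; the addresses, port contents, the lan_to_wan_http rule name, the blocked_net object and the Drop rule above it are constructed to show why rule order matters.

```python
"""Constructed model of first-match IP rules with NAT and a state engine.
Not CorePlus code: names from the text, addresses and ports are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service objects as (protocol, destination port) pairs; port contents are assumed.
SERVICES = {
    "http-all": {("tcp", 80), ("tcp", 443)},
    "dns-all": {("tcp", 53), ("udp", 53)},
}
# Address objects; lannet, blocked_net and the interface IPs are constructed (RFC 5737/1918).
NETWORKS = {
    "lannet": ipaddress.ip_network("192.168.1.0/24"),
    "blocked_net": ipaddress.ip_network("198.51.100.0/24"),
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
}
IFACE_IP = {"lan": "192.168.1.1", "wan": "203.0.113.1"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "Allow", "NAT" or "Drop"
    service: str
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Verdict:
    action: str                 # "nat", "allow", "drop" or "return"
    rule: Optional[str]         # rule that opened the connection, if any
    src: Optional[str]          # source address as seen after the firewall
    dst: Optional[str]          # destination address as seen after the firewall


def route(dst: str) -> str:
    """Assumed routing table: lannet is behind lan, everything else goes via wan."""
    return "lan" if ipaddress.ip_address(dst) in NETWORKS["lannet"] else "wan"


def first_match(rules, pkt: Packet) -> Optional[Rule]:
    """Top-down scan: the first rule whose address filter and service match wins."""
    out_if = route(pkt.dst)
    for r in rules:
        if (r.src_if == pkt.in_if and r.dst_if == out_if
                and ipaddress.ip_address(pkt.src) in NETWORKS[r.src_net]
                and ipaddress.ip_address(pkt.dst) in NETWORKS[r.dst_net]
                and (pkt.proto, pkt.dport) in SERVICES[r.service]):
            return r
    return None


class StateEngine:
    """Rule set plus a connection table keyed on the translated 5-tuple."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = {}  # (proto, nat_src, sport, dst, dport) -> (rule name, original src)

    def handle(self, pkt: Packet) -> Verdict:
        # A reply to a known connection is matched against the state table, not the
        # rule set; this is the implicitly allowed returning traffic.
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.conns:
            rule_name, orig_src = self.conns[reply_key]
            return Verdict("return", rule_name, pkt.src, orig_src)  # un-NATed to the local host
        rule = first_match(self.rules, pkt)
        if rule is None or rule.action == "Drop":       # no rule at all also means drop
            return Verdict("drop", rule.name if rule else None, None, None)
        src = pkt.src
        if rule.action == "NAT":
            src = IFACE_IP[route(pkt.dst)]               # outgoing interface IP becomes the source
        self.conns[(pkt.proto, src, pkt.sport, pkt.dst, pkt.dport)] = (rule.name, pkt.src)
        return Verdict(rule.action.lower(), rule.name, src, pkt.dst)


def build_rules(all_nets_last: bool = True):
    """The two rules from the text plus a narrower Drop rule that should sit above them."""
    block = Rule("lan_to_blocked", "Drop", "http-all", "lan", "lannet", "wan", "blocked_net")
    http = Rule("lan_to_wan_http", "NAT", "http-all", "lan", "lannet", "wan", "all-nets")
    dns = Rule("lan_to_wan_dns", "NAT", "dns-all", "lan", "lannet", "wan", "all-nets")
    return [block, http, dns] if all_nets_last else [http, dns, block]


if __name__ == "__main__":
    eng = StateEngine(build_rules())
    print(eng.handle(Packet("lan", "192.168.1.20", "203.0.113.80", "tcp", 40000, 443)))
    print(eng.handle(Packet("wan", "203.0.113.80", "203.0.113.1", "tcp", 443, 40000)))
    print(eng.handle(Packet("lan", "192.168.1.20", "203.0.113.53", "udp", 40001, 53)))
```

Running the module shows the outbound HTTPS connection leaving with the wan interface address as its source, the server's reply being delivered to the original local host purely on the strength of the connection table, and the DNS query matching lan_to_wan_dns. Building the rule set with all_nets_last=False puts the all-nets rule first, and the narrower Drop rule below it never triggers, which is the ordering problem the text warns about.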
Chapter 3: CorePlus Configuration
37