User Manual

ManualsBrandsD-Link ManualsComputer HardwareDFL-2500

211

212

213

214

215

216

217

218

219

220

configuration.

There is no definitive list of what protocols that can or cannot be address translated. A general rule

is that VPN protocols cannot usually be translated. In addition, protocols that open secondary

connections in addition to the initial connection can be difficult to translate.

Some protocols that are difficult to address translate may be handled by specially written algorithms

designed to read and/or alter application data. These are commonly referred to as Application Layer

Gateways or Application Layer Filters. NetDefendOS supports a number of such Application Layer

Gateways and for more information please see Section 6.2, “Application Layer Gateways”.

7.3.6. Multiple SAT rule matches

NetDefendOS does not terminate the rule set lookup upon finding a matching SAT rule. Instead, it

continues to search for a matching Allow, NAT or FwdFast rule. Only when it has found such a

matching rule does the firewall execute the static address translation.

Despite this, the first matching SAT rule found for each address is the one that will be carried out.

"Each address" above means that two SAT rules can be in effect at the same time on the same

connection, provided that one is translating the sender address whilst the other is translating the

destination address.

# Action Src Iface Src Net Dest Iface Dest Net Parameters

1 SAT any all-nets core wwwsrv_pub TCP 80-85 SETDEST 192.168.0.50 1080

2 SAT lan lannet all-nets Standard SETSRC pubnet

The two above rules may both be carried out concurrently on the same connection. In this instance,

internal sender addresses will be translated to addresses in the "pubnet" in a 1:1 relation. In addition,

if anyone tries to connect to the public address of the web server, the destination address will be

changed to its private address.

# Action Src Iface Src Net Dest Iface Dest Net Parameters

1 SAT lan lannet wwwsrv_pub TCP 80-85 SETDEST intrasrv 1080

2 SAT any all-nets wwwsrv_pub TCP 80-85 SETDEST wwwsrv-priv 1080

In this instance, both rules are set to translate the destination address, meaning that only one of them

will be carried out. If an attempt is made internally to communicate with the web servers public

address, it will instead be redirected to an intranet server. If any other attempt is made to

communicate with the web servers public address, it will be redirected to the private address of the

publicly accessible web server.

Again, note that the above rules require a matching Allow rule at a later point in the rule set in order

to work.

7.3.7. SAT and FwdFast Rules

It is possible to employ static address translation in conjunction with FwdFast rules, although return

traffic must be explicitly granted and translated.

The following rules make up a working example of static address translation using FwdFast rules to

a web server located on an internal network:

# Action Src Iface Src Net Dest Iface Dest Net Parameters

1 SAT any all-nets core wan_ip http SETDEST wwwsrv 80

2 SAT lan wwwsrv any all-nets 80 -> All SETSRC wan_ip 80

3 FwdFast any all-nets core wan_ip http

4 FwdFast lan wwwsrv any all-nets 80 -> All

We add a NAT rule to allow connections from the internal network to the Internet:

7.3.6. Multiple SAT rule matches Chapter 7. Address Translation

217