#
Action
Src Iface
Src Net
Dest Iface
Dest Net
Parameters
3
NAT
lan
lannet
wan
all-nets
All
Now, what is wrong with this rule set?
If we assume that we want to implement address translation for reasons of security as well as functionality, we
discover that this rule set makes our internal addresses visible to machines in the DMZ. When internal machines
connect to wan_ip port 80, they will be allowed to proceed by rule 2 as it matches that communication. From an
internal perspective, all machines in the DMZ should be regarded as any other Internet-connected servers; we do
not trust them, which is the reason for locating them in a DMZ in the first place.
There are two possible solutions:
1.
Rule 2 can be changed so that it only applies to external traffic.
2.
Rules 2 and 3 can be swapped so that the NAT rule is carried out for internal traffic before the Allow rule
matches.
Which of these two options is the best? For this configuration, it makes no difference. Both solutions work just as
well.
However, suppose that we use another interface, ext2, in the NetDefend Firewall and connect it to another
network, perhaps to that of a neighboring company so that they can communicate much faster with our servers.
If option 1 was selected, the rule set must be adjusted like this:
#
Action
Src Iface
Src Net
Dest Iface
Dest Net
Parameters
1
SAT
any
all-nets
core
wan_ip
http SETDEST 10.10.10.5 80
2
Allow
wan
all-nets
core
wan_ip
http
3
Allow
ext2
ext2net
core
wan_ip
http
4
NAT
lan
lannet
any
all-nets
All
This increases the number of rules for each interface allowed to communicate with the web server. However, the
rule ordering is unimportant, which may help avoid errors.
If option 2 was selected, the rule set must be adjusted like this:
#
Action
Src Iface
Src Net
Dest Iface
Dest Net
Parameters
1
SAT
any
all-nets
core
wan_ip
http SETDEST 10.10.10.5 80
2
NAT
lan
lannet
core
wan_ip
All
3
Allow
any
all-nets
core
wan_ip
http
This means that the number of rules does not need to be increased. This is good as long as all interfaces can be
trusted to communicate with the web server. If, however, at a later point we add an interface that cannot be
trusted to communicate with the web server, separate Drop rules would have to be placed before the rule granting
all machines access to the web server.
Determining the best course of action must be done on a case-by-case basis, taking all circumstances into
account.
Example 7.4. Enabling Traffic to a Web Server on an Internal Network
The example we have decided to use is that of a web server with a private address located on an internal
network. From a security standpoint, this approach is wrong, as web servers are very vulnerable to attack and
should therefore be located in a DMZ. However, due to its simplicity, we have chosen to use this model in our
example.
In order for external users to access the web server, they must be able to contact it using a public address. In this
example, we have chosen to translate port 80 on the NetDefend Firewall's external address to port 80 on the web
server:
#
Action
Src Iface
Src Net
Dest Iface
Dest Net
Parameters
1
SAT
any
all-nets
core
wan_ip
http SETDEST wwwsrv 80
7.4.1. Translation of a Single IP
Address (1:1)
Chapter 7. Address Translation
352
Summary of Contents for NetDefend DFL-260E
Page 27: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 27...
Page 79: ...2 7 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 79...
Page 146: ...3 9 DNS Chapter 3 Fundamentals 146...
Page 227: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 227...
Page 241: ...5 4 IP Pools Chapter 5 DHCP Services 241...
Page 339: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 339...
Page 360: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 360...
Page 382: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 382...
Page 386: ...The TLS ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 386...
Page 439: ...Figure 9 3 PPTP Client Usage 9 5 4 PPTP L2TP Clients Chapter 9 VPN 439...
Page 450: ...9 7 6 Specific Symptoms Chapter 9 VPN 450...
Page 488: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 488...
Page 503: ...11 6 HA Advanced Settings Chapter 11 High Availability 503...
Page 510: ...12 3 5 Limitations Chapter 12 ZoneDefense 510...
Page 533: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 533...