Firewall
137
Configuring the CyberGuard SG appliance’s firewall via the Incoming Access and
Outgoing Access and Packet Filtering configuration pages is adequate for most
applications.
Refer to Appendix C – System Log for details on creating custom log rules using iptables.
Network Address Translation (NAT)
Network address translation (NAT) modifies the IP address and/or port of traffic
traversing the CyberGuard SG appliance. The CyberGuard SG appliance supports
several types of network address translation.
The most common of these is Port Forwarding (also known as port address translation,
PAT or destination NAT, DNAT). This is typically used to alter the destination address
(and possibly port) of matched packets arriving on the CyberGuard SG appliance Internet
interface to the address of a host on the LAN. This is the most common way for internal,
masqueraded servers to offer services to the outside world.
Source NAT rules are useful for masquerading one or more IP addresses behind a
single other IP address. This is the type of NAT used by the CyberGuard SG appliance
to masquerade your private network behind its public IP address.
To a server on the Internet, requests originating from hosts behind a masqueraded
interface appear to originate from the CyberGuard SG appliance, because matched packets
have their source address rewritten. You may enable or disable source NAT between
interfaces under Masquerading, and fine tune source NAT rules under Source NAT.
1-to-1 NAT is a combination of destination NAT and source NAT. Both destination NAT
and source NAT rules are created for full IP address translation in both directions. This
can be useful if you have a range of IP addresses that have been added as interface
aliases on the CyberGuard SG appliance’s WAN interface, and want to associate one of
these external alias IP addresses with a single internal, masqueraded computer. This
effectively allocates the internal computer its own real world IP address, also known as a
virtual DMZ.
Port forwarding
Port forwarding rules alter the destination address and optionally the destination port of
packets received by the CyberGuard SG appliance.
Port forwarding allows controlled access to services provided by machines on your
private network to users on the Internet by forwarding requests for a specific service
coming into one of the CyberGuard SG appliance’s interfaces (typically the WAN
interface) to a machine on your LAN, which services the request.
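The three NAT types described above (port forwarding/DNAT, source NAT/masquerading, and 1-to-1 NAT) expressed as iptables rules, as an added example; this is not code from the CyberGuard SG manual or appliance, and the interface names (eth1 as WAN, eth0 as LAN), addresses and ports are constructed placeholders. The script only prints the rules it would apply unless APPLY=1 is set, and it pairs each port-forwarding DNAT rule with the FORWARD accept rule that is also needed, since address translation alone does not admit the traffic through the filter.

```shell
#!/bin/sh
# Added example (not from the CyberGuard SG manual): emit the iptables rules that
# implement the NAT types described above. Interface names, addresses and ports
# are constructed placeholders. Rules are printed (dry run) unless APPLY=1 is set.

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Port forwarding (DNAT): rewrite the destination of packets arriving on the WAN
# interface for one service so they reach an internal server. The matching
# FORWARD rule is required too; the DNAT rule by itself does not grant access.
port_forward() {
    wan_if=$1 proto=$2 ext_port=$3 int_ip=$4 int_port=$5
    run iptables -t nat -A PREROUTING -i "$wan_if" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    run iptables -A FORWARD -i "$wan_if" -p "$proto" -d "$int_ip" --dport "$int_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Source NAT (masquerading): hide a private range behind the WAN address.
# MASQUERADE uses whatever address the interface currently has (DHCP/PPP links);
# SNAT --to-source is used when the public address is fixed.
source_nat() {
    lan_net=$1 wan_if=$2 public_ip=${3:-}
    if [ -n "$public_ip" ]; then
        run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j SNAT --to-source "$public_ip"
    else
        run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
    fi
}

# 1-to-1 NAT ("virtual DMZ"): DNAT everything addressed to one WAN alias to an
# internal host, and SNAT that host's outbound traffic back to the alias, so the
# host appears to own the alias address in both directions.
one_to_one_nat() {
    wan_if=$1 alias_ip=$2 int_ip=$3
    run iptables -t nat -A PREROUTING -i "$wan_if" -d "$alias_ip" -j DNAT --to-destination "$int_ip"
    run iptables -t nat -A POSTROUTING -s "$int_ip" -o "$wan_if" -j SNAT --to-source "$alias_ip"
}

# Demonstration with constructed values: a web server on the LAN reachable via the
# WAN address, the LAN masqueraded behind the WAN link, and one alias mapped 1-to-1.
demo() {
    port_forward eth1 tcp 80 192.168.0.10 80
    source_nat 192.168.0.0/24 eth1
    one_to_one_nat eth1 203.0.113.6 192.168.0.20
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh nat-rules.sh demo` to see the rules; with `APPLY=1` the same functions execute the commands instead of printing them. Note that the 1-to-1 rule has no `-p`/`--dport` match, so on its own it exposes every service on the internal host that the FORWARD chain permits; the filter rules, not the NAT rules, decide what actually gets through.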