matching rule does NetDefendOS execute the static address translation.
Despite this, the first matching SAT rule found for each address is the one that will be carried out.
The phrase "each address" above means that two SAT rules can be in effect at the same time on the
same connection, provided that one is translating the sender address whilst the other is translating
the destination address.
# Action Src Iface Src Net Dest Iface Dest Net Parameters
1 SAT any all-nets core wwwsrv_pub TCP 80-85 SETDEST 192.168.0.50 1080
2 SAT lan lannet any Standard SETSRC pubnet
The two above rules may both be carried out concurrently on the same connection. In this instance,
internal sender addresses will be translated to addresses in pubnet in a 1:1 relationship. In addition,
if anyone tries to connect to the public address of the web server, the destination address will be
changed to its private address.
# Action Src Iface Src Net Dest Iface Dest Net Parameters
1 SAT lan lannet wwwsrv_pub TCP 80-85 SETDEST intrasrv 1080
2 SAT any all-nets wwwsrv_pub TCP 80-85 SETDEST wwwsrv-priv 1080
In this instance, both rules are set to translate the destination address, meaning that only one of them
will be carried out. If an attempt is made internally to communicate with the web server's public
address, it will instead be redirected to an intranet server. If any other attempt is made to
communicate with the web server's public address, it will be redirected to the private address of the
publicly accessible web server.
Again, note that the above rules require a matching Allow rule at a later point in the rule set in order
to work.
7.4.7. SAT and FwdFast Rules
It is possible to employ static address translation in conjunction with FwdFast rules, although return
traffic must be explicitly granted and translated.
The following rules make up a working example of static address translation using FwdFast rules to
a web server located on an internal network:
# Action Src Iface Src Net Dest Iface Dest Net Parameters
1 SAT any all-nets core wan_ip http SETDEST wwwsrv 80
2 SAT lan wwwsrv any all-nets 80 -> All SETSRC wan_ip 80
3 FwdFast any all-nets core wan_ip http
4 FwdFast lan wwwsrv any all-nets 80 -> All
We now add a NAT rule to allow connections from the internal network to the Internet:
# Action Src Iface Src Net Dest Iface Dest Net Parameters
5 NAT lan lannet any all-nets all_services
What happens now is as follows:
• External traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Correct.
• Return traffic from wwwsrv:80 will match rules 2 and 4, and will appear to be sent from
wan_ip:80. Correct.
• Internal traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. This is almost
correct; the packets will arrive at wwwsrv, but:
• Return traffic from wwwsrv:80 to internal machines will be sent directly to the machines
7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation
388
To Next Page
Loading...
