Changes between Version 3 and Version 4 of RulesNAT


Timestamp: 04/08/09 10:18:21 (11 years ago)
Author: Victor Julien
Comment: --

  • RulesNAT

    v3 v4  
    1414What does this mean? It basicly says: all connections of type http (webbrowsing) from you local network to the internet will be natted. Simple heh!?
    1515
    16 Please note: the snat action in Vuurmuur does not create ACCEPT rules in iptables. This means that you have to create ACCEPT rules as well. In the above example this means:
     16Please note: the SNAT action in Vuurmuur does not create ACCEPT rules in iptables. This means that you have to create ACCEPT rules as well. In the above example this means:
    1717{{{
    1818accept service http from local.lan to world.inet
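Review bot: the unchanged context at line 14 still reads 'basicly' and 'you local network'; since this revision only fixes the capitalisation of 'SNAT' on line 16, the same pass could correct those to 'basically' and 'your local network'. The note on line 16 is the security-relevant part of this section (SNAT alone opens nothing, the `accept` rule on line 18 is what permits the traffic), so it may be worth stating the reverse as well: an `accept` without the matching snat rule lets the connection out un-translated.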
     
    3434If you use Vuurmuur in a NAT environment, hosts on the internet by default can't reach the machines in the lan behind the firewall. The solution to enable this is called portforwarding. What happens is the following. A client is connecting to a port on the firewalls public ipaddress. The firewall is configured to translate this connection so it is send to a host on your network behind the firewall. To the client this is transparant.
    3535
    36 To create a portforwarding rule in Vuurmuur you select 'Portfw' as action, and the server as destination. Vuurmuur figures out by itself that the initial connection is made to the firewall itself. Unlike Source NAT, with portfw you don't have to create accept rules! The portfw action takes care of that.
     36To create a portforwarding rule in Vuurmuur you select 'Portfw' as action, and the server as destination. Vuurmuur figures out by itself that the initial connection is made to the firewall itself. Unlike Source NAT, with portfw you don't have to create accept rules! The portfw action takes care of that. You can use the DNAT action for creating the nat rules only.
    3737
    3838Example:
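Review bot: the added sentence on line 36, "You can use the DNAT action for creating the nat rules only", leaves the consequence implicit; say directly that DNAT, unlike Portfw, does not add the ACCEPT rules, so they have to be created by hand exactly as described for SNAT earlier on the page, and write 'NAT' in capitals for consistency with the 'SNAT' change in the same revision. Line 34 in the unchanged context also has 'ipaddress', 'is send' and 'transparant', which should read 'IP address', 'is sent' and 'transparent'.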
     
    9191== Source port randomization ==
    9292
    93 In 0.5.74 alpha 6 the 'random' option was introduced for all above actions except redirect. The purpose of this option is to randomize the source ports of the connections that are NAT'd. This is useful for dealing with the current day DNS problems. For a write up on that see: http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
     93In Vuurmuur 0.6 the 'random' option was introduced for all above actions except redirect. The purpose of this option is to randomize the source ports of the connections that are NAT'd. This is useful for dealing with the current day DNS problems. For a write up on that see: http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
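Review bot: "the current day DNS problems" on line 93 is time-bound and will not tell a later reader what the option defends against; the linked write-up's URL already names it (DNS cache poisoning), so state that in the sentence rather than relying on the link. The version reference change from '0.5.74 alpha 6' to 'Vuurmuur 0.6' is fine, but the sentence should also mention that 'random' is only meaningful for NAT'd connections, as line 93 itself says, so that readers do not expect it to affect traffic that is merely accepted.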