Changes between Version 3 and Version 4 of RulesNAT
Timestamp: 04/08/09 10:18:21 (13 years ago)
RulesNAT
v3 v4 14 14 What does this mean? It basicly says: all connections of type http (webbrowsing) from you local network to the internet will be natted. Simple heh!? 15 15 16 Please note: the snataction in Vuurmuur does not create ACCEPT rules in iptables. This means that you have to create ACCEPT rules as well. In the above example this means:16 Please note: the SNAT action in Vuurmuur does not create ACCEPT rules in iptables. This means that you have to create ACCEPT rules as well. In the above example this means: 17 17 {{{ 18 18 accept service http from local.lan to world.inet … … 34 34 If you use Vuurmuur in a NAT environment, hosts on the internet by default can't reach the machines in the lan behind the firewall. The solution to enable this is called portforwarding. What happens is the following. A client is connecting to a port on the firewalls public ipaddress. The firewall is configured to translate this connection so it is send to a host on your network behind the firewall. To the client this is transparant. 35 35 36 To create a portforwarding rule in Vuurmuur you select 'Portfw' as action, and the server as destination. Vuurmuur figures out by itself that the initial connection is made to the firewall itself. Unlike Source NAT, with portfw you don't have to create accept rules! The portfw action takes care of that. 36 To create a portforwarding rule in Vuurmuur you select 'Portfw' as action, and the server as destination. Vuurmuur figures out by itself that the initial connection is made to the firewall itself. Unlike Source NAT, with portfw you don't have to create accept rules! The portfw action takes care of that. You can use the DNAT action for creating the nat rules only. 37 37 38 38 Example: … … 91 91 == Source port randomization == 92 92 93 In 0.5.74 alpha6 the 'random' option was introduced for all above actions except redirect. The purpose of this option is to randomize the source ports of the connections that are NAT'd. 
This is useful for dealing with the current day DNS problems. For a write up on that see: http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html93 In Vuurmuur 0.6 the 'random' option was introduced for all above actions except redirect. The purpose of this option is to randomize the source ports of the connections that are NAT'd. This is useful for dealing with the current day DNS problems. For a write up on that see: http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
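Review bot: the change at line 16 (the "snataction" to "SNAT action" fix) leaves the note incomplete on one point readers get wrong: it should say why the accept rule is written with the original source, as in the example `accept service http from local.lan to world.inet`. SNAT happens in the nat POSTROUTING chain after the filter FORWARD chain has seen the packet, so the ACCEPT rule must match the untranslated local address, not the public address the packet leaves with. One sentence to that effect after "In the above example this means:" would make the ordering explicit.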
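Review bot: the sentence added at line 36, "You can use the DNAT action for creating the nat rules only.", is ambiguous right after "with portfw you don't have to create accept rules": it does not say that DNAT is the opposite case. Suggest stating it directly, e.g. "If you only want the NAT rule (for example because you manage the accept rules yourself), use the DNAT action; unlike Portfw it does not create ACCEPT rules, so forwarded traffic is dropped until you add one." Since DNAT rewrites the destination in PREROUTING before the filter FORWARD chain, that accept rule must name the internal server as destination, which is worth saying as well.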
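Review bot: the version correction at line 93 ("0.5.74 alpha6" to "Vuurmuur 0.6") is fine, but the paragraph still does not explain what problem the 'random' option solves or which iptables feature it depends on. Suggest adding that a NAT firewall which assigns source ports sequentially undoes the source port randomization of the DNS resolvers behind it, which is the exposure the linked cipherdyne write-up addresses, and that the option asks the NAT target to choose ports randomly instead (the NAT targets' --random flag, if that is what Vuurmuur emits), together with the minimum iptables and kernel versions that support it, so administrators on older systems know to check that the generated rules actually load.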