D-Link DFL-260E User Manual for DFL-260E - Page 382
SAT and FwdFast Rules, FwdFast
View all D-Link DFL-260E manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 382 highlights
7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation matching rule does NetDefendOS execute the static address translation. Despite this, the first matching SAT rule found for each address is the one that will be carried out. The phrase "each address" above means that two SAT rules can be in effect at the same time on the same connection, provided that one is translating the sender address whilst the other is translating the destination address. # Action 1 SAT 2 SAT Src Iface any lan Src Net all-nets lannet Dest Iface core any Dest Net wwwsrv_pub Standard Parameters TCP 80-85 SETDEST 192.168.0.50 1080 SETSRC pubnet The two above rules may both be carried out concurrently on the same connection. In this instance, internal sender addresses will be translated to addresses in pubnet in a 1:1 relationship. In addition, if anyone tries to connect to the public address of the web server, the destination address will be changed to its private address. # Action 1 SAT 2 SAT Src Iface lan any Src Net lannet all-nets Dest Iface wwwsrv_pub wwwsrv_pub Dest Net TCP 80-85 TCP 80-85 Parameters SETDEST intrasrv 1080 SETDEST wwwsrv-priv 1080 In this instance, both rules are set to translate the destination address, meaning that only one of them will be carried out. If an attempt is made internally to communicate with the web server's public address, it will instead be redirected to an intranet server. If any other attempt is made to communicate with the web server's public address, it will be redirected to the private address of the publicly accessible web server. Again, note that the above rules require a matching Allow rule at a later point in the rule set in order to work. 7.4.7. SAT and FwdFast Rules It is possible to employ static address translation in conjunction with FwdFast rules, although return traffic must be explicitly granted and translated. The following rules make up a working example of static address translation using FwdFast rules to a web server located on an internal network: # Action Src Iface 1 SAT any 2 SAT lan 3 FwdFast any 4 FwdFast lan Src Net all-nets wwwsrv all-nets wwwsrv Dest Iface core any core any Dest Net wan_ip all-nets wan_ip all-nets Parameters http SETDEST wwwsrv 80 80 -> All SETSRC wan_ip 80 http 80 -> All We now add a NAT rule to allow connections from the internal network to the Internet: # Action 5 NAT Src Iface lan Src Net lannet Dest Iface any Dest Net all-nets Parameters all_services What happens now is as follows: • External traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Correct. • Return traffic from wwwsrv:80 will match rules 2 and 4, and will appear to be sent from wan_ip:80. Correct. • Internal traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. This is almost correct; the packets will arrive at wwwsrv, but: • Return traffic from wwwsrv:80 to internal machines will be sent directly to the machines 382