D-Link DFL-800-AV-12 User Manual - Page 211
Translation of a Single IP, Address 1:1, Source Interface
View all D-Link DFL-800-AV-12 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 211 highlights
7.3.1. Translation of a Single IP Address (1:1) Chapter 7. Address Translation Then create a corresponding Allow rule: 1. Go to Rules > IP Rules > Add > IPRule 2. Specify a suitable name for the rule, eg. Allow_HTTP_To_DMZ 3. Now enter: • Action: Allow • Service: http • Source Interface: any • Source Network: all-nets • Destination Interface: core • Destination Network: wan_ip 4. Under the Service tab, select http in the Pre-defined list 5. Click OK The example results in the following two rules in the rule set: # Action Src Iface Src Net Dest Iface 1 SAT any all-nets core 2 Allow any all-nets core Dest Net wan_ip wan_ip Parameters http SETDEST 10.10.10.5 80 http These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection. Of course, we also need a rule that allows internal machines to be dynamically address translated to the Internet. In this example, we use a rule that permits everything from the internal network to access the Internet via NAT hide: # Action Src Iface Src Net Dest Iface Dest Net Parameters 3 NAT lan lannet any all-nets All Now, what is wrong with this rule set? If we assume that we want to implement address translation for reasons of security as well as functionality, we discover that this rule set makes our internal addresses visible to machines in the DMZ. When internal machines connect to wan_ip port 80, they will be allowed to proceed by rule 2 as it matches that communication. From an internal perspective, all machines in the DMZ should be regarded as any other Internet-connected servers; we do not trust them, which is the reason for locating them in a DMZ in the first place. There are two possible solutions: 1. You can change rule 2 so that it only applies to external traffic. 2. You can swap rules 2 and 3 so that the NAT rule is carried out for internal traffic before the Allow rule matches. Which of these two options is the best? For this configuration, it makes no difference. Both solutions work just as well. However, suppose that we use another interface, ext2, in the D-Link Firewall and connect it to another network, perhaps to that of a neighboring company so that they can communicate much faster with our servers. If option 1 was selected, the rule set must be adjusted thus: # Action Src Iface Src Net Dest Iface Dest Net Parameters 1 SAT any all-nets core wan_ip http SETDEST 10.10.10.5 80 2 Allow wan all-nets core wan_ip http 211