Firewall
111
The Incoming Interface is the interface/network port that the CyberGuard SG appliance received the network traffic on. The Outgoing Interface is the interface/network port that the CyberGuard SG appliance will route the network traffic out. None will match network traffic that is destined for the CyberGuard SG appliance itself. This is useful for controlling access to services provided by the CyberGuard SG appliance, such as the Web Management Console.

The Log option controls whether to log the first packet of the connection. You may enter a Log Prefix to make it easier to identify which rules are being matched when inspecting the system log.
NAT

Once appropriate addresses (and perhaps service groups) have been defined, you may add 1-to-1 and Destination NAT rules. Source NAT rules may be added at any time, as these may apply solely between the interfaces of the CyberGuard SG appliance itself. By default, the CyberGuard SG appliance performs Source NAT on traffic where the incoming interface is LAN and the outgoing interface is WAN. See the Advanced section of the chapter entitled Network Connections for information on configuring the basic masquerading (Source NAT) relationships between your CyberGuard SG appliance's interfaces.
Destination NAT/port forwarding

Destination NAT alters the destination address and optionally the destination port of packets received by the CyberGuard SG appliance. Typically this is used for port forwarding. Port forwarding allows controlled access to services provided by machines on your private network to users on the Internet by forwarding requests for a specific service coming into one of the CyberGuard SG appliance's interfaces (typically the WAN interface) to a machine on your LAN, which services the request.
Enable: Uncheck to temporarily disable this rule.
Descriptive Name: An arbitrary name for this rule.

This rule will be applied to packets that match the criteria described by the next four fields.

Incoming Interface: The interface that receives the request (for port forwarding this will typically be set to WAN/Internet).
Source Address: The address from which the request originated (for port forwarding you may specify this to restrict the internal service to be only accessible from a specific remote location).
Destination Address: The destination address of the request; this is the address that will be altered.
Destination Services: The destination service(s) (port(s)) of the request; many public ports may be forwarded to a single internal port.

The next two fields describe how matching packets should be altered.

To Destination Address: The address to replace the Destination Address (for port forwarding this will typically be the private address of an internal machine).
To Destination Service: The service to replace Destination Services; this need not be the same as the Destination Service used to match the packet, but often will be.

Generally leave Create a corresponding ACCEPT firewall rule checked unless you want to manually create a more restrictive filter rule through Rules.
Source NAT

Source NAT alters the source address and optionally the source port of packets received by the CyberGuard SG appliance. This is typically used for masquerading. You can use the Source NAT functionality of Packet Filtering to tweak your CyberGuard SG appliance's masquerading behaviour. See the Advanced section of the chapter entitled Network Connections for information on configuring the basic masquerading (Source NAT) relationships between your CyberGuard SG appliance's interfaces.

Enable: Uncheck to temporarily disable this rule.
Descriptive Name: An arbitrary name for this rule.

This rule will be applied to packets that match the criteria described by the next four fields.
Source Address: The address from which the request originated (for masquerading this will typically be a private LAN or DMZ address).
Outgoing Interface: The interface that receives the request (for masquerading this will typically be a private interface, i.e. LAN or DMZ).
Destination Address: The destination address of the request.
Destination Services: The destination service(s) (port(s)) of the request.

The next two fields describe how matching packets should be altered.

To Source Address: The address to replace the Source Address (for masquerading this will typically be a public address of the CyberGuard SG appliance, i.e. WAN/Internet).
To Source Service: The service to replace Source Services; this need not be the same as the Source Service used to match the packet, but often will be.
1-to-1 NAT

This creates both a Source NAT and a Destination NAT rule for mapping all services on an internal, private address to an external, public address.

Enable: Uncheck to temporarily disable this rule.
Descriptive Name: An arbitrary name for this rule.
The public network is on: Select the interface on which the public address resides; this will typically be WAN/Internet or DMZ.
Change private address: The private address to change.
Into public address: The public address, typically a WAN interface alias.

Leave Create a corresponding ACCEPT firewall rule checked to create a virtual DMZ type scenario, where the machine at the private address will be effectively unfirewalled.
Warning

Leaving Create a corresponding ACCEPT firewall rule checked will allow all traffic into and out from the specified private address, i.e. the private address will no longer be shielded by your CyberGuard SG appliance's firewall. Otherwise, you may manually create filter rules through Rules.
Rules

The Rules configuration page allows firewall experts to view the current firewall rules and add custom iptables firewall rules. To access this page, click Rules in the Firewall menu.

Note

Only experts on firewalls and iptables will be able to add effective custom firewall rules (further reading can be found at ). Configuring the CyberGuard SG appliance's firewall via the Incoming Access, Outgoing Access and Packet Filtering configuration pages is adequate for most applications.

Refer to Appendix C – System Log for details on creating custom log rules using iptables.
Universal Plug and Play Gateway

The Universal Plug and Play (UPnP) Gateway allows UPnP capable applications and devices to request port forwarding rules to be established on demand. This allows some applications and devices that may not operate correctly behind the NAT firewall to automatically work.

Warning

There is concern in the security community over the potential vulnerability that UPnP gateways present. For maximum security disable the UPnP Gateway feature.
Configuring the UPnP Gateway

The UPnP Gateway needs to be run on a pair of interfaces, the external interface and the internal interface.

The UPnP Gateway will send out notifications on the internal interface, advertising its presence on the network. Any UPnP capable applications or devices that you require to make use of the UPnP Gateway need to be connected to the CyberGuard SG appliance via this interface. The UPnP Gateway will listen on this interface to requests from UPnP capable applications and devices to establish port forwarding rules.

In response to these requests, the UPnP Gateway will establish port forwarding rules to allow matching packets to be forwarded from the configured external interface through to the internal interface.

Note

The port forwarding rules set up via the UPnP Gateway are temporary. Power cycling the CyberGuard SG appliance will clear the list of configured UPnP port forwarding rules, as will the event of either the internal or external interfaces becoming unavailable.

The UPnP Gateway is intended for transitory application port forwarding, such as those established by some versions of Microsoft Messenger for file transfers. For long term port forwarding, we recommend configuring the necessary rules via the Destination NAT features in Packet Filtering. Should there be a conflict, rules established via Packet Filtering will have priority over those established via the UPnP Gateway.
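The match-and-rewrite behaviour of a Destination NAT rule (the four match fields and two rewrite fields described under Destination NAT/port forwarding, including the source-address restriction and many public ports mapping to one internal port) together with the Packet Filtering-over-UPnP precedence stated above, as an added Python model that is not the appliance's own code. The Packet and DnatRule names, the origin tag and first-match evaluation order are assumptions; all addresses are constructed documentation-range values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List

@dataclass
class Packet:
    in_iface: str   # interface the appliance received the packet on
    src: str        # source address
    dst: str        # destination address (the field Destination NAT alters)
    dport: int      # destination service (port)

@dataclass
class DnatRule:
    name: str                               # Descriptive Name
    incoming_iface: str                     # Incoming Interface, e.g. "WAN"
    dest_addr: str                          # Destination Address to match
    dest_services: frozenset                # Destination Services: many public ports allowed
    to_dest_addr: str                       # To Destination Address (private machine)
    to_dest_service: Optional[int] = None   # To Destination Service; None keeps matched port
    source_addr: Optional[str] = None       # Source Address restriction; None = any source
    enable: bool = True                     # Enable: unchecked rules are skipped
    create_accept: bool = True              # Create a corresponding ACCEPT firewall rule
    origin: str = "packet_filtering"        # hypothetical tag: "packet_filtering" or "upnp"

def rule_matches(rule: DnatRule, pkt: Packet) -> bool:
    """All four match fields must agree; a disabled rule never matches."""
    return (rule.enable
            and pkt.in_iface == rule.incoming_iface
            and (rule.source_addr is None or pkt.src == rule.source_addr)
            and pkt.dst == rule.dest_addr
            and pkt.dport in rule.dest_services)

def apply_dnat(rules: List[DnatRule], pkt: Packet) -> Tuple[Packet, bool]:
    """Rewrite pkt with the first matching rule; Packet Filtering rules are tried before
    UPnP ones (assumed model of the stated priority). Returns (packet, forward accepted)."""
    ordered = sorted(rules, key=lambda r: 0 if r.origin == "packet_filtering" else 1)
    for rule in ordered:
        if rule_matches(rule, pkt):
            dport = pkt.dport if rule.to_dest_service is None else rule.to_dest_service
            return Packet(pkt.in_iface, pkt.src, rule.to_dest_addr, dport), rule.create_accept
    return pkt, False   # no forward; the packet is left to the ordinary filter rules

# Constructed sample rules (documentation address ranges, not values from the manual).
WEB = DnatRule("web", "WAN", "203.0.113.1", frozenset({80, 8080}), "192.168.0.10", 80)
SSH = DnatRule("ssh-admin", "WAN", "203.0.113.1", frozenset({22}), "192.168.0.20",
               source_addr="198.51.100.7")
UPNP = DnatRule("upnp-app", "WAN", "203.0.113.1", frozenset({80}), "192.168.0.99",
                origin="upnp")
RULES = [UPNP, WEB, SSH]   # UPnP listed first, yet WEB wins on port 80
```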
Port Tunnels

Port tunnels are point to point tunnels similar in many ways to port forwards. The CyberGuard SG appliance supports two distinct kinds of port tunnels:

httptunnel, which tunnels traffic using the HTTP protocol
stunnel, which tunnels traffic using SSL

httptunnel based tunnels are not encrypted. They are, however, rather good for penetrating zealous firewalls.