Packet Filtering

By default, your CyberGuard SG appliance allows network traffic as shown in the following table:

Incoming Interface    Outgoing Interface    Action
LAN/VPN/Dial-In       Any                   Accept
DMZ                   WAN                   Accept
DMZ                   Any except WAN        Drop
WAN                   Any                   Drop

You can configure your CyberGuard SG appliance with additional filter rules to allow or restrict network traffic. These rules can match traffic based on the source and destination address, the incoming and outgoing network port, and/or the services.

You can also configure your CyberGuard SG appliance to perform network address translation (NAT). This may be in the form of source address NAT, destination address NAT, or 1-to-1 NAT. Network address translation modifies the IP address and/or port of traffic traversing the CyberGuard SG appliance.

The most common use of this is for port forwarding (aka PAT/Port Address Translation) from ports on the CyberGuard SG appliance’s WAN interface to ports on machines on the LAN. This is the most common way for internal, masqueraded servers to offer services to the outside world. Destination NAT rules are used for port forwarding.

Source NAT rules are useful for masquerading one or more IP addresses behind a single other IP address. This is the type of NAT used by the CyberGuard SG appliance to masquerade your private network behind its public IP address.

1-to-1 NAT creates both Destination NAT and Source NAT rules for full IP address translation in both directions. This can be useful if you have a range of IP addresses that have been added as interface aliases on the CyberGuard SG appliance’s WAN interface, and want to associate one of these external alias IP addresses with a single internal, masqueraded computer. This effectively allocates the internal computer its own real world IP address, also known as a virtual DMZ.

Function                NAT Method
Port forwarding (PAT)   Destination NAT
Masquerading            Source NAT
Virtual DMZ             1-to-1 NAT
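The default policy table and the three NAT methods above, as an added example that is not code from the manual or from the appliance itself: a small Python model that checks a packet against the default rows and then applies port-forward (Destination NAT), masquerade (Source NAT) or 1-to-1 rules, showing that a 1-to-1 entry produces one rule of each kind. It assumes that DNAT runs before filtering and SNAT after it, that a forwarded host sits on the LAN, and that all addresses and rules are constructed; the page does not state how the real appliance orders these stages.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "in_if out_if src dst dport")  # in_if/out_if: arriving/leaving interface

# Default filter policy, row for row from the manual's table: (incoming, outgoing, action).
DEFAULT_POLICY = [({"LAN", "VPN", "Dial-In"}, "Any", "Accept"),
                  ({"DMZ"}, {"WAN"}, "Accept"),
                  ({"DMZ"}, "Any except WAN", "Drop"),
                  ({"WAN"}, "Any", "Drop")]

def _out_ok(spec, out_if):
    if spec == "Any":
        return True
    return out_if != "WAN" if spec == "Any except WAN" else out_if in spec

def filter_action(pkt, extra_rules=()):
    # User-added rules (in_if, dst, dport or None, action) are tried before the default policy.
    for in_if, dst, dport, action in extra_rules:
        if pkt.in_if == in_if and pkt.dst == dst and dport in (None, pkt.dport):
            return action
    for in_set, out_spec, action in DEFAULT_POLICY:
        if pkt.in_if in in_set and _out_ok(out_spec, pkt.out_if):
            return action
    return "Drop"  # assumption: traffic matching no row is dropped

# NAT tables (constructed for this example, not from the manual).
dnat = {}  # (dst, dport or None for all ports) -> new dst
snat = []  # (source network, new src); most specific entry first

def port_forward(wan_ip, port, internal):  # port forwarding = Destination NAT
    dnat[(wan_ip, port)] = internal
def masquerade(net, wan_ip):               # masquerading = Source NAT
    snat.append((net, wan_ip))
def one_to_one(alias_ip, internal):        # virtual DMZ: one rule of each kind for one host
    dnat[(alias_ip, None)] = internal
    snat.insert(0, (internal + "/32", alias_ip))

def traverse(pkt, extra_rules=()):
    # DNAT, then filter, then SNAT: the order this model assumes.
    new_dst = dnat.get((pkt.dst, pkt.dport)) or dnat.get((pkt.dst, None))
    if new_dst:
        pkt = pkt._replace(dst=new_dst, out_if="LAN")  # assumption: forwarded host sits on the LAN
    action = filter_action(pkt, extra_rules)
    if action == "Accept" and pkt.out_if == "WAN":
        for net, new_src in snat:
            if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net):
                pkt = pkt._replace(src=new_src)
                break
    return action, pkt
```

Because the filter sees the packet after DNAT, an accept rule for a port-forwarded service has to name the internal address, and a 1-to-1 host leaves with its alias address rather than the masquerade address.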

73 Firewall

SnapGear 2.0.1 user manual