Packet filtering – SnapGear 2.0.1 User Manual

Firewall

73

Packet Filtering

By default, your CyberGuard SG appliance allows network traffic as shown in the
following table:

You can configure your CyberGuard SG appliance with additional filter rules to allow or
restrict network traffic. These rules can match traffic based on the source and destination
address, the incoming and outgoing network port, and/or the services.

You can also configure your CyberGuard SG appliance to perform network address
translation (NAT). This may be in the form of source address NAT, destination address
NAT, or 1-to-1 NAT. Network address translation modifies the IP address and/or port of
traffic traversing the CyberGuard SG appliance.

The most common use of this is for port forwarding (aka PAT/Port Address Translation)
from ports on the CyberGuard SG appliance’s WAN interface to ports on machines on
the LAN. This is the most common way for internal, masqueraded servers to offer
services to the outside world. Destination NAT rules are used for port forwarding.

Source NAT rules are useful for masquerading one or more IP addresses behind a single
other IP address. This is the type of NAT used by the CyberGuard SG appliance to
masquerade your private network behind its public IP address.

1-to-1 NAT creates both Destination NAT and Source NAT rules for full IP address
translation in both directions. This can be useful if you have a range of IP addresses that
have been added as interface aliases on the CyberGuard SG appliance’s WAN interface,
and want to associate one of these external alias IP addresses with a single internal,
masqueraded computer. This effectively allocates the internal computer its own real
world IP address, also known as a virtual DMZ.

Function

NAT Method

Port forwarding (PAT)

Destination NAT

Masquerading

Source NAT

Virtual DMZ

1-to-1 NAT

Incoming Interface

Outgoing Interface

Action

LAN/VPN/Dial-In

Any

Accept

DMZ

WAN

Accept

DMZ

Any except WAN

Drop

WAN

Any

Drop