Allowing incoming services, Network address translation – WatchGuard Technologies WatchGuard SOHO and SOHO | tc User Manual

User Guide 2.3

35

Allowing incoming services

Allowing incoming services

By default, the security stance of the SOHO is to deny unsolicited
incoming packets to computers on the private network protected
by the SOHO firewall. You can, however, selectively open your
network to certain types of Internet connectivity. For example, if
you would like to set up a Web server behind the SOHO, you can
add an incoming Web service.
It is important to remember that each service you add opens a
small window into your private network and marginally reduces
your security. This is the inherent trade-off between access and
security.

Network address translation

All incoming connections through a SOHO automatically use a
feature called dynamic network address translation (dynamic
NAT). Without dynamic NAT, your internal, private addresses
would not be passed along the Internet to their destination.
Furthermore, the SOHO protects your internal network by
disguising private IP addresses. During an Internet connection, all
traffic passed between computers includes their IP address
information. However, due to the dynamic NAT feature,
applications and servers on the Internet only see the public,
external IP address of the SOHO itself and are never privy to the
addresses in your private network address range when they
exchange information with a computer behind your firewall.
Imagine that you install a computer behind the SOHO with the
private IP address 192.168.111.12. If this address were broadcast to
the Internet, hackers could easily direct an attack on the computer
itself. Instead, the SOHO converts the address automatically to the
public, external address of the SOHO. When a hacker tries to