Kerio Tech Firewall6 User Manual
Page 84
Chapter 7
Traffic Policy
84
are let in. This translation method guarantees high security — the firewall will not let in any
packet which is not a response to the sent request.
However, many applications (especially applications working with multimedia, Voice over IP
technologies, etc.) use another traffic method where other clients can (with direct connection
established) connect to a port “opened” by an outgoing packet. Therefore, WinRoute supports
also the Full cone NAT mode where the described restrictions are not applied for incoming
packets. The port then lets in incoming packets with any source IP address and port. This
translation method allows running of applications in the private network that would either
work only partially or they would not work at all.
For example of using of Full cone NAT for VoIP applications, refer to chapter
.
Warning
Use of Full cone NAT brings certain security threats — the port opened by outgoing connection
can be accessed without any restrictions being applied. For this reason, it is recommended to
enable Full cone NAT only for a specific service (i.e. to create a special rule for this purpose).
By any means do not allow Full cone NAT in the general rule for traffic from the local network
to the Internet
! Such rule would significantly decrease security of the local network.
Note:
1.
Older versions of WinRoute (to version 6.3.1 incl.) used so called Symmetric NAT where
each outgoing connection on the firewall was assigned a new source port from the reserved
range. For this reason, since 6.4.0 WinRoute includes significantly improved support for
VoIP and multimedia applications than the previous versions even without using special
traffic rules. Both methods have the same security level — they differ only in method of
assigning source ports on the firewall.
2.
The method of IP address translation having been used since version 6.4.0 (i.e. Port re-
stricted cone NAT) allows also using of the IPSec protocol. Special support for IPSec in-
cluded in older versions of WinRoute is not needed any longer.
Destination NAT (port mapping):
Destination address translation (also called port mapping) is used to allow access to services
hosted in private local networks behind the firewall. All incoming packets that meet defined
rules are re-directed to a defined host (destination address is changed). This actually “moves”
to the Internet interface of the WinRoute host (i.e. IP address it is mapped from). From the
client’s point of view, the service is running on the IP address from which it is mapped (usually
on the firewall’s IP address).
Options for destination NAT (port mapping):
Typically the NAT rule created by the Traffic policy wizard — see chapter