Kerio Tech Firewall6 User Manual

Page 88


Chapter 7

Traffic Policy


Destination

The Internet interfaces group. With this group, the rule is usable for any type of Internet connection (see chapter 6), and it does not need to be modified even if the Internet connection is changed.

Service

This entry can be used to define global limitations for Internet access. If particular services are defined for IP translation, only those services are translated, and no other Internet service is reachable from the local network.

Action

For a rule to be valid, one of the following three actions must be set: Permit, Drop, or Deny.

Translation

In the Source NAT section, select the Default settings option (the primary IP address of the interface through which packets leave the WinRoute host will be used for NAT). This also guarantees the versatility of the rule: IP address translation will always work correctly, regardless of the Internet connection type and of the particular link through which the packet is sent to the Internet.

Warning

The No translation option should be set in the Destination address translation section, otherwise the rule might not function. Combining source and destination IP address translation is relevant under special conditions only.

Placing the rule

The rule for source address translation must be preceded by all rules which deny access to the Internet from the local network.

Note: Such a rule allows access to the Internet from any host in the local network, but not from the firewall itself (i.e. from the WinRoute host)!

Traffic between the firewall and the Internet must be enabled by a separate rule. Since the WinRoute host accesses the Internet directly, NAT is not necessary for this rule.

Figure 7.22 Rule for traffic between the firewall and hosts in the Internet
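The ordering and translation behaviour described above (deny rules placed before the NAT rule, service limits on the NAT rule, and the firewall host needing its own non-NAT rule) can be made concrete with a small first-match policy evaluator. This is an added example, not code from the Kerio manual or the WinRoute product; the addresses, rule names, the "local_net"/"firewall"/"any" source objects, and the default-deny at the end of the policy are assumptions made for the illustration.

```python
"""Toy first-match evaluator for a WinRoute-style traffic policy.

Added example, not code from the Kerio manual. It models only the fields
the manual discusses (source, destination, service, action, source NAT)
to show why rule order matters and why the firewall host needs its own rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed sample addressing (assumption, not taken from the manual).
LOCAL_NET = ip_network("192.168.1.0/24")
FIREWALL_ADDRS = {ip_address("192.168.1.1"), ip_address("203.0.113.10")}
WAN_PRIMARY_IP = "203.0.113.10"  # primary IP of the Internet interface, used by "Default settings" NAT


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


@dataclass
class Rule:
    name: str
    source: str                   # "local_net" | "firewall" | "any"
    destination: str              # "internet" | "any"
    services: Optional[Set[str]]  # None means any service
    action: str                   # "Permit" | "Drop" | "Deny"
    source_nat: bool = False      # Translation: Source NAT "Default settings"


def _src_matches(rule: Rule, pkt: Packet) -> bool:
    src = ip_address(pkt.src)
    if rule.source == "any":
        return True
    if rule.source == "firewall":
        return src in FIREWALL_ADDRS
    # "local_net": traffic from LAN hosts. The firewall's own traffic is a
    # different source object, so it is deliberately excluded here.
    return src in LOCAL_NET and src not in FIREWALL_ADDRS


def _dst_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.destination == "any":
        return True
    # "internet": anything outside the local network (simplification)
    return ip_address(pkt.dst) not in LOCAL_NET


def _svc_matches(rule: Rule, pkt: Packet) -> bool:
    return rule.services is None or pkt.service in rule.services


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, Optional[str]]:
    """First-match evaluation: the first rule whose conditions match decides.

    Returns (rule name, action, source address after translation or None).
    A packet matching no rule is dropped (assumed default-deny at the end).
    """
    for rule in rules:
        if _src_matches(rule, pkt) and _dst_matches(rule, pkt) and _svc_matches(rule, pkt):
            if rule.action == "Permit":
                new_src = WAN_PRIMARY_IP if rule.source_nat else pkt.src
                return (rule.name, "Permit", new_src)
            return (rule.name, rule.action, None)
    return ("<default>", "Drop", None)


# Rules as the section describes them (names are constructed).
NAT_RULE = Rule("NAT", "local_net", "internet", None, "Permit", source_nat=True)
LIMITED_NAT = Rule("NAT (HTTP only)", "local_net", "internet", {"HTTP"}, "Permit", source_nat=True)
DENY_SMTP = Rule("Deny SMTP from LAN", "local_net", "internet", {"SMTP"}, "Deny")
FIREWALL_OUT = Rule("Firewall -> Internet", "firewall", "internet", None, "Permit")  # no NAT needed


def policy(deny_before_nat: bool) -> List[Rule]:
    """Correct ordering puts the deny rule before the NAT rule."""
    if deny_before_nat:
        return [DENY_SMTP, NAT_RULE, FIREWALL_OUT]
    return [NAT_RULE, DENY_SMTP, FIREWALL_OUT]


if __name__ == "__main__":
    lan_http = Packet("192.168.1.50", "198.51.100.7", "HTTP")
    lan_smtp = Packet("192.168.1.50", "198.51.100.7", "SMTP")
    fw_dns = Packet("203.0.113.10", "198.51.100.53", "DNS")
    for ordered in (True, False):
        print("deny before NAT:", ordered)
        for p in (lan_http, lan_smtp, fw_dns):
            print("  ", p.service, "from", p.src, "->", evaluate(policy(ordered), p))
    print("HTTP-only NAT, SMTP from LAN ->", evaluate([LIMITED_NAT], lan_smtp))
```

With the deny rule placed after the NAT rule, SMTP from the LAN is matched by the NAT rule first and the deny rule is never reached; with the NAT rule alone, traffic originating on the firewall host matches nothing and falls through to the default drop, which is why the separate firewall rule exists.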

Port mapping

Port mapping allows services hosted on the local network (typically in private networks) to become available over the Internet. The locally hosted server behaves as if it were located directly on the Internet (at the public address of the WinRoute host).

Since version 6.4.0, WinRoute also allows mapped services to be accessed from the local network. This avoids problems with different DNS records for the Internet and the local network.

A traffic rule for port mapping can be defined as follows:
