Copyright © 2014 NEXCOM International Co., Ltd. All Rights Reserved.

IFA 3610/IFA 2610/IFA 1610 User Manual

Chapter 5: The Firewall Menu


Note:

There are dozens of predefined services that can be chosen from the drop-down menus, and they should suffice to allow
the most common services to access the Internet. A user-defined combination of port and protocol should be used only
if a service is not running on a standard port (e.g., an SSH server listening on port 2345 or a web server running on
port 7981) or if a service uses a particular port (e.g., a multiplayer game on the Internet).

▪ ‘Access from’ sub-rule. Almost every rule can be further detailed by adding several Access from sub-rules to it, for
example to limit access to a client depending on the zone from which it connects to the appliance. Access from
sub-rules can be configured when the advanced mode is selected (see below). As a consequence, a rule can appear split
over two or more lines, depending on the number of access policies defined. Each Access from sub-rule can be deleted
individually without changing the main rule, and each sub-rule can even have a different filter policy.

Policy, Filter Policy. The action to carry out on the packets that match the current rule. The drop-down menu allows
one to select among four options: Allow with IPS - let the packet pass but analyse it with the Intrusion Prevention
System, Allow - let the packet pass without any check, Drop - discard the packet, and Reject - discard the packet and
send an error packet in response.

Enabled. Every rule created is enabled by default, but it can be saved without being activated by unticking the
checkbox, i.e., it will not be taken into account for packet filtering. Disabling a rule may prove useful when
troubleshooting connection problems.

Log, Log all accepted packets. By default, no log entry is written when traffic is filtered. To enable logging for a
rule, tick the box.

Warning:

If there is a lot of traffic and many packets to be analysed, the size of the log files will likely grow rapidly, so in
this case remember to check the log directory regularly to avoid running out of space!

Remark. A description or a remark about the rule, to remember the purpose of the rule.

Position. Recall that the iptables rules are processed in the order they appear in the list and that some of them are
“terminating” rules, i.e., they may drop or reject a packet and stop the processing of the subsequent rules. This
drop-down menu allows one to choose in which position this rule should be saved.

Actions. On all rules several actions can be carried out:

▪ Move the rule upwards or downwards in the list.

Hint: Remember that the ordering matters! The firewall rules are processed in the order they appear in the page, top
to bottom.

▪ Enable or disable the rule.

▪ Modify the rule.

▪ Remove the rule.

Finally, after every change to the firewall rules has been saved, the firewall should be restarted to reload the
configuration. A callout with a clickable Apply button will appear as a reminder of this.
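As an added illustration (not NEXCOM code), the following Python model reproduces the rule evaluation just described: each rule carries the Policy, Enabled and Log fields, rules are checked top to bottom, the first enabled match decides the packet, and moving a rule up or down changes the outcome. The zone names, the sample rules and the implicit default drop are assumptions made for the example.

```python
"""Constructed model of ordered firewall-rule evaluation (not the appliance's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

POLICIES = ("ALLOW_IPS", "ALLOW", "DROP", "REJECT")  # the four filter policies


@dataclass
class Rule:
    name: str
    src_zone: str            # 'Access from' zone, or "any" (zone names assumed)
    dst_port: Optional[int]  # None matches any destination port
    protocol: str            # "tcp", "udp" or "any"
    policy: str              # one of POLICIES
    enabled: bool = True     # an unticked rule is saved but ignored
    log: bool = False        # "Log all accepted packets"


@dataclass
class Packet:
    src_zone: str
    dst_port: int
    protocol: str


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_zone in ("any", pkt.src_zone)
            and rule.dst_port in (None, pkt.dst_port)
            and rule.protocol in ("any", pkt.protocol))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "DROP") -> Tuple[str, str, List[str]]:
    """Walk the list top to bottom; the first enabled matching rule is terminating.
    Returns (verdict, deciding rule name, log lines). Default verdict is an assumption."""
    logs: List[str] = []
    for rule in rules:
        if not rule.enabled or not matches(rule, pkt):
            continue  # disabled or non-matching rules are skipped, processing continues
        if rule.log and rule.policy.startswith("ALLOW"):  # only accepted packets are logged
            logs.append(f"{rule.name}: {rule.policy} {pkt.protocol}/{pkt.dst_port} from {pkt.src_zone}")
        return rule.policy, rule.name, logs
    return default, "default policy", logs


def move(rules: List[Rule], index: int, delta: int) -> List[Rule]:
    """Return a copy with one rule moved up (delta=-1) or down (delta=+1), like the arrow actions."""
    new = rules[:]
    target = max(0, min(len(new) - 1, index + delta))
    new.insert(target, new.pop(index))
    return new
```

Swapping the order of a specific allow rule and a catch-all drop rule flips the verdict for the same packet, which is the point of the "ordering matters" hint above.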

5.2 Port Forwarding / NAT

The Port forwarding / NAT module is composed of three tabs: Port forwarding / DNAT, Source NAT, and Incoming routed
traffic. Its purpose is to manage all the traffic that flows through the uplink, from the RED zone to the appliance, and
the NAT-ed traffic, both incoming and outgoing.

5.2.1 Port forwarding / Destination NAT

Destination NAT is usually employed to limit network access from an untrusted network or to redirect traffic coming
from the untrusted network and directed to a given port or address-port combination. It is possible to define which
port on which interface should be forwarded to which host and port.
