Example – Westermo RedFox Series User Manual
Page 701

Westermo OS Management Guide
Version 4.17.0-0
31.1.4.2.3 1-1 NAT and implicit firewall rules
Consider the sample network setup shown in the referenced figures. Assuming the "inbound" interface is named "vlan2", the "1-to-1" NAT rule can be achieved with the following CLI command.
Example
# Example with implicit firewall rule
example:/config/ip/firewall/#> nat type 1-to-1 in vlan2 dst 10.20.30.0/24 to-dst 192.168.2.0/24 addfilter
The "addfilter" attribute adds implicit firewall rules that allow forward traffic to pass through the firewall automatically. One rule is created in each direction, as shown below.
Example
example:/#> show firewall
...
=== Forwarding Packet Filter Rules ===========================================
Forwarding Policy DROP
target   prot  in     out    source          destination
...
ACCEPT   all   vlan2  any    anywhere        192.168.2.0/24
ACCEPT   all   any    vlan2  192.168.2.0/24  anywhere
...
Using "addfilter" makes it easy to get your NAT traffic through the firewall in either direction. But where there are security concerns, such as when the "inbound" interface is located on the public Internet, the "addfilter" option for "1-to-1 NAT" is too permissive: it accepts traffic initiated from any source on the inbound interface. Instead you can add explicit firewall rules that allow traffic according to your specific requirements. An example is shown below where traffic may only be initiated from the private network (i.e., the "reverse" direction as shown in the referenced figure). Note that the "nat" command does not include the "addfilter" option here.
Example
# Example with explicit firewall rule instead of implicit
example:/config/ip/firewall/#> nat type 1-to-1 in vlan2 dst 10.20.30.0/24 to-dst 192.168.2.0/24
example:/config/ip/firewall/#> filter allow out vlan2 src 192.168.2.0/24
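The two configurations above, as an added example that is not from the Westermo manual or from WeOS itself: a small Python model that expands the "nat ... addfilter" line into the two implicit forwarding rules listed by "show firewall", evaluates the DROP-policy forwarding filter for a flow initiated from either side, and flags the permissive case the text warns about. Assumed: "vlan1" as the private-side interface name, 203.0.113.7 as an Internet host, and that only a flow's first packet is evaluated with the private-side addresses the listed rules use (connection tracking of replies is not modelled).

```python
import ipaddress

def parse_cmd(cmd):
    """Parse a 'nat ...' or 'filter <action> ...' CLI line; 'addfilter' becomes True."""
    tok = cmd.split()
    opts, i = {"cmd": tok[0]}, 1
    if tok[0] == "filter":
        opts["action"], i = tok[1], 2
    while i < len(tok):
        if tok[i] == "addfilter":
            opts["addfilter"], i = True, i + 1
        else:
            opts[tok[i]], i = tok[i + 1], i + 2
    return opts

def forward_rules(cmds):
    """Forwarding rules (target, in, out, src, dst) as 'show firewall' lists them:
    the two implicit rules that 'addfilter' creates, plus explicit 'filter allow'."""
    rules = []
    for o in map(parse_cmd, cmds):
        if o["cmd"] == "nat" and o.get("addfilter"):
            rules.append(("ACCEPT", o["in"], "any", "anywhere", o["to-dst"]))
            rules.append(("ACCEPT", "any", o["in"], o["to-dst"], "anywhere"))
        elif o["cmd"] == "filter" and o["action"] == "allow":
            rules.append(("ACCEPT", o.get("in", "any"), o.get("out", "any"),
                          o.get("src", "anywhere"), o.get("dst", "anywhere")))
    return rules

def _match(value, spec):
    """'any'/'anywhere' match everything; a CIDR matches by network; else exact."""
    if spec in ("any", "anywhere"):
        return True
    return ipaddress.ip_address(value) in ipaddress.ip_network(spec) if "/" in spec else value == spec

def forward_verdict(rules, in_if, out_if, src, dst, policy="DROP"):
    """First-match verdict for the initial packet of a flow, with the private-side
    addresses the listed rules use; reply handling by connection tracking is not modelled."""
    for target, r_in, r_out, r_src, r_dst in rules:
        if _match(in_if, r_in) and _match(out_if, r_out) and _match(src, r_src) and _match(dst, r_dst):
            return target
    return policy

def accepts_from_public(rules, public_if):
    """True if a rule admits flows initiated on the public-facing interface from any source."""
    return any(r[0] == "ACCEPT" and r[1] == public_if and r[3] == "anywhere" for r in rules)

# Constructed inputs: the two configurations from the manual text (vlan2 = inbound side).
IMPLICIT = ["nat type 1-to-1 in vlan2 dst 10.20.30.0/24 to-dst 192.168.2.0/24 addfilter"]
EXPLICIT = ["nat type 1-to-1 in vlan2 dst 10.20.30.0/24 to-dst 192.168.2.0/24",
            "filter allow out vlan2 src 192.168.2.0/24"]
```

With IMPLICIT an Internet-initiated flow to a mapped host is accepted on vlan2, whereas with EXPLICIT it falls through to the DROP policy and only flows initiated from 192.168.2.0/24 pass.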
The resulting firewall rule is shown below.
© 2015 Westermo Teleindustri AB