Operating System - HP-UX
Fred Martin_1
Valued Contributor

Firewall: NAT and FILTERS

I realize this is not related to HP-UX but I'm at a loss and hoping someone can help me out.

I have a Lucent Portmaster IRX firewall (Lucent, but formerly Livingston) - running ComOS 3.9.

I've had filters on the firewall for some time, but now need to use Network Address Translation (NAT).

Question - will NAT foul up my present filters? i.e. is the translation done before or after filtering?

In other words should the filters use the private IP addresses or the public?

Anyone with a Portmaster pls. reply!
Thanks
fmartin@applicatorssales.com
Christopher Caldwell
Honored Contributor

Re: Firewall: NAT and FILTERS

I'm not sure on Lucent - Cisco ACLs (filters) are applied to interfaces and (optionally) have directions.

So the answer for Cisco would be, it depends on where you apply the ACL (filter). If you apply to the outside (public) interface, the packets are already NAT'd. If you apply to the inside (private) interface, the packets have not yet been NAT'd.

YMMV.
Shannon Petry
Honored Contributor

Re: Firewall: NAT and FILTERS

Well, I don't have a Portmaster, but that shouldn't matter.
NAT occurs at the LAN side of the router. Filters occur at the WAN side of the router. You can run both and change both on the fly and it should not impact the other end.
i.e. a port filter on ports 20,21 to block FTP blocks all FTP from the WAN side.
NAT occurs when a client makes a request for a port. Let's say a client wants to FTP. The NAT occurs at the client side, and gets to the WAN side of the router, at which point it is blocked by the filter.
The NAT still occurs because in a router the 2 interfaces/networks have to act separately.

Regards,
Shannon
Microsoft. When do you want a virus today?
James Beamish-White
Trusted Contributor
Solution

Re: Firewall: NAT and FILTERS

I can only answer based on Firewall-1, but for F1 the answer is "no".

For an example, (F1 based), the allow/deny rulebase is processed first, then the NAT/PAT rules. E.g. (public IP 1.1.1.1, private IP range 2.2.2.2)

1.1.1.1:80 -> allowed -> PAT to 2.2.2.2 creates a session.
PAT rules back and forth allow 1.1.1.1 <-> 2.2.2.2

Hope this helps,
Cheers!
James
GARDENOFEDEN> create light
Shannon Petry
Honored Contributor

Re: Firewall: NAT and FILTERS

Reading the other message, I guess you could configure the filters on the client side; it's just not sensible to me to let the traffic get through the WAN side and then filter....

So be careful on where your filters are.
Microsoft. When do you want a virus today?
Fred Martin_1
Valued Contributor

Re: Firewall: NAT and FILTERS

Right, the filters are applied to the WAN port, and I've left the LAN open (although I could filter there as well).

The filters are basically in the form:

permit src-addr/mask dst-addr/mask protocol src-port dst-port

There are inbound packets and outbound packets and there are separate filters for each.

I'm not sure I have my question answered; it all still depends on precisely where NAT is applied.

I have the IRX-211, and can't find anything on the Lucent website. The manuals I have were printed when Livingston was still around and prior to NAT being part of the software, that was a later upgrade.
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: Firewall: NAT and FILTERS

Found my answer, by doing the following.

I created a filter with a single entry:

permit log

That one line permits everything but logs the detail.

After only a few seconds I could see that not one of my internal private IPs was showing in the logs; only the public address (NAT was converting the private to public).

So the answer is: yes, NAT was fouling my present filters, which explicitly named hosts by the private IP addresses.

Filtering occurs -after- NAT. So the filters need to use the public IP address.

Thanks all,
Fred
fmartin@applicatorssales.com
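As an added illustration of the thread's conclusion (not code from the original posts or from Lucent), the Python below models a WAN-side filter in the "permit src-addr/mask dst-addr/mask protocol src-port dst-port" form Fred quoted, shows why a rule naming a private host matches only when filtering runs before NAT, and generalises Fred's "permit log" check: if the logged source addresses are all public, the filter is seeing post-NAT packets. The public address, the "any" wildcard and the default-deny behaviour are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample value (not from the thread): the public address NAT rewrites inside hosts to.
PUBLIC_ADDR = "203.0.113.5"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def parse_rule(text):
    """Parse a filter line in the thread's form: permit src-addr/mask dst-addr/mask
    protocol src-port dst-port ('any' is assumed here as a wildcard for any field)."""
    action, src, dst, proto, sport, dport = text.split()
    return (action, src, dst, proto, sport, dport)

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _field_match(spec, value):
    return spec == "any" or spec == str(value)

def rule_matches(rule, pkt):
    _, src, dst, proto, sport, dport = rule
    return (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst) and _field_match(proto, pkt.proto)
            and _field_match(sport, pkt.sport) and _field_match(dport, pkt.dport))

def filter_decision(rules, pkt):
    """First matching rule wins; an unmatched packet is denied (assumed default)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"

def outbound(pkt, rules, filter_after_nat):
    """Model an outbound packet hitting the WAN-side filter, with NAT before or after the filter."""
    if filter_after_nat:  # Fred's finding: the filter sees the already-translated source
        pkt = Packet(PUBLIC_ADDR, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    return filter_decision(rules, pkt)

def filter_sees_private(logged_sources):
    """Fred's 'permit log' check: any RFC1918 source in the log means the filter
    runs before NAT; only public addresses means it runs after NAT."""
    return any(ipaddress.ip_address(s) in net for s in logged_sources for net in RFC1918)
```

The same rule that permits the inside host's FTP when filtering precedes NAT silently stops matching once NAT runs first, which is exactly the breakage Fred observed.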