Kerio Tech Firewall6 User Manual
Page 84
Chapter 7
Traffic Policy
are let in. This translation method guarantees high security — the firewall will not let in any packet which is not a response to a request sent from the local network.
However, many applications (especially multimedia and Voice over IP applications) use a different traffic pattern: other hosts establish a direct connection to a port “opened” by an outgoing packet, without having been contacted from that port first. For this reason WinRoute also supports the Full cone NAT mode, in which the restrictions described above are not applied to incoming packets: once a port has been opened by an outgoing packet, it lets in incoming packets from any source IP address and port. This translation method allows such applications to run in the private network; under the restrictive mode they would work only partially or not at all.
For an example of using Full cone NAT for VoIP applications, refer to chapter .
Warning
Use of Full cone NAT brings certain security threats — the port opened by an outgoing connection can be accessed from the Internet without any restrictions. For this reason, it is recommended to enable Full cone NAT only for a specific service (i.e. to create a special traffic rule for that purpose). Never allow Full cone NAT in the general rule for traffic from the local network to the Internet! Such a rule would significantly decrease the security of the local network.
Note:
1. Older versions of WinRoute (up to and including 6.3.1) used so-called Symmetric NAT, where each outgoing connection on the firewall was assigned a new source port from the reserved range. Since version 6.4.0, WinRoute therefore offers significantly improved support for VoIP and multimedia applications compared to previous versions, even without special traffic rules. Both methods have the same security level — they differ only in how source ports are assigned on the firewall.
2. The address translation method used since version 6.4.0 (i.e. Port restricted cone NAT) also allows use of the IPSec protocol. The special IPSec support included in older versions of WinRoute is no longer needed.
Destination NAT (port mapping):
Destination address translation (also called port mapping) is used to allow access to services hosted in the private local network behind the firewall. All incoming packets that match the defined rules are redirected to a defined host (the destination address is changed). This effectively “moves” the service to the Internet interface of the WinRoute host (i.e. the IP address it is mapped from). From the client’s point of view, the service is running on the IP address from which it is mapped (usually the firewall’s IP address).
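The NAT behaviours described on this page (inbound filtering under Symmetric, Port restricted cone and Full cone NAT, and a destination NAT port mapping) can be made concrete with a small simulation. The following Python model is an added example, not code from the Kerio manual or from WinRoute; the firewall's public address, the LAN hosts, the ports and the class and method names are constructed for illustration.

```python
"""Model of the NAT filtering behaviours described on this manual page.

Added example, not part of the Kerio manual and not WinRoute code. It
simulates how a firewall decides whether an inbound packet is let in under
the three source-NAT modes the page names (symmetric, port restricted cone,
full cone) and how a destination-NAT (port mapping) rule redirects inbound
traffic to a host in the private network. All addresses and ports are
constructed sample values (TEST-NET ranges).
"""
from dataclasses import dataclass, field

FIREWALL_PUBLIC_IP = "203.0.113.10"   # constructed public address of the firewall


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    internal: tuple                          # (private ip, port) of the LAN host
    external_port: int                       # port used on the firewall's public address
    peers: set = field(default_factory=set)  # (ip, port) pairs this mapping has sent to


class Nat:
    """Source NAT with a selectable inbound filtering mode plus static port maps."""

    MODES = ("symmetric", "port_restricted_cone", "full_cone")

    def __init__(self, mode, first_port=40000):
        if mode not in self.MODES:
            raise ValueError("unknown NAT mode %r" % mode)
        self.mode = mode
        self.next_port = first_port      # next free port in the reserved range
        self.mappings = []               # list of Mapping
        self.port_maps = {}              # external port -> (private ip, port)

    def _find(self, internal, peer):
        for m in self.mappings:
            if m.internal != internal:
                continue
            # Symmetric NAT: a new external port for every destination, so an
            # existing mapping is reused only for the very same peer.
            if self.mode == "symmetric" and peer not in m.peers:
                continue
            return m
        return None

    def outbound(self, pkt):
        """Translate a LAN host's outgoing packet and record the mapping it opens."""
        internal = (pkt.src_ip, pkt.src_port)
        peer = (pkt.dst_ip, pkt.dst_port)
        m = self._find(internal, peer)
        if m is None:
            m = Mapping(internal, self.next_port)
            self.next_port += 1
            self.mappings.append(m)
        m.peers.add(peer)
        return Packet(FIREWALL_PUBLIC_IP, m.external_port, pkt.dst_ip, pkt.dst_port)

    def add_port_map(self, external_port, private_ip, private_port):
        """Destination NAT: publish a LAN service on the firewall's public address."""
        self.port_maps[external_port] = (private_ip, private_port)

    def inbound(self, pkt):
        """Return the translated packet if the firewall lets it in, otherwise None."""
        if pkt.dst_ip != FIREWALL_PUBLIC_IP:
            return None
        # A static port mapping is meant to be reachable by any client.
        if pkt.dst_port in self.port_maps:
            ip, port = self.port_maps[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        for m in self.mappings:
            if m.external_port != pkt.dst_port:
                continue
            src = (pkt.src_ip, pkt.src_port)
            # Full cone: any source may use a port opened by an outgoing packet.
            # Symmetric and port restricted cone: only a peer that was contacted.
            if self.mode == "full_cone" or src in m.peers:
                return Packet(pkt.src_ip, pkt.src_port, *m.internal)
        return None


if __name__ == "__main__":
    # Constructed scenario: a LAN softphone registers with a SIP server, then an
    # unrelated host on the Internet probes the port the firewall opened.
    call = Packet("192.168.1.20", 5060, "198.51.100.5", 5060)
    stranger = Packet("198.51.100.99", 9999, FIREWALL_PUBLIC_IP, 40000)
    for mode in Nat.MODES:
        nat = Nat(mode)
        nat.outbound(call)
        print("%-22s stranger admitted: %s" % (mode, nat.inbound(stranger) is not None))
```

Running the script shows that only `full_cone` lets the unrelated host's packet through to the LAN host, which is exactly the exposure the warning on this page refers to; the port map added with `add_port_map` is reachable by any client in every mode, as a destination NAT rule is intended to be.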
Options for destination NAT (port mapping):
Typically the NAT rule created by the Traffic policy wizard — see chapter