
Multiple sat rule matches, Sat and fwdfast rules – D-Link DFL-2500 User Manual


configuration.

There is no definitive list of which protocols can or cannot be address translated. As a general rule, VPN protocols usually cannot be translated, since they typically authenticate or encrypt the very addressing information that translation would have to rewrite. Protocols that open secondary connections in addition to the initial connection can also be difficult to translate, because the addresses and ports of those secondary connections are negotiated inside the application data, which a plain address translator does not inspect.

Some protocols that are difficult to address translate can be handled by specially written algorithms that read and, where necessary, alter the application data. These are commonly referred to as Application Layer Gateways (ALGs) or Application Layer Filters. NetDefendOS supports a number of such Application Layer Gateways; for more information, see Section 6.2, “Application Layer Gateways”.

7.3.6. Multiple SAT rule matches

NetDefendOS does not terminate the rule set lookup upon finding a matching SAT rule. Instead, it continues to search for a matching Allow, NAT or FwdFast rule, and only when such a rule is found does it carry out the static address translation. A SAT rule that is not followed by a matching Allow, NAT or FwdFast rule therefore has no effect at all.

However, only the first matching SAT rule found for each address (sender or destination) is carried out; later SAT rules for the same address are ignored.

"Each address" above means that two SAT rules can be in effect at the same time on the same
connection, provided that one is translating the sender address whilst the other is translating the
destination address.

#  Action  Src Iface  Src Net   Dest Iface  Dest Net    Parameters
1  SAT     any        all-nets  core        wwwsrv_pub  TCP 80-85 SETDEST 192.168.0.50 1080
2  SAT     lan        lannet                all-nets    Standard SETSRC pubnet

The two rules above may both be carried out on the same connection. In this instance, internal sender addresses are translated to addresses in pubnet in a 1:1 relation (each host keeps its host part and only the network part changes), and at the same time, if anyone connects to the public address of the web server, the destination address is changed to its private address.

#  Action  Src Iface  Src Net   Dest Iface  Dest Net    Parameters
1  SAT     lan        lannet                wwwsrv_pub  TCP 80-85 SETDEST intrasrv 1080
2  SAT     any        all-nets              wwwsrv_pub  TCP 80-85 SETDEST wwwsrv-priv 1080

In this instance, both rules translate the destination address, so only one of them is carried out for any given connection. Because rule 1 comes first and matches only traffic from lannet, an internal attempt to reach the web server's public address is redirected to an intranet server, while any other attempt to reach the web server's public address is redirected to the private address of the publicly accessible web server. Rule order is what makes this work: placed the other way round, the more general rule 2 would match internal traffic first and rule 1 would never take effect.

Again, note that the rules above require a matching Allow rule at a later point in the rule set in order to work.

7.3.7. SAT and FwdFast Rules

It is possible to employ static address translation in conjunction with FwdFast rules. Because a FwdFast rule forwards packets without creating an entry in the state table, return traffic is not recognized automatically as belonging to an existing connection; it must be explicitly granted and translated back by SAT and FwdFast rules of its own.

The following rules make up a working example of static address translation using FwdFast rules to
a web server located on an internal network:

#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT      any        all-nets  core        wan_ip    http SETDEST wwwsrv 80
2  SAT      lan        wwwsrv    any         all-nets  80 -> All SETSRC wan_ip 80
3  FwdFast  any        all-nets  core        wan_ip    http
4  FwdFast  lan        wwwsrv    any         all-nets  80 -> All
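The lookup behaviour described in Sections 7.3.6 and 7.3.7 is easy to get wrong when writing rule sets, so here is an added example that is not code from the manual or from NetDefendOS: a small Python simulation of the rule set walk (SAT matches are remembered, the first SETDEST and the first SETSRC win, nothing is translated unless a later Allow, NAT or FwdFast rule matches, and FwdFast keeps no state), run against the three tables in these two sections. The address-book prefixes, the client and interface names, the use of "core" as the destination interface for the firewall's own addresses, and the "any" and "core" Dest Iface values for the cells the page leaves empty are all assumptions; SETDEST and SETSRC simply apply the single port given, so port-range offsets are not modelled.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed address book: names from the manual's tables, prefixes assumed
# (RFC 5737 documentation ranges), not values taken from the manual.
ADDRESS_BOOK = {
    "all-nets": ip_network("0.0.0.0/0"), "lannet": ip_network("192.168.0.0/24"),
    "pubnet": ip_network("203.0.113.0/24"), "wan_ip": ip_network("203.0.113.1/32"),
    "wwwsrv_pub": ip_network("203.0.113.80/32"), "intrasrv": ip_network("192.168.0.10/32"),
    "wwwsrv-priv": ip_network("192.168.0.50/32"), "wwwsrv": ip_network("192.168.0.50/32"),
}
ANY = (1, 65535)  # inclusive port range covering every port

def resolve(name: str) -> IPv4Network:  # address-book name or literal address
    return ADDRESS_BOOK[name] if name in ADDRESS_BOOK else ip_network(name)

@dataclass(frozen=True)
class Packet:
    src_iface: str
    src_ip: IPv4Address
    sport: int
    dest_iface: str  # "core" when the packet is addressed to the firewall itself
    dest_ip: IPv4Address
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str  # SAT, Allow, NAT, FwdFast or Drop
    src_iface: str  # interface name or "any"
    src_net: str
    dest_iface: str  # interface name, "core" or "any"
    dest_net: str
    sports: Tuple[int, int] = ANY  # service: source port range
    dports: Tuple[int, int] = ANY  # service: destination port range
    setdest: Optional[Tuple[str, Optional[int]]] = None  # (new address, new port)
    setsrc: Optional[Tuple[str, Optional[int]]] = None  # (new network, new port)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_iface in ("any", pkt.src_iface)
            and pkt.src_ip in resolve(rule.src_net)
            and rule.dest_iface in ("any", pkt.dest_iface)
            and pkt.dest_ip in resolve(rule.dest_net)
            and rule.sports[0] <= pkt.sport <= rule.sports[1]
            and rule.dports[0] <= pkt.dport <= rule.dports[1])

def lookup(rules, pkt: Packet) -> Tuple[str, Packet]:
    """Walk the rule set top-down; return (verdict, packet after translation)."""
    out, dest_done, src_done = pkt, False, False
    for rule in rules:
        if not matches(rule, pkt):  # every rule matches the untranslated packet
            continue
        if rule.action == "SAT":
            # Only the first matching SAT rule per address counts; lookup goes on.
            if rule.setdest and not dest_done:
                name, port = rule.setdest
                out = replace(out, dest_ip=resolve(name).network_address,
                              dport=out.dport if port is None else port)
                dest_done = True
            if rule.setsrc and not src_done:
                name, port = rule.setsrc
                # 1:1 translation: keep the host part, swap the network prefix
                offset = int(pkt.src_ip) - int(resolve(rule.src_net).network_address)
                out = replace(out, src_ip=resolve(name).network_address + offset,
                              sport=out.sport if port is None else port)
                src_done = True
            continue
        if rule.action in ("Allow", "NAT", "FwdFast"):
            return rule.action, out  # the SAT translation takes effect only now
        break  # explicit Drop
    return "Drop", pkt  # no Allow/NAT/FwdFast matched: the SAT rules had no effect

BOTH_ADDRESSES = [  # 7.3.6, first table; rule 2's Dest Iface is not on the page, "any" assumed
    Rule("SAT", "any", "all-nets", "core", "wwwsrv_pub", dports=(80, 85), setdest=("192.168.0.50", 1080)),
    Rule("SAT", "lan", "lannet", "any", "all-nets", setsrc=("pubnet", None)),
    Rule("Allow", "any", "all-nets", "any", "all-nets"),  # the Allow rule the text says must follow
]
TWO_SETDEST = [  # 7.3.6, second table; both rules SETDEST, so the first match wins
    Rule("SAT", "lan", "lannet", "core", "wwwsrv_pub", dports=(80, 85), setdest=("intrasrv", 1080)),
    Rule("SAT", "any", "all-nets", "core", "wwwsrv_pub", dports=(80, 85), setdest=("wwwsrv-priv", 1080)),
    Rule("Allow", "any", "all-nets", "any", "all-nets"),
]
FWDFAST = [  # 7.3.7; rules 2 and 4 grant and translate the return direction
    Rule("SAT", "any", "all-nets", "core", "wan_ip", dports=(80, 80), setdest=("wwwsrv", 80)),
    Rule("SAT", "lan", "wwwsrv", "any", "all-nets", sports=(80, 80), setsrc=("wan_ip", 80)),
    Rule("FwdFast", "any", "all-nets", "core", "wan_ip", dports=(80, 80)),
    Rule("FwdFast", "lan", "wwwsrv", "any", "all-nets", sports=(80, 80)),
]

def demo():  # run the tables against constructed packets (all addresses assumed)
    ext, www = ip_address("198.51.100.9"), ip_address("203.0.113.80")
    lan_to_www = Packet("lan", ip_address("192.168.0.7"), 40000, "core", www, 80)
    www_reply = Packet("lan", ip_address("192.168.0.50"), 80, "wan", ext, 51000)
    return {
        "both_addresses": lookup(BOTH_ADDRESSES, lan_to_www),
        "setdest_internal": lookup(TWO_SETDEST, lan_to_www),
        "setdest_external": lookup(TWO_SETDEST, Packet("wan", ext, 51000, "core", www, 80)),
        "sat_without_allow": lookup(BOTH_ADDRESSES[:2], lan_to_www),
        "fwdfast_return": lookup(FWDFAST, www_reply),
        "fwdfast_return_no_rules_2_4": lookup([FWDFAST[0], FWDFAST[2]], www_reply),
    }
```

Calling demo() returns one (verdict, translated packet) pair per scenario: the first table translates both the internal sender (192.168.0.7 becomes 203.0.113.7) and the web server's destination on the same connection; in the second table the internal client lands on intrasrv while the external one lands on wwwsrv-priv; with the Allow rule removed the verdict is Drop and nothing is translated; and the web server's reply is translated back to wan_ip:80 and forwarded only when rules 2 and 4 are present, which is the point of the FwdFast section.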

We add a NAT rule to allow connections from the internal network to the Internet:

Chapter 7. Address Translation