5th January 2009
jggimi

Further clarification of NAT and redirection

If there are specific ports you know about, or, ranges of ports you know about, for specific systems in your DMZ, you may write a redirect rule.

In situations where port numbers are unknown ... how do you redirect that traffic to the appropriate system?

Let us pretend that your various systems have TCP ports open, but you don't know the port number, nor can you limit the port number to a specific range.

Let us also pretend that your firewall receives a TCP SYN packet incoming to your single IP address, TCP protocol, port number 12345. A SYN packet is the first packet of the three-way TCP handshake.

NAT allows the firewall to replace the 78.134.x.x Internet IP address with the appropriate private IP address, such as 192.168.1.13 or 192.168.0.8, and then route the packet on to that address. State is tracked. Packets sent in reply from 192.168.1.13 or 192.168.0.8 will have their IPs replaced with 78.134.x.x and be routed on via your ISP.

If there is no rdr rule for that port, the firewall will assume the packet is destined for the firewall itself, and will respond according to inbound pass/block rules and if a service is listening on that port.

Since NAT only allows the replacement of one IP address with another, I suppose it is possible to redirect to the broadcast address. However, I doubt a broadcast will work: IP supports multicasting (the broadcasting of packets), but TCP cannot be broadcast.

Think about it for a moment. If that SYN packet is sent to every device in the DMZ, every device will respond to it, and to any and all follow-on packets. The handshake will likely never properly complete, since the first rejection packet will stop the attempted connection.
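The behaviour jggimi describes above (an inbound SYN matched against rdr rules, state created on a match so the DMZ host's reply is translated back, and a packet with no matching rdr rule treated as destined for the firewall itself) as a small Python model. This is an added illustration, not code from the post or from PF: the public address 78.134.0.1, the private targets, the remote address 203.0.113.5 and the port ranges are all constructed for the example, and the state table is keyed far more simply than a real firewall's.

```python
"""Toy model of rdr + NAT state tracking, as described in the post above.

Added illustration only (not PF's own implementation). Assumed values:
public address 78.134.0.1, DMZ hosts 192.168.1.13 and 192.168.0.8, and a
remote client at 203.0.113.5. Port ranges are constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

PUBLIC_IP = "78.134.0.1"   # assumed single public address (78.134.x.x in the post)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


@dataclass(frozen=True)
class RdrRule:
    ports: range           # inbound destination ports this rule covers
    target: str            # private DMZ address the packet is redirected to


class Firewall:
    """Single public address in front of a DMZ, with rdr rules and a state table."""

    def __init__(self, public_ip: str, rules: List[RdrRule]) -> None:
        self.public_ip = public_ip
        self.rules = rules
        # state key: (remote ip, remote port, public ip, public port) -> DMZ host
        self.state: Dict[Tuple[str, int, str, int], str] = {}

    def inbound(self, pkt: Packet) -> Tuple[str, Packet]:
        """Classify an inbound packet and return (verdict, packet to forward)."""
        if pkt.dst != self.public_ip:
            return ("drop", pkt)                       # not addressed to us
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:                          # follow-on packet of a tracked flow
            return ("redirected", replace(pkt, dst=self.state[key]))
        if "S" in pkt.flags and "A" not in pkt.flags:  # new connection: SYN only
            for rule in self.rules:
                if pkt.dport in rule.ports:
                    self.state[key] = rule.target      # state is tracked from here on
                    return ("redirected", replace(pkt, dst=rule.target))
        # no rdr rule for this port: the packet is for the firewall itself,
        # and its fate depends on the inbound pass/block rules and listeners
        return ("local", pkt)

    def outbound(self, pkt: Packet) -> Tuple[str, Packet]:
        """Reply from a DMZ host: if it matches state, rewrite its source to the public IP."""
        key = (pkt.dst, pkt.dport, self.public_ip, pkt.sport)
        if self.state.get(key) == pkt.src:
            return ("translated", replace(pkt, src=self.public_ip))
        return ("untranslated", pkt)


def demo() -> Tuple[str, str, str, str, str, str]:
    """Walk one redirected handshake and one packet with no rdr rule."""
    fw = Firewall(PUBLIC_IP, [
        RdrRule(range(80, 81), "192.168.1.13"),        # known single port
        RdrRule(range(8000, 8100), "192.168.0.8"),     # known port range
    ])
    remote = "203.0.113.5"                             # constructed remote client
    syn = Packet(remote, 40000, PUBLIC_IP, 80, "S")
    v_syn, fwd = fw.inbound(syn)                       # rdr to 192.168.1.13, state created
    synack = Packet(fwd.dst, 80, remote, 40000, "SA")
    v_reply, out = fw.outbound(synack)                 # source rewritten to public IP
    ack = Packet(remote, 40000, PUBLIC_IP, 80, "A")
    v_ack, _ = fw.inbound(ack)                         # matched by state, no rule lookup
    unknown = Packet(remote, 40001, PUBLIC_IP, 12345, "S")
    v_unknown, _ = fw.inbound(unknown)                 # no rdr rule: for the firewall itself
    return (v_syn, fwd.dst, v_reply, out.src, v_ack, v_unknown)


if __name__ == "__main__":
    print(demo())
```

The model only creates state on a bare SYN, so an ACK arriving without prior state is treated like the "no rdr rule" case; that is a simplification chosen to mirror the post's handshake description, not a statement about how PF itself handles out-of-state packets.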