Port forwarding is needed when masquerading is used. What port forwarding does is to make the firewall look like a group of servers to the Internet while passing the packets to the appropriate servers on the internal private IP address space. For our example we will configure the following port forwarding.
When defining port forwarding for a service there is no need to also define any associated firewall rules to accept packets for the service. This is done automatically behind the scenes. This is why no rules were created above to accommodate the following service, source and destination combinations.
Port forward incoming SMTP requests to the mail server.
Port forward incoming DNS requests to the name server.
Port forward incoming SIMAP and SPOP3 requests to the mail server.
Port forward incoming HTTP and HTTPS requests to the web server.
To create a port forwarding rule enter the "Port Forwarding" category in the Guardian Digital WebTool and click on "Create Rule". A pop-up window will appear titled "Edit Port Forwarding Rule". The procedure is pretty simple. Choose the following parameters:
Protocol that the service uses.
The local address and port (local being the address and port that will receive requests for the service; in a two-interface scenario this will be the external interface).
The remote address and port to forward the packet to. In other words the IP address of the internal server and the associated port. Typically the local port and remote ports will be the same.
So for the first port forwarding rule we will forward SMTP requests that are sent from the Internet to the firewall. The rule will send these packets to the internal mail server which will then process the incoming mail. So fill in the following values in a new port forwarding rule pop-up window:
Protocol for SMTP is TCP.
Use the pull-down menu for the local address and choose the external interface.
The port used by SMTP is port 25 so enter 25 in the port field.
The remote zone is internal so choose "int".
The remote address is the address of the internal mail server and in our example that is 10.0.99.11.
The remote port, which is the port that the internal mail server listens on for SMTP requests, is 25.
Click on "Create Rule".
You will now see this rule listed under the "Port Forwarding Rules" title bar in the Guardian Digital WebTool page. So now any mail sent to the firewall from the Internet will automatically be forwarded to the internal mail server.
Now create port forwarding rules for the rest of the services by repeating the above procedure and plugging in the following values for each service.
Table 4-8. DNS Port Forwarding Spec
| Protocol | TCP and UDP |
DNS uses two protocols, TCP and UDP, so two rules need to be created, one for each protocol.
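To make visible what a WebTool port forwarding entry amounts to underneath (the DNAT plus the forward-accept rule the text says is added behind the scenes, and the separate TCP and UDP entries DNS needs), here is an added example in shell that prints the equivalent iptables rules. It is not the WebTool's own code; the interface names eth0/eth1 and the name server and web server addresses 10.0.99.12 and 10.0.99.13 are assumptions, while 10.0.99.11 and port 25 are the page's own values.

```shell
#!/bin/sh
# Added example, not the Guardian Digital WebTool's code. Prints (does not
# apply) the iptables rules a port forwarding entry stands for. Assumed, not
# from the page: external interface eth0, internal interface eth1, and the
# constructed placeholder addresses 10.0.99.12 (name server), 10.0.99.13
# (web server). 10.0.99.11 (mail server) and port 25 are from the page.
EXT_IF=eth0
INT_IF=eth1

# forward_rule PROTO LOCAL_PORT REMOTE_ADDR REMOTE_PORT
# One WebTool entry = the DNAT in the nat table (the actual port forward)
# plus the matching FORWARD accept, which is why no separate firewall rule
# has to be written for a forwarded service.
forward_rule() {
    proto=$1; lport=$2; raddr=$3; rport=$4
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p $proto --dport $lport -j DNAT --to-destination $raddr:$rport"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p $proto -d $raddr --dport $rport -m state --state NEW -j ACCEPT"
}

# service_rules NAME: one forward_rule per (protocol, port). DNS runs over
# both TCP and UDP, so it needs two entries, exactly as the text requires.
service_rules() {
    case $1 in
        smtp)  forward_rule tcp 25  10.0.99.11 25 ;;
        dns)   forward_rule tcp 53  10.0.99.12 53
               forward_rule udp 53  10.0.99.12 53 ;;
        simap) forward_rule tcp 993 10.0.99.11 993 ;;
        spop3) forward_rule tcp 995 10.0.99.11 995 ;;
        http)  forward_rule tcp 80  10.0.99.13 80 ;;
        https) forward_rule tcp 443 10.0.99.13 443 ;;
        *)     echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# Complete ruleset for the services in this section. Review the output
# before feeding it to a root shell on the firewall.
all_rules() {
    for svc in smtp dns simap spop3 http https; do
        service_rules "$svc" || return 1
    done
}

if [ "${1:-}" = "--print" ]; then
    all_rules
fi
```

Run with `--print` to see all fourteen rules; the two DNS entries show up as separate TCP and UDP DNAT lines.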
Table 4-12. HTTPS Port Forwarding Spec
Once these rules have been created you should now have a port forwarding table that looks like this.