4.4. Port Forwarding

Port forwarding is needed when masquerading is used. It makes the firewall look like a group of servers to the Internet while passing each packet to the appropriate server in the internal private IP address space. For our example we will configure the following port forwarding rules.

Note

When defining port forwarding for a service there is no need to also define any associated firewall rules to accept packets for the service. This is done automatically behind the scenes. This is why no rules were created above to accommodate the following service, source and destination combinations.

4.4.1. Creating a Port Forwarding Rule

To create a port forwarding rule enter the "Port Forwarding" category in the Guardian Digital WebTool and click on "Create Rule". A pop-up window will appear titled "Edit Port Forwarding Rule". The procedure is pretty simple. Choose the following parameters:

  • Protocol that the service uses.

  • The local address and port. "Local" means the address and port that will receive requests for the service; in a two interface scenario this will be the external interface.

  • The remote address and port to forward the packet to. In other words, the IP address of the internal server and the associated port. Typically the local port and the remote port will be the same.

So for the first port forwarding rule we will forward SMTP requests that are sent from the Internet to the firewall. The rule will send these packets to the internal mail server which will then process the incoming mail. So fill in the following values in a new port forwarding rule pop-up window:

  • Protocol for SMTP is TCP.

  • Use the pull down menu for the local address and choose the external interface.

  • The port used by SMTP is port 25 so enter 25 in the port field.

  • The remote zone is internal so choose "int".

  • The remote address is the address of the internal mail server and in our example that is 10.0.99.11.

  • The remote port, which is the port that the internal mail server listens on for SMTP requests, is 25.

  • Click on "Create Rule".

You will now see this rule listed under the "Port Forwarding Rules" title bar in the Guardian Digital WebTool page. So now any mail sent to the firewall from the Internet will automatically be forwarded to the internal mail server.

4.4.2. Creating the Remaining Port Forwarding Rules

Now create port forwarding rules for the rest of the services by repeating the above procedure and plugging in the following values for each service.

4.4.2.1. DNS

Table 4-8. DNS Port Forwarding Spec

Parameter        Value
Protocol         TCP and UDP
Local Address    192.168.1.81
Local Port       53
Remote Zone      int
Remote Address   10.0.99.12
Remote Port      53

Note

DNS uses two protocols, TCP and UDP, so two rules need to be created, one for each protocol.

4.4.2.2. SIMAP

Table 4-9. SIMAP Port Forwarding Spec

Parameter        Value
Protocol         TCP
Local Address    192.168.1.81
Local Port       993
Remote Zone      int
Remote Address   10.0.99.11
Remote Port      993

4.4.2.3. SPOP3

Table 4-10. SPOP3 Port Forwarding Spec

Parameter        Value
Protocol         TCP
Local Address    192.168.1.81
Local Port       995
Remote Zone      int
Remote Address   10.0.99.11
Remote Port      995

4.4.2.4. HTTP

Table 4-11. HTTP Port Forwarding Spec

Parameter        Value
Protocol         TCP
Local Address    192.168.1.81
Local Port       80
Remote Zone      int
Remote Address   10.0.99.13
Remote Port      80

4.4.2.5. HTTPS

Table 4-12. HTTPS Port Forwarding Spec

Parameter        Value
Protocol         TCP
Local Address    192.168.1.81
Local Port       443
Remote Zone      int
Remote Address   10.0.99.13
Remote Port      443

Once these rules have been created, you should have a port forwarding table that looks like this.

Figure 4-9. Port Forwarding Rules
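To show what the WebTool is doing underneath when it creates these entries, the following added shell example renders the iptables equivalent of the SMTP rule from 4.4.1 and the rules in Tables 4-8 to 4-12. It is not Guardian Digital's code and does not describe how the WebTool itself is implemented; it assumes a Linux iptables firewall with a default DROP policy on FORWARD, an external interface named eth0 whose address is the 192.168.1.81 "Local Address" from the tables, and an internal interface named eth1 (all three are assumptions, not values from the page). It only prints the rules for review rather than loading them, and it emits the DNS forward twice, once for TCP and once for UDP, as the note above requires.

```shell
# Added example, not Guardian Digital's code. Assumed names: eth0/eth1 interfaces,
# iptables with FORWARD policy DROP. Addresses and ports come from the tables.
EXT_IF="eth0"            # assumption: external (Internet-facing) interface
INT_IF="eth1"            # assumption: internal ("int" zone) interface
EXT_ADDR="192.168.1.81"  # Local Address from Tables 4-8 to 4-12

# One spec line per rule: name protocol local_port remote_address remote_port.
# DNS appears twice because it needs one rule per protocol (TCP and UDP).
SPEC="smtp tcp 25 10.0.99.11 25
dns tcp 53 10.0.99.12 53
dns udp 53 10.0.99.12 53
simap tcp 993 10.0.99.11 993
spop3 tcp 995 10.0.99.11 995
http tcp 80 10.0.99.13 80
https tcp 443 10.0.99.13 443"

# emit_forward NAME PROTO LPORT RADDR RPORT
# Prints the two rules a single port forward needs on a masquerading firewall:
# the DNAT in the nat table's PREROUTING chain (rewrite the destination), and
# the FORWARD accept for the rewritten packet. The WebTool adds the second one
# "behind the scenes"; with raw iptables and a DROP policy it must be explicit.
emit_forward() {
    name=$1; proto=$2; lport=$3; raddr=$4; rport=$5
    echo "# $name"
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p $proto -d $EXT_ADDR --dport $lport -j DNAT --to-destination $raddr:$rport"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p $proto -d $raddr --dport $rport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# render_rules: validate each spec line and print its rules, in order.
# A protocol other than tcp or udp aborts the run with a message on stderr.
render_rules() {
    echo "$SPEC" | while read -r name proto lport raddr rport; do
        case "$proto" in
            tcp|udp) ;;
            *) echo "unsupported protocol '$proto' for $name" >&2; exit 1 ;;
        esac
        emit_forward "$name" "$proto" "$lport" "$raddr" "$rport"
    done
}

# dnat_rule_count: how many DNAT entries the spec produces (7: DNS counts twice).
dnat_rule_count() {
    render_rules | grep -c -- '-j DNAT'
}

# accept_rule_count: one FORWARD accept per DNAT entry.
accept_rule_count() {
    render_rules | grep -c -- '-j ACCEPT'
}

# To review the generated rules, run:  render_rules
```

Reading the output side by side with the WebTool's table is a useful check: every row in Figure 4-9 should correspond to exactly one DNAT line here, and the DNS row should appear as two. Because the script never calls iptables itself, it can be run on any machine to review the rule set before it is loaded on the firewall.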