Hi Rob,

It's really difficult to tell where the "break" is occurring without 
seeing your NAT and firewall configuration but to start:

SNAT occurs after the packets hit the firewall (the source address/ports 
don't get changed until after the packet has traversed the firewall, so 
you need to match on the original source address/ports) and DNAT occurs 
before the packets hit the firewall (the destination address is changed 
before the packet traverses the firewall, so you need to match on the 
NATed destination address and ports).  When you're using NAT and 
firewall together, you need to design the firewall with this in mind.  
If an issue is occurring with packets that are being SNATed, then you 
may have the wrong sources and destinations applied in the firewall.  
Or, the issue could be as simple as not having opened enough ports in 
the firewall for legitimate traffic to flow properly.

NAT simply changes the source and destination parameters of a packet.  
It doesn't block any unwanted traffic.  Most networks will want to be 
protected by a firewall.  NAT by itself still leaves your network wide 
open to malicious traffic.

Here's a good link on the order in which NAT and firewall occurs:

http://www.faqs.org/docs/iptables/traversingoftables.html

If you'd like us to take a closer look at why your SNAT is failing, you 
can post the relevant portions of your configuration.  For your own 
safety, please *DO NOT* post anything with public IPs or other personal 
information.

Thank you,

Robyn

Rob Shepherd wrote:
> Dear Vyatta users,
>
> I've made a SNAT entry, to allow a network to hide behind a public IP 
> address (not MASQ though). This entry works fine.
>
> I then made some DNAT rules to port-forward from the external IP address to 
> a service internally. This also appears to work.
>
> However my query is with firewall rules. If I make some firewall rules to 
> reflect the service, I break the SNAT for outgoing connections.
>
> It doesn't seem to acknowledge the state of outgoing connections. (I can use 
> tcpdump to see TCP ACKs being dropped, when coming in from remote hosts being 
> connected to from an inside host)
>
> My question is.... Do I need firewall rules in this case? Can I make the 
> assumption that my NAT configuration is enough security?
>
> Could anybody tell me when firewall rules might be used in conjunction with 
> NAT etc.
>
> Thanks
>
> Rob
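To make the ordering Robyn describes concrete, here is a small Python model of netfilter table traversal for a forwarded packet. It is an added example written for this thread, not Vyatta's or the Linux kernel's code, and it deliberately models only three hooks: nat/PREROUTING (where DNAT happens, before the filter), filter/FORWARD, and nat/POSTROUTING (where SNAT happens, after the filter), plus a minimal connection-tracking table so that replies are de-NATed before the filter sees them, as netfilter does. The addresses, the port-forward target and the two rule sets are all constructed; the "stateless" rule set reproduces the symptom in the original post (replies to SNATed connections dropped while the port-forward still works), and the "stateful" one fixes it by accepting ESTABLISHED traffic first.

```python
"""Toy model of netfilter table traversal for forwarded packets.

Added example, not Vyatta's or the kernel's code.  Only the path relevant to
the thread is modelled:
    nat/PREROUTING (DNAT) -> filter/FORWARD -> nat/POSTROUTING (SNAT)
with a minimal conntrack table so replies are de-NATed before filtering.
All addresses are constructed (RFC 1918 / RFC 5737 ranges).
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"     # constructed: router's outside address
LAN_PREFIX = "192.168.1."      # constructed: inside network
WEB_SERVER = "192.168.1.20"    # constructed: port-forward target


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """One router with a filter/FORWARD rule list and a conntrack table."""

    def __init__(self, forward_rules):
        self.forward_rules = forward_rules   # list of (predicate(state, pkt), verdict)
        self.conntrack = {}                  # expected on-wire reply tuple -> original packet

    @staticmethod
    def dnat(p):
        # nat/PREROUTING, consulted for NEW connections only: public:80 -> web server
        if p.dst == PUBLIC_IP and p.dport == 80:
            return replace(p, dst=WEB_SERVER)
        return p

    @staticmethod
    def snat(p):
        # nat/POSTROUTING, NEW connections only: hide the LAN behind one public IP
        if p.src.startswith(LAN_PREFIX):
            return replace(p, src=PUBLIC_IP)
        return p

    def forward(self, p):
        """Return (verdict, packet as sent on the far side, or None if dropped)."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conntrack:
            # Reply to a tracked connection: conntrack reverses the recorded NAT.
            state, orig = "ESTABLISHED", self.conntrack[key]
            p = replace(p, dst=orig.src)             # undo SNAT (PREROUTING, before filter)
            after_filter = replace(p, src=orig.dst)  # undo DNAT (POSTROUTING, after filter)
        else:
            state, orig = "NEW", p
            p = self.dnat(p)                         # DNAT happens BEFORE the filter
            after_filter = self.snat(p)              # SNAT happens AFTER the filter
        # filter/FORWARD therefore sees the DNATed destination but the ORIGINAL source.
        verdict = "DROP"                             # default policy
        for pred, action in self.forward_rules:
            if pred(state, p):
                verdict = action
                break
        if verdict == "ACCEPT" and state == "NEW":
            s = after_filter                         # remember how the reply will look on the wire
            self.conntrack[(s.dst, s.dport, s.src, s.sport)] = orig
        return verdict, (after_filter if verdict == "ACCEPT" else None)


def stateless_rules():
    """Rules written purely on addresses/ports, ignoring connection state."""
    return [
        (lambda st, p: p.src.startswith(LAN_PREFIX), "ACCEPT"),
        (lambda st, p: p.dst == WEB_SERVER and p.dport == 80, "ACCEPT"),
    ]


def stateful_rules():
    """Accept replies via conntrack first (-m state --state ESTABLISHED,RELATED), then NEW."""
    return [
        (lambda st, p: st == "ESTABLISHED", "ACCEPT"),
        (lambda st, p: st == "NEW" and p.src.startswith(LAN_PREFIX), "ACCEPT"),
        # match the NATed (internal) destination: DNAT has already rewritten it
        (lambda st, p: st == "NEW" and p.dst == WEB_SERVER and p.dport == 80, "ACCEPT"),
    ]


def wrong_dnat_rules():
    """Common mistake: matching the public address, which DNAT rewrote before the filter."""
    return [(lambda st, p: p.dst == PUBLIC_IP and p.dport == 80, "ACCEPT")]


def scenario(rules):
    """Outbound SNATed connection, its reply, and an inbound port-forward through one router."""
    r = Router(rules)
    out = r.forward(Packet("192.168.1.5", 40000, "198.51.100.7", 443))
    reply = r.forward(Packet("198.51.100.7", 443, PUBLIC_IP, 40000))   # remote host's ACK
    inbound = r.forward(Packet("198.51.100.7", 51515, PUBLIC_IP, 80))  # hits the port-forward
    return out, reply, inbound


if __name__ == "__main__":
    for name, rules in [("stateless", stateless_rules()), ("stateful", stateful_rules())]:
        out, reply, inbound = scenario(rules)
        print(f"{name}: outbound={out[0]} reply={reply[0]} port-forward={inbound[0]}")
```

Running it shows the stateless rule set accepting the outbound SYN and the port-forward but dropping the remote host's ACK, because by the time that ACK reaches FORWARD its destination has already been rewritten back to 192.168.1.5 and neither address-only rule matches it; the stateful set admits it on connection state alone.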
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users