<< Back to man.ChinaUnix.net

Port Forwarding Administrative Web Page

This subsection allows you to configure the Port Forwarding settings for Endian Firewall. This is 100% optional, so you may safely ignore this section if you do not wish to make use of this feature.

Port Forwarding Overview

Firewalls prevent externally initiated requests from accessing the protected system. However, sometimes, this is too strict a situation. For example, if one is running a web server, then any requests to that web server by users outside the protected network will be blocked by default. This means that only other users on the same internal network can use the web server. This is not the normal situation for web servers. Most people want outsiders to be able to access the server. This is where Port Forwarding comes in.

Port Forwarding is a service that allows limited access to the internal LANs from outside. When you set up your server, you can choose the receiving or “listening” ports on the internal network machines. This is done differently depending on which software is being used. Please refer to the documentation that came with your servers to set up the ports on those servers.

Figure 6.3. Adding a new poprtforwarding configuration

Adding a new poprtforwarding configuration

Once those receiving ports are ready, you are ready to enter information into the administration interface on Endian Firewall. The following describes each configuration fields:

Protocol

This drop down list allows you to choose whic protocol this rule will follow. Possible values are TCP, UDP and GRE. Most regular servers use TCP. Some game servers and chat servers use UDP. The GRE protocol is used for example in PPTP. If the protocol is not specified in the server documentation, then it is usually TCP

Source port

is the port to which the outsiders will connect. In most cases, this will be the standard port for the service being offered (80 for web servers, 20 for FTP servers, 25 for mail servers, etc.) If you wish, you may specify a range of ports to forward. To specify a range use the “:” character between two port numbers, lowest number first. Note that port ranges cannot overlap each other.

Destination IP

is the internal IP address of the server (for example, you may have your web server on 192.168.0.3).

Destination Port

is the port that you chose when you set up your server in the first paragraph. You only need to enter the source port, the destination will be filled in for you if it does not differ.

Alias IP

This dropdown menu allows you to choose which RED IP this rule will affect. Endian Firewall has the capability of handling more than one RED IP. With the Aliases submenu within Network main menu you are able to configure them. If you only have one RED IP set up, then choose Default IP.

Remark

This is optional. As the name says this field allows you to add some remark, in order to easier identify the rules within current rules list.

Enabled

Tick this box on to enable the current rule. You may temporarily disable a rule by ticking it off.

Endian Firewall automatically creates for each configured port forwarding rule a NAT rule for each zone in order to allow access to ORANGE not only from RED but also from each other zone.

Note

If you create a port forwarding rule from from an alias ip, Endian Firewall automatically generates NAT rules for outgoing connections started by the machine to which the port has been forwarded. in order to change the source ip address to the respective alias ip. This NAT will occur only for destination ports equal to those forwarded. This is needed for example if you like to run a mail server within the DMZ and therefore forward port 25 to the machine within the ORANGE network. That machine certainly needs to send mails with the alias ip and not with the main RED ip address.

Port Forwarding and External Access

The External Access page has NO affect on the GREEN or ORANGE networks. It is there to allow you to open ports to the EFW box itself and not the GREEN or ORANGE networks.

How do you open up external access then? It is combined into the Port Forwarding page - there is a field on the page labeled: 'Source IP, or network (blank for "ALL"):'

This is the field that controls external access - if you leave it BLANK, your port forward will be open to ALL INTERNET ADDRESSES. Alternatively if you put an address or network in there, it will be restricted to that network or Internet address.

Figure 6.4. Adds an acl to a portforwarding rule

Adds an acl to a portforwarding rule

You can have more than one external address - after you have created the port forward entry, it will appear in the table. If you wish to add another external address, click the Red Pencil with the Plus sign next to the entry, the entry screen at the top of the page will change (it will load values from the port forward) and allow you to enter an external IP address or network. When added you will now notice that there is a new entry under the port forward in the table.

Other things to note about port handling in general:

  • You can have port ranges and wildcards. Valid wildcards are:

    • * which translates to 1-65535

    • 85-* which translates into 85-65535

    • *-500 which translates into 1-500

  • Reserved ports - on the main Red Address (DEFAULT IP) some ports are reserved for EFW to do its business, they are 67, 68 for doing DHCP on RED and 10443 for the web interface itself.

Figure 6.5. Currently configured portforwarding rules

Currently configured portforwarding rules

You already have noticed the rules listing below unter Current rules, since that's the place with the red pencil icon. You can edit a record by clicking on the Yellow Pencil icon in the Action column and until you hit the update button nothing changes and nothing is lost. When you are editing a record you will see the record highlighted in yellow. When you edit a port forward, there will be an extra check box labeled Override external access to ALL. This is used as a quick and dirty way to open a port to ALL Internet addresses for testing or whatever your reasons.

To delete a record, click on the Trash Can icon on the right hand side of the Action column.

If you have a port forward with multiple external accesses, when you delete all of the external accesses, the port becomes open to ALL addresses, be careful of this one.

There is a Shortcut to enable or disable a port forward or external access - click on the “Enabled” icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The icon changes to an empty box when a rule is disabled. Click on the checkbox to enable it again. Note: when you disable the port forward, all associated external accesses are disabled, and when you enable the port forward, all associated external accesses are enabled.