Topic: ANY use of firewall rules when behind NAT/PAT?  (Read 1761 times)
« on: June 21, 2008, 17:39:47 »
Seb74
Posts: 115

Probably a stupid question, but when having ONE public IP, and running Port Address Translation from your LAN (seems to be enabled by default unless you turn on Advanced Outbound NAT)... do the extra firewall rules do ANY good?

I mean, incoming traffic that doesn't have any forwarding specified is just dropped; it doesn't know which client on the LAN to go to. Yet you have to enable the traffic, let's say port 80 forwarding to a httpd machine, both in NAT forwarding AND in the firewall (the firewall rule can be created automatically, but anyway).

So, am I right that the firewall rules do no good at all in a simple setup like this?
It's more for when you run M0n0wall as a pure firewall?

Probably stupid, but I thought I'd ask in case I'm missing something important here... we all try to learn.
« Reply #1 on: June 22, 2008, 06:24:28 »
knightmb
Posts: 341

Not a stupid question, you won't know until you ask.

NAT will map any port on the WAN to any machine/port on the LAN, fair enough. But without a firewall rule, the mapping will be blocked. So that's why it has that option to "auto create firewall rule" when setting up a new inbound NAT mapping.

Seems like double the work, but actually very necessary for a good firewall. It allows you to control access to that NAT mapping. So if you wanted to block "hacker bob" from IP range 10.XX.XX.XX, you can set up a rule for this. Otherwise, in the event of a troublemaker, all you could do is turn off NAT and kill all the innocent people who were trying to access your web server. So without firewall rules, all NAT mappings would be just an "on/off" switch without any fine control.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #2 on: June 22, 2008, 06:36:22 »
ChainSaw
Guest

Also, you can use 1:1 NAT if you have multiple static public IPs, in which case only WAN rules are required.

CS...
« Reply #3 on: June 22, 2008, 08:07:39 »
Seb74
Posts: 115

Ah, yeah, sure, of course it's like that.
You can block/permit specific IPs... didn't think of that.

The 1:1 scenario is obvious since it's all just opened, but for PAT I couldn't think of any use... none of my cheap home routers has had any firewall except the PAT forwarding.

Too bad hacker IPs often aren't that static, so you can't just block them... maybe a few allows and block the rest is what's most useful if you have a need for such a private setup.
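A small model of what knightmb describes and of the "a few allows and block the rest" idea above, as an added example that is not from the thread or from m0n0wall itself. It assumes, as m0n0wall does, that the inbound port forward rewrites the destination before the WAN rules are evaluated (so the rules match the LAN address), that the first matching rule wins, and that unmatched inbound traffic falls to a default deny; the hosts, addresses and forward table are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src_net: str         # e.g. "10.0.0.0/8"; "any" matches every source
    dst: str             # LAN host the forward lands on, or "any"
    dport: Optional[int] # None matches any port

    def matches(self, pkt: Packet) -> bool:
        src_ok = self.src_net == "any" or ip_address(pkt.src) in ip_network(self.src_net)
        dst_ok = self.dst in ("any", pkt.dst)
        port_ok = self.dport is None or self.dport == pkt.dport
        return src_ok and dst_ok and port_ok

# Single public IP with PAT: WAN port -> (LAN host, LAN port). Constructed httpd host.
PORT_FORWARDS = {80: ("192.168.1.10", 80)}

def apply_nat(pkt: Packet) -> Optional[Packet]:
    """Rewrite the destination per the forward table. A port with no forward
    has no LAN target, so the packet is simply dropped (the case in the question)."""
    if pkt.dport not in PORT_FORWARDS:
        return None
    host, port = PORT_FORWARDS[pkt.dport]
    return Packet(pkt.src, host, port)

def filter_wan(pkt: Packet, rules: list) -> bool:
    """First matching WAN rule decides; no match means the default deny applies,
    which is why a forward without an accompanying rule is still blocked."""
    for r in rules:
        if r.matches(pkt):
            return r.action == "pass"
    return False

def inbound(pkt: Packet, rules: list) -> str:
    nat = apply_nat(pkt)            # NAT first, then filter on the translated packet
    if nat is None:
        return "dropped: no forward"
    if filter_wan(nat, rules):
        return "delivered to %s:%d" % (nat.dst, nat.dport)
    return "blocked by rule"
```

With an empty rule list the forward alone delivers nothing; a block rule for one source range in front of a general pass rule gives the "fine control" knightmb describes, and a pass rule for a small trusted range with nothing after it is the allow-list-and-deny-the-rest setup.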