You are about to define a new rule to manage a specific kind of connection between two different zones. If a request matches all of the criteria defined here, the "Result" action is taken.
Below is a description of the fields available in the form; fill them in according to the criteria a request must match for this rule to apply. Some options are also available to manage these connections:
| Field | Description |
|---|---|
| Rule ID | The unique ID number identifying this policy rule. |
| Result | The action taken for the connection request matching this rule. See the table below. |
| Logging | Set to "info" if you want each accepted connection matching this rule logged by syslog. |
| Pre-defined Services | Choose a common service from the pull-down list, or enter a service name or port number in the field. |
| Protocol | The protocol type associated with that service. |
| Client | The zone from which the connection request originates. The match can be narrowed by specifying a precise IP or subnet, or even a port number. Leave "-" in the field to match any IP or port. |
| Server | The zone to which the connection request is directed. The match can be narrowed by specifying a precise IP or subnet, or even a port number. Leave "-" in the field to match any IP or port. |
| Forwarding Address | If the request is targeted at the IP specified here (or if it is set to "all"), it will be forwarded to the "Server" IP and port. In this case, the "Server" field must specify a single IP address. |
| SNAT | If specified, and if forwarding is activated above, the source address of the request will be set to this "SNAT" value before it is forwarded to the server. |
Here is a short description of the four possible actions:
| Result | Effect |
|---|---|
| ACCEPT | The connection is allowed. |
| DROP | The connection request is silently ignored. |
| REJECT | The connection request is blocked and a "destination-unreachable" message is sent back to the client. |
| CONTINUE | The connection is neither ACCEPTed, DROPped nor REJECTed. CONTINUE may be used when one or both of the zones named in the entry are sub-zones of, or intersect with, another zone. |
Example: you want the FTP server at 192.168.2.2 in your masqueraded DMZ to be reachable from the local 192.168.1.0/24 subnet. Note that since the server is in the 192.168.2.0/24 subnet, access to the server from that subnet does not pass through the firewall.

| Field | Value | IP or subnet |
|---|---|---|
| Result | ACCEPT | |
| Logging | | |
| Pre-defined Services | ftp | |
| Protocol | tcp | |
| Client | lan | 192.168.1.0/24 |
| Server | dmz | 192.168.2.2 |
| Forwarding Address | 155.186.235.151 | |
| SNAT | | |
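To make the matching semantics concrete, here is an added example (not part of this help page or the firewall's own code) that simulates how a list of such rules is evaluated against a connection request: rules are walked in order, "-" matches anything, a CONTINUE rule matches without deciding, a Forwarding Address rewrites the destination to the Server IP before the Server fields are checked, and SNAT only applies when forwarding happened. The zone map, the "ftp" service being tcp port 21, and a REJECT default policy for requests no rule decides are assumptions made for this example; the last rule reproduces the FTP rule above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "-"  # the form's "leave '-' to match any IP or port" convention

# Constructed zone map for this example: zone name -> list of subnets.
ZONES = {
    "lan": [ip_network("192.168.1.0/24")],
    "dmz": [ip_network("192.168.2.0/24")],
}


def zone_of(addr: str) -> str:
    """Return the zone an address belongs to; anything else is the outside ('net')."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "net"


def addr_matches(spec: str, addr: str) -> bool:
    """'-' matches any address; otherwise spec is a host or CIDR that must contain addr."""
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class Rule:
    rule_id: int
    result: str                   # ACCEPT, DROP, REJECT or CONTINUE
    service_port: str             # destination port of the pre-defined service, or "-"
    proto: str                    # "tcp", "udp", ... or "-"
    client_zone: str
    client_addr: str = ANY
    server_zone: str = ANY
    server_addr: str = ANY
    forward_addr: Optional[str] = None   # None, "all", or the address requests are sent to
    snat: Optional[str] = None
    logging: Optional[str] = None        # "info" to log accepted connections


@dataclass
class Request:
    src: str
    dst: str
    proto: str
    dport: int


def validate(rule: Rule) -> None:
    """Enforce the form's constraint: forwarding requires a specific Server IP."""
    if rule.forward_addr is not None and rule.server_addr == ANY:
        raise ValueError(f"rule {rule.rule_id}: forwarding requires a specific Server IP")
    if rule.result not in ("ACCEPT", "DROP", "REJECT", "CONTINUE"):
        raise ValueError(f"rule {rule.rule_id}: unknown result {rule.result!r}")


def evaluate(rules, req: Request, default: str = "REJECT") -> dict:
    """Walk the rules in order and return the decision for one connection request.

    CONTINUE rules match but never decide; if no rule decides, `default` applies
    (an assumed default policy for this example, not something the form defines).
    """
    for r in rules:
        validate(r)
        # Forwarding: a request aimed at forward_addr (or at anything, for "all")
        # is rewritten to the Server address before the Server fields are matched.
        forwarded = r.forward_addr is not None and (
            r.forward_addr == "all" or addr_matches(r.forward_addr, req.dst))
        dst = r.server_addr if forwarded else req.dst
        if r.proto != ANY and r.proto != req.proto:
            continue
        if r.service_port != ANY and int(r.service_port) != req.dport:
            continue
        if r.client_zone != ANY and zone_of(req.src) != r.client_zone:
            continue
        if not addr_matches(r.client_addr, req.src):
            continue
        if r.server_zone != ANY and zone_of(dst) != r.server_zone:
            continue
        if not addr_matches(r.server_addr, dst):
            continue
        if r.result == "CONTINUE":
            continue      # matched, but the decision is left to later rules
        return {"action": r.result, "rule_id": r.rule_id,
                "log": r.result == "ACCEPT" and r.logging == "info",
                "dnat_to": dst if forwarded else None,
                "snat": r.snat if forwarded else None}
    return {"action": default, "rule_id": None, "log": False, "dnat_to": None, "snat": None}


# Rule 2 is the page's FTP example (ftp assumed to be tcp/21); rule 1 is a
# constructed CONTINUE rule showing that it matches without deciding.
RULES = [
    Rule(1, "CONTINUE", ANY, ANY, "lan"),
    Rule(2, "ACCEPT", "21", "tcp", "lan", "192.168.1.0/24", "dmz", "192.168.2.2",
         forward_addr="155.186.235.151"),
]

if __name__ == "__main__":
    for req in (Request("192.168.1.10", "155.186.235.151", "tcp", 21),
                Request("192.168.1.10", "155.186.235.151", "tcp", 22),
                Request("10.0.0.5", "155.186.235.151", "tcp", 21)):
        print(req, "->", evaluate(RULES, req))
```

Running it shows the three outcomes a practitioner cares about when reviewing such a rule: a LAN client reaching the forwarding address on port 21 is accepted and its destination rewritten to 192.168.2.2, the same client on port 22 falls through to the default, and a client from outside the "lan" zone never matches even though the address and port are right.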