
Moving from old linux fw rules to fw-1 1


Zulan

Technical User
Sep 9, 2001
Hi everyone!

I am in the process of moving our old firewall rules to our new firewall-1 server. I don't know much about the old server since I was not the administrator of it. But I have gotten the rules printed out and now I'm trying to put them into our new fw. We are using port forwarding a lot. Examples of the rules look like this:

734K 790M ACCEPT tcp ------ 0xFF 0x00 * 172.31.0.0/16 192.168.1.0/24 1024:65535 -> 20:23
154K 38M ACCEPT tcp !y---- 0xFF 0x00 * 192.168.1.0/24 172.31.0.0/16 21:23 -> 1024:65535
295K 61M ACCEPT tcp ------ 0xFF 0x00 * 192.168.1.0/24 172.31.0.0/16 20 -> 1024:65535
226K 9114K ACCEPT tcp ------ 0xFF 0x00 * 172.31.0.0/16 192.168.1.2 1024:65535 -> 80
434K 647M ACCEPT tcp !y---- 0xFF 0x00 * 192.168.1.2 172.31.0.0/16 80 -> 1024:65535
2628K 2136M ACCEPT tcp ------ 0xFF 0x00 * 172.31.0.0/16 192.168.1.0/24 1024:65535 -> 1024:65535
2061K 547M ACCEPT tcp !y---- 0xFF 0x00 * 192.168.1.0/24 172.31.0.0/16 1024:65535 -> 1024:65535

How would you translate this to the firewall-1 server?

Any guidance is greatly appreciated!

-Z
 
I think you take the one-to-one rules and put them in the new firewall server!


LaNceLoT
 
Thank you for your answer, but could you explain your answer in more detail?

What I have tried is, in the "Address Translation" settings, adding a rule based on the first example saying:

ORIGINAL PACKET
Source: 172.31.0.0.
Destination: 192.168.1.0
Service: Ports 1024-65535

TRANSLATED PACKET
Source: Original
Destination: 192.168.1.0
Service: ports 20-23

But this rule gives me an error saying "The range size of Original and Translated columns must be the same."

I am really lost here, please point me in the right direction.

 
It's not really precise in your printout; we can't really understand what the real NAT is, between what and what.

Otherwise, if it's just port-mapping, proceed like this for your example:

ORIGINAL PACKET
Source: 172.31.0.0/24
Destination: 192.168.1.0/24
Service: any (you can't specify a range)

TRANSLATED PACKET
Source: Original
Destination: original
Service: ports 21 (if you want the FTP server)

With this, all the connections from the machine 172.31.0.0/24 to the machine 192.168.1.0 will arrive on the ftp server on the machine 192.168.1.0/24.

Hope you can find what you want




LaNceLoT
 
Yes, I can see that my explanation is not as perfect as it could have been. The reason for this is that I am really lost here. But I will try to explain what was explained to me regarding these rules.

172.31.0.0 is my internal network
192.168.1.0 is my DMZ.

We have some demo applications running on the DMZ so our affiliates can run them. But sometimes we want to run the demos from the internal network as well. We only have a very limited number of Internet IP addresses, so we use port forwarding for these services. That has already been set up on the new firewall and is working fine. But the rules that bother me are these:

Let's use the FTP as the example. What if someone is sending out packets from ipxxx.xxx.xxx.x port 6000 to our ftp on port 21? Then the ftp has to be able to reply to port 6000, right? Or am I wrong? One theory that I have is that this might be automatic in the Checkpoint firewall?





 
Euh... yes, I think it's implicit on the Checkpoint firewall. While you're trying to access ftp from any port, the answer will be on the good port. No need for port forwarding!

Port forwarding is when you want the next example:
you have a kind of server somewhere that all people are going to access for all services, and you want to forward each service to the good server. Example:
principal server : 192.168.0.1
ftp server : 192.168.0.2
http server : 192.168.0.3

and you have a NAT rule that is :
ORIGINAL PACKET
Source: any
Destination: 192.168.0.1
Service: ftp http

TRANSLATED PACKET
Source: Original
Destination: 192.168.0.2 192.168.0.3
Service: original

so the packet will go to the ftp server machine or the http server machine; it depends on the port which is attacked on the principal server....

And port mapping is when you want to forward the port to another port, like this:
IP : 192.168.0.1
Port http : 8080

and you want people to connect to the http port like usual; you do it like this:
ORIGINAL PACKET
Source: any
Destination: 192.168.0.1
Service: http (port 80)

TRANSLATED PACKET
Source: Original
Destination: original
Service: 8080

and you can have port (address) forwarding and port-mapping at the same time. You forward the IP address and the port to the one you want!!!


Hope it can be a good explanation for you that is lost [thumbsup]

regards



LaNceLoT
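An added example, not from the thread: a Python check that parses the rule dump Zulan posted, separates the rules that open connections from the `!y` reply rules Lancelot says the Checkpoint firewall handles implicitly, and flags any reply rule that no connection-opening rule accounts for, so nothing silently disappears when those rules are left out of the new policy. It assumes the dump is `ipchains -vL` output in the column order written in the comment, and that `!y` is the negated SYN match (non-SYN packets, i.e. traffic of already established connections).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the seven rules quoted in the thread, one per line.
DUMP = """\
734K 790M ACCEPT tcp ------ 0xFF 0x00 * 172.31.0.0/16 192.168.1.0/24 1024:65535 -> 20:23
154K 38M ACCEPT tcp !y---- 0xFF 0x00 * 192.168.1.0/24 172.31.0.0/16 21:23 -> 1024:65535
295K 61M ACCEPT tcp ------ 0xFF 0x00 * 192.168.1.0/24 172.31.0.0/16 20 -> 1024:65535
226K 9114K ACCEPT tcp ------ 0xFF 0x00 * 172.31.0.0/16 192.168.1.2 1024:65535 -> 80
434K 647M ACCEPT tcp !y---- 0xFF 0x00 * 192.168.1.2 172.31.0.0/16 80 -> 1024:65535
2628K 2136M ACCEPT tcp ------ 0xFF 0x00 * 172.31.0.0/16 192.168.1.0/24 1024:65535 -> 1024:65535
2061K 547M ACCEPT tcp !y---- 0xFF 0x00 * 192.168.1.0/24 172.31.0.0/16 1024:65535 -> 1024:65535
"""

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sports: tuple      # (low, high) source port range
    dports: tuple      # (low, high) destination port range
    reply_only: bool   # opt column starts with '!y': non-SYN packets only (assumed meaning)

def ports(spec):
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_rule(line):
    # Assumed ipchains -vL layout: pkts bytes target prot opt tosa tosx ifname src dst sports -> dports
    f = line.split()
    if len(f) != 13 or f[11] != "->":
        raise ValueError(f"unexpected rule line: {line!r}")
    net = lambda s: ipaddress.ip_network(s, strict=False)   # bare host -> /32
    return Rule(net(f[8]), net(f[9]), ports(f[10]), ports(f[12]), f[4].startswith("!y"))

def within(inner, outer):
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def answers(reply, init):
    """True if 'reply' can only carry return packets of connections 'init' opens."""
    return (reply.src.subnet_of(init.dst) and reply.dst.subnet_of(init.src)
            and within(reply.sports, init.dports) and within(reply.dports, init.sports))

def classify(dump):
    """Split a dump into connection-opening rules and reply rules no opener explains."""
    rules = [parse_rule(l) for l in dump.splitlines() if l.strip()]
    openers = [r for r in rules if not r.reply_only]
    orphans = [r for r in rules if r.reply_only and not any(answers(r, o) for o in openers)]
    return openers, orphans
```

The `20 -> 1024:65535` rule from the DMZ side is reported as an opener, not a reply: it is a connection the FTP server itself initiates towards the client (the active-mode data channel), so it is not covered by the implicit reply handling and still needs its own rule.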
 
Thank you Lancelot! This helped.

Have a nice weekend! :)
 