Member

Firewall or NAT first?

Which fires first, NAT or firewall? I created a NAT rule that redirects TCP port 8022 -> TCP port 22 and to a specific host. Then my firewall rule is TCP port 22 to the same host as the NAT rule.

Coming in from the WAN connection I am able to connect from port 22 and 8022, and the desired effect is only on port 8022. If I change the firewall rule to be port 8022 I cannot connect on 8022 nor 22.

All Replies
Previous Employee

Re: Firewall or NAT first?

EdgeMAX Feature Ordering

EdgeMAX Router Software Development
Member

Re: Firewall or NAT first?

So DNAT then firewall. How would I block 22 from coming in from the internet while allowing 22 to pass via DNAT? Would I add a DNAT rule to forward the 22 to a bogus address?

New Member

Re: Firewall or NAT first?

You might want to post your config. The way you are describing it, port 22 should not be forwarded and only access on 8022 should work.

Previous Employee

Re: Firewall or NAT first?


@Rmilchman wrote:

So DNAT then firewall. How would I block 22 from coming in from the internet while allowing 22 to pass via DNAT? Would I add a DNAT rule to forward the 22 to a bogus address?


I'm guessing the following is what you want?

  1. Traffic coming in from the Internet to the router's port 8022: translate the destination to an internal host port 22 and allow it through the firewall
  2. Traffic coming in from the Internet to the router's port 22: block it using firewall

If that's the case, they are actually handled by different "directions" for the firewall:

  1. For the traffic coming in to port 8022: After DNAT, it is actually "forwarded" through the router, so it is handled by the firewall on the "in" direction on the WAN interface (e.g., the "WAN_IN" ruleset in many of the example configurations) and a rule is needed there to allow it.
  2. For the traffic coming in to port 22: No NAT is involved, so this traffic is considered "local" to the router (i.e., has the router itself as the destination). Therefore, it is handled by the firewall on the "local" direction on the WAN interface (e.g., "WAN_LOCAL" in those examples) and a rule is needed there to block it.
Member

Re: Firewall or NAT first?

That's exactly what I am trying to do. Thank you, I'll test it later.

Member

Re: Firewall or NAT first?

I don't think my experience is normal behavior, more so a device bug.

I tried multiple configurations and no matter what I did, a user was able to connect externally through port 22 and SSH to an internal server. I then deleted my NAT and firewall rules, created a new rule translating 8022 -> 22 and to a specific destination IP address, and then created a firewall rule allowing port 22 on the WAN interface to my external server.

Once again a user was able to connect from an external address to my SSH server on port 22 (even though I don't think they should be able to). I then rebooted the router and it began to work as I expected. An external user cannot connect directly to port 22, but can connect to port 8022 which gets translated to 22.

Previous Employee

Re: Firewall or NAT first?

Could you post the configurations you tried that didn't work, or at least the current configuration so that people can take a look?

Member

Re: Firewall or NAT first?

(EDIT: Use "Insert Code" to make config more readable)

Is this enough or do you want the entire config?


NAT:
rule 13 {
    description "ssh 8022"
    destination {
        port 8022
    }
    inbound-interface eth2
    inside-address {
        address 192.168.2.37
        port 22
    }
    log disable
    protocol tcp
    type destination
}

Firewall wan_in:
rule 3 {
    action accept
    description ssh
    destination {
        address 192.168.2.37
        port 22
    }
    log disable
    protocol tcp
    source {
    }
}


Previous Employee

Re: Firewall or NAT first?

The NAT rule and the firewall rule look fine and should allow the NATed connection to go to the internal server (assuming "wan_in" is applied to the "in" direction of the WAN interface and no other NAT/firewall rules are affecting such connections).

 

Now for blocking port 22 to the router itself, as mentioned above this requires firewalling on the "local" direction. So do you have a ruleset for the "local" direction of the WAN interface and include a rule (either default or explicit) there to block such connections? Posting the whole config (using "Insert Code") is probably better since, for example, how the rulesets are applied to the interfaces also affects the result.
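Added example, not from the thread or from EdgeOS itself: a small Python model of the ordering explained above (DNAT first, then the "in" ruleset for forwarded traffic and the "local" ruleset for traffic addressed to the router), fed with the NAT rule 13 and wan_in rule 3 posted in this thread. The router's WAN address and the external source address are assumed placeholders from the documentation ranges.

```python
# Model of EdgeOS packet handling: destination NAT is applied before the firewall,
# then post-NAT traffic is filtered by the "in" (forwarded) or "local" (to router) ruleset.

ROUTER_WAN = "203.0.113.1"   # assumed WAN address of the router (placeholder)
LAN_HOST = "192.168.2.37"    # internal SSH server from the thread

# NAT rule 13 from the thread: tcp/8022 on the WAN interface -> 192.168.2.37:22
DNAT_RULES = [{"proto": "tcp", "dport": 8022, "to": (LAN_HOST, 22)}]

def dnat(pkt, rules):
    """Return the packet after destination NAT; the first matching rule wins."""
    for r in rules:
        if pkt["proto"] == r["proto"] and pkt["dport"] == r["dport"]:
            return {**pkt, "dst": r["to"][0], "dport": r["to"][1]}
    return pkt

def evaluate(ruleset, pkt):
    """First matching firewall rule wins; otherwise the ruleset's default-action applies."""
    for r in ruleset["rules"]:
        if all(pkt.get(k) == v for k, v in r["match"].items()):
            return r["action"]
    return ruleset["default"]

def firewall_decision(pkt, wan_in, wan_local, nat_rules=DNAT_RULES):
    """Apply DNAT, then pick the direction: 'local' if the router is the destination, else 'in'."""
    pkt = dnat(pkt, nat_rules)
    direction = "local" if pkt["dst"] == ROUTER_WAN else "in"
    ruleset = wan_local if direction == "local" else wan_in
    if ruleset is None:   # no ruleset applied to that direction: nothing is filtered there
        return direction, "accept"
    return direction, evaluate(ruleset, pkt)

# wan_in rule 3 from the thread: it must match the *translated* destination 192.168.2.37:22
WAN_IN = {"default": "drop",
          "rules": [{"action": "accept", "match": {"proto": "tcp", "dst": LAN_HOST, "dport": 22}}]}
# The piece the thread says is missing: a "local" ruleset that drops unsolicited WAN traffic
WAN_LOCAL = {"default": "drop", "rules": []}

def inbound(dport):
    # constructed packet from an Internet host to the router's WAN address
    return {"proto": "tcp", "src": "198.51.100.7", "dst": ROUTER_WAN, "dport": dport}

if __name__ == "__main__":
    for port in (8022, 22):
        print(port, firewall_decision(inbound(port), WAN_IN, None))       # no local ruleset: 22 reaches router
        print(port, firewall_decision(inbound(port), WAN_IN, WAN_LOCAL))  # with WAN_LOCAL: 22 dropped
```

Running it also reproduces the first post's observation: a wan_in rule written for port 8022 never matches, because by the time the firewall sees the connection its destination port is already 22.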

Member

Re: Firewall or NAT first?

Using the NAT rule and firewall rule I posted, everything is working as desired. When someone externally attempts to connect to port 22 they cannot. When someone externally attempts to connect to port 8022 they are redirected to my server running SSH (port 22) on my network. Internally I'm fine with port 22.