Nat proxy

Only available on BuenasTareas
  • Pages: 6 (1292 words)
  • Downloads: 0
  • Published: 16 January 2011
NETASQ TECHNICAL NOTE

NETASQ UTM Appliances HOW TO : Explicit redirection of traffic to proxies


INTRODUCTION
Proxies can be activated on NETASQ UTM appliances by automatically and implicitly defining filter and translation rules for the traffic that must pass through them. This is possible because proxies on NETASQ UTM appliances are capable of operating per interface. To use a proxy, subject to prior configuration by the administrator, the source port and the interface of the traffic to be redirected to the proxy must be known. Therefore, when the proxy is activated, all traffic arriving on the specified interface is redirected to it. In this case, the users or hosts that need (or need not) pass through the proxy cannot be selected individually, so this document offers an alternative solution that enables this form of filtering. The method is based on the deletion of the automatic proxy rules.

IMPLICIT RULES EXPLAINED
There are four different proxies on all UTM appliances: SMTP, POP3, HTTP (transparent and explicit mode) and FTP. Proxies are always bound to one or more interfaces:

The SMTP proxy in this case is bound to the interfaces IN and OUT with two different profiles. This way the UTM can be configured with different settings for incoming and outgoing email.


The HTTP proxy runs on port 8080, SMTP on port 8081, POP3 on port 8082 and FTP on port 8083. This gives the following implicit NAT rules:
> ipnat -l
List of active MAP/Redirect filters:
rdr lnc1 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp
rdr lnc1 0.0.0.0/0 port 25 -> 127.0.0.1 port 8081 tcp
rdr lnc1 0.0.0.0/0 port 110 -> 127.0.0.1 port 8082 tcp
rdr lnc1 0.0.0.0/0 port 21 -> 127.0.0.1 port 8083 tcp
rdr lnc0 0.0.0.0/0 port 25 -> 127.0.0.1 port 8081 tcp

Implicit filter rules for these proxies:
> sfctl -s filter | grep 80
0:0: pass attach http on in proto tcp from any to dynamic 0.0.0.0 port 8080
0:0: pass attach http on in proto tcp from any to 127.0.0.1 port 8080
0:0: pass attach smtp on in proto tcp from any to 127.0.0.1 port 8081
0:0: pass attach smtp on out proto tcp from any to 127.0.0.1 port 8081
0:0: pass attach pop3 on in proto tcp from any to 127.0.0.1 port 8082
0:0: pass attach ftp on in proto tcp from any to 127.0.0.1 port 8083

The first rule is for explicit HTTP, the second one for transparent HTTP. The third rule is for outgoing SMTP, the fourth for incoming SMTP. So for every proxy there are two implicit rules: one to NAT-redirect the traffic to the internal IP address on the proxy's port (except for explicit HTTP, which needs no NAT because clients address the proxy directly), and one to allow the traffic to the proxy port on the internal IP address.
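A consistency check over the two listings above, added here as an example and not code from the NETASQ note: it parses the ipnat and sfctl output and pairs every NAT redirect with the filter rule that admits traffic to the proxy port, which is exactly what must be verified again once implicit rules are deactivated and explicit ones written by hand. The sample listings are copied from the note; the regular expressions assume the output format shown there.

```python
import re

# Listings copied from the note's "ipnat -l" and "sfctl -s filter" output
IPNAT_OUTPUT = """List of active MAP/Redirect filters:
rdr lnc1 0.0.0.0/0 port 80 -> 127.0.0.1 port 8080 tcp
rdr lnc1 0.0.0.0/0 port 25 -> 127.0.0.1 port 8081 tcp
rdr lnc1 0.0.0.0/0 port 110 -> 127.0.0.1 port 8082 tcp
rdr lnc1 0.0.0.0/0 port 21 -> 127.0.0.1 port 8083 tcp
rdr lnc0 0.0.0.0/0 port 25 -> 127.0.0.1 port 8081 tcp"""
SFCTL_OUTPUT = """0:0: pass attach http on in proto tcp from any to dynamic 0.0.0.0 port 8080
0:0: pass attach http on in proto tcp from any to 127.0.0.1 port 8080
0:0: pass attach smtp on in proto tcp from any to 127.0.0.1 port 8081
0:0: pass attach smtp on out proto tcp from any to 127.0.0.1 port 8081
0:0: pass attach pop3 on in proto tcp from any to 127.0.0.1 port 8082
0:0: pass attach ftp on in proto tcp from any to 127.0.0.1 port 8083"""

# rdr <iface> <src> port <svc> -> <dst> port <proxy> <proto>
RDR_RE = re.compile(r"^rdr\s+(\S+)\s+\S+\s+port\s+(\d+)\s+->\s*(\S+)\s+port\s+(\d+)\s+(\w+)")
# ... pass attach <proxy> on <in|out> proto <p> from <src> to [dynamic] <dst> port <port>
PASS_RE = re.compile(r"pass\s+attach\s+(\w+)\s+on\s+(in|out)\s+proto\s+(\w+)"
                     r"\s+from\s+\S+\s+to\s+(?:dynamic\s+)?(\S+)\s+port\s+(\d+)")

def parse_redirects(text):
    """One dict per NAT redirect rule; the header line does not match and is skipped."""
    rules = []
    for m in (RDR_RE.match(line.strip()) for line in text.splitlines()):
        if m:
            iface, svc, dst, proxy, proto = m.groups()
            rules.append({"iface": iface, "service_port": int(svc), "dst": dst,
                          "proxy_port": int(proxy), "proto": proto})
    return rules

def parse_pass_rules(text):
    """Set of (dst, port, proto) that the 'pass attach' filter rules let through."""
    return {(m.group(4), int(m.group(5)), m.group(3))
            for m in map(PASS_RE.search, text.splitlines()) if m}

def check_proxy_rules(ipnat_text, sfctl_text):
    """Pair each redirect with a filter rule admitting traffic to the proxy port.
    A redirect with no such rule is an orphan: traffic is translated, then blocked."""
    allowed = parse_pass_rules(sfctl_text)
    paired, orphans = [], []
    for r in parse_redirects(ipnat_text):
        (paired if (r["dst"], r["proxy_port"], r["proto"]) in allowed else orphans).append(r)
    return paired, orphans
```

On the note's own listings every redirect is paired and the orphan list is empty; a hand-written translation rule whose proxy port has no matching pass rule shows up as an orphan.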

EXPLICIT REDIRECTION OF TRAFFIC TO PROXIES
Traffic can be redirected explicitly to a proxy in two steps:
1. Deactivation of the implicit rules,
2. Creation of explicit rules.

Deactivation of implicit rules
To enable the creation of explicit redirection rules, the implicit rule module has to be deactivated for the proxy to be filtered. The procedure is as follows:
1. Connect in console mode to the NETASQ UTM appliance to be configured and edit the file /usr/Firewall/ConfigFiles/NAT/nat,
2. In the “Config” section, assign the value “0” to the variable associated with the proxy concerned (HttpProxy to deactivate the HTTP proxy rules, for example),
3. Confirm the changes made and close the file.


Creation of explicit rules
As traffic towards proxies on NETASQ UTM appliances can no longer be redirected once the implicit NAT rules have been deactivated, the rules must be rewritten explicitly. Translation rules need to be created, so first prepare a slot according to the image below:

Firstly, an “explicit” translation rule has to be defined, which will redirect a certain type of traffic to a proxy on the NETASQ UTM appliance. In the example, HTTP...