CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
**Why Shouldn't You Hide the Firewall Interface?**

Contributed by BenSmith. Published in geeklog Thursday, June 26 2003 @ 12:42 PM EST. Published in oldfaq 2002-Nov-28 20:35 by dwelchATphoneboyDOTcom.

You can include the firewall's IP address in a "source" hide range. However, this is not recommended, as it may cause some unintended side effects. Earlier versions (3.0) of FireWall-1 did not recommend doing this.

Consider the following NAT rulebase. It has only the following rule:

| No. | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service |
|-----|-----------------|----------------------|------------------|-------------------|------------------------|--------------------|
| 1   | Internal-Net    | Any                  | Any              | FireWall(h)       | Orig                   | Orig               |

Assume that the firewall has an IP address on the Internal-Net. Now if any host on the Internal-Net (including the firewall) wants to initiate a connection to the outside network, it will be translated and hidden behind the firewall's external IP.

What happens if the firewall wants to initiate a connection to the inside network? Because the firewall's own address falls inside Internal-Net, the rule matches and the packet appears to come from the external interface (instead of the internal one). This may not be what you want.

You can address this in one of three ways:

1. Create two separate NAT ranges, one for all the IPs before the firewall's address and one for all the IPs after it. Put them into a group. Use this group instead of your Internal-Net object.

2. Put a NAT rule at the top of the rulebase that says: if the firewall originates a packet, do not translate it. E.g.:

| No. | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service |
|-----|-----------------|----------------------|------------------|-------------------|------------------------|--------------------|
| 1   | FireWall        | Any                  | Any              | Orig              | Orig                   | Orig               |
| 2   | Internal-Net    | Any                  | Any              | FireWall(h)       | Orig                   | Orig               |

3. Put a NAT rule before your hide rule that does not translate packets that both originate and terminate in the Internal-Net. E.g.:

| No. | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service |
|-----|-----------------|----------------------|------------------|-------------------|------------------------|--------------------|
| 1   | Internal-Net    | Internal-Net         | Any              | Orig              | Orig                   | Orig               |
| 2   | Internal-Net    | Any                  | Any              | FireWall(h)       | Orig                   | Orig               |

-- RayLodato - 07 Jan 2004

FAQs.Class: NetworkAddressTranslationFAQs
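The following Python model is an added example, not part of the original FAQ and not Check Point code. It evaluates each of the NAT rulebases above top-down, first match wins, and shows why the single hide rule translates the firewall's own packets to inside hosts while each of the three fixes leaves them alone. All addresses are constructed for the example: 10.0.0.0/24 stands for Internal-Net, 10.0.0.1 is the firewall's address on that network, 203.0.113.1 is its external (hide) address, and 10.0.0.50 / 198.51.100.7 are an inside and an outside host. Only the Translated Source column is modelled, since every rule above keeps destination and service as Orig; the object names and the `Rule`/`translated_source` helpers are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed addresses for this example (not from the FAQ).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
FW_INTERNAL = ipaddress.ip_address("10.0.0.1")     # firewall's leg on Internal-Net
FW_EXTERNAL = ipaddress.ip_address("203.0.113.1")  # firewall's external IP, the hide address
INSIDE_HOST = ipaddress.ip_address("10.0.0.50")
OUTSIDE_HOST = ipaddress.ip_address("198.51.100.7")

Addr = ipaddress.IPv4Address


def is_firewall(addr: Addr) -> bool:
    return addr in (FW_INTERNAL, FW_EXTERNAL)


# Network objects referenced by the rulebases, modelled as predicates over an address.
OBJECTS: Dict[str, Callable[[Addr], bool]] = {
    "Any": lambda a: True,
    "FireWall": is_firewall,
    "Internal-Net": lambda a: a in INTERNAL_NET,
    # Fix 1: the group of the two ranges on either side of the firewall's address,
    # i.e. Internal-Net with the firewall itself left out.
    "Internal-Net-Group": lambda a: a in INTERNAL_NET and not is_firewall(a),
}


@dataclass(frozen=True)
class Rule:
    src: str        # Original Source object
    dst: str        # Original Destination object
    xlate_src: str  # Translated Source: "Orig" or "FireWall(h)"


def translated_source(rulebase: List[Rule], src: Addr, dst: Addr) -> Addr:
    """Walk the NAT rulebase top-down and stop at the first rule whose source and
    destination objects both match. Returns the source address the packet leaves with."""
    for rule in rulebase:
        if OBJECTS[rule.src](src) and OBJECTS[rule.dst](dst):
            return FW_EXTERNAL if rule.xlate_src == "FireWall(h)" else src
    return src  # no rule matched: no translation


HIDE = Rule("Internal-Net", "Any", "FireWall(h)")

ONE_RULE = [HIDE]                                                  # the rulebase that causes the side effect
FIX_GROUP = [Rule("Internal-Net-Group", "Any", "FireWall(h)")]     # fix 1: hide the group, not Internal-Net
FIX_FW_FIRST = [Rule("FireWall", "Any", "Orig"), HIDE]             # fix 2: firewall-originated packets untouched
FIX_INTERNAL_TO_INTERNAL = [Rule("Internal-Net", "Internal-Net", "Orig"), HIDE]  # fix 3: internal-to-internal untouched


def side_effect_present(rulebase: List[Rule]) -> bool:
    """True if a packet the firewall sends to an inside host would leave with the external IP."""
    return translated_source(rulebase, FW_INTERNAL, INSIDE_HOST) == FW_EXTERNAL


if __name__ == "__main__":
    cases = [
        ("fw -> inside", FW_INTERNAL, INSIDE_HOST),
        ("fw -> outside", FW_INTERNAL, OUTSIDE_HOST),
        ("inside -> outside", INSIDE_HOST, OUTSIDE_HOST),
        ("inside -> inside", INSIDE_HOST, ipaddress.ip_address("10.0.0.60")),
    ]
    for name, rb in [("one rule", ONE_RULE), ("fix 1 group", FIX_GROUP),
                     ("fix 2 fw first", FIX_FW_FIRST), ("fix 3 int->int", FIX_INTERNAL_TO_INTERNAL)]:
        print(f"{name}: side effect = {side_effect_present(rb)}")
        for label, s, d in cases:
            print(f"  {label:18} {s} -> {translated_source(rb, s, d)}")
```

Running it shows the trade-off between the fixes that the tables alone do not: fix 2 also leaves the firewall's own outbound packets untranslated (they leave from 10.0.0.1 instead of being hidden), while fix 3 leaves every internal-to-internal packet untranslated, which only matters for inside traffic that actually passes through the firewall. Fix 1 changes nothing except removing the firewall's address from the hide range.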