
What happens now?
• External traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. Correct.
• Return traffic from wwwsrv:80 will match rules 2 and 3. The replies will therefore be
dynamically address translated, which rewrites their source port to a completely different
port. Since the client expects the reply to come from port 80, this will not work.
The problem can be solved using the following rule set:
#  Action   Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT      any        all-nets  core        wan_ip    http SETDEST wwwsrv 80
2  SAT      lan        wwwsrv    any         all-nets  80 -> All SETSRC wan_ip 80
3  FwdFast  lan        wwwsrv    any         all-nets  80 -> All
4  NAT      lan        lannet    any         all-nets  All
5  FwdFast  lan        wwwsrv    any         all-nets  80 -> All
• External traffic to wan_ip:80 will match rules 1 and 5 and will be sent to wwwsrv.
• Return traffic from wwwsrv:80 will match rules 2 and 3.
• Internal traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. The sender
address will be the NetDefend Firewall's internal IP address, guaranteeing that return traffic
passes through the NetDefend Firewall.
• Return traffic will automatically be handled by the NetDefend Firewall's stateful inspection
mechanism.
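The evaluation order that the bullets above describe (a SAT rule only rewrites addresses, and the same untranslated connection must then also match a later non-SAT rule that decides how it is forwarded) can be checked with a small model. The following Python is an added example and is not code from the manual or from NetDefendOS: the address values, the dynamic port the NAT engine picks, and the interface lookup are assumptions. It evaluates the rule set listed on the page against the reply from wwwsrv:80 and against internal traffic to wan_ip:80, and also shows the broken behaviour from the earlier discussion by removing the FwdFast rules so that the reply falls through to the NAT rule and loses its source port.

```python
"""Toy model of NetDefendOS-style SAT evaluation (constructed example, not
the product's code). Addresses and the dynamic NAT port are assumed values."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address book (assumed values, not from the manual)
WAN_IP = "198.51.100.10"       # wan_ip
LAN_IP = "192.168.1.1"         # the firewall's own internal address
WWWSRV = "192.168.1.80"        # wwwsrv
LANNET = "192.168.1.0/24"      # lannet
FIREWALL_IPS = {WAN_IP, LAN_IP}
DYNAMIC_PORT = 40001           # assumed port chosen by the NAT engine


@dataclass(frozen=True)
class Packet:
    src_iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                  # "SAT", "FwdFast" or "NAT"
    src_iface: str               # "any", "lan", "wan"
    src_net: str                 # "all-nets", a host or a network
    dst_iface: str               # "any", "core", "lan", "wan"
    dst_net: str
    service: str                 # "All", "http" or "80 -> All"
    sat: Optional[tuple] = None  # ("SETDEST"|"SETSRC", ip, port)


def in_net(ip: str, net: str) -> bool:
    if net == "all-nets":
        return True
    if "/" not in net:
        return ip == net
    return ip_address(ip) in ip_network(net)


def dst_iface_of(pkt: Packet) -> str:
    """'core' is the firewall itself; otherwise a simplified route lookup."""
    if pkt.dst_ip in FIREWALL_IPS:
        return "core"
    return "lan" if in_net(pkt.dst_ip, LANNET) else "wan"


def service_matches(service: str, pkt: Packet) -> bool:
    if service == "All":
        return True
    if service == "http":
        return pkt.dst_port == 80
    if service == "80 -> All":   # source port 80, any destination port
        return pkt.src_port == 80
    raise ValueError(service)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_iface in ("any", pkt.src_iface)
            and in_net(pkt.src_ip, rule.src_net)
            and rule.dst_iface in ("any", dst_iface_of(pkt))
            and in_net(pkt.dst_ip, rule.dst_net)
            and service_matches(rule.service, pkt))


def evaluate(rules: list, pkt: Packet) -> dict:
    """Return the rule numbers consulted, the packet as it leaves, and the verdict."""
    matched, out, sat_done = [], pkt, False
    for rule in rules:
        if not rule_matches(rule, pkt):   # every rule matches the untranslated packet
            continue
        if rule.action == "SAT":
            if sat_done:                  # only the first matching SAT rule applies
                continue
            kind, ip, port = rule.sat
            out = (replace(out, dst_ip=ip, dst_port=port) if kind == "SETDEST"
                   else replace(out, src_ip=ip, src_port=port))
            matched.append(rule.num)
            sat_done = True
            continue
        matched.append(rule.num)
        if rule.action == "NAT":
            # Dynamic translation: the source becomes the firewall's address on
            # the egress side and the source port is replaced by a dynamic port.
            nat_ip = LAN_IP if dst_iface_of(out) == "lan" else WAN_IP
            out = replace(out, src_ip=nat_ip, src_port=DYNAMIC_PORT)
        return {"matched": matched, "packet": out, "verdict": rule.action}
    return {"matched": matched, "packet": out, "verdict": "drop"}


# The rule set as listed on the page
RULES = [
    Rule(1, "SAT", "any", "all-nets", "core", WAN_IP, "http", ("SETDEST", WWWSRV, 80)),
    Rule(2, "SAT", "lan", WWWSRV, "any", "all-nets", "80 -> All", ("SETSRC", WAN_IP, 80)),
    Rule(3, "FwdFast", "lan", WWWSRV, "any", "all-nets", "80 -> All"),
    Rule(4, "NAT", "lan", LANNET, "any", "all-nets", "All"),
    Rule(5, "FwdFast", "lan", WWWSRV, "any", "all-nets", "80 -> All"),
]

REPLY = Packet("lan", WWWSRV, 80, "203.0.113.7", 51515)   # constructed external client


def return_traffic() -> dict:
    """wwwsrv:80 replying to an external client: rules 2 and 3, source port kept."""
    return evaluate(RULES, REPLY)


def return_traffic_without_fwdfast() -> dict:
    """The broken case: without FwdFast the reply hits the NAT rule and loses port 80."""
    return evaluate([r for r in RULES if r.action != "FwdFast"], REPLY)


def internal_traffic() -> dict:
    """A lannet host connecting to wan_ip:80: rules 1 and 4, source becomes LAN_IP."""
    return evaluate(RULES, Packet("lan", "192.168.1.50", 45000, WAN_IP, 80))


if __name__ == "__main__":
    for name, fn in [("reply", return_traffic), ("reply, no FwdFast", return_traffic_without_fwdfast),
                     ("internal", internal_traffic)]:
        print(name, fn())
```

The model deliberately matches every rule against the untranslated packet, which is why internal traffic to wan_ip:80 hits rule 4 even though its destination has already been rewritten to wwwsrv; the NAT verdict then sets the source to the firewall's internal address so that wwwsrv's reply is routed back through the firewall rather than directly to the client.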
7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation
353