In this post, I wanted to post a reminder of Fortinet's life-of-a-packet diagram and of what actions are taken, and where, on a flow or connection between two interfaces.
In almost all firewalls, the objective is to allow packets to flow between two interfaces, regardless of whether the interfaces are L2 (transparent mode) or L3 (routed, aka NAT mode), once a firewall policy has been configured to allow that traffic (an "accept" action).
Take a look at the diagram; I highlighted both DNAT and SNAT.
A DNAT (destination NAT) is, for all practical purposes, a VIP. In Linux iptables it lives in the PREROUTING chain, because the translation takes place before we look into the routing information base (RIB); the route lookup is therefore done on the translated (mapped) destination, not on the VIP address.
SNAT (source NAT), on the other hand, is always processed after we have determined which interface to route out of (the POSTROUTING chain in iptables, or the policy's NAT option on a FortiGate), since the new source address depends on the egress interface.
In all cases, regardless of direction, advanced security features are applied only after we have found the matching policy, and only the features enabled on that policy are applied. This could be an IPS sensor, a URL/web filter, etc. In other words, the policy lookup, not the route lookup, decides what inspection a flow gets.
uRPF checks are also critical, since a modern firewall will drop packets for which there is no loose or strict route back to the source. Keep in mind that unicast routing is always determined by the destination; a router/firewall without uRPF does not care much about the source address when making its routing decision. Loose mode only asks whether any route covers the source (with a default route installed, that passes nearly any source), while strict mode additionally requires that the best route for the source point back out the interface the packet arrived on, which is why strict mode breaks with asymmetric routing.
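To make the ordering concrete, here is an added toy model of the forwarding path described above (pre-routing DNAT/VIP, route lookup, uRPF, policy lookup, security profiles, post-routing SNAT). It is example code written for this post, not Fortinet's or Linux's code; the interfaces, addresses (RFC 5737/1918 ranges), VIP, routes and policies are constructed for the illustration, and the uRPF semantics are the simplified loose/strict rules stated above.

```python
"""Toy life-of-a-packet model (added illustration, not vendor code).

Order modelled: DNAT (VIP) -> route lookup -> uRPF -> policy lookup
-> security profiles -> SNAT.  All tables below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


@dataclass
class Policy:
    src_iface: str
    dst_iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None = any port
    action: str                 # "accept" or "deny"
    nat: bool = False           # SNAT to the egress interface address
    profiles: tuple = ()        # e.g. ("ips",); applied only on accept


# Constructed topology: one WAN, one LAN, one DMZ (hypothetical addresses).
IFACE_ADDR = {"wan1": "203.0.113.2", "lan": "10.1.1.1", "dmz": "192.168.1.1"}
ROUTES = [Route(ipaddress.ip_network(p), i) for p, i in
          [("0.0.0.0/0", "wan1"), ("10.0.0.0/8", "lan"), ("192.168.1.0/24", "dmz")]]
VIPS = {"203.0.113.10": "192.168.1.10"}   # external VIP -> mapped internal host
POLICIES = [
    # Inbound to the DMZ web server: matched on the mapped address, IPS on.
    Policy("wan1", "dmz", ipaddress.ip_network("0.0.0.0/0"),
           ipaddress.ip_network("192.168.1.10/32"), 443, "accept", profiles=("ips",)),
    # Outbound from LAN: NAT to wan1 address, web filter + IPS on.
    Policy("lan", "wan1", ipaddress.ip_network("10.0.0.0/8"),
           ipaddress.ip_network("0.0.0.0/0"), None, "accept", nat=True,
           profiles=("webfilter", "ips")),
]


def route_lookup(addr):
    """Longest-prefix match. Unicast routing looks only at this one address."""
    best = None
    for r in ROUTES:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_ok(src, in_iface, mode):
    """loose: any route (default included) covers the source.
    strict: the best route for the source points back out in_iface."""
    r = route_lookup(src)
    if r is None:
        return False
    return True if mode == "loose" else r.iface == in_iface


def policy_lookup(in_iface, out_iface, src, dst, dport):
    """Top-down first match on the interface pair and translated addresses."""
    for p in POLICIES:
        if (p.src_iface == in_iface and p.dst_iface == out_iface and src in p.src
                and dst in p.dst and (p.dport is None or p.dport == dport)):
            return p
    return None  # implicit deny


def process(in_iface, src, dst, dport, urpf_mode="strict"):
    """Return a trace of the decisions taken for one forward-direction packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    trace = {"in": in_iface, "orig_src": str(src), "orig_dst": str(dst)}
    # 1. Pre-routing DNAT: the VIP is rewritten before the RIB is consulted.
    if str(dst) in VIPS:
        dst = ipaddress.ip_address(VIPS[str(dst)])
    trace["dst"] = str(dst)
    # 2. Route lookup on the (possibly translated) destination.
    r = route_lookup(dst)
    if r is None:
        trace["verdict"] = "drop: no route"
        return trace
    trace["out"] = r.iface
    # 3. uRPF on the source address.
    if not urpf_ok(src, in_iface, urpf_mode):
        trace["verdict"] = "drop: %s uRPF" % urpf_mode
        return trace
    # 4. Policy lookup on interface pair + translated addresses + port.
    p = policy_lookup(in_iface, r.iface, src, dst, dport)
    if p is None or p.action != "accept":
        trace["verdict"] = "drop: policy"
        return trace
    # 5. Security profiles run only once an accept policy has matched.
    trace["profiles"] = list(p.profiles)
    # 6. Post-routing SNAT: needs the egress interface, so it comes last.
    trace["src"] = IFACE_ADDR[r.iface] if p.nat else str(src)
    trace["verdict"] = "accept"
    return trace


if __name__ == "__main__":
    print(process("wan1", "198.51.100.5", "203.0.113.10", 443))
    print(process("lan", "10.1.1.5", "8.8.8.8", 53))
    print(process("wan1", "10.1.1.5", "203.0.113.10", 443, "strict"))
    print(process("wan1", "10.1.1.5", "203.0.113.10", 443, "loose"))
```

Running the four calls in the `__main__` block shows the points made above: the inbound packet is routed to dmz only because the VIP was translated first, the LAN packet gets its source rewritten to the wan1 address only after the egress interface is known, a spoofed 10.1.1.5 source arriving on wan1 is dropped by strict uRPF, and the same packet is accepted under loose uRPF because the default route covers it.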
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \