Migration to V18 NAT

Hi guys, 


There was a little conversation about the migration of NAT in V18.

Just a little information / explanation of how I interact with the V18 migration.

If you migrate to V18, the MASQ rules in the firewall policies are gone. Those rules are migrated to Linked NAT rules, which basically do the same.

But you will get some of those rules.

For example:

You can actually replace those rules with a new SNAT Rule.

This new rule has to match on your internal interface and your external interface.

For example:

This will actually match if you put it on top of your rule set.

My suggestion would be: place a top rule like that in your rule set and reset the counters of all other rules below.

So you can actually verify that your new SNAT rule is matching against everything.

All Linked NAT rules should have a usage of 0.

If that is the case for a longer period, start to delete those Linked NAT rules.

The new Rule set should be clean. 

  • Hello Axsom,

    The (Pre/D)NAT will always occur first and Source NATs will always occur last; this is extremely common in iptables-based systems.

    Please see below:

    Emile

  • Hi Emile,

    Thanks for this. I agree that the flow would appear that way based on the diagram, but the explanation I have received and in the handout indicates step 3 is simply a lookup so it knows what to do for the zone translation. The actual DNAT is done post firewall rule processing. At least that is how I interpret it. I think a little clearer explanation from Sophos in the training would help alleviate a lot of the confusion.

    Here is a snippet from page 45 of the Sophos EAP1 handout:

    This diagram shows how packets flow through the firewall and NATing is applied.

    When a packet arrives and the marking has been done the XG Firewall performs a NAT lookup for DNAT or Full NAT rules. If a NAT rule has been matched the destination zone is translated before the packet goes to the firewall. This means that the firewall will be matching rules based on the post-NAT destination zone and the pre-NAT IP address.

    After the firewall either:

    • The DNAT or Full NAT rule matched in step 3 is used to do the translation

    • A second NAT lookup is done for SNAT rules or linked rules and this translation is applied

    Finally the packet is delivered.

    Thanks,

    John

  • Hello Axsom,

    I think, unfortunately, this confusion is down to the odd nature of the double touching of the firewall that has been chosen.

    The NAT is definitely considered first, that is why the Firewall rules have to have the post NAT zone. The NAT then completes the forward after the firewall has "allowed it".

    I don't agree with any of this design as it leads to too much confusion.

    Emile

  • Hello all,

    I'm sorry but I'm a little tired of how Sophos interprets the iptables packet flow. Please see the picture below, this is the classic iptables packet flow, only taken from the documentation for UTM v9.
    What else do you want to think of when using iptables? Again you will invent the wheel, really?
    Everything else is just "rape" of logical processes implemented natively in iptables. Yes, you can blatantly think that you will invent the wheel again, but you will only produce an unusable hybrid of incomprehensible existence.

    Or do not use iptables, you have a choice ...

    Regards

    alda

  • Friends, it is so simple, so let me even simplify it more.

    INPUT (yellow) = packets for internal programs on XG like WAF, SMTP proxy etc.

    OUTPUT(yellow) = outgoing packets from internal programs on XG

    FORWARD (yellow) = routed traffic

    PREROUTING = DNAT (you have to change the destination address before routing)

    POSTROUTING = SNAT (change it just before the packets will leave the system)

    Important:

    See the diagram -> if you use DNAT you will "steal" the packets from internal program.

    So - for example it is not a good idea to do a DNAT for 25/tcp if you would like to use Email protection.

    Jindrich Rosicka

    awin IT

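The two points above that can be checked mechanically are the first post's verification step (put one SNAT rule on top, reset counters, expect every Linked NAT rule to stay at 0) and Jindrich's chain summary (PREROUTING = DNAT before routing, POSTROUTING = SNAT on the way out, and a DNAT on 25/tcp "stealing" packets that would otherwise reach a local program). The following Python is an added toy model of that packet flow; it is not Sophos XG code or anything posted in this thread. The interface names, addresses, rule names and the sample packets are all constructed for the example, and the model deliberately treats the firewall stage as a single chain name rather than reproducing the pre/post-NAT zone matching the thread is debating.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed topology (assumption): LAN behind eth0, Internet on eth1,
# the firewall's own WAN address is 203.0.113.10 (documentation range).
INT_IF, EXT_IF = "eth0", "eth1"
LAN = ipaddress.ip_network("192.168.1.0/24")
FW_WAN_IP = "203.0.113.10"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str
    out_if: Optional[str] = None
    path: List[str] = field(default_factory=list)   # chains the packet passed


@dataclass
class NatRule:
    name: str
    kind: str                         # "DNAT" (PREROUTING) or "SNAT" (POSTROUTING)
    to: str                           # translated address
    pred: Callable[[Packet], bool]    # match condition
    hits: int = 0                     # the "usage" counter the first post relies on


def _first_match(rules, kind, pkt):
    """First-match semantics per chain, as in an iptables nat table."""
    for r in rules:
        if r.kind == kind and r.pred(pkt):
            r.hits += 1
            return r
    return None


def route(pkt):
    """Routing decision after PREROUTING: local delivery (INPUT) or FORWARD."""
    if pkt.dst == FW_WAN_IP:
        return "INPUT"
    pkt.out_if = INT_IF if ipaddress.ip_address(pkt.dst) in LAN else EXT_IF
    return "FORWARD"


def deliver(pkt, rules):
    """Push one packet through PREROUTING -> routing -> (INPUT|FORWARD) -> POSTROUTING."""
    pkt.path.append("PREROUTING")
    d = _first_match(rules, "DNAT", pkt)
    if d:
        pkt.dst = d.to                       # destination changed before routing
        pkt.path.append(f"DNAT:{d.name}")
    chain = route(pkt)
    pkt.path.append(chain)
    if chain == "INPUT":
        return pkt                           # consumed by a local program; no POSTROUTING
    pkt.path.append("POSTROUTING")
    s = _first_match(rules, "SNAT", pkt)
    if s:
        pkt.src = s.to                       # source changed just before leaving
        pkt.path.append(f"SNAT:{s.name}")
    return pkt


def build_migrated_table():
    """Constructed post-migration table: one new top SNAT rule, then two
    'linked' rules standing in for migrated MASQ rules."""
    in_lan = lambda p: ipaddress.ip_address(p.src) in LAN
    return [
        NatRule("top-snat", "SNAT", FW_WAN_IP,
                lambda p: p.in_if == INT_IF and p.out_if == EXT_IF),
        NatRule("linked-web", "SNAT", FW_WAN_IP,
                lambda p: in_lan(p) and p.dport in (80, 443)),
        NatRule("linked-dns", "SNAT", FW_WAN_IP,
                lambda p: in_lan(p) and p.dport == 53),
    ]


def lan_to_internet_sample():
    """Constructed LAN -> Internet packets (web, DNS and one unmatched SSH flow)."""
    return [Packet("192.168.1.20", "198.51.100.5", 443, INT_IF),
            Packet("192.168.1.21", "198.51.100.53", 53, INT_IF),
            Packet("192.168.1.22", "198.51.100.8", 22, INT_IF)]


def usage_after(rules, packets):
    """Reset every counter, push the packets through, return {rule: hits}."""
    for r in rules:
        r.hits = 0
    for p in packets:
        deliver(p, rules)
    return {r.name: r.hits for r in rules}


def usage_without_top_rule():
    """Same traffic with the top rule removed: the linked rules fire again."""
    return usage_after(build_migrated_table()[1:], lan_to_internet_sample())


def smtp_with_and_without_dnat():
    """Inbound 25/tcp to the firewall: local delivery vs. diverted by a DNAT."""
    inbound = lambda: Packet("198.51.100.99", FW_WAN_IP, 25, EXT_IF)
    no_dnat = deliver(inbound(), [])
    dnat = [NatRule("smtp-dnat", "DNAT", "192.168.1.25",
                    lambda p: p.in_if == EXT_IF and p.dport == 25)]
    with_dnat = deliver(inbound(), dnat)
    return no_dnat.path, with_dnat.path


if __name__ == "__main__":
    print(usage_after(build_migrated_table(), lan_to_internet_sample()))
    print(usage_without_top_rule())
    print(smtp_with_and_without_dnat())
```

With the top rule in place every LAN-to-Internet packet is counted by it and both linked rules stay at 0, which is exactly the state the first post says to wait for before deleting them; dropping the top rule shows the linked rules are only shadowed, not dead. The SMTP case shows why a DNAT on 25/tcp and a local SMTP proxy cannot coexist: the translated packet is routed into FORWARD and never reaches INPUT.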
  • Hello Jindrich,

    If it were that simple, we wouldn't be discussing it so frankly.

    The issue we are discussing is that the Firewall rules double touch both pre and post NAT for incoming packet flow and it seems nonsensical.

    Emile

  • I see. Totally agree. New NAT rules do not make sense at all. It is a step back, as in complex environments it will be really hard to see what's related to what.

    Jindrich Rosicka

    awin IT

  • Hi Jindrich,

    I don't see a problem with the NAT-ing, personally, but only with the firewall rules' relation to DNATs, which doesn't to me.

    Emile