Migration to V18 NAT

I need to put another information into this thread.

NAT Policies uses first match! 

Be careful in case of DNAT / SNAT etc.

This operates just like the UTM then, NATs first then Firewall rules.

Emile

Hi Emile,

I'm pretty sure it's the other way:  firewall first then NAT.

The training slide was a little confusing to me at first with the NAT lookup at step 3 (packet flow).

Thanks,

John

Hello Axsom,

The (Pre/D)NAT will always occur first and Source NATs will always occur last, this is extremely common in iptables based system.

Please see below:

Emile

Hello Axsom,

The (Pre/D)NAT will always occur first and Source NATs will always occur last, this is extremely common in iptables based system.

Please see below:

Emile

Hi Emile,

Thanks for this.  I agree that the flow would appear that way based on the diagram, but the explanation I have received and in the handout indicates step 3 is simply a lookup so it knows what to do for the zone translation.  The actual DNAT is done post firewall rule processing.  At least that is how I interpret it.  I think a little clearer explanation from Sophos in the training would help alleviate a lot of the confusion.

Here is a snippet from page 45 of the Sophos EAP1 handout:

This diagram shows how packets flow through the firewall and NATing is applied.

When a packet arrives and the marking has been done the XG Firewall performs a NAT lookup for DNAT or Full NAT rules. If a NAT rule has been matched the destination zone is translated before the packet goes to the firewall. This means that the firewall will be matching rules based on the post-NAT destination zone and the pre-NAT IP address.

After the firewall either:

• The DNAT or Full NAT rule matched in step 3 is used to do the translation

• A second NAT lookup is done for SNAT rules or linked rules and this translation is applied

Finally the packet is delivered.

Thanks,

John

Hello Axsom,

I think, unfortunately, this confusion is down to the odd nature of the double touching of the firewall that has been chosen.

The NAT is definitely considered first, that is why the Firewall rules have to have the post NAT zone. The NAT then completes the forward after the firewall has "allowed it".

I don't agree with any of this design as it leads to too much confusion.

Emile

Hello all,

I'm sorry but I'm a little tired of how Sophos interprets the iptables packet flow. Please see the picture below, this is the classic iptables packet flow, only taken from the documentation for UTM v9.
What else do you want to think of when using iptables? Again you will invent the wheel, really?
Everything else is just "rape" of logical processes implemented natively in iptables. Yes, you can blatantly think that you will invent the wheel again, but you will only produce an unusable hybrid of incomprehensible existence.

Or do not use iptables, you have a choice ...

Regards

alda

Friends, it is so simple, so let me even simplify it more.

INPUT (yellow) = packets for internal programs on XG like WAF, SMTP proxy etc.

OUTPUT(yellow) = outgoing packets from internal programs on XG

FORWARD (yellow) = routed traffic

PREROUTING = DNAT (you have to change the destination address before routing)

POSTROUTING = SNAT (change it just before the packets will leave the system)

Important:

See the diagram -> if you use DNAT you will "steal" the packets from internal program.

So - for example it is not a good idead to do a DNAT for 25/tcp if you would like to use Email protection.

Hello Jindrich,

If it were that simple we wouldn't be discussing it so frankly

The issue we are discussing is that the Firewall rules double touch both pre and post NAT for incoming packet flow and it seems nonsensical.

Emile

I see. Totally agree. New NAT rules does not make sense at all. It is step back as in complex environments will be really hard to see whats related to what.

Hi Jindrich,

I don't see a problem with the NAT-ing, personally, but only with the firewall rules relation to DNATs that don't to me.

Emile