Address Translation In D-Link Firewall - D-Link DFL-1600 User Manual

Network security firewall

source and destination address and port numbers - it is possible to validate
any or all of this information before passing the traffic. This checking helps
the firewall to protect a private LAN against attacks from the outside.
The NAT mechanism discards all traffic that does not match a mapping table
entry; therefore it is also regarded as a security device. However, NAT is
not a substitute for firewall rules. There are TCP and UDP ports open
corresponding to applications and services running on the NAT device. If the
NAT device is a computer, rather than a dedicated firewall, then the computer
is vulnerable to attack. Therefore, the recommendation is to use a
NAT-enabled firewall with rule settings specified for traffic.

14.2.3 Address translation in D-Link Firewall

D-Link firewalls support two types of address translation: dynamic (NAT
hide), and static (SAT).

Dynamic Network Address Translation

The process of dynamic address translation involves the translation of
multiple sender addresses into one or more sender addresses; for example,
private IP addresses are mapped to a set of public IP addresses.

Example:

Dynamic NAT
            Sender                   Server
            192.168.1.5 : 1038       195.55.66.77 : 80
FW tran     195.11.22.33 : 32789     195.55.66.77 : 80
reply       195.11.22.33 : 32789     195.55.66.77 : 80
FW rest     192.168.1.5 : 1038       195.55.66.77 : 80

Table 14.1: Dynamic NAT.

Table 14.1 shows an example of dynamic NAT. The sender, e.g. 192.168.1.5,
sends a packet from a dynamically assigned port, for instance, port 1038, to
a server, e.g. 195.55.66.77 port 80.

Usually, the firewall translates the sender address to the address of the
interface closest to the destination address. In this example, we use
195.11.22.33 as the public address. In addition, the firewall changes the

D-Link Firewalls User's Guide
Chapter 14. IP Rules
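
The exchange in Table 14.1 as a small simulation, added here as an example and not taken from the D-Link manual or firmware; it also shows the earlier point that inbound traffic without a mapping table entry is discarded. The class and method names, the sequential port allocation starting at 32789, the second host 192.168.1.6 and the outside host 203.0.113.9 are assumptions made for illustration.

```python
# Added illustration of dynamic NAT (NAT hide); not D-Link firmware code.
# Addresses are those of Table 14.1; class and method names are hypothetical.
class DynamicNat:
    def __init__(self, public_ip, first_port=32789):
        self.public_ip = public_ip
        self.next_port = first_port  # assumption: sequential port allocation
        self.out = {}    # (private endpoint, server) -> public port
        self.back = {}   # (public port, server) -> private endpoint

    def translate(self, src, dst):
        """Outbound: replace the private sender with the public address."""
        key = (src, dst)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, dst)] = src
            self.next_port += 1
        return (self.public_ip, self.out[key]), dst

    def restore(self, src, dst):
        """Inbound: restore the private receiver, or None to discard."""
        ip, port = dst
        # Assumption: an entry matches only the server the sender contacted.
        private = self.back.get((port, src)) if ip == self.public_ip else None
        if private is None:
            return None  # no mapping table entry, so the packet is discarded
        return src, private


def demo():
    nat = DynamicNat("195.11.22.33")
    sender, server = ("192.168.1.5", 1038), ("195.55.66.77", 80)
    sent = nat.translate(sender, server)               # "FW tran" row
    restored = nat.restore(server, sent[0])            # "reply" and "FW rest" rows
    second = nat.translate(("192.168.1.6", 1038), server)  # constructed 2nd host
    stranger = nat.restore(("203.0.113.9", 80), sent[0])   # constructed outsider
    unmapped = nat.restore(server, ("195.11.22.33", 40000))
    return sent, restored, second, stranger, unmapped


if __name__ == "__main__":
    for result in demo():
        print(result)
```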
