Typically, port forwards are used to forward requests that arrive at an external network interface to a network host in an internal network zone. It's common to think of such requests arriving from hosts on the Internet. However, port forwards can be used to forward any type of traffic that arrives at an interface, regardless of whether the interface connects to the Internet or some other network zone. You can also create port forwarding rules for requests from an internal network address.
For example, you can create a port forward rule to forward HTTP requests on port 80 to a web server listening on port 81 in a Demilitarized Zone (DMZ). If the web server has an IP address of 192.168.2.60, you can create a port forward rule to forward all port 80 TCP traffic to port 81 on 192.168.2.60.
A port forward rule defines the path that matching traffic takes through the Smoothwall, using the following fields:
- Client IP addresses: Traffic coming from these IP addresses. Leave blank for all (default).
- Local IP (Interface): The interface the traffic arrives on (the Internet-facing IP address).
- Service: The services the traffic is trying to reach (for example, a web server on TCP ports 80 and 443).
- Target IP address: The internal IP address of the hosting server.
- Ports: The service ports on the hosting server.
Note: Consider the security implications of each new port forward rule. A network is only as secure as the services made available on it. Port forwards allow unknown hosts on the external network to reach an internal host. If a hacker or cracker manages to break into the host that traffic is forwarded to, they might gain access to other hosts in the network. For this reason, we recommend directing all port forwards to hosts in isolated network zones that preferably contain no confidential or security-sensitive hosts. Use the Firewall rules page to make sure that the target host of the port forward is contained within a suitably isolated network, that is, a DMZ.
Port forward rules are applied in the top-down order they're listed in the Port forwards table. Once a match is found, no further searching is made.
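To make the rule fields above and the top-down, first-match evaluation concrete, here is a small Python model of the Port forwards table. It is an added example, not Smoothwall code; the interface and client addresses, the round-robin balancing policy for multiple targets, and the three-row table (built around the page's port 80 to 192.168.2.60:81 example) are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

EXTERNAL_IP = "198.51.100.1"  # constructed: address of the Internet-facing interface

@dataclass
class PortForward:
    """One row of the Port forwards table, using the fields listed on this page."""
    comment: str
    services: set = field(default_factory=set)       # {(proto, port)}; empty = all services
    targets: list = field(default_factory=list)      # internal hosts; more than one = load balanced
    target_port: Optional[int] = None                # None = keep the incoming destination port
    client_ips: list = field(default_factory=list)   # CIDR strings; empty = any client
    local_ip: str = EXTERNAL_IP                      # interface the traffic arrives on
    cursor: int = 0                                  # round-robin position (assumed balancing policy)

    def matches(self, pkt: dict) -> bool:
        if pkt["dst_ip"] != self.local_ip:
            return False
        if self.client_ips and not any(ip_address(pkt["src_ip"]) in ip_network(c) for c in self.client_ips):
            return False
        return not self.services or (pkt["proto"], pkt["dst_port"]) in self.services

    def pick_target(self) -> str:
        host = self.targets[self.cursor % len(self.targets)]
        self.cursor += 1
        return host

def forward(rules: list, pkt: dict):
    """Walk the table top-down; the first matching rule decides and no later rule is consulted."""
    for rule in rules:
        if rule.matches(pkt):
            port = pkt["dst_port"] if rule.target_port is None else rule.target_port
            return rule.comment, rule.pick_target(), port
    return None  # no port forward applies; the packet is left to the firewall rules

def make_rules() -> list:
    """Constructed table: the page's 80 -> 192.168.2.60:81 example plus two more rows."""
    return [
        PortForward("Admin SSH to DMZ jump host", {("tcp", 22)}, ["192.168.2.10"],
                    client_ips=["203.0.113.0/24"]),
        PortForward("Web to DMZ web server", {("tcp", 80)}, ["192.168.2.60"], target_port=81),
        PortForward("HTTPS across two DMZ hosts", {("tcp", 443)}, ["192.168.2.61", "192.168.2.62"]),
    ]

def packet(src_ip: str, dst_port: int, proto: str = "tcp") -> dict:
    """Constructed inbound packet arriving on the external interface."""
    return {"src_ip": src_ip, "dst_ip": EXTERNAL_IP, "proto": proto, "dst_port": dst_port}
```

Placing a rule with blank Client IP addresses and blank Service above the others makes every later rule unreachable, which is the ordering caveat that top-down evaluation implies.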
Use this page to forward requests that arrive at an external network interface to a network host in an internal network zone.
Procedure
- On the NETWORK menu, under the Configuration submenu, click Port forwards.
- Either click Add port forward or find the rule that you want to place the new rule before or after, place your mouse cursor over the rule, click Add and then click either Rule above or Rule below.
- Either select the Client IP addresses that this rule port forwards and click Add, or leave this blank to apply the rule to all client IP addresses.
- To add a new object or group directly, click Create and select the Type that you want to add, enter the Name, Address or select the Address objects and enter a descriptive Comment, and then click Add item.
- To remove the object or group, click the - icon next to the IP address that you want to remove.
- From the Local IP list, select the relevant interface that requests are received on. All traffic received on this interface is port forwarded, unless Client IP addresses are specified.
- Select the Services to be port forwarded and click Add, or leave this blank to include all services.
- To add a new service or group directly, click Create and select the Type that you want to add, enter the Name, Address or select the Address objects and enter a descriptive Comment, and then click Add item.
- To remove the object, click the - icon next to the service that you want to remove.
- Select the relevant Target IP addresses that traffic is forwarded to. If multiple IP addresses are selected, port forwarded traffic is load balanced across them.
- To add a new address object or group directly, click Create, select the Type that you want to add, enter the Name and either Address or select the Address objects to add to the group, enter a descriptive Comment and click Add item.
- To remove the object or group, click the - icon next to the IP address that you want to remove.
- Either enter the Target port number that traffic is forwarded to, or leave this blank to preserve the destination port used in the incoming packet, where applicable.
- To log all matching traffic to the Smoothwall Firewall log, select the Log connection option.
- To deploy intrusion prevention for traffic by using this rule, select the Intrusion Prevention System (IPS) option.
- Enter a descriptive Comment and click Save changes.
Follow-up tasks
- To edit a rule, under the Port forward rules section, place your mouse cursor over the rule that you want to amend, click Edit, make your changes and click Save changes.
- To move a rule, under the Port forward rules section, place your mouse cursor over the rule that you want to move and drag it to the position that you want, and then click Save.
- To delete a rule, under the Port forward rules section, place your mouse cursor over the rule that you want to delete and click Delete.