This article applies to the Smoothwall Filter & Firewall On-Prem solution in either Hardware or VM form.
A Primer on Port Forwarding
When deployed as an in-line Firewall, you may be required to permit external access to your LAN to make locally hosted services available to remote users. This could simply be opening up access to a public-facing web server, or allowing specific access to on-site infrastructure management tools for third-party support groups.
Port Forward rules, as part of the Firewall module, permit this access to be set up. Port-forward rules provide a destination-NAT (DNAT) service with optional Port Address Translation (PAT). The policies can also be configured to have IPS scanning run on them on a per-policy basis for added security.
In short, Port Forward rules are used when external users require access to LAN resources; as such, they can be considered 'inbound' Firewall rules. Because the Firewall module uses connection tracking, no corresponding 'outbound' Firewall rules are required for Port Forwards.
Any 'inbound' traffic which does not match a Port Forward policy is rejected or dropped by the Firewall and logged as 'bad external traffic'.
Understanding Policy Elements
The Port Forward policies are made up of the following elements:
- Client IP: This defines the expected IP address(es) or public range that should be permitted across the Firewall. Defaults to Any.
- Local IP: The external IP address on the Smoothwall which users will be accessing either directly or via a publicly resolvable hostname.
NOTE: Where multiple internal interfaces are configured, they may also be available to provide internal-only port forwards if required.
- Services: The TCP/UDP ports or named services (custom or preset) that are to be permitted across the Firewall. Defaults to Any.
- Target IPs: The IP address of the internal resource the traffic should be forwarded to.
- Target Port: Where Port Address Translation is required, enter the destination port here. The Firewall will preserve ports by default.
- Log Connections: Enable logging on the policy.
- IPS: Enable IPS on the policy.
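The following added example (not Smoothwall code, and not part of the original article) models how the elements above combine into a DNAT/PAT decision, and flags policies left at both "Any" defaults, which forward every port from every source to the target. The class and function names, the first-match evaluation order, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class PortForward:
    # Hypothetical model of one policy; field names mirror the policy form.
    local_ip: str                       # external IP on the firewall
    target_ip: str                      # internal host that receives the traffic
    client_net: Optional[str] = None    # None models the "Any" default
    services: Optional[FrozenSet[Tuple[str, int]]] = None  # None models "Any"
    target_port: Optional[int] = None   # None: keep the original port (no PAT)

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        if ip_address(dst) != ip_address(self.local_ip):
            return False
        if self.client_net and ip_address(src) not in ip_network(self.client_net):
            return False
        return self.services is None or (proto, dport) in self.services

def translate(policies, src, dst, proto, dport):
    """Return (target_ip, target_port) for the first matching policy.

    None means no policy matched, i.e. the traffic would be rejected or
    dropped. First-match ordering is an assumption of this model.
    """
    for p in policies:
        if p.matches(src, dst, proto, dport):
            port = dport if p.target_port is None else p.target_port
            return (p.target_ip, port)
    return None

def overly_broad(policies):
    """Policies left at both defaults: any client and any service."""
    return [p for p in policies if p.client_net is None and p.services is None]

# Constructed sample policies (documentation address ranges, not real hosts).
SAMPLE_RULES = [
    # Public web server: any client, TCP 443 only, port preserved.
    PortForward("203.0.113.10", "192.168.10.20", services=frozenset({("tcp", 443)})),
    # Support group only: TCP 8443 on the outside, translated to 443 inside.
    PortForward("203.0.113.10", "192.168.10.30", client_net="198.51.100.0/24",
                services=frozenset({("tcp", 8443)}), target_port=443),
    # Both defaults left in place: exposes every port on the target.
    PortForward("203.0.113.11", "192.168.10.40"),
]

if __name__ == "__main__":
    print(translate(SAMPLE_RULES, "198.51.100.5", "203.0.113.10", "tcp", 8443))
    print([p.target_ip for p in overly_broad(SAMPLE_RULES)])
```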
Creating a Port Forward Policy
To create a Port Forward Policy:
- Log in to your Smoothwall Filter & Firewall Admin UI.
- Navigate to Network > Configuration > Port Forwards.
- Use the 'Add port forward' tool at the top-right to open the policy creator.
- Fill out the policy form elements as required - you can create named IP and Service Objects on the fly with the 'Create' button where applicable.
- Save the policy.
Testing a Port Forward
If Log Connections has been enabled on a Port Forward, you will be able to see the traffic over the policy in the Real-Time Firewall log.
Navigate to Reports > Real-Time > Firewall, select Rule in the first filter field, and select Port Forward in the second field. All logged and active Port Forwards will display their traffic. You can narrow down the results by applying multiple filters, such as Destination IP and Destination Port.