Securing Local Servers using NAT and IP filtering:
Many WinRoute networks place servers behind WinRoute that are reachable only through port mappings, so that the necessary services are publicly available while all other connection attempts are denied by NAT's stateful inspection. NAT protects the server from inbound traffic arriving from the Internet or any other public network; however, WinRoute will (by default) allow all outbound IP communication. For most cases NAT security is sufficient, but it may be desirable to restrict everything except what is absolutely necessary. In other words, only returning traffic (server responses) will be allowed out to the Internet.
Consider the following example.
Let's assume there is a server at 192.168.1.9 hosting the following services (TELNET/FTP/HTTP/HTTPS/SMTP/DNS/POP3/IMAP). NAT with port mapping will allow only the necessary inbound services. For port mapping configuration see the 'Port Mapping/Forwarding' section in this chapter.
To ensure that only the necessary server response packets are passed through the WinRoute firewall back to the requesting client, the following packet filter rules are necessary.
Note that in each case we are concerned only with the source information, because it will always be the same. The destination information is variable, so we cannot define values based on that criterion. Note that for most of the TCP rules '!SYN' is used to represent 'established' connections. In this case the server will not be able to establish outbound communication; rather, it can only answer queries issued to it by remote clients. This type of policy would block some viruses such as 'Code Red', which was designed to pass through most firewalls. In this example FTP (passive mode) will be denied by the catch-all rule because it requires a connection back to the client that is dynamically negotiated and therefore cannot be pre-defined.
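As an added illustration (not WinRoute's own code or rule syntax), the following Python models the policy just described: rules keyed only on source address, source port and protocol, '!SYN' taken to mean any TCP segment that is not a bare SYN (so the server's SYN+ACK replies still pass), and an implicit catch-all deny. The remote addresses and ephemeral port numbers are constructed sample values.

```python
from dataclasses import dataclass
# Added example, not WinRoute's code. Rules match only source address,
# port and protocol; '!SYN' is taken to mean "not a bare SYN", so the
# server's SYN+ACK replies pass. Non-server addresses are constructed.
SERVER = "192.168.1.9"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str              # destination fields are carried but never matched
    dport: int
    proto: str            # "tcp" or "udp"
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    src: str
    sport: int
    proto: str
    established: bool     # True = '!SYN': reject connection-opening segments
    action: str = "permit"

# One permit rule per hosted service; the catch-all deny is implicit.
TCP_PORTS = {"telnet": 23, "ftp": 21, "http": 80, "https": 443,
             "smtp": 25, "dns": 53, "pop3": 110, "imap": 143}
RULES = [Rule(SERVER, p, "tcp", established=True) for p in TCP_PORTS.values()]
RULES.append(Rule(SERVER, 53, "udp", established=False))   # UDP DNS answers

def is_bare_syn(pkt: Packet) -> bool:
    """SYN set and ACK clear: the segment opens a new TCP connection."""
    return pkt.proto == "tcp" and pkt.syn and not pkt.ack

def evaluate(pkt: Packet, rules=RULES) -> str:
    """First matching rule wins; no match means the catch-all deny."""
    for rule in rules:
        if (pkt.src, pkt.sport, pkt.proto) != (rule.src, rule.sport, rule.proto):
            continue
        if rule.established and is_bare_syn(pkt):
            continue
        return rule.action
    return "deny"

# Constructed sample traffic leaving the server towards the Internet.
HTTP_REPLY = Packet(SERVER, 80, "203.0.113.7", 51000, "tcp", syn=True, ack=True)
DNS_ANSWER = Packet(SERVER, 53, "203.0.113.7", 40000, "udp")
SERVER_OPENS_HTTP = Packet(SERVER, 80, "203.0.113.8", 80, "tcp", syn=True)
PASV_FTP_DATA = Packet(SERVER, 52000, "203.0.113.7", 52001, "tcp", syn=True, ack=True)
```

Running `evaluate` over the four sample packets shows the two service responses permitted, the server-initiated connection rejected by the '!SYN' condition even though its source port is 80, and the passive-mode FTP data connection falling through to the catch-all deny because its dynamically chosen source port matches no rule.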