The Default tab offers the following options:
• Activate rule: Mark or unmark this checkbox to activate or deactivate the rule.
• Source address: Choose a Host/Net alias or a Host/Net group from the selection menu, or choose CUSTOM and enter an IP address or a network address in the text field. The rule matches if the packet comes from this IP address or from this network range. If you choose ANY, this option is ignored and the rule matches regardless of the source address. If you mark the checkbox "except", the entered address is negated: the rule then matches all source addresses except the one you entered. In the overview this case is shown with an exclamation mark in front of the address.
• Destination address: Choose a Host/Net alias or a Host/Net group from the selection menu, or choose CUSTOM and enter an IP address or a network address in the text field. The rule matches if the packet is destined for this IP address or for this network range. If you choose ANY, this option is ignored and the rule matches regardless of the destination address. If you mark the checkbox "except", the entered address is negated: the rule then matches all destination addresses except the one you entered. In the overview this case is shown with an exclamation mark in front of the address.
• Service: Choose one of the services from the selection list, or choose ANY if this field should be ignored so that packets of every service are translated. If you choose CUSTOM, additional fields appear in which you can set protocol and port details for this rule (see "Specifics of TCP/UDP" below).
• Action: Choose the kind of translation to perform from this select box:
  • DNAT (Destination Network Address Translation): the destination IP address of the packet is rewritten to the specified value.
  • REDIRECT: the packet is redirected to another port on Gibraltar itself.
  • SNAT (Source Network Address Translation): the source IP address of the packet is rewritten to the specified value.
  • MASQUERADE: the source IP address is rewritten to the IP address Gibraltar currently holds, for example one assigned by a DHCP server. This is mainly used for dial-in connections and other connections that do not get a fixed IP address.
• --to: Enter the IP address or port the packet should be translated to. For example, to forward all HTTP requests to an internal web server, enter that server's IP address here. If you chose the action MASQUERADE, this field must stay empty; for every other action an entry is required.
• IP address: Enter the IP address the packet should be translated to (the new destination address for DNAT, the new source address for SNAT).
• Port: If you chose the action REDIRECT, enter the local port to which the request should be redirected, for example the port of a transparent proxy for the respective service.
• IP range to: Here you can enter a second IP address which, together with the address in the IP address field, forms a range. This option is used for load balancing across several identically configured web servers: requests are distributed to the addresses in the range in round-robin fashion, so the load is spread over several servers.
• Comment: Enter a comment for this rule in this text field.
ATTENTION: Translating a packet with NAT does not mean that it is also filtered! You must configure separate filter rules for all translated packets, and you must match on the right addresses: incoming packets are filtered only after the translation, so a filter rule belonging to a DNAT or REDIRECT rule has to match the translated destination address and port; outgoing packets are filtered before the translation, so a filter rule belonging to an SNAT or MASQUERADE rule has to match the original source address.
Specifics of TCP/UDP
• Source port: Enter the port from which the packet is sent. If the packet comes from the entered port, the remaining options of the rule are checked. If you leave this field blank, this option is ignored and plays no part in the check of the packet. You can either enter a single port from 1 to 65535 or a range. A range is written as a start port and an end port separated by a colon (e.g. 2400:2600 means all ports from 2400 to 2600). You can also leave one side of the colon empty: a colon followed by a port number means all ports up to that number, and a port number followed by a colon means all ports from that number upwards (e.g. :500 means all ports from 1 to 500, 500: means all ports from 500 to 65535).
• Destination port: Enter the port the packet is sent to. If the packet is addressed to the entered port, the remaining options of the rule are checked. The entry in this text field uses the same syntax as Source port.
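The following is an added example, not part of this documentation and not Gibraltar's own code. It models a rule from the Default tab (action, source/destination with "except", TCP/UDP ports in the syntax described above, the --to target, the REDIRECT port and the "IP range to" round-robin range) and renders both the translation rule and the separate filter rule that the ATTENTION note requires, with the filter rule matching the translated destination for DNAT/REDIRECT and the original source for SNAT/MASQUERADE. It assumes the rule is realised with iptables, which the documentation does not state, that the option names map to the iptables flags used here, and that the filter rules are ACCEPT rules in FORWARD (INPUT for REDIRECT). All addresses and ports are constructed sample values.

```python
"""Render Gibraltar-style NAT rules as iptables commands (added example;
assumes an iptables backend and the flag mapping shown below)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

PORT_RE = re.compile(r"^(\d*)(:(\d*))?$")   # 'N', 'A:B', ':B' or 'A:'


def _single_port(p: str) -> str:
    port = int(p)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return str(port)


def parse_port_spec(spec: str) -> str:
    """Validate a port or range as described under 'Specifics of TCP/UDP'
    and return it normalised: ':B' becomes '1:B', 'A:' becomes 'A:65535'."""
    spec = spec.strip()
    m = PORT_RE.match(spec)
    if not m or spec in ("", ":"):
        raise ValueError(f"invalid port specification: {spec!r}")
    if m.group(2) is None:
        return _single_port(m.group(1))
    lo = int(m.group(1)) if m.group(1) else 1
    hi = int(m.group(3)) if m.group(3) else 65535
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return f"{lo}:{hi}"


@dataclass
class NatRule:
    action: str                            # DNAT, REDIRECT, SNAT, MASQUERADE
    source: str = "ANY"                    # address/network or ANY
    source_except: bool = False            # the 'except' checkbox
    destination: str = "ANY"
    destination_except: bool = False
    proto: Optional[str] = None            # 'tcp'/'udp' for Service = CUSTOM
    sport: Optional[str] = None            # Source port (port or range)
    dport: Optional[str] = None            # Destination port (port or range)
    to_ip: Optional[str] = None            # --to / IP address
    to_ip_range_end: Optional[str] = None  # IP range to (round-robin)
    to_port: Optional[str] = None          # Port (REDIRECT) or target port


def _addr(flag: str, value: str, negate: bool) -> List[str]:
    """ANY matches nothing explicitly; 'except' becomes the iptables '!'."""
    if value == "ANY":
        return []
    ipaddress.ip_network(value, strict=False)   # reject garbage early
    return (["!"] if negate else []) + [flag, value]


def _ports(rule: NatRule) -> List[str]:
    if (rule.sport or rule.dport) and not rule.proto:
        raise ValueError("port matches need a TCP or UDP service")
    out = ["-p", rule.proto] if rule.proto else []
    if rule.sport:
        out += ["--sport", parse_port_spec(rule.sport)]
    if rule.dport:
        out += ["--dport", parse_port_spec(rule.dport)]
    return out


def nat_command(rule: NatRule) -> str:
    """DNAT/REDIRECT act on incoming packets (PREROUTING), SNAT/MASQUERADE
    on outgoing packets (POSTROUTING)."""
    chain = "PREROUTING" if rule.action in ("DNAT", "REDIRECT") else "POSTROUTING"
    cmd = ["iptables", "-t", "nat", "-A", chain]
    cmd += _addr("-s", rule.source, rule.source_except)
    cmd += _addr("-d", rule.destination, rule.destination_except)
    cmd += _ports(rule) + ["-j", rule.action]
    if rule.action == "MASQUERADE":
        if rule.to_ip or rule.to_port:
            raise ValueError("MASQUERADE allows no --to entry")
    elif rule.action == "REDIRECT":
        if not rule.to_port:
            raise ValueError("REDIRECT needs a local port")
        cmd += ["--to-ports", _single_port(rule.to_port)]
    elif rule.action in ("DNAT", "SNAT"):
        if not rule.to_ip:
            raise ValueError(f"{rule.action} needs a target IP address")
        ipaddress.ip_address(rule.to_ip)
        target = rule.to_ip
        if rule.to_ip_range_end:                 # round-robin over a range
            ipaddress.ip_address(rule.to_ip_range_end)
            target += "-" + rule.to_ip_range_end
        if rule.to_port:
            target += ":" + _single_port(rule.to_port)
        cmd += ["--to-destination" if rule.action == "DNAT" else "--to-source", target]
    else:
        raise ValueError(f"unknown action {rule.action!r}")
    return " ".join(cmd)


def filter_command(rule: NatRule) -> str:
    """Companion filter rule: incoming packets are filtered AFTER DNAT or
    REDIRECT (match the translated destination/port), outgoing packets are
    filtered BEFORE SNAT or MASQUERADE (match the original source/ports)."""
    if rule.action in ("DNAT", "REDIRECT"):
        cmd = ["iptables", "-A", "INPUT" if rule.action == "REDIRECT" else "FORWARD"]
        cmd += _addr("-s", rule.source, rule.source_except)
        if rule.action == "DNAT":
            if rule.to_ip_range_end:
                cmd += ["-m", "iprange", "--dst-range", f"{rule.to_ip}-{rule.to_ip_range_end}"]
            else:
                cmd += ["-d", rule.to_ip]
        if rule.proto:
            cmd += ["-p", rule.proto]
            if rule.sport:
                cmd += ["--sport", parse_port_spec(rule.sport)]
            port = rule.to_port or rule.dport     # the translated port wins
            if port:
                cmd += ["--dport", parse_port_spec(port)]
    else:
        cmd = ["iptables", "-A", "FORWARD"]
        cmd += _addr("-s", rule.source, rule.source_except)
        cmd += _addr("-d", rule.destination, rule.destination_except)
        cmd += _ports(rule)
    return " ".join(cmd + ["-j", "ACCEPT"])
```

The point to check in your own rule set is the pairing: a DNAT rule for port 80 to 192.168.1.10:8080 needs a filter rule for 192.168.1.10 port 8080, not for the public address and port 80, while an SNAT or MASQUERADE rule for 192.168.1.0/24 needs a filter rule for 192.168.1.0/24, not for the public address it is translated to.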