Appendix C. Common services

Table of Contents
HTTP
HTTPS
FTP
DNS
SMTP
NNTP
Telnet
SSH
NTP
Traceroute
Ping
Real Audio/Video
ICQ

The following is a description of some of the most common services and how they can be managed in an Ingate Firewall.

The following descriptions use the term 'high port' for a port with a high number (1024-65535).

HTTP

HTTP stands for HyperText Transfer Protocol and is primarily used for transferring web pages. HTTP is a simple protocol to manage and does not require much comment. We describe it here because it is common and can serve as an example for similar services.

HTTP usually uses a high port number on the client, port 80 on the server, and the TCP protocol. This corresponds to the following service definition:

Services

Name   Protocol   Firewall type                Client ports   Server ports
http   TCP        Dynamic session management   1024-65535     80

Outgoing HTTP

Allow the http service as defined above from the computers that are allowed to use WWW (for example, the entire network on the inside), to the addresses to which they have access (for example the Internet, everything on the outside), using the firewall rules. Example:

Rules

Client     Server     Services    Action
Inside     Internet   http        Allow
Inside     Internet   dns         Allow
Internet   Inside     dns-reply   Allow

DNS must work so that you can use a domain name (such as www.ingate.com) in URLs. If you accidentally block DNS, you can only surf with IP addresses in the URLs.

Incoming HTTP

To allow outside computers to access web servers on an internal network, there are two alternatives: either use firewall rules or a relay. The relay solution can be used regardless of whether NAT is used or not. Forwarding with firewall rules can be used only if NAT isn't used.

Using Rules

Allow the http service as defined above from the computers that are allowed to visit your web server (such as the Internet, everything on the outside) to the address of your web server. Example:

Rules

Client     Server       Services   Action
Internet   Web server   http       Allow
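To make the rule tables above concrete, the following is an added example (not part of the Ingate manual) that evaluates a packet against service definitions and rules in the same shape as the Outgoing HTTP and Using Rules tables. The http service is the page's own definition; the dns and dns-reply services, the sample network addresses and the default Deny policy are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    proto: str            # "TCP" or "UDP"
    client_ports: tuple   # (low, high), inclusive
    server_ports: tuple   # (low, high), inclusive

# Service definitions in the shape of the appendix's Services table.
# http is the page's definition; dns and dns-reply are assumed here
# (UDP, high client port to server port 53, and the reverse for replies).
SERVICES = {
    "http": Service("TCP", (1024, 65535), (80, 80)),
    "dns": Service("UDP", (1024, 65535), (53, 53)),
    "dns-reply": Service("UDP", (53, 53), (1024, 65535)),
}

# Named networks with constructed sample addresses; "Internet" is
# "everything on the outside", i.e. any address that is not Inside.
NETWORKS = {
    "Inside": [ipaddress.ip_network("192.168.1.0/24")],
    "Web server": [ipaddress.ip_network("192.168.1.17/32")],
}

# The page's Outgoing HTTP rule table, evaluated in order.
OUTGOING_RULES = [
    ("Inside", "Internet", "http", "Allow"),
    ("Inside", "Internet", "dns", "Allow"),
    ("Internet", "Inside", "dns-reply", "Allow"),
]

def in_network(name, addr):
    if name == "Internet":
        return not in_network("Inside", addr)
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NETWORKS[name])

def matches_service(svc, proto, sport, dport):
    lo_c, hi_c = svc.client_ports
    lo_s, hi_s = svc.server_ports
    return proto == svc.proto and lo_c <= sport <= hi_c and lo_s <= dport <= hi_s

def evaluate(rules, src, dst, proto, sport, dport):
    """Action of the first rule matching the packet; default policy is assumed Deny."""
    for client, server, svc_name, action in rules:
        if (in_network(client, src) and in_network(server, dst)
                and matches_service(SERVICES[svc_name], proto, sport, dport)):
            return action
    return "Deny"
```

Dropping the dns and dns-reply rules from OUTGOING_RULES makes the UDP port 53 packets fall through to Deny, which is the "accidentally block DNS" situation the text warns about.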

Using Relays

Use a relay to forward HTTP connections to the correct computer. Example (assuming that 192.168.1.17 is the internal IP address of the web server):

Relays

Listen to ...                   Relay to ...                     Relay type   Allow access from
IP address           Port       DNS name or IP address   Port                Networks
Outside (1.2.3.4)    80         192.168.1.17             80      TCP relay    Internet

The Listen to IP address is the one that visitors should point their browsers at.

If the web server on the inside insists on sending back its internal IP address in the web pages, problems will occur, since external web browsers can only access the web server via the relay. If this happens, you can use the Address rewriting HTTP relay type instead of a TCP relay to modify the outgoing web pages when they pass through the firewall. See appendix A, IP Firewall in Ingate Firewall.