Relays

A relay in Ingate Firewall listens for traffic directed to a port on a specific IP address of the firewall itself. Packets arriving on this address and port are forwarded by the firewall to a server or other computer. The sender of the original packet cannot tell that the packet has been forwarded; from the sender's point of view it is talking to the firewall.

Relays are mainly used to transfer traffic to servers located on a NAT:ed (masqueraded) network, where the IP addresses on the NAT:ed network cannot be reached from the outside. When the servers use IP addresses intended for local use only (private addresses), you must use NAT and relays, because such addresses are not routable from the Internet and cannot be reached in any other way. Relays can also be used for networks that are not NAT:ed. Relays in Ingate Firewall do not store any of the relayed data locally; they only pass traffic on to a server.

Relays include access control, which makes it possible to restrict a relay to traffic from certain networks (or from one IPsec peer) and to certain time intervals.

One example is a web server on a NAT:ed internal network. The only computer that is visible from the outside is the firewall, so WWW traffic must go through it. In this case, you want to relay the outside traffic to the web server. Another example is an organization with its own name server on a NAT:ed network. For outsiders to look up names or IP addresses on the organization's servers, DNS (Domain Name System) traffic must be relayed in to the name server, which requires a UDP relay. DNS also uses TCP (for zone transfers and for responses that do not fit in a UDP datagram), so if those must work from the outside, add a TCP relay on the same port as well.

Relays are sorted by IP address and port number.

Listen to ...

Specify the firewall address and port on which the relay listens. Packets that others send to this address and port are forwarded to the server you enter under Relay to.

IP address

Select one of the names or aliases defined on the interface pages under Network.

Port

The port number for this relay on the outside. This is the port on which this relay listens for traffic.

Relay to ...

DNS name or IP address

The name/address of the server to which traffic should be forwarded.

IP address

This field shows the IP address of the server. The field is updated when you click on Look up all IP addresses again or change the Relay to DNS name or IP address field.

Port

The port number of the server to which traffic should be forwarded.

Relay type

Select which relay type you want to use.

A TCP relay is the simplest kind of relay. It listens on a port at a certain IP address of the firewall and forwards all traffic to the specified server. A TCP relay only processes TCP traffic. Examples of services that can be handled by a TCP relay are Telnet (terminal connections), SMTP (email), POP (email), NNTP (news), and HTTP (www). Towards the client, the relay acts as the server, and towards the server, the relay acts as the client: the client's connection is terminated in the firewall and a new connection is opened from the firewall to the server. A TCP relay does not interpret the application data, so a protocol that announces IP addresses or port numbers inside the data stream, or that opens additional connections, cannot be handled by a plain TCP relay; FTP is the usual example and has its own relay type (see below).

A relay (TCP or UDP) is somewhat more secure than port forwarding. Port forwarding only rewrites the address and port fields in the packet headers and passes the original packet on to the server; a relay terminates the client's traffic in the firewall and sends the server packets that the firewall itself has built, so nothing else in the original packet reaches the server. The drawback is that a relay consumes more resources in the firewall than port forwarding does.
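
The following Python script is an added illustration of the behaviour described above; it is not Ingate code and says nothing about how Ingate Firewall is implemented internally. It runs a toy upper-casing server on the loopback interface in place of the internal server, a minimal TCP relay in front of it, and a client that talks to the relay. Because the relay terminates the client connection and opens its own connection to the server, the server's accepted peer address is the relay's outbound socket, not the client's socket. All names and ports are chosen by the example.

```python
import socket
import threading


def pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass  # peer already gone; nothing more to do


def relay_one(listener, relay_to, seen):
    """Serve a single client: accept it, open a NEW connection to relay_to
    (the 'Relay to' address), and copy bytes in both directions. The server
    never sees the client's socket, only the relay's outbound socket."""
    client, _ = listener.accept()
    upstream = socket.create_connection(relay_to)
    seen["relay_outbound"] = upstream.getsockname()
    back = threading.Thread(target=pump, args=(upstream, client))
    back.start()
    pump(client, upstream)
    back.join()
    upstream.close()
    client.close()


def echo_server_once(listener, seen):
    """Toy internal server: record who connected, reply with the data upper-cased."""
    conn, peer = listener.accept()
    seen["server_saw_peer"] = peer
    data = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    conn.sendall(data.upper())
    conn.close()


def listen_on(host="127.0.0.1"):
    """Bind a listening socket on a free port (port 0 lets the OS pick one)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


def run_demo():
    """Client -> relay -> server on loopback; returns what each side observed."""
    seen = {}
    server_l = listen_on()   # stands in for the internal web/mail server
    relay_l = listen_on()    # stands in for the firewall's 'Listen to' address
    ts = threading.Thread(target=echo_server_once, args=(server_l, seen))
    tr = threading.Thread(target=relay_one, args=(relay_l, server_l.getsockname(), seen))
    ts.start()
    tr.start()

    with socket.create_connection(relay_l.getsockname()) as c:
        seen["client_addr"] = c.getsockname()
        c.sendall(b"hello via relay")
        c.shutdown(socket.SHUT_WR)       # tell the relay we are done sending
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    ts.join()
    tr.join()
    server_l.close()
    relay_l.close()
    seen["reply"] = reply
    return seen


if __name__ == "__main__":
    result = run_demo()
    print("reply          :", result["reply"])
    print("client socket  :", result["client_addr"])
    print("server saw peer:", result["server_saw_peer"])
    print("relay outbound :", result["relay_outbound"])
```

The point to notice is that `server_saw_peer` equals `relay_outbound` and differs from `client_addr`: the server only ever receives a connection built by the relay. A port-forwarding rule would instead have delivered the client's own packets, with rewritten headers, to the server.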

A UDP relay forwards UDP traffic in the same way: it listens on a port at a certain IP address of the firewall and forwards all traffic to the specified server. A UDP relay only processes UDP traffic. Examples of services that can be handled by a UDP relay are DNS (name/IP address queries) and SNMP (network monitoring). If you relay SNMP in from the outside, restrict the relay to the monitoring station's network under Allow access from, since SNMP v1 and v2c authenticate only with a clear-text community string.


The FTP service is different because it uses one channel for commands and another to send data, so it needs a special relay.

The FTP relay accepts connection attempts from the client network and opens its own connection to the FTP server. Towards the client, the relay acts as an FTP server, and towards the server, the relay acts as an FTP client. The FTP relay handles both active and passive FTP (see appendix A, IP Firewall in Ingate Firewall, for details).

For active FTP, the FTP relay assumes that the server opens its data connections from the port number one below the port used for FTP commands. Usually, the server uses port 21 for FTP commands and port 20 for FTP data.
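
The following Python functions are an added illustration of why FTP needs its own relay type; they are not Ingate code and do not describe Ingate's implementation. In FTP the data channel is negotiated inside the command channel: the client's PORT command and the server's 227 (PASV) reply both carry an IP address and port in the form h1,h2,h3,h4,p1,p2. A plain TCP relay passes those bytes through unchanged, so a client on the outside would be told to connect to the server's NAT:ed address, which it cannot reach. An FTP-aware relay must parse these messages and substitute its own address, and in active mode it needs to know which port the server's data connection will come from. The addresses and ports below are constructed for the example.

```python
import re

# Matches the "h1,h2,h3,h4,p1,p2" form used by the PORT command and the 227 PASV reply (RFC 959).
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(groups):
    """Six decimal fields -> (dotted IP, port); port = p1 * 256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def _encode(ip, port):
    """(dotted IP, port) -> 'h1,h2,h3,h4,p1,p2'."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 <= port <= 65535:
        raise ValueError("bad address/port")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_pasv_reply(line):
    """Server -> client: '227 Entering Passive Mode (10,0,0,5,195,80)' -> ('10.0.0.5', 50000)."""
    m = HOSTPORT_RE.search(line)
    if not line.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % line)
    return _decode(m.groups())


def parse_port_command(line):
    """Client -> server: 'PORT 192,168,1,10,4,1' -> ('192.168.1.10', 1025)."""
    m = HOSTPORT_RE.search(line)
    if not line.upper().startswith("PORT ") or not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def rewrite_hostport(line, new_ip, new_port):
    """Replace the address embedded in a PORT command or PASV reply with (new_ip, new_port).
    This is what an FTP-aware relay does so that the other side connects to the relay's
    own 'Listen to' address instead of an address it cannot reach."""
    if not HOSTPORT_RE.search(line):
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    return HOSTPORT_RE.sub(_encode(new_ip, new_port), line, count=1)


def active_data_source_port(command_port):
    """Active mode: the server opens the data connection itself from the port one below
    its command port (21 -> 20), which is the assumption the FTP relay relies on."""
    return command_port - 1


if __name__ == "__main__":
    # Constructed exchange: internal server 10.0.0.5 behind a relay listening on 203.0.113.1.
    reply = "227 Entering Passive Mode (10,0,0,5,195,80)"
    print(parse_pasv_reply(reply))                                  # ('10.0.0.5', 50000)
    print(rewrite_hostport(reply, "203.0.113.1", 51000))            # relay's address instead
    print(parse_port_command("PORT 192,168,1,10,4,1"))              # ('192.168.1.10', 1025)
    print(active_data_source_port(21))                              # 20
```

The rewritten PASV reply is what the outside client must receive; the relay then has to listen on the port it announced and open a second connection to the server's announced port, which is the extra work a plain TCP or UDP relay cannot do.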

The Address rewriting HTTP relay works in approximately the same way as a TCP or UDP relay, except that it also rewrites the internal server's IP address where it appears in the web pages passed back to the client, replacing it with the address you set under Listen to IP address, so that links to the server keep working from the outside. This relay can cause data loss when a web page is retrieved, and it uses more resources than a TCP relay. Usually, it is better to use a TCP relay for WWW traffic and to configure the web server itself to generate links with a name or address that is reachable from the outside.

Allow access from ...

Networks

Here, you select a network group, defined on the Networks and Computers page. Only the computers in the chosen group can use the relay.

IPsec peer

Here, you can select an IPsec peer, defined on the IPsec Peers page. If an IPsec peer is selected, only encrypted traffic from this peer will be relayed. The Local side of the IPsec tunnel for this peer must contain the IP address in Listen to IP address.

Time class

The Time class given defines when the relay is active. Inactive relays are ignored when handling arriving packets. You define time classes on the Time classes page under Rules and Relays. See also Time classes for more information.
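
The following Python script is an added illustration of the access-control decision described under Allow access from; it is not Ingate code and makes no claim about Ingate's internal matching logic. It models a relay table with a Networks group and a Time class per row and decides, for an arriving packet, whether any active relay admits it and where the traffic goes. The addresses are from the RFC 5737 documentation ranges, the internal hosts are on 10.0.0.0/8, and the group and class names are assumptions made for the example.

```python
import ipaddress
from datetime import datetime, time

# Constructed network groups, as defined on the Networks and Computers page.
NETWORK_GROUPS = {
    "branch-offices": ["192.0.2.0/24", "198.51.100.0/25"],
}

# Constructed time classes: a set of weekdays (Monday = 0) plus a daily window;
# None means the class is always active.
TIME_CLASSES = {
    "always": None,
    "office-hours": {"days": {0, 1, 2, 3, 4}, "start": time(8, 0), "end": time(18, 0)},
}

# Relay rows: Listen to, Relay type, Relay to, Allow access from (Networks), Time class.
# networks=None means the relay is open to everyone.
RELAYS = [
    {"listen": ("203.0.113.1", 80), "type": "tcp", "relay_to": ("10.0.0.5", 8080),
     "networks": "branch-offices", "time_class": "office-hours"},
    {"listen": ("203.0.113.1", 53), "type": "udp", "relay_to": ("10.0.0.53", 53),
     "networks": None, "time_class": "always"},
]


def in_time_class(name, when):
    """True if the time class is active at 'when'."""
    spec = TIME_CLASSES[name]
    if spec is None:
        return True
    return when.weekday() in spec["days"] and spec["start"] <= when.time() < spec["end"]


def in_network_group(name, src_ip):
    """True if src_ip belongs to the group, or if the relay has no group restriction."""
    if name is None:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in NETWORK_GROUPS[name])


def select_relay(src_ip, dst_ip, dst_port, proto, when):
    """Return the Relay to (ip, port) for an arriving packet, or None if no active
    relay admits it. Rows are walked in the order the page shows them: by Listen to
    IP address, then by port."""
    ordered = sorted(RELAYS, key=lambda r: (ipaddress.ip_address(r["listen"][0]), r["listen"][1]))
    for r in ordered:
        if r["listen"] != (dst_ip, dst_port) or r["type"] != proto:
            continue  # wrong address/port, or a TCP relay seeing UDP (and vice versa)
        if not in_time_class(r["time_class"], when):
            continue  # inactive relays are ignored
        if not in_network_group(r["networks"], src_ip):
            continue  # source is not in the allowed group
        return r["relay_to"]
    return None


if __name__ == "__main__":
    monday = datetime(2024, 1, 8, 10, 0)   # a Monday morning
    sunday = datetime(2024, 1, 7, 10, 0)
    print(select_relay("192.0.2.7", "203.0.113.1", 80, "tcp", monday))   # ('10.0.0.5', 8080)
    print(select_relay("192.0.2.7", "203.0.113.1", 80, "tcp", sunday))   # None: outside time class
    print(select_relay("8.8.8.8", "203.0.113.1", 80, "tcp", monday))     # None: not in group
    print(select_relay("8.8.8.8", "203.0.113.1", 53, "udp", monday))     # ('10.0.0.53', 53)
```

Note that the 198.51.100.0/25 entry admits 198.51.100.0 to 198.51.100.127 only; a source such as 198.51.100.200 is refused even though it shares the first three octets. Checking group membership with real prefix arithmetic, rather than string prefixes, is what makes the access control trustworthy.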

Log class

Here, you define which Log class should be used to log the traffic through this relay. Log classes are defined on the Log Classes page under Logging. See also Log Classes in chapter 13, Logging, for more information.

Delete row

If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.

Add new rows

Enter the number of new rows you want to add to the table, and then click on Add new rows.

Save

Saves the Relays configuration to the preliminary configuration.

Undo

Clears all fields in new rows and reverts unsaved changes in existing rows.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.