Service Proxy Commands

These commands instruct the NetNAT to create new mapping relationships between apparent external services and actual internal services. The mapping relationships may be port-and-protocol conscious, or port independent.

Port Proxy command. Map a specific apparent IP Address/Port combination to an internal actual service.
Fixed Proxy command. Map all services of an external apparent IP Address to an internal IP Address.
Default Proxy command. Map all undefined services to an internal IP Address.
Subnet Mapping command. Use a specified apparent IP Address for all user computers in a specified subnet.
Local Proxy command. Do not map the service, as it is processed by the NetNAT locally.

In addition to these four modes, our NATs perform Dynamic Mapping of client IP Addresses into a single public IP Address. This is performed automatically between "private" interfaces and "public" ones, so no commands are shown.

Port Service Proxy

This service subcommand establishes a service-specific relationship between an apparent IP Address/Port Number/Protocol (UDP or TCP) combination on a public interface and an actual IP Address/Port Number combination on a private interface.

Any service request from the public area that is addressed to the apparent IP Address/Port Number combination is redirected to the actual service provider on the private network. Conversely, all reply messages from the actual IP Address/Port Number/Protocol combination are rewritten to appear to originate at the apparent public combination. All affected checksums are recalculated in the messages before they are transmitted.

A special wildcard for the apparent IP Address is provided, to simplify maintenance of the startup configuration as the public address changes. By specifying an asterisk (*) for the apparent IP Address, you are actually specifying the "natural" IP Address of the interface, which has been set either in an ifconfig command, or has been negotiated during a PPP session setup.

Command Syntax

  service [int] port [app IP|*] [app port] [TCP|UDP] [act IP] [act port] {flags}

Where:

"int" is the NetNAT Interface on the "public" side (i.e. en0, tr0, ppp0)
"app IP" is the apparent IP Address for the offered service or * if the natural IP Address of the interface is to be used
"app port" is the apparent Port Number for the service
"TCP|UDP" must specify the protocol to use, either TCP or UDP
"act IP" is the actual IP Address of the real server
"act port" is the actual Port Number of the real service
"flags" is an optional hex value for monitoring and logging flags

Fixed Service Proxy

This service subcommand establishes a service-independent relationship between an apparent IP Address on a public interface, and an actual IP Address on the private side.

Any service request from the public area that is addressed to the apparent IP Address is redirected to the actual service provider on the private network. Conversely, all reply messages from the actual IP Address (the actual server) are rewritten to appear to originate at the apparent public address.

Service requests that originate at the designated private "actual" server, such as telnet, ftp, www, etc., are rewritten to appear to originate at the apparent public address, also.

All affected checksums are recalculated in the messages before they are transmitted.

Command Syntax

  service [int] fixed [app IP] [act IP] {flags}

Where:

"int" is the NetNAT Interface on the "public" side (i.e. en0, tr0, ppp0)
"app IP" is the apparent IP Address for the public side
"act IP" is the actual IP Address of the real server
"flags" is an optional hex value for monitoring and logging flags

Default Service Proxy

This service subcommand establishes a last-resort default for service requests that have not been handled otherwise. An organization that suspects that Internet Bad Guys (IBGs) may be attempting to invade their system wish to set up a highly-instrumented host, and point the NAT's Default Service Proxy filter at it. In this way, the NAT will not reject the connection attempts offhand, but will route them through to this instrumented internal machine for examination.

Because the NAT routes all undefined services to this default machine, the use of the Default Service Proxy facility must be considered carefully. If mistakenly configured to send to an unprotected machine, your Firewall functionality will be compromised.

Any service request from the public area that is addressed to the apparent IP Address, and that is not otherwise handled by a Service Port Proxy relationship, is redirected to the configured service provider on the private network. Conversely, all reply messages from the actual IP Address (the actual server) are rewritten to appear to originate at the apparent public address.

All affected checksums are recalculated in the messages before they are transmitted.

Command Syntax

  service [int] default [app IP] [act IP] {flags}

Where:

"int" is the NetNAT Interface on the "public" side (i.e. en0, tr0, ppp0)
"app IP" is the apparent IP Address for the public side
"act IP" is the actual IP Address of the real server
"flags" is an optional hex value for monitoring and logging flags

Subnet Address Mapping

This service subcommand designates a public "apparent" IP Address to be shared by all computers in a private subnet. This permits an ISP (for example) to assign a single public IP Address for use by all computers at a customer site.

Command Syntax

  service [int] subnet [subnet address/bits] [app IP]
  service [int] client [subnet address/bits] [app IP]

Where:

"int" is the NetNAT Interface on the "public" side (i.e. en0, tr0, ppp0)
"subnet address/bits" is the subnet description for the client subnet
"app IP" is the apparent IP Address to be shared by all members of that subnet

When a client computer sends a message through the NAT to the outside world, the NAT must select an IP Address to use for that client, for this message. This command specifies that a certain IP Address will be used for everybody in the specified subnet. They may all be active at the same time, since we use port translation to permit them to share the IP Address simultaneously.

The two forms of the command are equivalent. The original name for the command was "service client" but is being changed to "service subnet" to make its meaning more clear. The subnet may be as restrictive as desired, allowing you to assign an apparent IP Address to a single computer if desired. For example:

service en0 subnet 192.168.31.4/32 204.204.19.18
service en0 subnet 192.168.31.0/24 204.204.19.19

This instructs the NAT to use 204.204.19.18 for the single computer at 192.168.31.4, and use 204.204.19.19 for everybody else in that subnet. At present, you may have up to 32 subnet mapping definitions in your NAT configuration.

Local Service Proxy

This service subcommand designates that the specified service is processed by the NAT itself, rather than by a device on the private network. An example would be SNMP or FTP, if permitted by the NAT. The NAT code detects the inbound service request and, when it notices the "local proxy" entry in the proxy table, checks for local listeners on the specified port. If there are none, the service request is rejected.

Command Syntax

  service [int] local [app IP] [app port] [TCP|UDP] {flags}

Where:

"int" is the NetNAT Interface on the "public" side (i.e. en0, tr0, ppp0)
"app IP" is the apparent IP Address for the NAT's server
"app port" is the apparent Port Number for this service
"TCP|UDP" must specify the protocol to use, either TCP or UDP
"flags" is an optional hex value for monitoring and logging flags

Monitoring and Logging Flags

These flag bits control the logging (via syslog) of significant events and of data volumes. At present, all logging uses facility "LOCAL2" and priority "INFO," but these will become configurable in a future release.

Flag Bits

At present, only the two most-significant bits are used. ---------------//--------------- | E | V | unused | ---------------//--------------- Where:

"E" enables logging of significant events. This has various meanings, depending on the type of Service Proxy mode.
"V" enables logging of data volumes. This causes counts of data segments and data bytes in and out to be logged every minute where the counts would be non-zero.

Syslog Record Formats

Formats of log records are as follows. Your syslog daemon will add the date and time, and the name of the NAT (or IP Address, if not in your DNS) at the beginning of each log record. All fields are colon-delimited for easy processing off-line. IP Addresses are 32-bit hexadecimal, flags are 16-bit hexadecimal. All other numeric fields are in decimal.

Proxy Event

This logs initial inbound connection events for port-style service proxy facilities. One should be careful with this, as it could create a lot of log information. It is enabled by setting the msb of the flags field (0x8000 or 0xc000 both have this bit set, 0x0000 and 0x4000 don't). pr:int:srcip:srcport:dstip:dstport:prot Where:

"Int" is the interface where the message arrived.
"Srcip" is the source IP Address of the message (who it came from).
"Srcport" is the source Port Number from the message.
"Dstip" is the destination IP Address of the message (who it was sent to).
"Dstport" is the destination Port Number from the message.
"Prot" is the numeric protocol, where ICMP is 0, TCP is 6, UDP is 17.

Default Proxy Event

This logs initial inbound connection events for default-style service proxy facilities. While one should be careful with this, due to the possibility of a massive number of events logged, this one can be very interesting. It logs redirection of protocols that you didn't anticipate. Typical examples are the "Authentication Protocol," where telnet servers attempt to learn more about the client user. It is enabled by setting the msb of the flags field (0x8000 or 0xc000 both have this bit set, 0x0000 and 0x4000 don't). df:int:srcip:srcport:dstip:dstport:prot Where:

"Int" is the interface where the message arrived.
"Srcip" is the source IP Address of the message (who it came from).
"Srcport" is the source Port Number from the message.
"Dstip" is the destination IP Address of the message (who it was sent to).
"Dstport" is the destination Port Number from the message.
"Prot" is the numeric protocol, where ICMP is 0, TCP is 6, UDP is 17.

Reject Proxy Event

This logs initial inbound connection events that are rejected because they didn't match any of the pre-established Service Proxy relationships. In other words, this logs deflected queries for services that you did not intend to provide. Typical examples are the "Authentication Protocol," where telnet servers attempt to learn more about the client user. It is enabled by the Syslog Reject command. This logging mode can generate a lot of data, so use it with care. rj:int:srcip:srcport:dstip:dstport:prot Where:

"Int" is the interface where the message arrived.
"Srcip" is the source IP Address of the message (who it came from).
"Srcport" is the source Port Number from the message.
"Dstip" is the destination IP Address of the message (who it was sent to).
"Dstport" is the destination Port Number from the message.
"Prot" is the numeric protocol, where ICMP is 0, TCP is 6, UDP is 17.

Service Proxy Statistics

If enabled, this logs data volumes in and out for a service proxy relationship. The log record is sent only when actual data traffic has occurred. It is sent each minute when a non-zero value can be reported. It can generate a lot of data, so use it with care, or be thoughtful in selecting which proxies are monitored. ps:int:appip:appport:actip:actport:prot:flags:bin:cin:bout:cout Where:

"Int" is the interface where the message arrived.
"Appip" is the source IP Address of the message (who it came from).
"Appport" is the source Port Number from the message.
"Actip" is the destination IP Address of the message (who it was sent to).
"Actport" is the destination Port Number from the message.
"Prot" is the numeric protocol, where ICMP is 0, TCP is 6, UDP is 17.
"Flags" is the current value of the optional hex flags field for this proxy.
"Bin" is the number of blocks received from the public net this minute.
"Cin" is the number of characters received from the public net this minute.
"Bout" is the number of blocks sent to the public net this minute.
"Cout" is the number of characters sent to the public net this minute.

NAT UP Message

If a syslog server is defined, all of our NATs will report "up" status via syslog approximately one minute after starting. The delay is to allow the various facilities to settle. The purpose of this is to track the number of reboots, without regard for the reason, since it's almost always too late to find out why. The common reasons for a reboot are:

The software took a flying leap into nowhere
The hardware watchdog timer caught us napping
Someone punched the reset button
We loaded new software or configuration data

The format of the UP message is: up:hostname Where "hostname" is the hostname as specified in a hostname command.

This page was last modified on 14 March, 1997.

This information is proprietary to Network Safety Corporation. Network Safety, WebElite, DialNAT and NetNAT are trademarks of Network Safety Corporation. For information on our products and services, please contact our sales department.

This page was prepared using WebElite, our professional editor for the Web.