Chapter 15.                              Address Translation
FireWall-1 User Guide



15.     Address Translation





15.1    Introduction

    
    
    The Need for Address Translation
        The need for IP address translation (replacing one
        IP address in a packet by another IP address)
        arises in two cases:
       *    The network administrator wishes to conceal the
            network's internal IP addresses from the Internet.
            The administrator may reason that there is
            nothing to be gained, from a security point of
            view, by making a network's internal addresses
            public knowledge.
       *    An internal network's IP addresses are invalid Internet
            addresses (that is, as far as the Internet is concerned,
            these addresses belong to another network).
            This situation may have arisen for historical
            reasons: an internal network was originally not
            connected to the Internet and its IP addresses
            were chosen without regard to Internet
            conventions. If such a network is then connected
            to the Internet, its long-established internal
            IP addresses cannot be used externally, and
            changing them may be impractical or infeasible.
        In both cases, the internal IP addresses cannot be
        used on the Internet. However, Internet access must
        still be provided for the internal hosts with the
        invalid or secret IP addresses.
        Application gateways (proxies) have historically
        served as a partial solution to these problems. For
        example, to hide an internal IP address, a user can
        telnet to the gateway and from there continue to the
        Internet through a proxy. FireWall-1 can be easily
        set up to provide and enforce such a scheme for a
        wide variety of services (FTP, telnet, HTTP, etc.).
        Moreover, FireWall-1 supplements this scheme by
        providing user authentication on the gateway.
        On the other hand, proxies do have drawbacks:
        1.  Proxies are tailored per application, so
            applications that are not proxied cannot be used,
            inbound or outbound.
        2.  Proxies are not transparent: even authorized
            outbound users must go through the application on
            the gateway, which imposes a large overhead on the
            gateway host. Once a connection is accepted by a
            proxy, the proxy functions as a packet forwarder
            at the application layer, which is an inefficient
            use of resources.
        3.  It is difficult to provide good proxies for
            protocols other than TCP.
        In contrast, FireWall-1's generic and transparent
        Address Translation feature provides a complete and
        efficient solution.
    
    
    Example
        Consider the following network configuration:
        
        
        Figure 1.    Example Network Configuration
                
        Suppose the administrator of this network wishes to
        provide mail services to the internal (private)
        hosts, but the internal IP addresses cannot be used,
        for one of the reasons stated above (see "The Need
        for Address Translation", page 15-1).
        Note: The gateway has a valid IP address, which
        cannot be concealed.
        One possible solution is to move the mail server
        (which is currently on one of the internal hosts) to
        the gateway. This solution is not optimal, because
        of:
            *    the significant overhead the mail server imposes on the
             gateway
            *    reduced security
            *    the administrative overhead incurred when modifying the
             configuration
        A better solution might be to implement address
        translation on the gateway, as follows:
        The mail server is assigned a valid IP address (its
        public IP address), which is exposed to the
        Internet. However, internally, the mail server
        retains its existing (private) IP address.
        Incoming mail arrives at the gateway, where the
        destination IP address (the mail server's public IP
        address) is translated to its private address. The
        source IP address of outgoing mail is translated
        from the mail server's private IP address to its
        public IP address.




15.2    Direction

    
    
    Forward
        A forward packet is one that is traveling away from
        the initiator of the connection.
    
    
    Backward
        A backward packet is one that is traveling toward
        the initiator of the connection.




15.3    Translation Modes

    
    
    FWXT_HIDE
       This translation mode is used for connections
       initiated by the internal network. It hides all the
       internal addresses behind a single external address,
       using port numbers to distinguish between the
       connections. For example, if the addresses are as
       follows:
         Legal IP address   Illegal IP addresses
         199.203.73.28      200.0.0.100 - 200.0.0.200
       Then the translation rule:
         
         200.0.0.100 200.0.0.200 FWXT_HIDE 199.203.73.28
         translates the source address of outbound packets
         from the range 200.0.0.100 - 200.0.0.200 to
         199.203.73.28. Reply packets are directed back to
         the correct internal host by the port number the
         gateway assigned to the connection.
         Since a port mapping exists only for connections
         opened from the inside, FWXT_HIDE provides no
         access initiated from the outside into the
         internal network.
    
    
    FWXT_SRC_STATIC
       This mode translates illegal internal source IP
       addresses to legal IP addresses, one to one. For
       example, if the addresses are as follows:
         Legal IP addresses               Illegal IP addresses
         199.203.73.15 - 199.203.73.115   200.0.0.100 - 200.0.0.200
       Then the translation rule:
         
         200.0.0.100 200.0.0.200 FWXT_SRC_STATIC 199.203.73.15
         translates the illegal source addresses in the range
         200.0.0.100 - 200.0.0.200 to the legal addresses
         199.203.73.15 - 199.203.73.115 (the first original
         address maps to the first translated address, and
         so on in order).
         This mode is used when the connection is initiated
         by a host inside the internal network, and ensures
         that each originating host has its own unique legal
         IP address. It is usually employed in conjunction
         with FWXT_DST_STATIC, so that a host appears to the
         outside under the same legal address whether it
         initiates or accepts the connection.
    
    
    FWXT_DST_STATIC
       This mode translates legal, externally visible
       destination addresses to the corresponding illegal
       internal addresses in the forward direction. For
       example, if the addresses are as follows:
         Legal IP addresses               Illegal IP addresses
         199.203.73.15 - 199.203.73.115   200.0.0.100 - 200.0.0.200
       Then the translation rule:
         
         199.203.73.15 199.203.73.115 FWXT_DST_STATIC 200.0.0.100
         translates the legal destination addresses in the
         range 199.203.73.15 - 199.203.73.115 to the illegal
         internal addresses 200.0.0.100 - 200.0.0.200 (again
         one to one, in order).
         This mode is used when the connection is initiated
         by a host outside the internal network, and ensures
         that the packets entering the internal network
         arrive at their proper destinations.




15.4    Interfaces

        Typically, Address Translation would be deployed on
        all of a gateway's interfaces. However, it is
        possible to restrict Address Translation to a
        prescribed subset of the interfaces.
        The fwx_iflist table, if it exists, contains the
        names of the interfaces on which Address Translation
        is deployed. fwx_iflist is generated by the Address
        Translation configuration utility, fwxlconf, in its
        output file $FWDIR/conf/xlate.conf.




15.5    Routing

        When using FWXT_HIDE and FWXT_SRC_STATIC, you must
        ensure that the translated ('legal') addresses are
        published, that is, routed to the gateway from the
        outside, so that replies will be routed back to the
        gateway and can be translated back.
        When using FWXT_DST_STATIC, address translation
        takes place in the gateway after internal routing
        but before transmission, so the gateway's routing
        decision is made on the untranslated (legal)
        destination address. To ensure that physical layer
        routing does not misdirect the packet, use static
        routing (the Unix route command) to define the same
        "next hop" for both the legal address and the
        internal address it is translated to.




15.6    Rule Base

        The Filter Code sees the packet as the initiator of
        the connection sees it, that is, with the addresses
        it carries before translation in the forward
        direction, and the Rule Base should be defined
        accordingly.
        In the usual situation, this means that if the
        source is an internal machine and the destination an
        external one, then the source object should be the
        internal "illegal" address, not the translated one.
        If the source is an external machine and the
        destination is an internal one, then the destination
        object should be the outside-visible mirrored (legal)
        address of the FWXT_DST_STATIC translated machine(s),
        not its internal address.
    
    
    Example
       Consider the following set of translation rules of a
       hypothetical organization that uses bits and pieces
       of the 10.0.0.0 class A network:
         No.  From Original    To Original      Method           First Translated
              Address (Port)   Address (Port)                    Address (Port)
         0    10.0.0.1         10.0.0.1         FWXT_SRC_STATIC  199.203.73.3
         1    199.203.73.3     199.203.73.3     FWXT_DST_STATIC  10.0.0.1
         2    199.203.73.64    199.203.73.80    FWXT_DST_STATIC  10.0.67.0
         3    10.0.0.2         10.255.255.255   FWXT_HIDE        199.203.73.2
        
         Rules 0 and 1
         The organization's mail server has an IP address of
         10.0.0.1, which is translated to 199.203.73.3.
         This is done both as FWXT_SRC_STATIC (Rule 0) and
         as FWXT_DST_STATIC (Rule 1), since the mail server
         both initiates and accepts connections. In both
         cases, the mail server always appears to the
         outside to have the same legal IP address,
         199.203.73.3.
        
        Rule 2
        The block of addresses from 10.0.67.0 to 10.0.67.16
        are meant to provide public services, such as HTTP
        or FTP, to the outside world. These addresses are
        mirrored as the seventeen (17) addresses from
        199.203.73.64 to 199.203.73.80. So, for example,
        when an outside machine sends a packet to IP address
        199.203.73.70, the packet will actually arrive at
        10.0.67.6.
        
         Rule 3
         All the internal machines, with the single exception
         of the mail server (which is covered by Rule 0), will
         have their source addresses translated to
         199.203.73.2 when they initiate communication with
         hosts outside the internal network.
         Note that this range also contains the public
         servers 10.0.67.0 - 10.0.67.16: Rule 2 covers only
         connections made to them, so a connection one of
         them initiates is hidden behind 199.203.73.2 rather
         than appearing to come from its mirrored address.
         Note that the translation rules are evaluated one
         after the other. If a match is found, the
         translation is performed and no other rules are
         evaluated (in other words, translated addresses are
         not further translated).
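        The following is an added worked model of the three
        translation modes of section 15.3 and of the Rule Base
        example above (Rules 0-3), applied with first-match
        semantics. It is example code written for this page, not
        FireWall-1's own code: the packet layout, the helper
        names, the sequential port counter used for FWXT_HIDE and
        the sample Internet address 192.0.2.9 are all assumptions.

```python
# Added example (not FireWall-1 code): a model of the translation rule table
# from the Rule Base example, applied in order with first-match semantics.
# Packet layout, port allocation scheme and helper names are assumptions.
import ipaddress
from dataclasses import dataclass, replace

FWXT_HIDE = "FWXT_HIDE"
FWXT_SRC_STATIC = "FWXT_SRC_STATIC"
FWXT_DST_STATIC = "FWXT_DST_STATIC"


def ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def ipstr(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


@dataclass(frozen=True)
class Rule:
    first: int       # "From Original Address"
    last: int        # "To Original Address"
    method: str
    translated: int  # "First Translated Address"

    def contains(self, addr: int) -> bool:
        return self.first <= addr <= self.last

    def contains_translated(self, addr: int) -> bool:
        # Static mappings are one to one, so the translated range has the same size.
        return self.translated <= addr <= self.translated + (self.last - self.first)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Rules 0-3 of the Rule Base example, in evaluation order.
RULES = [
    Rule(ip("10.0.0.1"), ip("10.0.0.1"), FWXT_SRC_STATIC, ip("199.203.73.3")),
    Rule(ip("199.203.73.3"), ip("199.203.73.3"), FWXT_DST_STATIC, ip("10.0.0.1")),
    Rule(ip("199.203.73.64"), ip("199.203.73.80"), FWXT_DST_STATIC, ip("10.0.67.0")),
    Rule(ip("10.0.0.2"), ip("10.255.255.255"), FWXT_HIDE, ip("199.203.73.2")),
]


class Translator:
    def __init__(self, rules, hide_port_base=10000):
        self.rules = rules
        # (hide address, assigned port) -> (original src, original sport).
        # FireWall-1's port allocation is not documented here; a counter is assumed.
        self.hide_table = {}
        self.next_port = hide_port_base

    def forward(self, pkt: Packet) -> Packet:
        """Forward direction (away from the initiator). The first matching rule
        is applied and no further rules are evaluated."""
        for r in self.rules:
            if r.method == FWXT_SRC_STATIC and r.contains(ip(pkt.src)):
                return replace(pkt, src=ipstr(r.translated + ip(pkt.src) - r.first))
            if r.method == FWXT_DST_STATIC and r.contains(ip(pkt.dst)):
                return replace(pkt, dst=ipstr(r.translated + ip(pkt.dst) - r.first))
            if r.method == FWXT_HIDE and r.contains(ip(pkt.src)):
                port = self.next_port
                self.next_port += 1
                self.hide_table[(ipstr(r.translated), port)] = (pkt.src, pkt.sport)
                return replace(pkt, src=ipstr(r.translated), sport=port)
        return pkt  # no rule matched: the packet passes untranslated

    def backward(self, pkt: Packet) -> Packet:
        """Backward direction (toward the initiator): undo the forward mapping."""
        hidden = self.hide_table.get((pkt.dst, pkt.dport))
        if hidden is not None:  # reply to a hidden connection: port selects the host
            return replace(pkt, dst=hidden[0], dport=hidden[1])
        for r in self.rules:
            if r.method == FWXT_SRC_STATIC and r.contains_translated(ip(pkt.dst)):
                return replace(pkt, dst=ipstr(r.first + ip(pkt.dst) - r.translated))
            if r.method == FWXT_DST_STATIC and r.contains_translated(ip(pkt.src)):
                return replace(pkt, src=ipstr(r.first + ip(pkt.src) - r.translated))
        return pkt


if __name__ == "__main__":
    t = Translator(RULES)
    # Constructed sample packets; 192.0.2.9 stands in for an Internet host.
    print(t.forward(Packet("10.0.0.1", 1025, "192.0.2.9", 25)))      # Rule 0
    print(t.forward(Packet("192.0.2.9", 3000, "199.203.73.70", 80)))  # Rule 2
    out = t.forward(Packet("10.0.5.5", 1026, "192.0.2.9", 80))        # Rule 3
    print(out, t.backward(Packet("192.0.2.9", 80, out.src, out.sport)))
    print(t.forward(Packet("192.0.2.9", 4000, "199.203.73.2", 23)))   # unsolicited
```

        Two behaviours worth checking against the text: a
        connection opened by 10.0.67.6 itself falls through to
        Rule 3 and is hidden behind 199.203.73.2, and an
        unsolicited inbound packet to 199.203.73.2 matches no
        rule and no hide-table entry, so no internal host is
        reached, which is the FWXT_HIDE property described in
        section 15.3.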




15.7    Installing Address Translation

        The Address Translation feature is an add-on to
        FireWall-1 Version 1.2, and cannot be used with
        prior releases.
        The Address Translation feature is installed using
        the shell script fwxlate, which performs two tasks:
            *    upgrades the FireWall-1 software by replacing the
             FireWall-1 kernel module with a new one that supports
             Address Translation
            *    configures Address Translation according to your input
             by running the Address Translation configuration utility
             fwxlconf
        Note: After  you have installed Address Translation,
        you can modify the address translation configuration
        by running fwxlconf directly.
       After starting fwxlate, the following is displayed
       on the terminal:
       FireWall-1 Address Translation Enhancement Setup
       This script will replace the FW-1 kernel module with
       a new one that supports Address Translation, and
       will modify a configuration file.
       You will then be asked to describe the desired
       Address Translations configuration in terms of IP
       addresses.
       Hit <RETURN> to continue
       Press <Return> to continue. Next, the following will
       be displayed:
       FW-1 must be stopped while setting up.
       OK to stop FW-1 now ? (y/n) [y] :
       Type Y or press <Return>. Next, the following will
       be displayed:
       --------------- Extracting FW-1 XLATE Enhancement ------------
       x ./modules/fwmod.4.1.3.o, 200322 bytes, 392 tape blocks
       x ./bin/fwxlconf, 1064960 bytes, 2080 tape blocks
       ---------------- Replacing Kernel Filter Module -------------
       Backing up current kernel module as /etc/fw/modules/fwmod.4.1.3.o.0524184303
       Installing new kernel module
       ------------- Modifying /etc/fw/lib/fwui_head.def ------
       Backing up current fwui_head.def as /etc/fw/lib/fwui_head.def.0524184303
       Adding '#include' of the Translations File
       #include "base.def"
       - Installing Address Translation Configuration Utility --
       'fwxlconf' installed in /etc/fw/bin
       - Adding Evaluation License for Address Translation ---
       Type             Expiration Features
       Eval              1Jul95    Unknown feature 10000
       Eval             16Jun95    std routers
       Eval             16Jun95    std routers
       License file updated
       Putting license in /etc/fw/modules/fwmod.4.1.3.o
       --- Creating Initial Translation File ------------------
       ----------------------------------------------------------
       ******** Launching Configuration Utility **************
       FireWall-1 Address Translation Configuration
       ============================================
       A listing of the current configuration is displayed,
       and then you are asked to select one of the
       following options:
       Which of the following do you want ?
       (1) Add/Change a translation entry
       (2) Delete a translation entry
       (3) Add interface
       (4) Delete interface
       (5) Save configuration
       (6) Restore configuration from Disk
       (7) Quit
        From this point on, you can modify the configuration
        or quit.
        NOTE: To restrict Address Translation to a subset of
        the gateway's interfaces, select "Add Interface"
        from the menu.
       Once you have quit the configuration program, the
       following is displayed:
       **********************************************************
        Address Translation Enhancement Setup completed.
        You can now use /etc/fw/bin/fwstart to restart FW-1.
       ----------------------------------------------------------
        The Address Translation you have configured will be in effect
        starting with the next time you install a filter,
        e.g. fwui's Filter->Install, or the command line
        'fw load filter.W'.
        
