4 Replies Latest reply on Mar 27, 2012 3:15 AM by PhilM

    How to enable incoming connection from a specific Public IP address

      Hi, I need to allow my internal web server to be accessed from the Internet from a specific IP address and I need to open port 3033, 21, 443 and 80. I am using Sidewinder and have been trying the whole day but have not succeeded. The firewall was reset to factory default. I have successfully allowed users to gain internet access through the firewall but failed to allow any incoming connection to my Internal LAN servers. My Internal LAN server is while the Public IP address is 223.255.X.y. I was allocated /29 by the ISP, one for my router.

        • 1. Re: How to enable incoming connection from a specific Public IP address



          You haven't said which version of Sidewinder (now called McAfee Firewall Enterprise) you are running. The process for the various versions is largely the same, but there are subtle differences - particularly in the management GUI for the different versions.


          In the case of the ports you need to open, there are pre-configured services for ports 80 (HTTP), 443 (HTTPS) and 21 (FTP), but you will need to create a user-defined entry for port 3033. The GUI screen and the naming convention differ depending on which version, but the process is essentially the same.


          You can then create a group to collect these services together so that they can all use the same rule (though this is not mandatory in v8 as you can assign multiple services in a rule).


          If the public IP address you wish to use is not the primary external IP address of the Firewall (not the one you configured on the external side in the setup wizard) you will need to edit the Interface and add this address as an alias. Otherwise the Firewall simply won't be listening on that address.


          Next create network objects for the external IP address and the address for the internal server.


          Finally you create the rule. For inbound rules where NAT is involved (which it is when using private addresses on the LAN side) the source and destination burb/zone values must both be the one you created for the external side (external, Internet, public, whatever you called it). The source address will be "Any" (to allow the internet at large to be able to access your site), the destination address is the object you created for the chosen public IP address and, finally, the redirect value should be configured to use the network object of the LAN host.


          That's it, really.


          The only other setting in the rule which you may wish to look at is the NAT setting. By default this is set to "Localhost", but if you want the web server to be able to see the real IP address of the hosts connecting into it (for reporting purposes, perhaps) then change this value to "None".


          I hope that helps, but if you can confirm which version you are running we should be able to put together some screenshots for you.



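The checklist in PhilM's answer (matching external burbs on both sides of an inbound NAT rule, a destination object for a public IP the firewall actually listens on, a redirect to the LAN host, and a service for every port including a user-defined one for 3033) lends itself to a pre-change sanity check. The following is an added example, not Sidewinder's own API or configuration syntax: it models those rule fields in plain Python and lists which requirements a proposed rule breaks; all addresses, object names and the `web-3033` service name are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

PREDEFINED_SERVICES = {"http": 80, "https": 443, "ftp": 21}  # pre-configured; 3033 must be user-defined

@dataclass
class Firewall:
    external_burb: str
    primary_external_ip: str
    interface_aliases: set[str] = field(default_factory=set)  # extra public IPs the firewall listens on
    services: dict[str, int] = field(default_factory=lambda: dict(PREDEFINED_SERVICES))
    network_objects: dict[str, str] = field(default_factory=dict)  # object name -> IP address

@dataclass
class Rule:
    source_burb: str
    dest_burb: str
    source_addr: str       # "Any", or a network object naming the permitted source
    dest_addr: str         # network object for the chosen public IP
    redirect: str | None   # network object for the LAN host
    services: list[str]

def check_inbound_rule(fw: Firewall, rule: Rule, required_ports: set[int]) -> list[str]:
    # Returns the requirements from the answer that the proposed rule violates (empty list = OK).
    problems = []
    if not (rule.source_burb == rule.dest_burb == fw.external_burb):
        problems.append("inbound NAT: source and destination burb must both be the external burb")
    if rule.source_addr != "Any" and rule.source_addr not in fw.network_objects:
        problems.append(f"source object '{rule.source_addr}' does not exist")
    public_ip = fw.network_objects.get(rule.dest_addr)
    if public_ip is None:
        problems.append(f"destination object '{rule.dest_addr}' does not exist")
    elif public_ip != fw.primary_external_ip and public_ip not in fw.interface_aliases:
        problems.append(f"{public_ip} is neither the primary external address nor an interface alias")
    if rule.redirect not in fw.network_objects:
        problems.append("redirect must be the network object of the LAN host")
    undefined = sorted(s for s in rule.services if s not in fw.services)
    if undefined:
        problems.append(f"services not defined on the firewall: {undefined}")
    missing = required_ports - {fw.services[s] for s in rule.services if s in fw.services}
    if missing:
        problems.append(f"ports with no service in the rule: {sorted(missing)}")
    return problems

def demo() -> tuple[list[str], list[str]]:
    # Constructed setup: the public IP is an alias on the external interface, 3033 is a user-defined service.
    fw = Firewall("external", "223.255.0.1", {"223.255.0.2"})
    fw.services["web-3033"] = 3033
    fw.network_objects.update({"pub-web": "223.255.0.2", "lan-web": "10.0.0.10"})
    ports = {80, 443, 21, 3033}
    wrong = Rule("external", "internal", "Any", "pub-web", None, ["http", "https", "ftp"])
    right = Rule("external", "external", "Any", "pub-web", "lan-web", ["http", "https", "ftp", "web-3033"])
    return check_inbound_rule(fw, wrong, ports), check_inbound_rule(fw, right, ports)
```

The `wrong` rule in `demo()` reproduces the three mistakes the answer warns about (internal destination burb, no redirect, no service for 3033); the `right` rule passes cleanly. The NAT "Localhost" vs "None" choice is deliberately left out of the check, since the answer presents it as a preference rather than a requirement.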
          • 2. Re: How to enable incoming connection from a specific Public IP address

            Thank you PhilM ... you explain it very clearly. I will give it a try.  The burb is one of the things that make me so confused.  Thanks again.

            • 3. Re: How to enable incoming connection from a specific Public IP address

              Anyway I am using sidewinder version 7

              • 4. Re: How to enable incoming connection from a specific Public IP address

                Burbs are just logical definitions.


                Interfaces belong to burbs and burbs are used in rules. Burbs also support a many-to-one relationship, meaning you can allocate more than one interface on your Firewall to the same burb.


                I tend to explain it by describing a building with 2 floors, each floor is the home to a different company (Company A & Company B). Company A decide to buy Company B, but instead of re-configuring company B's network they simply configure a spare interface on their Firewall and connect it to Company B's switch. They then assign this interface to the "internal" burb which means that any pre-existing rule on the Firewall where "internal" burb is referenced will be available to the Company B network. Does that make sense?


                Unlike Firewalls of old where the rules were created on a per-interface basis, if you needed to change the configuration of an interface you would then have to consider how this would affect the rules.


                Because there is no direct relationship between the rules and the physical interface it means that by changing the burb assignment you can completely alter the rules it uses.


