NAT routing based on address lists?

Posted: Thu Sep 23, 2010 7:42 pm
by multipath
I have set up a layer 7 firewall rule to place certain IP addresses in an address-list.
Logically it is: if the IP is in address_list_filter and the webpage matches address_list_block, then route to the web proxy on port 8080.
The web proxy is set to block all. If the IP is in address_list_filter and the webpage does not match address_list_block, then pass through; do not route to the proxy.
This does not seem to work. It is as if it never looks at the layer7-protocol. Anyone have any ideas?

Here is my NAT rule:

;;; Kid Friendly Web Proxy
chain=dstnat action=redirect to-ports=8080 protocol=tcp src-address-list=kid_friendly_dns dst-address-list="" layer7-protocol=kid_friendly-www dst-port=80

Re: NAT routing based on address lists?

Posted: Thu Sep 23, 2010 7:54 pm
by fewi
NAT happens on the first packet of a connection. For TCP that would be the SYN flag packet without any payload - there isn't any layer 7 information to match. You generally can only make NAT decisions based on layer 3 and layer 4 information. The best you can do is use layer 7 filters to unconditionally add source and destination IP addresses to address lists and then make NAT decisions based on ONLY whether an IP address is on a particular address list.
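A RouterOS configuration that follows the two-step approach fewi describes, added here as an example and not taken from either post. It reuses the names from the original rule (kid_friendly_dns, kid_friendly-www, port 8080); the address-list name blocked_www_seen, the regexp content and the timeout value are assumptions.

```routeros
# Added example, not the thread's own config. Assumed names: the layer7
# signature content, the list "blocked_www_seen" and the 1h timeout.

# 1. Layer-7 signature for a site the proxy should block. RouterOS layer7
#    matching is case-insensitive and inspects the first packets of the
#    stream, so the HTTP Host header of a plain-HTTP request is visible here.
/ip firewall layer7-protocol
add name=kid_friendly-www regexp="^.+(host: [^ ]*blockedsite.example).*\$"

# 2. Classify in the forward chain, where payload exists, and record the
#    destination address. add-dst-to-address-list is non-terminating, so the
#    packet continues down the chain. This is the only place layer 7 is used.
/ip firewall filter
add chain=forward protocol=tcp dst-port=80 src-address-list=kid_friendly_dns \
    layer7-protocol=kid_friendly-www action=add-dst-to-address-list \
    address-list=blocked_www_seen address-list-timeout=1h \
    comment="Learn blocked destinations from layer 7"

# 3. The NAT decision is made on the connection's first packet (the TCP SYN,
#    no payload), so it matches on layer 3 only: list membership, not layer7.
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 src-address-list=kid_friendly_dns \
    dst-address-list=blocked_www_seen action=redirect to-ports=8080 \
    comment="Kid Friendly Web Proxy"
```

Two consequences of this design are worth checking before relying on it. The first connection to a destination that is not yet on blocked_www_seen completes without being redirected, because its SYN was NAT-decided before the layer-7 rule ever saw a Host header; with a block-all proxy that means the first request to a new site gets through, and only later connections are redirected. Second, the list is keyed by destination IP, so once one blocked site on a shared hosting address is learned, every other site on that address is redirected as well.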

Re: NAT routing based on address lists?

Posted: Thu Sep 23, 2010 8:04 pm
by multipath
Thanks, that explains why the layer 7 was never looked at.