This is where you customize your firewall to permit selected Internet traffic to reach services on the inside (LAN/DMZ). Both BrazilFW and Coyote Linux come loaded with example rules that are not active. You configure port forwarding using the Webadmin. See also: Secure access for BrazilFW webadmin from the Internet. It is imperative that you understand the theory in the Firewall primer if you are going to troubleshoot firewall rules.
Rules created in Advanced Firewall Configuration can override these port forwards.
Check the Pre-Configured Services option before creating new rules. The service you need may already be listed, or there may be a similar one that you can simply modify. To activate one of these examples click edit (not shown), then click on the activate radio button. Do use the Comments field, as it will help you remember what the rule is supposed to do.
The Single Port option is just that: one port. You could also use the "Range Of Ports" option and specify only one port; this is how the single port forward rules are created in the Pre-Configured Services. You would use the Single Port option if you need to specify an External IP Address (when you have a secondary static IP address attached to the WAN interface) or if you are forwarding the external port to a different port on the inside LAN, as in the Example Secondary WWW above.
The Range of Ports option has no default protocol selected, so don't forget to specify it; otherwise you will get an error. You can also use it for a single port forward. The FTP example above is one use of "Range of Ports". With this option you cannot specify an External IP Address (if you have a second one), so it applies to all External IP Addresses.
Pre-Configured Services
has options for the things lots of people want to do, like web servers, P2P, and remote control. Some rules, like FTP, use a range of ports. Others use a single port, while some, like VNC, produce 2 rules. There's not much to show here: you select one and it works. Let's say you are using VNC but have changed the ports. It's easier to create the rules as they are and then edit them to change the ports. If it exists, use it!
Fill in the optional comment. This way there is no guessing which rule does what when you are looking at the main panel above, especially when creating 2-rule configs like VNC. You may have to revisit this in a few months, and the port numbers may not be fresh in your mind.
Both Brazil Firewall and Coyote Linux create intermediate files when you fill those firewall configuration forms. Reloading the firewall converts these to iptables commands, flushes all the rules, and executes the iptables commands. They look like the following when edited.
# Auto examples:
auto Y tcp 80 192.168.0.10 dns # Example - WWW
#
# Port examples:
port N 192.168.0.9 tcp 81 80 dns # Example - Secondary WWW
This can be used when you want to make a lot of similar changes at one time. More experienced people use this method. The format of these files is particular to BrazilFW and Coyote Linux. You need to understand this format before using them, and even then you can get your fingers burnt by not entering them correctly. There is an example of that in my troubleshooting firewall rules page, which is a real live case from the forums.
A good use of this is when you want to make a rule similar to an example but do not want to activate the example or change it. Cut and paste the rule, then look at it from the menu to change it. In the real live case mentioned above the person just cut and pasted and presumed it was OK. The computer saw it differently. These are not iptables commands; they get interpreted into iptables commands by scripts.
Lastly,
there is this radio button "Enable LAN to use External IP" on all the forms, and it is on by default. It allows connections to LAN servers from the LAN by using the Internet IP address assigned to your WAN. It does this using a bit of "magic" in the nat PREROUTING and POSTROUTING chains and by resolving your DNS name to your WAN address. It may be convenient to access your web server (or whatever) by its DNS name just like the Internet users do. The cost is that all this internal traffic (both directions) is being routed through Coyote Linux/BrazilFW when it could and should be direct. If you run your firewall on a P4 it may not be a problem. Chances are it's a lowly Pentium 100, so why slow it down with all that work? While it is doing all this, traffic to/from the Internet is stacking up. It's true that it does not expose you to any additional risk.
Even if you will never access your internal servers in this way, turn it off anyway. It still creates 2 rules that MUST be evaluated for every new connection from the Internet.
Turning it off creates the problem of not being able to access your server by its public name, like www.myweb.ca or whatever. This is solved by putting an entry for that server in the Coyote Linux/Brazil Firewall local hosts file. Internet users will have that domain name resolved by an Internet DNS server to your Internet IP address. For example: if www.myweb.ca is your DNS name, then put www.myweb.ca in the hosts file and set it to the internal IP address. This requires a reboot to take effect.
Webadmin->Configuration Files->Local Hosts
# Include here the IP and the names of your local machines
# you want to be resolved by Coyote DNS
# Format:
#IP_ADDRESS HOST.DOMAIN ALIAS
# Example
#192.168.0.20 www.myweb.ca
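To make the two earlier points concrete (the intermediate file entries being turned into iptables commands, and the extra hairpin rules that "Enable LAN to use External IP" adds), here is an added example, not code from BrazilFW or Coyote Linux. It prints the iptables commands a single port forward expands to, with and without the LAN-to-external-IP rules, and emits the hosts-file line that replaces them; the interface names and addresses (eth0/203.0.113.5 for WAN, eth1/192.168.0.0/24 for LAN) are assumptions.

```shell
#!/bin/sh
# Added example: expand one port forward into iptables commands (printed, not run).
# Assumed addressing: eth0 = WAN with 203.0.113.5, eth1 = LAN 192.168.0.0/24.
WAN_IF=eth0; WAN_IP=203.0.113.5; LAN_IF=eth1; LAN_NET=192.168.0.0/24

# gen_forward PROTO EXT_PORT INT_IP INT_PORT LAN_USE_EXT(Y|N)
gen_forward() {
  proto=$1; ext_port=$2; int_ip=$3; int_port=$4; lan_ext=$5
  # A "Range of Ports" entry saved without a protocol yields a half-built
  # command that iptables rejects with "Try `iptables -h' ...". Catch it early.
  case "$proto" in
    tcp|udp) ;;
    *) echo "error: protocol must be tcp or udp" >&2; return 1 ;;
  esac
  # Internet -> inside: rewrite the destination in nat PREROUTING, then allow
  # the (already rewritten) packet through FORWARD to the internal server.
  echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p $proto --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
  echo "iptables -A FORWARD -i $WAN_IF -p $proto -d $int_ip --dport $int_port -j ACCEPT"
  if [ "$lan_ext" = "Y" ]; then
    # Hairpin ("Enable LAN to use External IP"): LAN clients talking to the WAN
    # address are DNATed too, and the packet is SNATed to the WAN address so the
    # server's reply comes back through the firewall instead of going direct.
    # These are the 2 extra rules evaluated for every new connection.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -d $WAN_IP -p $proto --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $int_ip -p $proto --dport $int_port -j SNAT --to-source $WAN_IP"
  fi
}

# hosts_entry NAME INT_IP: the local hosts line that replaces the hairpin rules,
# so LAN clients resolve the public name straight to the internal address.
hosts_entry() { printf '%s\t%s\n' "$2" "$1"; }

# Number of iptables commands a given forward produces (2 without hairpin, 4 with).
count_rules() { gen_forward "$@" | wc -l | tr -d ' '; }

# Demonstration using the page's WWW and Secondary WWW examples.
gen_forward tcp 80 192.168.0.10 80 Y
gen_forward tcp 81 192.168.0.9 80 N
hosts_entry www.myweb.ca 192.168.0.10
```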
Any time you create or change rules you must reload the firewall to make them active, and back up the configuration if you want these changes to survive the next boot.
When reloading the rules, beware of the following message. It means some rule(s) did not work.
Try `iptables -h' or 'iptables --help' for more information.
DISCLAIMER: The following instructions come with no warranty. Use at your own discretion and risk. I am not responsible for misuse, damages, or losses that may be caused directly or indirectly. It is assumed that you practice safe computing and take backups before making changes.
This is written for the uninitiated, and no prior knowledge of the subject is presumed.
Use the Forums for support so everyone can share the information.
Copyright for the writing. The ideas and code are free. Robert Bonomo