topic Re: UDP mapping (on R80.20) in General Topics

UDP mapping (on R80.20)

Hugo_vd_Kooij — Tue, 27 Nov 2018 12:18:49 GMT

Silly me. I tried to find the answer in Secure Knowledge or in some existing predefined service. But I could not find the answer.

I want to map a port on the firewall to a port on another server. (aka: my honeypot)

It's easy to clone http_mapped and do this for TCP port. But I can't find an example for UDP.

So I did the next best thing and did a trial-and-error attempt:

Clone http_mapped to my own service HoneyPot_SIP
General
1. Match By : Change from IP Protocol 6 to IP protocol 17
Advanced
1. Match: Change tcp to udp
2. Match: Change dport=80 to dport=5060
3. Action: Change 80 to 5060
4. Action: Change 0.0.0.0 to my HoneyPot IP address
Publish and install policy

So far it seems work just fine. Need to do some real capturing to see it the translate actually works.

PhoneBoy — Tue, 27 Nov 2018 20:46:59 GMT

Curious why you wouldn’t use regular NAT rules for this (which is what I do).

Danny — Tue, 27 Nov 2018 21:05:14 GMT

I remember having done this a long time ago as well. There was some advantage, NAT didn't provide back then.

However, keep in mind that any _mapped service won't be accelerated by SecureXL as mentioned by Tim.

Hugo_vd_Kooij — Wed, 28 Nov 2018 09:02:40 GMT

There are some side effects if you do NAT on the gateway itself.

The port mapping does not interfere with other traffic.

But it is also is a matter of taste I guess.

The point was more about documenting HOW to do it.