Help: Network Objects
 
Introduction
Enter all of your network objects here. For example, make sure that all of your internal networks are defined. If there are external hosts or networks that you need to define rules for, add them here.
What is a Network Object?
A network object is something that you want to apply a firewall rule to. This could be:
  • A network that is hidden behind your firewall.
  • A host that needs to have specific firewall rules attached to it. For example, you may want to set up your mail server or web server as network objects.
  • A remote network that you need special access to (eg: VPN access).
  • Any other host or LAN inside or outside of your firewall.

Object Name
You can give your objects any name you want. There are a number of pre-defined objects; do not give your objects a name that is already taken by one of those.

One common strategy is to name your networks with the extension _NET or _net so they are easier to find.


Network Address
You need to specify the network address of the network object. This will be one of the following:
  • For a single machine, its IP address.
  • For a network, the base network address of the LAN or WAN. For example, a network containing machines that are all in the range 192.168.1.x has the network address of 192.168.1.0.

Network Mask
You need to specify the network mask of the network object. This will be one of the following:
  • For a single machine, 32.
  • For a network, the network mask of the LAN or WAN. For example, a network containing machines that are all in the range 192.168.1.x has the network mask of 24.
The network mask can be entered as a dotted netmask (eg: 255.255.255.0) or as a number of network bits to include in the mask (eg: 24). For example, the values 255.255.255.255 and 32 are identical.
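The address and mask rules above can be checked before an object is saved. The following is an added example, not the firewall's own code: it accepts the mask in either form the page allows, classifies the entry as a host (/32) or a network, and warns when a network entry was given a host address instead of the base network address. Object names and addresses are constructed samples.

```python
import ipaddress

# Added example (not the firewall's own code): validate an address/mask pair
# entered for a network object, accepting the mask either as a dotted netmask
# or as a number of bits, as this help page allows.


def parse_mask(mask: str) -> int:
    """Return the prefix length for a mask given as '24' or '255.255.255.0'."""
    mask = mask.strip()
    if mask.isdigit():
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length out of range: {mask}")
        return bits
    # ipaddress rejects non-contiguous masks such as 255.0.255.0
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def normalize_object(name: str, address: str, mask: str) -> dict:
    """Classify the entry as a host (/32) or a network and check that a network
    entry uses its base network address (192.168.1.0, not 192.168.1.5, for /24)."""
    bits = parse_mask(mask)
    addr = ipaddress.IPv4Address(address)
    net = ipaddress.IPv4Network((addr, bits), strict=False)
    base_ok = addr == net.network_address
    warning = None
    if not base_ok:
        warning = (f"{name}: {address} is a host inside {net}; "
                   f"enter {net.network_address} as the network address")
    return {
        "name": name,
        "kind": "host" if bits == 32 else "network",
        "cidr": str(net),
        "base_address_ok": base_ok,
        "warning": warning,
    }


if __name__ == "__main__":
    # Constructed sample entries, as a user might type them into the form
    samples = [
        ("LAN_NET", "192.168.1.0", "24"),
        ("MAIL", "192.168.1.10", "255.255.255.255"),
        ("BRANCH_NET", "10.20.0.0", "255.255.0.0"),
        ("TYPO_NET", "192.168.1.5", "24"),
    ]
    for entry in samples:
        obj = normalize_object(*entry)
        print(obj["name"], obj["kind"], obj["cidr"], obj["warning"] or "ok")
```

The `TYPO_NET` entry shows the common mistake of typing a machine's address with a network mask; the check reports the base address that should have been entered instead.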
Masquerade?
If a network is behind your firewall, and you want to allow access from that network to the internet through the single (assigned by an ISP) address of the firewall using address translation, then you need to masquerade that network.

For example, in a simple network where you have a LAN and this firewall is the gateway to the internet, you need to masquerade the network object for that LAN.

If the network object is a remote host or network, then you probably should NOT masquerade it.

You MUST masquerade a network object that is to be the target of any port forwarding.

Traffic between masqueraded networks (eg: between one network object that is masqueraded, and another that is also masqueraded) will not be masqueraded by the firewall. This means that if you have a remote network that you need to access using the natural, un-masqueraded IP addresses from your network, then you could either masquerade both networks, or neither network.
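The masquerading rules stated above can be modelled to predict what the firewall will do for a given connection. The following is an added example, not the firewall's own code: it looks up the most specific network object for the source and destination, applies the page's rules (masqueraded source going to an address outside any masqueraded object is translated; traffic between two masqueraded objects is not; a non-masqueraded source never is), and checks that every port-forwarding target is masqueraded. The object names, addresses and port forwards are constructed samples.

```python
import ipaddress
from typing import Optional

# Added example (not the firewall's own code): a small model of the masquerading
# rules described on this help page, for predicting whether the firewall will
# translate the source of a given connection.

# Constructed sample set: a local LAN and DMZ behind the firewall (masqueraded),
# a remote VPN network reached by its natural addresses (not masqueraded), and
# a mail host that is the target of a port forward (so it must be masqueraded).
OBJECTS = [
    {"name": "LAN_NET",    "cidr": "192.168.1.0/24",  "masquerade": True},
    {"name": "DMZ_NET",    "cidr": "192.168.2.0/24",  "masquerade": True},
    {"name": "BRANCH_NET", "cidr": "10.20.0.0/16",    "masquerade": False},
    {"name": "MAIL",       "cidr": "192.168.2.25/32", "masquerade": True},
]


def find_object(ip: str, objects: list) -> Optional[dict]:
    """Return the most specific network object containing ip, or None if it
    belongs to no defined object (e.g. an address on the internet)."""
    addr = ipaddress.IPv4Address(ip)
    matches = [o for o in objects if addr in ipaddress.IPv4Network(o["cidr"])]
    if not matches:
        return None
    return max(matches, key=lambda o: ipaddress.IPv4Network(o["cidr"]).prefixlen)


def would_masquerade(src_ip: str, dst_ip: str, objects: list = OBJECTS) -> bool:
    """Page rules: traffic from a masqueraded object is masqueraded unless the
    destination also lies in a masqueraded object; traffic from a non-masqueraded
    object (or from an address outside every object) is never masqueraded."""
    src = find_object(src_ip, objects)
    dst = find_object(dst_ip, objects)
    if src is None or not src["masquerade"]:
        return False
    if dst is not None and dst["masquerade"]:
        return False
    return True


def port_forward_problems(forwards: list, objects: list = OBJECTS) -> list:
    """Page rule: every port-forwarding target must be a masqueraded object."""
    by_name = {o["name"]: o for o in objects}
    problems = []
    for fw in forwards:
        target = by_name.get(fw["target"])
        if target is None:
            problems.append(f"{fw['label']}: unknown target object {fw['target']!r}")
        elif not target["masquerade"]:
            problems.append(f"{fw['label']}: target {fw['target']} is not masqueraded")
    return problems


if __name__ == "__main__":
    for src, dst in [("192.168.1.50", "203.0.113.7"),   # LAN to internet
                     ("192.168.1.50", "192.168.2.25"),  # LAN to DMZ host
                     ("192.168.1.50", "10.20.0.5"),     # LAN to VPN branch
                     ("10.20.0.5", "192.168.1.50")]:    # VPN branch to LAN
        print(f"{src} -> {dst}: masquerade={would_masquerade(src, dst)}")
    forwards = [{"label": "smtp", "target": "MAIL"},
                {"label": "ssh", "target": "BRANCH_NET"}]
    for problem in port_forward_problems(forwards):
        print("problem:", problem)
```

In the sample set, the LAN reaches the branch network with the firewall's address rather than its natural addresses because only one side is masqueraded; to keep the natural addresses, flip `BRANCH_NET` to masqueraded as well, or clear the flag on `LAN_NET`, exactly as the paragraph above describes.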