#-----------------------------------------------------------------------------#
#    This file contains miscellaneous rules (mostly forwarding rules),        #
#    demonstrating how services (e.g. pop3, smtp, ftp, ipsec, multimedia, etc)#
#    can be forwarded through the firewall.                                   #
#                                                                             #
#    To activate the rules, simply move them to firerule.cnf and update the   #
#    Mapping-Dest-IP to the IP address of your internal computer.             #
#                                                                             #
#    DISCLAIMER: Not all samples have been tested by F/X Communications.      #
#-----------------------------------------------------------------------------#


# Forwarding to an internal Web Server ---------------------------------------#

# Inbound: packets for the WWW service addressed to "current" (presumably the
# firewall's own address) are port-mapped to the internal host 10.1.1.1, port
# WWW. "10.1.1.1" is a sample value; replace it as described in the header.
PORTMAP-WWW-IN		Rule-Status = Enabled,
			Comment = "Running A WEB Server on an internal server",
			Destination = "current",
			Service = WWW,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",
			Mapping-Dest-Port = WWW

# Outbound counterpart: traffic leaving 10.1.1.1 from source port WWW is
# mapped back. No Mapping-Dest-IP is given here; presumably the firewall
# substitutes its own address — confirm against the rule reference.
PORTMAP-WWW-OUT		Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = WWW,
			Rule-Action = Portmap,
			Mapping-Dest-Port = WWW


# An internal FTP Server -----------------------------------------------------#

# Inbound FTP control channel (Service FTP) to "current" is port-mapped to
# 10.1.1.1. Unlike PORTMAP-WWW-IN no Mapping-Dest-Port is given; presumably
# the original port is kept — confirm against the rule reference.
# NOTE(review): this rule ends with a trailing comma after its last key,
# whereas PORTMAP-WWW-IN does not; confirm the parser accepts both forms
# (most rules below use the trailing-comma form).
PORTMAP-FTP-IN		Rule-Status = Enabled,
			Comment = "FTP port 20 and 21",
			Destination = "current",
			Service = FTP,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart for the control channel.
PORTMAP-FTP-OUT		Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = FTP,
			Rule-Action = Portmap,


# Inbound FTP data channel (Service FTP-DATA, port 20 per the Comment above).
# NOTE(review): port 20 is the active-mode data port; passive-mode transfers
# negotiate other ports and are not covered by these four rules — verify how
# the firewall handles FTP before relying on them.
PORTMAP-FTPDATA-IN	Rule-Status = Enabled,
			Destination = "current",
			Service = FTP-DATA,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart for the data channel.
PORTMAP-FTPDATA-OUT	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = FTP-DATA,
			Rule-Action = Portmap,


# Running an internal SMTP (Mail) Server -------------------------------------#

# Inbound SMTP (port 25 per the Comment) to "current" is port-mapped to
# 10.1.1.1; no Mapping-Dest-Port, so presumably the same port — confirm.
PORTMAP-SMTP-IN		Rule-Status = Enabled,
			Comment = "SMTP port 25",
			Destination = "current",
			Service = SMTP,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart: replies from 10.1.1.1 source port SMTP are mapped back.
PORTMAP-SMTP-OUT	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = SMTP,
			Rule-Action = Portmap,


# Running a POP3 (Mail) Server -----------------------------------------------#

# Inbound POP3 (port 110 per the Comment) to "current" is port-mapped to
# 10.1.1.1; no Mapping-Dest-Port, so presumably the same port — confirm.
PORTMAP-POP3-IN		Rule-Status = Enabled,
			Comment = "POP3 port 110",
			Destination = "current",
			Service = POP3,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart: replies from 10.1.1.1 source port POP3 are mapped back.
PORTMAP-POP3-OUT	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = POP3,
			Rule-Action = Portmap,


# Forwarding all IPSec to one internal PC ------------------------------------#
#
# Before using these rules, carefully read the NAT section in the
# IPSec reference manual - available here: http://www.fx.dk/ipsec

# Inbound IP protocol 50 (ESP, per the Comment) addressed to "current" is
# forwarded whole to 10.1.1.1. There is no port to match on, so every ESP
# packet the firewall receives goes to that single host.
IPSEC-IN                Rule-Status = Enabled,
                        Comment = "Map incoming IPSec (protocol 50)",
                        Destination = "current",
                        Protocol = 50,
                        Rule-Action = Portmap,
                        Mapping-Dest-IP = "10.1.1.1",

# Inbound IKE/ISAKMP: UDP port 500 to "current" is mapped to 10.1.1.1:500.
# NOTE(review): this name is mixed case ("IPSec-IKE-IN") while its sibling
# is all caps ("IPSEC-IN"); harmless if rule names are case-insensitive, but
# keep one convention.
# NOTE(review): no rule here covers UDP 4500 (IKE NAT traversal); add one if
# the peers negotiate NAT-T — verify against the IPSec manual linked above.
IPSec-IKE-IN            Rule-Status = Enabled,
                        Comment = "Map incoming ISAKMP (IKE negotiations)",
                        Destination = "current",
                        Service = 500,
                        Protocol = UDP,
                        Rule-Action = Portmap,
                        Mapping-Dest-IP = "10.1.1.1",
                        Mapping-Dest-Port = 500


# Running the dialpad telephony application (www.dialpad.com) ----------------#

# Dialpad: UDP 51200, UDP 51201 and TCP 51210 addressed to "current" are each
# mapped to the same port on 10.1.1.1. Unlike the other sections no outbound
# counterparts are defined — presumably not needed; confirm before use.
# NOTE(review): the Destination line of each rule is indented with tabs while
# the other lines use spaces, and the names end in -I1/-I2/-I3 rather than the
# -IN used elsewhere; cosmetic, but worth normalising.
PORTMAP-DIALPAD-I1      Rule-Status = Enabled,
                        Comment = "Map data to dialpad",
			Destination = "current",
                        Protocol = UDP,
                        Service = 51200,
                        Rule-Action = Portmap,
                        Mapping-Dest-IP = "10.1.1.1",
                        Mapping-Dest-Port = 51200,

# Second Dialpad port, UDP 51201.
PORTMAP-DIALPAD-I2      Rule-Status = Enabled,
			Destination = "current",
                        Protocol = UDP,
                        Service = 51201,
                        Rule-Action = Portmap,
                        Mapping-Dest-IP = "10.1.1.1",
                        Mapping-Dest-Port = 51201,

# Third Dialpad port, TCP 51210.
PORTMAP-DIALPAD-I3      Rule-Status = Enabled,
			Destination = "current",
                        Protocol = TCP,
                        Service = 51210,
                        Rule-Action = Portmap,
                        Mapping-Dest-IP = "10.1.1.1",
                        Mapping-Dest-Port = 51210,

# Buddy phone (telephony application) ----------------------------------------#

# Inbound: the port range given as Service-List "700:701" addressed to
# "current" is mapped to 10.1.1.1. No Protocol key is given, so presumably
# the firewall's default applies — confirm which protocols this matches.
BUDDY-IN                Rule-Status = Enabled,
                        Comment = "Buddyphone Incoming",
                        Destination = "current",
                        Service-List = "700:701",
                        Rule-Action = Portmap,
                        Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart for port 701 (one rule per port; compare BUDDY-OUT2).
BUDDY-OUT               Rule-Status = Enabled,
                        Comment = "Buddyphone Outgoing",
                        Source = "10.1.1.1",
                        Source-Port = 701,
                        Rule-Action = Portmap,
                        Mapping-Dest-Port = 701,

# Outbound counterpart for port 700.
BUDDY-OUT2              Rule-Status = Enabled,
                        Comment = "Buddyphone Outgoing",
                        Source = "10.1.1.1",
                        Source-Port = 700,
                        Rule-Action = Portmap,
                        Mapping-Dest-Port = 700,


# Running a Real Player (try without these rules first!) ---------------------#

# Inbound UDP 6970 addressed to "current" is mapped to 10.1.1.1. The section
# header advises trying playback without these rules first — that is the
# least-privilege choice: only add the mapping if it is actually needed.
PORTMAP-REALPLAY-IN	Rule-Status = Enabled,
			Comment = "Real Player - Port 6970 UDP",
			Destination = "current",
			Protocol = UDP,
			Service = 6970,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart: UDP from 10.1.1.1 source port 6970 is mapped back.
PORTMAP-REALPLAY-OUT	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Protocol = UDP,
			Source-Port = 6970,
			Rule-Action = Portmap,


# Running a DOOM Server ------------------------------------------------------#

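# Inbound UDP 666 addressed to "current" is mapped to 10.1.1.1 (no
# Mapping-Dest-Port, so presumably the same port — confirm). The Comment
# previously read "Quake Server, Port 26000 UDP", a copy-paste leftover from
# the Quake section that contradicted the Service value; it now matches.
PORTMAP-DOOM-IN		Rule-Status = Enabled,
			Comment = "DOOM Server, Port 666 UDP",
			Destination = "current",
			Protocol = UDP,
			Service = 666,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart: UDP from 10.1.1.1 source port 666 is mapped back.
PORTMAP-DOOM-OUT	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Protocol = UDP,
			Source-Port = 666,
			Rule-Action = Portmap,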


# Running a Quake Server -----------------------------------------------------#

# Inbound UDP 26000 addressed to "current" is mapped to 10.1.1.1 (no
# Mapping-Dest-Port, so presumably the same port — confirm).
PORTMAP-QUAKE-IN	Rule-Status = Enabled,
			Comment = "Quake Server, Port 26000 UDP",
			Destination = "current",
			Protocol = UDP,
			Service = 26000,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart: UDP from 10.1.1.1 source port 26000 is mapped back.
PORTMAP-QUAKE-OUT	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Protocol = UDP,
			Source-Port = 26000,
			Rule-Action = Portmap,


# Running a Quake2 Server ----------------------------------------------------#

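# Inbound UDP 27910 addressed to "current" is mapped to 10.1.1.1 (no
# Mapping-Dest-Port, so presumably the same port — confirm). The Comment
# previously said "Quake Server"; it now names Quake2, matching the section
# header and the rule name.
PORTMAP-QUAKE2-IN	Rule-Status = Enabled,
			Comment = "Quake2 Server, Port 27910 UDP",
			Destination = "current",
			Protocol = UDP,
			Service = 27910,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart: UDP from 10.1.1.1 source port 27910 is mapped back.
PORTMAP-QUAKE2-OUT	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Protocol = UDP,
			Source-Port = 27910,
			Rule-Action = Portmap,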


# Gaming at the MSN Gaming Zone ----------------------------------------------#

# Inbound port 28800 addressed to "current" is mapped to 10.1.1.1. The Comment
# lists both 28800 and 28912; the second port is handled by PORTMAP-ZONE-IN1.
# No Protocol key is given — the Comment says TCP, so presumably that is the
# default; confirm.
PORTMAP-ZONE-IN		Rule-Status = Enabled,
			Comment = "The Zone - TCP Port 28800, 28912",
			Destination = "current",
			Service = 28800,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart for port 28800.
PORTMAP-ZONE-OUT	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 28800,
			Rule-Action = Portmap,


# Inbound port 28912, second Zone port named in the Comment above.
PORTMAP-ZONE-IN1	Rule-Status = Enabled,
			Destination = "current",
			Service = 28912,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart for port 28912.
PORTMAP-ZONE-OUT1	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 28912,
			Rule-Action = Portmap,


# Inbound port 47624 (DirectX, per the Comment) mapped to 10.1.1.1.
PORTMAP-DIRECTX-IN	Rule-Status = Enabled,
			Comment = "The Zone - DirectX 6.0",
			Destination = "current",
			Service = 47624,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart for port 47624.
PORTMAP-DIRECTX-OUT	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 47624,
			Rule-Action = Portmap,


# Gaming on Battle.net -------------------------------------------------------#

# Inbound port 116 addressed to "current" is mapped to 10.1.1.1. The Comment
# lists three ports; 118 and UDP 6112 are handled by the -IN1/-IN2 rules.
# No Protocol key here or on -IN1 — the Comment says TCP, so presumably that
# is the default; confirm.
PORTMAP-BATTLE-IN	Rule-Status = Enabled,
			Comment = "Battle.net - open TCP ports 116, 118 and udp 6112",
			Destination = "current",
			Service = 116,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart for port 116.
PORTMAP-BATTLE-OUT	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 116,
			Rule-Action = Portmap,


# Inbound port 118 mapped to 10.1.1.1.
PORTMAP-BATTLE-IN1	Rule-Status = Enabled,
			Destination = "current",
			Service = 118,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart for port 118.
PORTMAP-BATTLE-OUT1	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 118,
			Rule-Action = Portmap,


# Inbound UDP 6112 mapped to 10.1.1.1 (this pair does set Protocol explicitly).
PORTMAP-BATTLE-IN2	Rule-Status = Enabled,
			Destination = "current",
			Protocol = UDP,
			Service = 6112,
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart for UDP 6112.
PORTMAP-BATTLE-OUT2	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Protocol = UDP,
			Source-Port = 6112,
			Rule-Action = Portmap,


# Running ICQ - See also: http://www.icq.com/firewall/port.html --------------#

# Inbound: the whole range Service-List "3989:4000" addressed to "current" is
# mapped to 10.1.1.1 with a single rule. No Protocol key is given, so
# presumably the firewall's default applies — confirm. Twelve ports are
# opened unconditionally here; keep the list as narrow as the client needs.
PORTMAP-ICQ-IN		Rule-Status = Enabled,
			Comment = "ICQ - open ports 3989 through 4000",
			Destination = "current",
			Service-List = "3989:4000",
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterparts, one rule per port 3989..4000. Presumably Source-Port
# does not accept a list the way Service-List does — confirm; if it does,
# these twelve rules collapse into one.
PORTMAP-ICQ-OUT1	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 3989,
			Rule-Action = Portmap,

PORTMAP-ICQ-OUT2	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 3990,
			Rule-Action = Portmap,

PORTMAP-ICQ-OUT3	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 3991,
			Rule-Action = Portmap,

PORTMAP-ICQ-OUT4	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 3992,
			Rule-Action = Portmap,

PORTMAP-ICQ-OUT5	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 3993,
			Rule-Action = Portmap,

PORTMAP-ICQ-OUT6	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 3994,
			Rule-Action = Portmap,

PORTMAP-ICQ-OUT7	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 3995,
			Rule-Action = Portmap,

PORTMAP-ICQ-OUT8	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 3996,
			Rule-Action = Portmap,

PORTMAP-ICQ-OUT9	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 3997,
			Rule-Action = Portmap,

PORTMAP-ICQ-OUT10	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 3998,
			Rule-Action = Portmap,

PORTMAP-ICQ-OUT11	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 3999,
			Rule-Action = Portmap,

PORTMAP-ICQ-OUT12	Rule-Status = Enabled,
			Source = "10.1.1.1",
			Source-Port = 4000,
			Rule-Action = Portmap,


# Forwarding all incoming traffic to an internal server ----------------------#
#
# Notice these rules will render NAT useless. The Firewall will be
# nothing but a relay that forwards all packets to an internal PC, so that
# PC is exposed to every inbound packet the Firewall receives.

# Inbound: every packet addressed to "current" — no Service, Service-List or
# Protocol key narrows it — is forwarded to 10.1.1.1. Per the section note
# above the firewall then acts only as a relay, so 10.1.1.1 is reachable from
# outside on every port and protocol the firewall accepts; the per-service
# rules earlier in this file are redundant while this one is active. Prefer
# those narrower rules; if this one is used, harden and monitor 10.1.1.1 as
# an exposed host.
PORTMAP-ALL-IN		Rule-Status = Enabled,
			Comment = "All incoming traffic is forwarded",
			Destination = "current",
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound counterpart: everything from 10.1.1.1 is mapped back, any port.
PORTMAP-ALL-OUT		Rule-Status = Enabled,
			Source = "10.1.1.1",
			Rule-Action = Portmap,


# Forwarding real world IP addresses to internal IP addresses ----------------#
#
# Assume a business that owns 255 real-world IP addresses (a class C). The
# Firewall is likely to accept traffic destined for many of these addresses
# and, instead of mixing external and internal IP addresses on your network,
# simply map the external IP to an internal IP address. For outgoing packets
# the process is reversed.
#
# For example: All incoming traffic to 209.15.16.17 is forwarded to 10.1.1.1
# on the internal net. In the outgoing direction, traffic is converted back
# to appear to be coming from 209.15.16.17.

# Inbound: all traffic for the external address 209.15.16.17 (a sample value
# from the section note; use an address actually routed to the firewall) is
# forwarded to 10.1.1.1. As with PORTMAP-ALL-IN there is no Service or
# Protocol key, so 10.1.1.1 is reachable on every port at that address.
PORTMAP-REAL-IP-IN	Rule-Status = Enabled,
			Comment = "Traffic to 209.15.16.17 is forwarded to 10.1.1.1",
			Destination = "209.15.16.17",
			Rule-Action = Portmap,
			Mapping-Dest-IP = "10.1.1.1",

# Outbound: traffic from 10.1.1.1 gets 209.15.16.17 as its source, per the
# Comment, via Mapping-Dest-IP. Note the last line is indented with spaces
# while the rest of this rule uses tabs; cosmetic, but worth normalising.
PORTMAP-REAL-IP-OUT	Rule-Status = Enabled,
			Comment = "Map 10.1.1.1 to source IP of 209.15.16.17",
			Source = "10.1.1.1",
			Rule-Action = Portmap,
                        Mapping-Dest-IP = "209.15.16.17",
