Firewalls and NAT address translation

Relevant classes: any

Firewalls and NAT

In an environment where each system has its own valid IP address there is no need to use the optional port specifier in the cfrun.hosts file. It becomes necessary when we use a firewall and the machines behind it have private IP addresses. Without the port specifier you can only update a machine behind the firewall in two steps: first update the firewall machine, and then update the internal machines from the firewall.

In this kind of situation the firewall is usually configured for NAT (Network Address Translation). There are two different types of NAT.

SNAT:
Source Network Address Translation, also known as IP masquerading. With this feature machines from a private IP range can connect to the outside world, and the connections appear to come from the firewall machine.
DNAT:
Destination Network Address Translation enables us to route a packet from the outside world to a machine behind the firewall. On the firewall we can configure that port 22000 on the firewall machine is forwarded to host-name:5308. DNAT gives us the possibility to update the machines behind the firewall from a central server in one step instead of two.

Cfrun can handle DNAT situations. It allows us to specify which port we want to connect to on a machine instead of the default one (5308). Here is an example (cfrun.hosts):

node1.example.org
node2.example.org:22000 -DNis
node2.example.org:22001

This connects to:

  1. node1 with the standard port
  2. node2 with port 22000 and the extra option -DNis
  3. node2 with port 22001
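As an added example (not part of the original page or of cfengine itself), the following Python parses cfrun.hosts lines of the form `hostname[:port] [options]` and resolves each entry through a DNAT table, so you can see which internal machine a given firewall port actually reaches. The DNAT table, the internal host names and the handling of `#` comments are assumptions constructed for this example; the default port 5308 is cfservd's.

```python
"""Parse cfrun.hosts entries and resolve them through DNAT forwarding."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CFSERVD_DEFAULT_PORT = 5308  # cfservd's default listening port


@dataclass
class HostEntry:
    host: str
    port: int = CFSERVD_DEFAULT_PORT
    options: List[str] = field(default_factory=list)


def parse_cfrun_hosts(text: str) -> List[HostEntry]:
    """Parse 'hostname[:port] [options]' lines from a cfrun.hosts file.

    Blank lines and '#' comments are skipped (an assumption of this example).
    Tokens after the host are passed through as extra cfrun options (e.g. -DNis).
    """
    entries: List[HostEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        host, _, port = tokens[0].partition(":")
        if port and not port.isdigit():
            raise ValueError(f"bad port in cfrun.hosts line: {raw!r}")
        entries.append(HostEntry(host, int(port) if port else CFSERVD_DEFAULT_PORT, tokens[1:]))
    return entries


# Constructed DNAT table: (firewall host, external port) -> (internal host, port).
# Mirrors "port 22000 on the firewall machine is forwarded to host-name:5308".
DNAT_TABLE: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("node2.example.org", 22000): ("internal-a.example.org", CFSERVD_DEFAULT_PORT),
    ("node2.example.org", 22001): ("internal-b.example.org", CFSERVD_DEFAULT_PORT),
}


def resolve_target(entry: HostEntry, dnat: Dict[Tuple[str, int], Tuple[str, int]]) -> Tuple[str, int]:
    """Return the host:port that cfservd really answers on after DNAT (or the entry itself)."""
    return dnat.get((entry.host, entry.port), (entry.host, entry.port))


# The cfrun.hosts lines from the page, embedded as sample input.
CFRUN_HOSTS = "node1.example.org\nnode2.example.org:22000 -DNis\nnode2.example.org:22001\n"

if __name__ == "__main__":
    for e in parse_cfrun_hosts(CFRUN_HOSTS):
        print(f"{e.host}:{e.port} {e.options} -> {resolve_target(e, DNAT_TABLE)}")
```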