6.4.2. Procedure – Creating a new packet filtering Service (PFService)

To create a new packet filter service that inspects traffic at the packet level, complete the following steps.

  1. Navigate to the Services tab of the Zorp ZMC component and click New.

    Figure 6.24. Creating a new PFService

  2. Enter a name for the service into the opening dialog. Use clear, informative, and consistent service names. It is recommended to include the following information in the service name:

    • source zones, indicating which clients may use the service (for example, intranet)

    • the protocol permitted in the traffic (for example, HTTP)

    • destination zones, indicating which servers may be accessed using the service (for example, Internet)

    Tip

    Name the service that allows internal users to browse the Web intra_HTTP_internet. Use dots to indicate child zones, for example, intra.marketing_HTTP_inter.

  3. Click in the Class field and select PFService.

  4. To spoof the IP address of the client in the server-side connection (so that the target server sees the connection as originating from the client), select the Use client address as source option.

    Note

    For IPv6 traffic, the PFService will always spoof the client address, regardless of the setting of the Use client address as source option.

  5. To redirect the connection to a fixed address, select Routing > Directed, and enter the IP address and the port number of the target server into the respective fields. Links can be used as well.

  6. Optional Step: In the NAT section, select the Network Address Translation policy used to translate the address of the client (SNAT), the server (DNAT), or both. For details, see Section 6.7.5, NAT policies.

    Note

    To remove a policy from the service, select the empty line from the combobox.

    Note

    NAT policies cannot be used in packet filtering services (PFServices) for IPv6 traffic.

  7. Commit your changes.
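The settings chosen in the steps above interact in two ways that are easy to miss when reviewing a configuration: for IPv6 traffic the client address is always spoofed, and NAT policies are not usable for IPv6 in a PFService. The following is an added example, not Zorp's own code and not something ZMC generates; it is a small stand-alone model of the PFService settings described above that applies the documented naming convention and flags those IPv6 constraints. The class and function names (PFServiceSettings, service_name, effective_source_spoofing, validate) are assumptions made for this example.

```python
"""Stand-alone model of the PFService settings described in the procedure.

This is illustrative code, not the Zorp policy API: it only encodes the
naming convention and the IPv4/IPv6 constraints stated in the procedure.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def service_name(src_zone: str, protocol: str, dst_zone: str) -> str:
    """Build a service name following the documented convention:
    <source zone>_<PROTOCOL>_<destination zone>, with dots for child zones
    (for example "intra.marketing_HTTP_inter")."""
    for part in (src_zone, protocol, dst_zone):
        # underscores separate the three components, so they are not allowed inside one
        if not part or "_" in part or " " in part:
            raise ValueError(f"invalid service name component: {part!r}")
    return f"{src_zone}_{protocol}_{dst_zone}"


@dataclass
class PFServiceSettings:
    """The fields set in steps 2 to 6 (hypothetical structure for this example)."""
    name: str
    use_client_address: bool = False      # "Use client address as source"
    directed_addr: Optional[str] = None   # Routing > Directed: target address
    directed_port: Optional[int] = None   # Routing > Directed: target port
    snat_policy: Optional[str] = None     # NAT policy applied to the client address
    dnat_policy: Optional[str] = None     # NAT policy applied to the server address


def effective_source_spoofing(settings: PFServiceSettings, ip_family: int) -> bool:
    """Whether the server-side connection carries the client's address.
    For IPv6 the PFService always spoofs, regardless of the checkbox."""
    if ip_family == 6:
        return True
    return settings.use_client_address


def validate(settings: PFServiceSettings, ip_family: int) -> List[str]:
    """Return a list of problems for the given settings and address family
    (4 or 6); an empty list means the combination is consistent."""
    problems: List[str] = []
    if ip_family not in (4, 6):
        problems.append(f"unsupported address family: {ip_family}")
        return problems

    # Directed routing needs both a target address and a target port.
    if (settings.directed_addr is None) != (settings.directed_port is None):
        problems.append("Directed routing requires both a target address and a port")
    if settings.directed_addr is not None:
        try:
            target = ipaddress.ip_address(settings.directed_addr)
        except ValueError:
            problems.append(f"invalid target address: {settings.directed_addr!r}")
        else:
            if target.version != ip_family:
                problems.append(
                    f"target address is IPv{target.version} but the service handles IPv{ip_family}"
                )
    if settings.directed_port is not None and not 1 <= settings.directed_port <= 65535:
        problems.append(f"invalid target port: {settings.directed_port}")

    # NAT policies cannot be used in PFServices for IPv6 traffic.
    if ip_family == 6 and (settings.snat_policy or settings.dnat_policy):
        problems.append("NAT policies cannot be used in PFServices for IPv6 traffic")
    return problems


if __name__ == "__main__":
    # Constructed sample settings, following the naming tip from step 2.
    svc = PFServiceSettings(
        name=service_name("intra", "HTTP", "internet"),
        use_client_address=False,
        directed_addr="192.0.2.10",   # constructed documentation address
        directed_port=80,
        snat_policy="office_snat",    # constructed policy name
    )
    for family in (4, 6):
        print(svc.name, f"IPv{family}", "spoof:", effective_source_spoofing(svc, family),
              "problems:", validate(svc, family))
```

Running the module prints one line per address family: the IPv4 case is consistent with spoofing off, while the IPv6 case reports spoofing on and rejects the SNAT policy, which is exactly what the two notes in steps 4 and 6 describe.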