
Firewall + Port Forwarding Clarification Request


grabegrabe
08-28-2008, 06:01 AM
Three questions, related to port forwarding and firewall setup.

I am trying to get UT set up to replace an existing firewall. As I read the documentation (http://wiki.untangle.com/index.php/Firewall#Blocking_or_Passing_Network_Traffic_by_Protocol_and_Port), the firewall checks connections before NAT happens.

Question 1: Is this true?

If it is, then my configuration is incorrect.

NAT: external IP 64.186.55.194 (80) forwards to internal IP 10.10.10.10 (80).
Firewall: allows external traffic bound for 10.10.10.10 (80); defaults to block all.

When I replace our existing firewall with a UT box configured this way, traffic is able to come through the firewall to our web server, and the log indicates that the rule above is the one that matched.

Question 2: if, indeed, the firewall happens before the NAT, why does this rule work at all? Why would not traffic simply be stopped altogether immediately when I connect UT?

This works for about an hour. Then all inbound traffic, including web traffic, is blocked.

Question 3: if the NAT happens before the firewall, that is, if the documentation first linked to above is misleading, why does this rule only work for about an hour? The UT box has 2GB RAM and a newer processor ... is it possible that it's just getting completely congested in that time?

grabegrabe
08-28-2008, 08:09 AM
Today it's been running for 2 1/2 hours and still working, though each of the last two days it stopped after one hour. Grrr.

UPDATE Again: Stopped filtering at 11:18. The block/pass bars are still bouncing; nothing is getting through from the outside.

Ardiem
09-08-2008, 05:32 AM
Sounds like you need to add an exception for your webserver IP to the attack blocker. I could be wrong though....

grabegrabe
09-08-2008, 05:50 AM
I should have included in the original post: only the firewall and reporting modules are installed. And I would think that if I needed to add an exception then nothing would get through from the moment I switched over to Untangle. Instead things seem to work just fine for a few hours before stopping.

I'm starting to wonder whether the problem has to do with the network card(s) I'm using (StarTech Gigabit Ethernet). But then I'd expect that we wouldn't be able to get out either, and that's not the case. Outbound traffic works just fine; it's only incoming after a few hours. After disconnecting (but not powering off) the machine overnight, traffic flow again resumes for a while.

mdh
09-08-2008, 07:38 PM
Are you running bit torrent or doing huge downloads?

grabegrabe
09-09-2008, 09:10 AM
@mdh: That's certainly possible. We are a small seminary, and the residences are on the network, so I would not be surprised if something along those lines was being downloaded. When start of year settles down a bit I'll install the protocol filter and see what I see.

mdh
09-09-2008, 10:38 AM
You could always turn on Protocol Control to log only, and block later if necessary. In the meantime, see if Attack Blocker is showing you events that correspond to the times in question.

grabegrabe
09-18-2008, 11:24 AM
So I enabled logging on Protocol Control. Nothing strange seems to be happening; certainly nothing that would overwhelm (a request every few seconds, plus DNS traffic from our internal DNS servers passing on requests). I also enabled the Attack Blocker -- again, nothing exceptional. There were a few instances of devices being limited, but those instances did not correlate with the failure of the Untangle box to pass traffic through, plus most (> 95% [estimate]) of the limits were being placed on devices sending traffic out from the network, not on devices sending traffic in to the network.

I changed the external network card, and I specified 100 M-bit full duplex (instead of letting it auto-negotiate). This morning the whole box ran just fine for about four hours, then stopped allowing traffic from the outside, though the firewall was not indicating blocks and traffic from the inside continued to pass through merrily.

Summary: as best as I am able to discern, the problem is not network hardware, excessive traffic, or Untangle configuration.

What am I missing?

sky-knight
09-18-2008, 12:21 PM
Just some information...

NAT is done by IPTables, the firewall module runs within the VM. So NAT happens before the firewall module is engaged but after the packet filter.
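Added example (not from the thread and not Untangle's code): a small model of plain netfilter hook order, in which the nat PREROUTING chain that performs DNAT runs before the filter FORWARD chain. It uses the addresses quoted in the opening post and a constructed client address, and shows why a pass rule written against the internal address 10.10.10.10:80 matches while one written against the public 64.186.55.194:80 never does.

```python
"""Toy model of netfilter traversal for a forwarded (DNAT'd) packet.

Constructed example; it models stock iptables semantics only:
nat PREROUTING (DNAT) -> routing decision -> filter FORWARD.
A FORWARD rule therefore sees the post-NAT destination address.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# nat PREROUTING: (public dst, dport) -> internal dst.  This is the
# port-forward from the opening post (64.186.55.194:80 -> 10.10.10.10:80).
DNAT_RULES = {("64.186.55.194", 80): "10.10.10.10"}

# filter FORWARD rule sets, each evaluated top-down with a DROP policy
# (the "defaults to block all" setting from the post).
RULES_INTERNAL = [("10.10.10.10", 80, "ACCEPT")]     # rule as the poster wrote it
RULES_EXTERNAL = [("64.186.55.194", 80, "ACCEPT")]   # rule on the pre-NAT address


def prerouting_dnat(pkt: Packet) -> Packet:
    """Rewrite the destination if a DNAT rule matches (nat PREROUTING)."""
    new_dst = DNAT_RULES.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=new_dst) if new_dst else pkt


def forward_verdict(pkt: Packet, rules, policy: str = "DROP"):
    """First matching FORWARD rule wins; otherwise the chain policy applies."""
    for dst, dport, verdict in rules:
        if pkt.dst == dst and pkt.dport == dport:
            return verdict, (dst, dport)
    return policy, None


def traverse(pkt: Packet, forward_rules) -> dict:
    """Run one inbound packet through nat PREROUTING, then filter FORWARD."""
    after_nat = prerouting_dnat(pkt)
    verdict, matched = forward_verdict(after_nat, forward_rules)
    return {"post_nat_dst": after_nat.dst, "verdict": verdict, "matched": matched}


if __name__ == "__main__":
    # Constructed external client hitting the public address of the web server.
    inbound = Packet(src="198.51.100.7", dst="64.186.55.194", dport=80)
    print("rule on internal address:", traverse(inbound, RULES_INTERNAL))
    print("rule on public address:  ", traverse(inbound, RULES_EXTERNAL))
```

Because the filter stage only ever sees 10.10.10.10, a pass rule keyed on the public address silently falls through to the DROP policy, which is the sort of misconfiguration worth checking in the firewall log's matched-rule column.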