DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Port redirection and firewall rules

03 Sep 2010 10:35 #7 by ghenry

Voodle wrote: Because it's WAN to LAN I think it should be port 5000, it'll go in the order of firewall then port redirect.



OK, will try.

04 Sep 2010 15:38 #8 by ik2
I am trying to figure out the same type of thing. I am trying to NAT forward port 5150 -> 3306 to allow access to mysql from outside.

When you do the NAT forward it allows all traffic through, you then define firewall rules to block unwanted access.

So that means adding to the access control list at least two rules:

1) Block all incoming access to port 5150 (or 3306?)
2) Add an allow rule from external host I want to access mysql, and place it above the deny rule.

That sounds OK in theory. But assume I have many ports I want to do this for (22, 80, 443, 3306, 3389, 465). Now I am looking at 12 rules minimum, 6 to block and 6 to allow.

I thought it would be easier to have a single rule to block all external access (the last rule on my access control list). Then I need only 6 rules to allow the incoming and 1 rule to block everything.

That sounds good (in my mind anyway), but when I try and block all incoming I end up blocking everything. It basically blocks even my outbound access. I don't know if my outbound requests are being blocked or if only the incoming data is being blocked even though I originated the request.

Has anyone been successful at a rule to block all inbound, so you don't have to define so many rules to block on NAT forwarded ports?

04 Sep 2010 15:42 #9 by rothers

04 Sep 2010 21:13 #10 by ghenry
I really don't know. Hoping someone else would know!

ik2 wrote: I am trying to figure out the same type of thing. I am trying to NAT forward port 5150 -> 3306 to allow access to mysql from outside.

When you do the NAT forward it allows all traffic through, you then define firewall rules to block unwanted access.

So that means adding to the access control list at least two rules:

1) Block all incoming access to port 5150 (or 3306?)
2) Add an allow rule from external host I want to access mysql, and place it above the deny rule.

That sounds OK in theory. But assume I have many ports I want to do this for (22, 80, 443, 3306, 3389, 465). Now I am looking at 12 rules minimum, 6 to block and 6 to allow.

I thought it would be easier to have a single rule to block all external access (the last rule on my access control list). Then I need only 6 rules to allow the incoming and 1 rule to block everything.

That sounds good (in my mind anyway), but when I try and block all incoming I end up blocking everything. It basically blocks even my outbound access. I don't know if my outbound requests are being blocked or if only the incoming data is being blocked even though I originated the request.

Has anyone been successful at a rule to block all inbound, so you don't have to define so many rules to block on NAT forwarded ports?
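
Added example, not written by any poster in this thread and not DrayTek firmware logic: a generic first-match filter model of the layout ik2 describes (six allow rules, then one final deny), showing one way a blanket inbound deny can also drop the replies to outbound connections when the filter keeps no connection state. The addresses, the `Filter` class and the allow-by-default fallthrough are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# All addresses below are constructed sample values (documentation ranges).
TRUSTED = ip_network("203.0.113.10/32")      # the one external host allowed in
ANY = ip_network("0.0.0.0/0")
FORWARDED = (22, 80, 443, 3306, 3389, 465)   # ports listed in the post

# Six allow rules, then a single catch-all deny as the last rule.
RULES = [("allow", TRUSTED, p) for p in FORWARDED] + [("deny", ANY, None)]

def first_match(src, dport):
    """Action of the first rule that matches an inbound packet."""
    for action, net, port in RULES:
        if ip_address(src) in net and port in (None, dport):
            return action
    return "allow"  # assumed fallthrough; never reached with the catch-all

class Filter:
    """Hypothetical inbound filter, with or without connection tracking."""
    def __init__(self, stateful):
        self.stateful = stateful
        self.flows = set()  # (remote_ip, remote_port, local_port)

    def outbound(self, dst, dport, sport):
        # A LAN host opens a connection; only a stateful filter uses this later.
        self.flows.add((dst, dport, sport))

    def inbound(self, src, sport, dport):
        if self.stateful and (src, sport, dport) in self.flows:
            return "allow"  # reply to a connection opened from inside
        return first_match(src, dport)

def demo():
    results = {}
    for name, stateful in (("stateless", False), ("stateful", True)):
        fw = Filter(stateful)
        fw.outbound("192.0.2.50", 443, 40000)  # LAN host browses a web server
        results[name] = {
            "trusted->3306": fw.inbound("203.0.113.10", 51000, 3306),
            "stranger->3306": fw.inbound("198.51.100.7", 51000, 3306),
            "reply to LAN": fw.inbound("192.0.2.50", 443, 40000),
        }
    return results

if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res)
```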
