One-to-one NAT and firewall do not seem to work together

thebertster
Posts: 1
Joined: Wed Jun 27, 2012 2:01 am

Post by thebertster »

Running 1.06g.

Similar to the problem discussed in viewtopic.php?f=9&t=376 but extended to one-to-one NAT mappings.

If a One-to-one NAT mapping is set up for a public IP address (which is routed by the ISP to the WAN IP address) to map to internal host, the default firewall policy allows all traffic to the public address, completely exposing the NATted host to the Internet.

If a firewall rule is added to block all incoming traffic to that host, stateful replies to OUTBOUND connections initiated from the internal host are also blocked. This is not the correct behaviour for a stateful firewall. Stateful replies to existing sessions which were allowed by an outbound rule should not be blocked by a deny INBOUND rule.

For example, set up a One-to-one NAT mapping from public IP a.b.c.d to internal IP 10.1.1.1. Leave the firewall policy with its single default "Allow Outbound" rule. From the Internet, all connections to a.b.c.d are allowed and NATted through to 10.1.1.1, leaving that host completely exposed.

Add a firewall rule to deny INBOUND traffic to 10.1.1.1 and connections to a.b.c.d from the Internet are now dropped.

However, 10.1.1.1 is not able to initiate any OUTBOUND connections as the stateful replies are dropped by the INBOUND deny rule.

This is absolutely not the correct behaviour for a stateful firewall and I've never encountered any firewall from any vendor that behaves in this way. This therefore appears to be a fairly fundamental bug in the implementation.

Unless I have missed something obvious, the product is not fit for purpose.
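Added illustration, not part of the post or of the product under discussion: a small Python model of a firewall sitting in front of a one-to-one NAT mapping, run once as a stateless rule matcher (the behaviour the post reports) and once with connection tracking (the behaviour expected of a stateful firewall). The addresses are constructed: 203.0.113.10 stands in for the post's a.b.c.d and 198.51.100.5 for an arbitrary Internet host; the rule and packet layout is a simplification and assumes NAT is applied before the rules are evaluated, as the post describes.

```python
"""Model: one-to-one NAT plus firewall rules, stateless vs. stateful evaluation."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed addressing (documentation ranges); the post uses a.b.c.d -> 10.1.1.1.
PUBLIC_IP = "203.0.113.10"    # the public address routed by the ISP to the WAN
INTERNAL_IP = "10.1.1.1"      # the NATted internal host
REMOTE_IP = "198.51.100.5"    # some host on the Internet
ONE_TO_ONE_NAT = {PUBLIC_IP: INTERNAL_IP}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    direction: str
    action: str                # "allow" or "deny"
    dst: Optional[str] = None  # None matches any destination

    def matches(self, direction: str, dst: str) -> bool:
        return self.direction == direction and (self.dst is None or self.dst == dst)


FlowKey = Tuple[str, int, str, int]


def flow_key(src: str, sport: int, dst: str, dport: int) -> FlowKey:
    # Both directions of one connection map to the same key (endpoints sorted),
    # so a reply can be matched against the session that the request created.
    a, b = (src, sport), (dst, dport)
    return a + b if a <= b else b + a


class Firewall:
    def __init__(self, rules: List[Rule], stateful: bool):
        self.rules = rules
        self.stateful = stateful
        self.conntrack: Set[FlowKey] = set()

    def handle(self, pkt: Packet) -> str:
        # 1:1 NAT: inbound packets for the public address are rewritten to the
        # internal host before the rules are consulted (assumption from the post).
        dst = ONE_TO_ONE_NAT.get(pkt.dst, pkt.dst) if pkt.direction == "in" else pkt.dst
        key = flow_key(pkt.src, pkt.sport, dst, pkt.dport)
        # A stateful firewall lets packets of an already-permitted session through
        # without re-running the rules; a stateless matcher skips this step.
        if self.stateful and key in self.conntrack:
            return "allow:established"
        for rule in self.rules:
            if rule.matches(pkt.direction, dst):
                if rule.action == "allow":
                    self.conntrack.add(key)   # remember the session we just permitted
                return f"{rule.action}:rule"
        # Default policy as the post describes it: unmatched traffic is allowed.
        self.conntrack.add(key)
        return "allow:default"


def run_scenario(stateful: bool, deny_inbound: bool) -> List[str]:
    """Replay the post's three steps and return one decision per packet."""
    rules = [Rule("out", "allow")]                 # the single default "Allow Outbound" rule
    if deny_inbound:
        rules.insert(0, Rule("in", "deny", INTERNAL_IP))  # the added "deny inbound to host" rule
    fw = Firewall(rules, stateful)
    packets = [
        Packet("in", REMOTE_IP, 40000, PUBLIC_IP, 22),      # unsolicited connection from the Internet
        Packet("out", INTERNAL_IP, 50000, REMOTE_IP, 443),  # internal host opens an outbound session
        Packet("in", REMOTE_IP, 443, PUBLIC_IP, 50000),     # the remote server's reply to that session
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    print("no deny rule, stateful :", run_scenario(stateful=True, deny_inbound=False))
    print("deny rule, stateless   :", run_scenario(stateful=False, deny_inbound=True))
    print("deny rule, stateful    :", run_scenario(stateful=True, deny_inbound=True))
```

Without the deny rule the unsolicited inbound packet reaches 10.1.1.1 under the default policy, which is the exposure described in the post. With the deny rule, the stateless run drops the server's reply on the inbound rule, while the stateful run lets the reply through as part of the session the outbound rule permitted; only the unsolicited inbound packet is dropped.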