Ip Rule Actions - D-Link NetDefend DFL-210 User Manual

3.5.3. IP Rule Actions

3.5.3. IP Rule Actions
A rule consists of two parts: the filtering parameters and the action to take if there is a match with
those parameters. As described above, the parameters of any NetDefendOS rule, including IP rules
are:
• Source Interface
• Source Network
• Destination Interface
• Destination Network
• Service
The Service in an IP rule is also important because if an Application Layer Gateway object is to be
applied to traffic then it must be associated with a Service object (see Section 6.2, "Application
Layer Gateways").
When an IP rule is triggered by a match then one of the following Actions can occur:
Allow
FwdFast
NAT
SAT
Drop
Reject
Bi-directional Connections
A common mistake when setting up IP Rules is to define two rules, one rule for traffic in one
direction and another rule for traffic coming back in the other direction. In fact nearly all IP Rules
types allow bi-directional traffic flow once the initial connection is set up. The Source Network
and Source Interface in the rule means the source of the initial connection request. Once a
connection is permitted and established traffic can then flow in either direction over it.
The exception to this bi-directional flow is FwdFast rules. If the FwdFast action is used then the
rule will not allow traffic to flow from the destination back to the source. If bi-directional flow is
required then two FwdFast rules are needed, one for either direction. This is also the case if a
FwdFast rule is used with a SAT rule.
The packet is allowed to pass. As the rule is applied to only the opening of a
connection, an entry in the "state table" is made to record that a connection is open.
The remaining packets related to this connection will pass through the NetDefendOS's
"stateful engine".
Let the packet pass through the D-Link Firewall without setting up a state for it in the
state table. This means that the stateful inspection process is bypassed and is therefore
less secure than Allow or NAT rules. Packet processing time is also slower than Allow
rules since every packet is checked against the entire rule set.
This functions like an Allow rule, but with dynamic address translation (NAT) enabled
(see Section 7.1, "Dynamic Network Address Translation" in Chapter 7, Address
Translation for a detailed description).
This tells NetDefendOS to perform static address translation. A SAT rule always
requires a matching Allow, NAT or FwdFast rule further down the rule set (see
Section 7.3, "Static Address Translation" in Chapter 7, Address Translation for a
detailed description).
This tells NetDefendOS to immediately discard the packet. This is an "impolite"
version of Reject in that no reply is sent back to the sender. It is often preferable since
it gives a potential attacker no clues about what happened to their packets.
This acts like Drop, but will return a "TCP RST" or "ICMP Unreachable message",
informing the sending computer that the packet was disallowed. This is a "polite"
version of the Drop action.
75
Chapter 3. Fundamentals