Ip Rule Evaluation - D-Link NetDefend DFL-210 User Manual
Network security firewall
Hide thumbs
Also See for NetDefend DFL-210:
- User manual (495 pages) ,
- Log reference manual (476 pages) ,
- Cli reference manual (213 pages)
Table of Contents
Advertisement
3.5.2. IP Rule Evaluation
This description of traffic flow is an extremely simplified version of the full flow description found
in Section 1.3, "NetDefendOS State Engine Packet Flow".
For example, before the route lookup is done, NetDefendOS actually first checks that the source
network for the traffic should, in fact, be arriving on the interface where it was received. This is
done by NetDefendOS performing a reverse route lookup which means that the routing tables are
searched for a route that indicates the network is found on that interface.
This second route should logically exist if a connection is bi-directional and it must have a pair of
routes associated with it, one for each direction.
3.5.2. IP Rule Evaluation
When a new connection, such as a TCP/IP connection, is being established through the D-Link
Firewall, the list of IP rules are evaluated from top to bottom until a rule that matches the parameters
of the new connection is found. The rule's Action is then performed.
If the action allows it then the establishment of the new connection will go ahead. A new entry or
state representing the new connection will then be added to the NetDefendOS internal state table
which allows monitoring of opened and active connections passing through the D-Link Firewall. If
the action is Drop or Reject then the new connection is refused.
Stateful Inspection
After initial rule evaluation of the opening connection, subsequent packets belonging to that
connection will not need to be evaluated individually against the rule set. Instead, a highly efficient
algorithm searches the state table for each packet to determine if it belongs to an established
connection.
This approach is known as stateful inspection and is applied not only to stateful protocols such as
TCP but also by means of "pseudo-connections" to stateless protocols such as UDP and ICMP. This
approach means that evaluation against the IP rule set is only done in the initial opening phase of a
connection. The size of the IP rule set consequently has negligible effect on overall throughput.
The First Matching Principle
If several rules match the same parameters, the first matching rule in a scan from top to bottom is
the one that decides how the connection will be handled.
The exception to this is SAT rules since these rely on a pairing with a second rule to function. After
encountering a matching SAT rule the search will therefore continue on looking for a matching
103
Chapter 3. Fundamentals
- Quick Links:
- The Cli
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
