D-Link DFL-1660 User Manual page 138

Network security firewall
3.6.1. Security Policies
Policy-based Routing Rules
These rules determine the routing table to be used by traffic and are described in Section 4.3,
"Policy-based Routing". The network filter for these rules can be IPv4 or IPv6 addresses (but
not both in a single rule).
Authentication Rules
These determine which traffic triggers authentication to take place (source net/interface only)
and are described in Chapter 8, User Authentication.
IP Rules and the Default main IP Rule Set
IP rule sets are the most important of these security policy rule sets. They determine the critical
packet filtering function of NetDefendOS, regulating what is and is not allowed to pass through
the NetDefend Firewall and, if necessary, how address translations such as NAT are applied. By
default, one NetDefendOS IP rule set always exists, and it has the name main.
There are two possible approaches to how traffic traversing the NetDefend Firewall could be dealt
with:
Everything is denied unless specifically permitted.
Everything is permitted unless specifically denied.
To provide the best security, NetDefendOS adopts the first of these approaches. This means
that when first installed and started, NetDefendOS has no IP rules defined in the main IP rule set
and all traffic is therefore dropped. In order to permit any traffic to traverse the NetDefend Firewall
(as well as to allow NetDefendOS to respond to ICMP Ping requests), some IP rules must be
defined by the administrator.
Each IP rule that is added by the administrator will define the following basic filtering criteria:
From what interface to what interface traffic flows.
From what network to what network the traffic flows.
What kind of protocol is affected (the service).
What action the rule will take when a match on the filter triggers.
Specifying Any Interface or Network
When specifying the filtering criteria in any of the policy rule sets, there are several useful
predefined configuration objects that can be used:
For a Source or Destination Network, the all-nets option is equivalent to the IP address 0.0.0.0/0,
which means that any IP address is acceptable.
For a Source or Destination Interface, the any option can be used so that NetDefendOS does not
examine the interface the traffic is going to or coming from.
The Destination Interface can be specified as core. This means that the traffic, such as an ICMP
Ping, is destined for the NetDefend Firewall itself and NetDefendOS will respond to it.
New connections that are initiated by NetDefendOS itself do not need an explicit IP rule as they
are allowed by default. For this reason, the interface core is not used as the source interface.
Such connections include those needed to connect to the external databases needed for such
138
Chapter 3. Fundamentals
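The following is an added illustration, not text or code from the D-Link manual and not NetDefendOS code. It is a small Python model of the IP rule set behaviour described above: the default-deny stance (an empty main rule set drops everything), the five filtering criteria of a rule (source/destination interface, source/destination network, service, action), the all-nets object as a shorthand for 0.0.0.0/0, the any interface wildcard, core as a destination interface for traffic to the firewall itself, and the rule that connections initiated by the firewall need no explicit IP rule. The class, function and rule names, the service names and the address values are this example's own assumptions; top-down first-match evaluation is also assumed here and is not stated on this page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Predefined objects named in the manual. The string values are only
# this model's labels, not NetDefendOS configuration syntax.
ALL_NETS = "all-nets"   # equivalent to 0.0.0.0/0 (any IPv4 address)
ANY_IFACE = "any"       # interface is not examined
CORE = "core"           # the firewall itself, used as destination interface


@dataclass
class IPRule:
    """One IP rule: the five basic filtering criteria plus an action."""
    name: str
    src_iface: str
    src_net: str
    dst_iface: str
    dst_net: str
    service: str        # e.g. "ping-inbound", "http", "all_services" (assumed names)
    action: str         # "Allow", "Drop", "NAT" ...


@dataclass
class Packet:
    """A new connection as seen by the packet filter (constructed fields)."""
    src_iface: str
    src_ip: str
    dst_iface: str
    dst_ip: str
    service: str


def net_matches(rule_net: str, ip: str) -> bool:
    """Network criterion. all-nets expands to 0.0.0.0/0; a rule's network
    filter is IPv4 or IPv6, never both, so an address of the other IP
    version never matches."""
    if rule_net == ALL_NETS:
        rule_net = "0.0.0.0/0"
    addr = ip_address(ip)
    net = ip_network(rule_net, strict=False)
    return addr.version == net.version and addr in net


def iface_matches(rule_iface: str, pkt_iface: str) -> bool:
    """Interface criterion; 'any' means the interface is not examined."""
    return rule_iface == ANY_IFACE or rule_iface == pkt_iface


def service_matches(rule_service: str, pkt_service: str) -> bool:
    return rule_service == "all_services" or rule_service == pkt_service


def evaluate(rule_set, pkt: Packet):
    """Return (action, rule_name) for a new connection.
    Default deny: with no matching rule the connection is dropped."""
    # Connections initiated by NetDefendOS itself are allowed by default
    # and need no rule, which is why core is never a *source* interface.
    if pkt.src_iface == CORE:
        return ("Allow", "<firewall-initiated>")
    for rule in rule_set:  # top-down, first match decides (assumption)
        if (iface_matches(rule.src_iface, pkt.src_iface)
                and net_matches(rule.src_net, pkt.src_ip)
                and iface_matches(rule.dst_iface, pkt.dst_iface)
                and net_matches(rule.dst_net, pkt.dst_ip)
                and service_matches(rule.service, pkt.service)):
            return (rule.action, rule.name)
    return ("Drop", "<default-deny>")


# Constructed "main" rule set for a LAN behind the firewall on interface lan.
MAIN = [
    # Let the LAN ping the firewall itself: destination interface core.
    IPRule("ping_fw", "lan", "192.168.1.0/24", CORE, "192.168.1.1/32",
           "ping-inbound", "Allow"),
    # Let the LAN reach any IPv4 host on the WAN over HTTP, with NAT.
    IPRule("lan_http_out", "lan", "192.168.1.0/24", "wan", ALL_NETS,
           "http", "NAT"),
]


def demo():
    """Run a handful of constructed connections through an empty rule set
    and through MAIN; returns the decisions so they can be checked."""
    lan_ping = Packet("lan", "192.168.1.50", CORE, "192.168.1.1", "ping-inbound")
    lan_http = Packet("lan", "192.168.1.50", "wan", "203.0.113.9", "http")
    wan_http = Packet("wan", "203.0.113.9", "lan", "192.168.1.50", "http")
    lan_ssh = Packet("lan", "192.168.1.50", "wan", "203.0.113.9", "ssh")
    lan_v6 = Packet("lan", "2001:db8::50", "wan", "2001:db8:1::9", "http")
    fw_out = Packet(CORE, "192.168.1.1", "wan", "203.0.113.9", "http")
    return {
        "fresh_install_ping": evaluate([], lan_ping),   # nothing defined yet
        "lan_ping": evaluate(MAIN, lan_ping),
        "lan_http": evaluate(MAIN, lan_http),
        "wan_http": evaluate(MAIN, wan_http),           # no rule permits it
        "lan_ssh": evaluate(MAIN, lan_ssh),             # service not matched
        "lan_v6": evaluate(MAIN, lan_v6),               # IPv4 rule, IPv6 traffic
        "fw_out": evaluate(MAIN, fw_out),               # firewall-initiated
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}")
```

The point of the model is the last return in evaluate(): with nothing defined, even a ping to the firewall is dropped, so the administrator's first job on a new unit is to add the rules that permit the traffic that is actually wanted, and each rule only opens the interface, network and service combination it names.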