Ip Rule Actions - D-Link DFL-1660 User Manual

3.6.3. IP Rule Actions

This approach is known as stateful inspection and is applied not only to stateful protocols such as
TCP but also by means of "pseudo-connections" to stateless protocols such as UDP and ICMP. This
approach means that evaluation against the IP rule set is only done in the initial opening phase of a
connection. The size of the IP rule set consequently has negligible effect on overall throughput.
The First Matching Principle
If several rules match the same parameters, the first matching rule in a scan from top to bottom is
the one that decides how the connection will be handled.
The exception to this is SAT rules since these rely on a pairing with a second rule to function. After
encountering a matching SAT rule the search will therefore continue on looking for a matching
second rule. See Section 7.4, "SAT" for more information about this topic.
Non-matching Traffic
Incoming packets that do not match any rule in the rule set and that do not have an already opened
matching connection in the state table, will automatically be subject to a Drop action. As mentioned
above, to be able to log non-matching traffic, it is recommended to create an explicit rule called
DropAll as the final rule in the rule set with an action of Drop with Source/Destination Network
all-nets and Source/Destination Interface all. This allows logging to be turned on for traffic that
matches no IP rule.
3.6.3. IP Rule Actions
A rule consists of two parts: the filtering parameters and the action to take if there is a match with
those parameters. As described above, the parameters of any NetDefendOS rule, including IP rules
are:
• Source Interface
• Source Network
• Destination Interface
• Destination Network
• Service
When an IP rule is triggered by a match then one of the following Actions can occur:
Allow
FwdFast
NAT
SAT
Drop
The packet is allowed to pass. As the rule is applied to only the opening of a
connection, an entry in the "state table" is made to record that a connection is open.
The remaining packets related to this connection will pass through the NetDefendOS
"stateful engine".
Let the packet pass through the NetDefend Firewall without setting up a state for it in
the state table. This means that the stateful inspection process is bypassed and is
therefore less secure than Allow or NAT rules. Packet processing time is also slower
than Allow rules since every packet is checked against the entire rule set.
This functions like an Allow rule, but with dynamic address translation (NAT) enabled
(see Section 7.2, "NAT" in Chapter 7, Address Translation for a detailed description).
This tells NetDefendOS to perform static address translation. A SAT rule always
requires a matching Allow, NAT or FwdFast IP rule further down the rule set (see
Section 7.4, "SAT" in Chapter 7, Address Translation for a detailed description).
This tells NetDefendOS to immediately discard the packet. This is an "impolite"
141
Chapter 3. Fundamentals