D-Link DFL-1660 User Manual page 190
Network security firewall
Hide thumbs
Also See for DFL-1660:
- User manual (483 pages) ,
- Installation manual (45 pages) ,
- Reference manual (948 pages)
Table of Contents
Advertisement
4.3. Policy-based Routing
exists which can catch anything not explicitly matched.
2.
A search is now made for a routing rule that matches the packet's source/destination
interface/network as well as service. If a matching rule is found then this determines the routing
table to use. If no routing rule is found then the main table will be used.
3.
Once the correct routing table has been located, a check is made to make sure that the source IP
address in fact belongs on the receiving interface. The Access Rules are firstly examined to see
if they can provide this check (see Section 6.1, "Access Rules" for more details of this feature).
If there are no Access Rules or a match with the rules cannot be found, a reverse lookup in the
previously selected routing table is done using the source IP address. If the check fails then a
Default access rule log error message is generated.
4.
At this point, using the routing table selected, the actual route lookup is done to find the
packet's destination interface. At this point the ordering parameter is used to determine how the
actual lookup is done and the options for this are described in the next section. To implement
virtual systems, the Only ordering option should be used.
5.
The connection is then subject to the normal IP rule set. If a SAT rule is encountered, address
translation will be performed. The decision of which routing table to use is made before
carrying out address translation but the actual route lookup is performed on the altered address.
Note that the original route lookup to find the destination interface used for all rule look-ups
was done with the original, untranslated address.
6.
If allowed by the IP rule set, the new connection is opened in the NetDefendOS state table and
the packet forwarded through this connection.
The Ordering parameter
Once the routing table for a new connection is chosen and that table is an alternate routing table, the
Ordering parameter associated with the table is used to decide how the alternate table is combined
with the main table to lookup the appropriate route. The three available options are:
1.
Default
The default behavior is to first look up the route in the main table. If no matching route is
found, or the default route is found (the route with the destination all-nets), a lookup for a
matching route in the alternate table is done. If no match is found in the alternate table then the
default route in the main table will be used.
2.
First
This behavior is to first look up the connection's route in the alternate table. If no matching
route is found there then the main table is used for the lookup. The default all-nets route will
be counted as a match in the alternate table if it exists there.
3.
Only
This option ignores the existence of any other table except the alternate table so that is the only
one used for the lookup.
One application of this option is to give the administrator a way to dedicate a single routing
table to one set of interfaces. The Only option should be used when creating virtual systems
since it can dedicate a routing table to a set of interfaces.
The first two options can be regarded as combining the alternate table with the main table and
assigning one route if there is a match in both tables.
190
Chapter 4. Routing
- Quick Links:
- The Cli
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
