D-Link NetDefendOS User Manual page 229

later in this section.
IP Policies
The IP Policy object is an alternative to using IP Rule objects. IP Policy objects are designed to simplify the
creation of policies and to make common tasks such as address translation easier to define. IP
Policy objects are implemented in the background by IP Rule objects, and one IP Policy may
correspond to more than one IP Rule.
IP Policy objects come in a number of varieties with different usages. The following are the
available types:
i. IP Policy - This is the generic equivalent of an IP Rule and provides traffic filtering with
the option to apply a range of different actions to that traffic.
ii. SLB Policy - This is specifically for server load balancing and is described in
Section 10.4.7, "SLB Policy".
iii. Stateless Policy - This is specifically for stateless traffic and can replace an IP Rule object
with an Action of FwdFast. This is described further in Section 3.6.8, "Stateless Policy".
iv. Multicast Policy - This is specifically for multicast traffic and can replace an IP Rule
object with an Action of Multicast SAT. This is described further in Section 4.7.2.2,
"Multicast Policy".
Pipe Rules
These determine which traffic triggers traffic shaping to take place and are described in
Section 10.1, "Traffic Shaping".
Policy-based Routing Rules
These rules determine the routing table to be used by traffic and are described in Section 4.3,
"Policy-based Routing". The network filter for these rules can be IPv4 or IPv6 addresses (but
not both in a single rule).
Authentication Rules
These determine which traffic triggers authentication to take place (source net/interface
only) and are described in Chapter 8, User Authentication.
The Default main IP Rule Set
IP rule sets are the most important of these security policy rule sets. They determine the critical
packet filtering function of NetDefendOS, regulating what is and is not allowed to pass
through the NetDefend Firewall and, where necessary, how address translations such as NAT are applied.
IP rule sets can contain both IP Rule and IP Policy objects. By default, one IP rule set always exists,
and this has the name main.
There are two possible approaches to how traffic traversing the NetDefend Firewall could be
dealt with:
- Everything is denied unless specifically permitted.
- Everything is permitted unless specifically denied.
To provide the best security, the first of these approaches is adopted by NetDefendOS. This
means that when first installed and started, NetDefendOS has no IP rules or IP policies
defined in the main IP rule set, and all traffic is therefore dropped. In order to permit any traffic to
Chapter 3: Fundamentals
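The two points above, that an IP Policy is implemented by one or more IP Rules and that the main rule set evaluates entries in order with an implicit drop when nothing matches, can be illustrated with a small model. The following Python is an added example written for this page; it is not NetDefendOS code and does not reproduce the NetDefendOS CLI. The network and service names (lannet, all-nets, http-all), the sample packets, and the rule that a policy with source address translation expands into a NAT rule (one rule per listed service) are all assumptions of the model.

```python
"""Model of first-match IP rule set evaluation with an implicit default drop.
Added illustration for the NetDefendOS manual text; not vendor code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed address book and service objects (assumed values, not from the manual).
NETWORKS = {
    "lannet": ip_network("192.168.1.0/24"),
    "dmznet": ip_network("10.0.0.0/24"),
    "all-nets": ip_network("0.0.0.0/0"),
}
SERVICES = {  # name -> (protocol, destination port range)
    "http-all": ("tcp", range(80, 81)),
    "https": ("tcp", range(443, 444)),
    "ssh": ("tcp", range(22, 23)),
    "all_services": ("any", range(0, 65536)),
}


@dataclass(frozen=True)
class Packet:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: str
    dport: int


@dataclass(frozen=True)
class IPRule:
    """The low-level object the rule set is evaluated against."""
    name: str
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    service: str
    action: str  # e.g. Allow, Drop, NAT


@dataclass(frozen=True)
class IPPolicy:
    """Higher-level object that is expanded into IP Rule objects."""
    name: str
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    services: Tuple[str, ...]
    action: str  # Allow or Deny
    source_nat: bool = False

    def to_ip_rules(self) -> List[IPRule]:
        # Assumption of this model: an Allow policy with source address
        # translation becomes a NAT rule, and one rule is emitted per service.
        if self.action == "Allow":
            rule_action = "NAT" if self.source_nat else "Allow"
        else:
            rule_action = "Drop"
        return [IPRule(f"{self.name}_{svc}", self.src_if, self.src_net,
                       self.dst_if, self.dst_net, svc, rule_action)
                for svc in self.services]


def rule_matches(rule: IPRule, pkt: Packet) -> bool:
    proto, ports = SERVICES[rule.service]
    return (rule.src_if in ("any", pkt.src_if)
            and ip_address(pkt.src_ip) in NETWORKS[rule.src_net]
            and rule.dst_if in ("any", pkt.dst_if)
            and ip_address(pkt.dst_ip) in NETWORKS[rule.dst_net]
            and proto in ("any", pkt.proto)
            and pkt.dport in ports)


def evaluate(rule_set: List[IPRule], pkt: Packet) -> str:
    """First matching entry decides; no match means the implicit default drop."""
    for rule in rule_set:
        if rule_matches(rule, pkt):
            return rule.action
    return "Drop (default)"


def build_main_rule_set() -> List[IPRule]:
    """A small 'main' rule set: one IP Policy (expanded) plus one explicit IP Rule."""
    main: List[IPRule] = []
    main += IPPolicy("lan_to_wan", "lan", "lannet", "wan", "all-nets",
                     ("http-all", "https"), "Allow", source_nat=True).to_ip_rules()
    main.append(IPRule("lan_to_dmz_no_ssh", "lan", "lannet", "dmz", "dmznet", "ssh", "Drop"))
    return main


if __name__ == "__main__":
    web = Packet("lan", "192.168.1.10", "wan", "203.0.113.10", "tcp", 80)
    print("empty main rule set:", evaluate([], web))          # Drop (default)
    print("with policy:", evaluate(build_main_rule_set(), web))  # NAT
```

Running the block shows the freshly installed state (an empty main rule set drops the web request) and the state after the policy is added (the same packet matches the expanded NAT rule). Reordering the list changes the outcome, which is why an Allow entry with all_services placed early can silently shadow a later Drop.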