D-Link NetDefendOS User Manual page 237

Network security firewall
A Simple Multiple Rule Set Example
Below are two simple IP Rule set tables which illustrate how multiple rule sets might be used. The
main rule set contains a first Goto rule which will jump to the named administrator defined table
called ExtraRules.
The administrator defined rule set ExtraRules contains a NAT and a SAT rule. If neither is triggered
then the final Return rule will cause the scanning process to go back to the entry in main which
follows the Goto rule. In this case it will be the second entry in main.
The main IP rule set

#  Rule Type        Src Iface  Src Net         Dest Iface  Dest Net        Service
1  Goto ExtraRules  any        all-nets        core        172.16.40.0/24  all_services
2  Allow            any        192.168.0.0/24  core        172.16.0.0/16   all_services

The ExtraRules IP rule set

#  Rule Type  Src Iface  Src Net        Dest Iface  Dest Net       Service
1  SAT        any        all-nets       any         172.16.40.66   all_services
2  NAT        If2        176.16.0.0/16  any         all-nets       all_services
3  RETURN     If2        all-nets       any         all-nets       all_services

Increasing IP Rule Set Lookup Speed
When the rule set main contains many thousands of rules, the speed of rule set lookup can
become impaired and this can degrade the overall throughput of the firewall. Typical symptoms
of this can be:
Consistently high CPU loads in the firewall.
Unusually long loading times for Web Interface pages (which is a result of high CPU loads).
The solution is to break up a large rule set and move rules into several new rule sets. Typically,
each new rule set will contain entries related to a particular type of traffic. A small number of
Goto rules can then be added to the rule set main and each can point to the rule set that is
related to a particular type of traffic.
For example, the IP rule set main may contain thousands of rules where the Destination Network
might be any one of the networks called dmznet, lannet or wannet. It can be much more efficient
to divide these rules based on the Destination Network and place each group in new rule sets
called dmz_rules, lan_rules and wan_rules.
Three Goto rules are placed in the main rule set to point to these new rule sets:

Goto rule set  Src Iface  Src Net   Dest Iface  Dest Net  Service
dmz_rules      any        all-nets  any         dmznet    all_services
lan_rules      any        all-nets  any         lannet    all_services
wan_rules      any        all-nets  any         wannet    all_services

Chapter 3: Fundamentals
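As an added example (not code from the D-Link manual or from NetDefendOS itself), the Python simulator below implements the first-match scan with Goto and Return described in the multiple rule set example, loaded with the main and ExtraRules tables from this page, and then builds a constructed large policy to count how many rules are examined before and after splitting it into dmz_rules, lan_rules and wan_rules behind three Goto rules, as the lookup speed section recommends. Assumptions: the prefixes bound to the names dmznet, lannet and wannet are made up; reaching the end of a rule set without a match or Return is treated as a drop; and a SAT match terminates the scan, as the page's wording suggests.

```python
"""Simulator of NetDefendOS-style IP rule set lookup with Goto/Return (added example)."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src_iface src_ip dst_iface dst_ip service")
Rule = namedtuple("Rule", "action src_iface src_net dst_iface dst_net service target",
                  defaults=(None,))

# Symbolic network objects. The manual names dmznet/lannet/wannet but does not
# define them on this page; the prefixes bound here are constructed for the example.
NETWORKS = {
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
    "dmznet": ipaddress.ip_network("172.16.40.0/24"),
    "lannet": ipaddress.ip_network("192.168.0.0/24"),
    "wannet": ipaddress.ip_network("203.0.113.0/24"),
}

def resolve_net(name):
    """Named object, or a literal address/CIDR exactly as written in the rule tables."""
    return NETWORKS.get(name) or ipaddress.ip_network(name, strict=False)

def matches(rule, pkt):
    """All five filter fields must match; any / all-nets / all_services are wildcards."""
    return (rule.src_iface in ("any", pkt.src_iface)
            and rule.dst_iface in ("any", pkt.dst_iface)
            and ipaddress.ip_address(pkt.src_ip) in resolve_net(rule.src_net)
            and ipaddress.ip_address(pkt.dst_ip) in resolve_net(rule.dst_net)
            and rule.service in ("all_services", pkt.service))

def lookup(rulesets, pkt):
    """First-match scan starting in 'main'. Returns (action, trail), where trail
    lists every rule examined as (ruleset name, rule number)."""
    trail, saved = [], []          # saved: positions to resume at after a Return
    name, i = "main", 0
    while True:
        rules = rulesets[name]
        if i >= len(rules):
            return "Drop", trail   # end of rule set, no match: assumed to drop
        rule = rules[i]
        trail.append((name, i + 1))
        if not matches(rule, pkt):
            i += 1
        elif rule.action == "Goto":
            saved.append((name, i + 1))      # resume after the Goto rule
            name, i = rule.target, 0
        elif rule.action == "Return":
            name, i = saved.pop() if saved else (name, len(rules))
        else:
            # SAT treated as terminal here, matching the page's description; a real
            # NetDefendOS SAT rule is normally paired with a following Allow/NAT rule.
            return rule.action, trail

# The two rule sets from the page's "Simple Multiple Rule Set Example".
PAGE_RULESETS = {
    "main": [
        Rule("Goto", "any", "all-nets", "core", "172.16.40.0/24", "all_services", "ExtraRules"),
        Rule("Allow", "any", "192.168.0.0/24", "core", "172.16.0.0/16", "all_services"),
    ],
    "ExtraRules": [
        Rule("SAT", "any", "all-nets", "any", "172.16.40.66", "all_services"),
        Rule("NAT", "If2", "176.16.0.0/16", "any", "all-nets", "all_services"),
        Rule("Return", "If2", "all-nets", "any", "all-nets", "all_services"),
    ],
}

def build_flat_and_split(n_per_net):
    """Constructed large policy: n_per_net Allow rules per destination network,
    once as one flat 'main' and once split into dmz_rules/lan_rules/wan_rules
    reached through three Goto rules, as the page recommends."""
    nets = ["dmznet", "lannet", "wannet"]
    groups = {net: [Rule("Allow", "any", "all-nets", "any", net, f"svc{i}")
                    for i in range(n_per_net)] for net in nets}
    flat = {"main": [r for net in nets for r in groups[net]]}
    split = {"main": [Rule("Goto", "any", "all-nets", "any", net, "all_services",
                           f"{net[:3]}_rules") for net in nets]}
    for net in nets:
        split[f"{net[:3]}_rules"] = groups[net]
    return flat, split

def rules_examined(rulesets, pkt):
    """Number of rule comparisons a lookup performs for this packet."""
    return len(lookup(rulesets, pkt)[1])

if __name__ == "__main__":
    # LAN host reaching the DMZ via core: Goto, three misses in ExtraRules, Return, Allow.
    print(lookup(PAGE_RULESETS, Packet("If2", "192.168.0.7", "core", "172.16.40.10", "http")))
    flat, split = build_flat_and_split(1000)
    wan_pkt = Packet("If1", "10.0.0.5", "If3", "203.0.113.9", "svc999")
    print("flat:", rules_examined(flat, wan_pkt), "split:", rules_examined(split, wan_pkt))
```

The trail returned by lookup makes the Return behaviour visible: a packet from If2 that triggers neither SAT nor NAT is sent back to main and resumes at rule 2, exactly as the text describes. It also shows a caveat worth checking in a real policy: the RETURN rule in ExtraRules only matches Src Iface If2, so traffic from any other interface that misses the SAT rule never returns to main and, under the end-of-rule-set assumption above, is dropped. For the constructed 3000-rule policy, a packet matching the last wannet rule costs 3000 comparisons in the flat layout but 1003 in the split layout, since the two non-matching Goto rules skip the dmz and lan groups entirely.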
