Adding A Goto Rule - D-Link NetDefendOS User Manual

Network security firewall

When a new connection is opened with dmz_net as the destination, NetDefendOS first performs
a lookup in the main table. The appropriate Goto rule triggers and the rule search continues in
the rule set called dmz_ip_rules. The diagram below illustrates the example.
This example uses the destination network as the method of dividing up the rules but another
factor, such as an interface or service, could have been used instead.
This approach creates a multi-level tree structure, a technique used in many situations
for efficient searching of large amounts of data. The optimum size of any rule set can only be
determined on a case-by-case basis. However, a rule of thumb that can be applied is not to allow
any rule set to exceed a thousand entries. Above that number, using Goto rules should be
considered to help speed up rule set processing.
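The lookup described above, modelled as an added Python example (this is not NetDefendOS code and not part of the manual). It implements first-match search over named rule sets, where a Goto rule restarts the search in its target rule set, and records which rule sets were visited so the tree-shaped search is visible. The address ranges for lan_net and dmz_net, the interface names lan, dmz and wan, the rules in dmz_rules, and the default-deny behaviour when nothing matches are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address book entries standing in for NetDefendOS address objects.
# The concrete ranges are assumptions for this example.
ADDRESS_BOOK = {
    "all-nets": ip_network("0.0.0.0/0"),
    "lan_net": ip_network("192.168.1.0/24"),
    "dmz_net": ip_network("10.0.0.0/24"),
}


@dataclass
class Rule:
    name: str
    action: str                      # "Allow", "Drop" or "Goto"
    src_if: str = "any"
    src_net: str = "all-nets"
    dst_if: str = "any"
    dst_net: str = "all-nets"
    service: str = "all_services"
    rule_set: Optional[str] = None   # target rule set, only used by Goto rules

    def matches(self, conn: dict) -> bool:
        """True if every field of the rule matches the new connection."""
        def iface_ok(want, have):
            return want == "any" or want == have

        def net_ok(want, have):
            return ip_address(have) in ADDRESS_BOOK[want]

        def svc_ok(want, have):
            return want == "all_services" or want == have

        return (iface_ok(self.src_if, conn["src_if"])
                and net_ok(self.src_net, conn["src_ip"])
                and iface_ok(self.dst_if, conn["dst_if"])
                and net_ok(self.dst_net, conn["dst_ip"])
                and svc_ok(self.service, conn["service"]))


# Two rule sets: main ends with the Goto rule from the manual's example;
# the contents of dmz_rules are assumed for illustration.
RULE_SETS = {
    "main": [
        Rule("allow_lan_http", "Allow", src_if="lan", src_net="lan_net",
             dst_if="dmz", dst_net="dmz_net", service="http"),
        Rule("goto_dmz", "Goto", dst_net="dmz_net", rule_set="dmz_rules"),
    ],
    "dmz_rules": [
        Rule("dmz_smtp", "Allow", dst_if="dmz", dst_net="dmz_net", service="smtp"),
        Rule("dmz_drop_all", "Drop", dst_net="dmz_net"),
    ],
}


def connection(src_if, src_ip, dst_if, dst_ip, service) -> dict:
    """Build the 5-tuple-like description of a new connection."""
    return {"src_if": src_if, "src_ip": src_ip, "dst_if": dst_if,
            "dst_ip": dst_ip, "service": service}


def lookup(conn: dict, rule_set: str = "main", max_depth: int = 8):
    """First-match search starting in `rule_set`.

    A matching Goto rule moves the search into its target rule set; earlier
    rules in the same set still win, since the search is strictly in order.
    Returns (action, matched rule name or None, list of rule sets visited).
    """
    path = [rule_set]
    for _ in range(max_depth):
        for rule in RULE_SETS[rule_set]:
            if not rule.matches(conn):
                continue
            if rule.action == "Goto":
                rule_set = rule.rule_set
                path.append(rule_set)
                break                       # restart search in the target set
            return rule.action, rule.name, path
        else:
            # ASSUMPTION for this model: no match anywhere means the
            # connection is dropped (default deny).
            return "Drop", None, path
    raise RuntimeError("Goto chain too deep; possible rule set loop")


if __name__ == "__main__":
    print(lookup(connection("wan", "203.0.113.7", "dmz", "10.0.0.5", "smtp")))
```

Two points worth checking with this model: a connection to dmz_net from lan that matches allow_lan_http never reaches dmz_rules, because the Goto rule sits at the end of main, and a connection not destined for dmz_net never causes dmz_rules to be scanned at all, which is where the processing saving comes from.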
Example 3.32. Adding a Goto Rule
In this example, a Goto rule is added to the end of the IP rule set main so that all traffic going to
the network dmz_net uses the rule set dmz_rules. It is assumed that the IP rule set dmz_rules has
already been created.
Command-Line Interface

gw-world:/> add GotoRule SourceInterface=any
        SourceNetwork=all-nets
        DestinationInterface=any
        DestinationNetwork=dmz_net
        Service=all_services
        RuleSet=dmz_rules
        Name=goto_dmz

Web Interface
Chapter 3: Fundamentals
