Stateless Policy - D-Link NetDefendOS User Manual

Network security firewall
Service: all_services
3.
Select OK

3.6.8. Stateless Policy

A Stateless Policy is equivalent to an IP Rule with the FwdFast action. Both can be used to define a stateless connection,
but using a Stateless Policy is the recommended method.
A stateless connection means that packets pass through the NetDefend Firewall without a state
for the connection being set up in NetDefendOS's state table. Since the stateful inspection
process is bypassed, this is less secure than a stateful connection. The traffic processing is also
slower since every packet is checked against the entire rule set.
Generally, using a Stateless Policy or IP Rule with a FwdFast action is not recommended because
both will yield slower traffic throughput when compared with a normal stateful connection.
However, some scenarios with certain protocols might require a stateless connection.
Note that the Protocol property of the Service object used with a Stateless Policy does not need to
be set to anything. The Protocol property is ignored with a Stateless Policy.
Example 3.38. Creating a Stateless Policy
In this example, TCP packets will be sent between the internal network lannet and the dmznet
network. This might be required in a real world situation because of certain traffic types causing
problems.
As with a FwdFast IP rule, two Stateless Policy objects are needed, one for each direction of traffic
flow. Instead of creating a custom Service object, this example will use the predefined object
all_tcp.
Command-Line Interface

Allow stateless TCP flow from lannet to dmznet:

gw-world:/> add StatelessPolicy SourceInterface=lan
        SourceNetwork=lannet
        DestinationInterface=dmz
        DestinationNetwork=dmznet
        Service=all_tcp
        Name=stateless_lan_to_dmz
        Action=Allow

Allow stateless TCP flow from dmznet to lannet:

gw-world:/> add StatelessPolicy SourceInterface=dmz
        SourceNetwork=dmznet
        DestinationInterface=lan
        DestinationNetwork=lannet
        Service=all_tcp
        Action=Allow

Note: By default, logging is enabled for a Stateless Policy
Like other types of policy, logging is enabled by default for a Stateless Policy object.
This means that a log message will be generated for each packet that triggers the rule,
not once per connection. This is usually undesirable, so it is better to disable logging on the policy.
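As an added example (not part of the manual or of NetDefendOS itself), the script below parses "add StatelessPolicy" commands written in the CLI script format shown above, checks that every policy has a partner for the return direction, and flags any policy that has not disabled per-packet logging. The sample script is constructed, and the LogEnabled property name is an assumption.

```python
"""Audit NetDefendOS-style CLI script lines for StatelessPolicy objects."""
import re
from typing import Dict, List

# Constructed sample: the two policies of Example 3.38 plus a third one with
# no return-direction partner. "LogEnabled" is an assumed property name.
SAMPLE_SCRIPT = """
gw-world:/> add StatelessPolicy SourceInterface=lan SourceNetwork=lannet
        DestinationInterface=dmz DestinationNetwork=dmznet
        Service=all_tcp Name=stateless_lan_to_dmz Action=Allow LogEnabled=No
gw-world:/> add StatelessPolicy SourceInterface=dmz SourceNetwork=dmznet
        DestinationInterface=lan DestinationNetwork=lannet
        Service=all_tcp Name=stateless_dmz_to_lan Action=Allow
gw-world:/> add StatelessPolicy SourceInterface=wan SourceNetwork=all-nets
        DestinationInterface=lan DestinationNetwork=lannet
        Service=all_udp Name=stateless_wan_in Action=Allow
"""


def parse_stateless_policies(script: str) -> List[Dict[str, str]]:
    """Collect the Key=Value properties of each 'add StatelessPolicy' command.
    A command starts at the prompt and continues over indented lines."""
    policies, current = [], None
    for line in script.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if re.match(r"^(gw-world:/>\s*)?add StatelessPolicy\b", stripped):
            current = {}
            policies.append(current)
        elif not line[:1].isspace():
            current = None  # some other top-level command; ignore its lines
        if current is None:
            continue
        for key, value in re.findall(r"(\w+)=(\S+)", stripped):
            current[key] = value
    return policies


def is_return_of(p: Dict[str, str], q: Dict[str, str]) -> bool:
    """True when q carries the same service in the opposite direction of p."""
    return (q.get("SourceInterface") == p.get("DestinationInterface")
            and q.get("SourceNetwork") == p.get("DestinationNetwork")
            and q.get("DestinationInterface") == p.get("SourceInterface")
            and q.get("DestinationNetwork") == p.get("SourceNetwork")
            and q.get("Service") == p.get("Service"))


def audit(policies: List[Dict[str, str]]) -> List[str]:
    """Report per-packet logging left on and missing return-direction policies."""
    findings = []
    for p in policies:
        name = p.get("Name", "<unnamed>")
        if p.get("LogEnabled", "Yes").lower() != "no":  # assumed default: on
            findings.append(f"{name}: per-packet logging still enabled")
        if not any(is_return_of(p, q) for q in policies):
            findings.append(f"{name}: no policy for the return direction")
    return findings
```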
251
Chapter 3: Fundamentals