Firewall; Policy; Policy Modes; Action Types - D-Link DFL-200 User Manual

Network security firewall

Firewall

Policy

The Firewall Policy configuration section is the "heart" of the firewall. The policies are the
primary filter that is configured to allow or disallow certain types of network traffic through the
firewall. The policies also regulate how bandwidth management (traffic shaping) is applied to
traffic flowing through the WAN interface of the firewall.
When a new connection is being established through the firewall, the policies are evaluated,
top to bottom, until a policy that matches the new connection is found. The Action of the rule
is then carried out. If the action is Allow, the connection will be established and a state
representing the connection is added to the firewall's internal state table. If the action is Drop,
the new connection will be refused. The section below will explain the meanings of the various
action types available.

Policy modes

The first step in configuring security policies is to configure the mode for the firewall. The
firewall can run in NAT or No NAT (Route) mode. Select NAT mode to use DFL-200 network
address translation to protect private networks from public networks. In NAT mode, you can
connect a private network to the internal interface, a DMZ network to the DMZ interface, and a
public network, such as the Internet, to the external interface. Then you can create NAT mode
policies to accept or deny connections between these networks. NAT mode policies hide the
addresses of the internal and DMZ networks from users on the Internet. In No NAT (Route)
mode you can also create routed policies between interfaces. Route mode policies accept or
deny connections between networks without performing address translation. To use NAT
mode select Hide source addresses (many-to-one NAT) and to use No NAT (Route) mode
choose No NAT.

Action Types

Drop – Packets matching Drop rules will immediately be dropped. Such packets will be
logged if logging has been enabled in the Logging Settings page.
Reject – Reject works basically the same way as Drop. In addition to this, the firewall sends
an ICMP UNREACHABLE message back to the sender or, if the rejected packet was a TCP
packet, a TCP RST message. Such packets will be logged if logging has been enabled in the
Logging Settings page.
Allow – Packets matching Allow rules are passed to the stateful inspection engine, which will
remember that a connection has been opened. Therefore, rules for return traffic will not be
required as traffic belonging to open connections is automatically dealt with before it reaches
the policies. Logging is carried out if audit logging has been enabled in the Logging Settings
page.
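The evaluation order and the three action types described above can be made concrete with a small simulator. The following is an added example written for this page, not D-Link code: it evaluates a constructed ruleset top to bottom, stops at the first match, adds a state entry on Allow so that return traffic is handled before the policies are consulted, answers Reject with a TCP RST for TCP and an ICMP unreachable for anything else, and logs Drop and Reject decisions. The policy fields, the sample addresses and the "no match means drop" fallback are assumptions made for the illustration.

```python
"""Added example: toy first-match policy evaluator modelled on the behaviour this
manual page describes. Not D-Link code; names, the default-drop fallback and the
sample addresses are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass
class Policy:
    name: str
    action: str                    # "Allow", "Drop" or "Reject"
    src_net: Optional[str] = None  # blank Source Nets = match everything
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_net and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


Flow = Tuple[str, str, int, str, int]


class Firewall:
    def __init__(self, policies: List[Policy], logging: bool = True):
        self.policies = policies
        self.logging = logging        # stands in for the Logging Settings page
        self.state: Set[Flow] = set()  # open connections, forward direction
        self.log: List[str] = []

    @staticmethod
    def _flow(pkt: Packet) -> Flow:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt: Packet) -> Flow:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt: Packet) -> str:
        # Traffic belonging to an open connection is dealt with before the policies.
        if self._flow(pkt) in self.state or self._reverse(pkt) in self.state:
            return "ESTABLISHED"
        for pol in self.policies:  # evaluated top to bottom; first match wins
            if not pol.matches(pkt):
                continue
            if pol.action == "Allow":
                self.state.add(self._flow(pkt))  # remember the connection
                return f"ALLOW:{pol.name}"
            if pol.action == "Drop":
                self._log(pol.name, pkt)
                return f"DROP:{pol.name}"
            if pol.action == "Reject":
                self._log(pol.name, pkt)
                reply = "tcp-rst" if pkt.proto == "tcp" else "icmp-unreachable"
                return f"REJECT:{pol.name}:{reply}"
            raise ValueError(f"unknown action {pol.action!r}")
        # Assumption for this example: no matching policy means the packet is dropped.
        self._log("default", pkt)
        return "DROP:default"

    def _log(self, name: str, pkt: Packet) -> None:
        if self.logging:
            self.log.append(f"{name} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")


def demo() -> List[str]:
    # Constructed ruleset: LAN may browse the web, telnet and ping out are rejected.
    fw = Firewall([
        Policy("lan-web", "Allow", src_net="192.168.1.0/24", proto="tcp", dport=80),
        Policy("lan-telnet", "Reject", src_net="192.168.1.0/24", proto="tcp", dport=23),
        Policy("ping-out", "Reject", src_net="192.168.1.0/24", proto="icmp"),
    ])
    pkts = [
        Packet("192.168.1.10", "203.0.113.5", "tcp", 40000, 80),  # new outbound web connection
        Packet("203.0.113.5", "192.168.1.10", "tcp", 80, 40000),  # its return traffic
        Packet("192.168.1.10", "203.0.113.5", "tcp", 40001, 23),  # telnet: TCP RST
        Packet("192.168.1.10", "203.0.113.5", "icmp"),            # ping: ICMP unreachable
        Packet("198.51.100.7", "192.168.1.10", "tcp", 5555, 22),  # unsolicited inbound: no match
    ]
    return [fw.handle(p) for p in pkts]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second packet never reaches the policy list: the state entry created by the first Allow covers it, which is why the manual says rules for return traffic are not required. The unsolicited inbound packet has no state entry and matches no policy, so it is dropped and logged.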

Source and Destination Filter

Source Nets – Specifies the range of sender IP addresses to be compared to the received
packet. Leave this blank to match everything.
