3.5. The IP Rule Set
3.5.1. Security Policies
Policy Characteristics
NetDefendOS security policies, designed by the administrator, regulate the way in which traffic can
flow through a D-Link Firewall. Policies in NetDefendOS are defined by different NetDefendOS
rule sets. These rule sets share a common means of specifying filtering criteria which determine the
type of traffic to which they will apply. The criteria are:
Source Interface
Source Network
Destination Interface
Destination Network
Service
The NetDefendOS rule sets, all of which use the same five filtering parameters, include:
• IP rules.
• Pipe rules (see Section 10.1, "Traffic Shaping").
• Policy-based Routing rules (see Section 4.3, "Policy-based Routing").
• IDP rules (see Section 6.5, "Intrusion Detection and Prevention").
• Authentication rules (source network/interface only; see Chapter 8, "User Authentication").
Specifying Any Interface or Network
When specifying the filtering criteria in any of the rule sets listed above, three pre-defined
options are useful:
• For a Source or Destination Network, the all-nets option is equivalent to the IP address 0.0.0.0/0,
meaning that any IP address is acceptable.
• For a Source or Destination Interface, the any option can be used so that NetDefendOS does not
care which interface the traffic arrives on or leaves through.
• The Destination Interface can be specified as core. This means that the traffic, such as an ICMP
Ping, is destined for the D-Link Firewall itself and it is NetDefendOS that will respond to it.
Source Interface: An Interface or Interface Group on which the packet is received at the D-Link
Firewall. This can also be a VPN tunnel.
Source Network: The network that contains the source IP address of the packet. This might be a
NetDefendOS IP object which could define a single IP address or a range of addresses.
Destination Interface: An Interface or Interface Group through which the packet would leave the
D-Link Firewall. This can also be a VPN tunnel.
Destination Network: The network to which the destination IP address of the packet belongs. This
might be a NetDefendOS IP object which could define a single IP address or a range of addresses.
Service: The protocol type to which the packet belongs. Service objects define a protocol/port type.
Examples might be HTTP or ICMP. Custom services can also be defined (see Section 3.2, "Services",
for more information).
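The following is an added illustration, not NetDefendOS code or configuration, of how the five filtering criteria above and the special values all-nets, any and core combine when a rule set is evaluated. The rule names, the sample packets, the top-down first-match evaluation order and the implicit drop of unmatched traffic are all assumptions made for the example; the real product's syntax and defaults are documented elsewhere in this manual. The `is_wide_open` check at the end is the practitioner's caveat: a rule that allows traffic from source interface any and source network all-nets to core accepts that traffic from every interface, including the untrusted side.

```python
"""Toy matcher for NetDefendOS-style five-criteria filtering rules.

Added example, not NetDefendOS code. Models Source Interface, Source
Network, Destination Interface, Destination Network and Service, with
the special values all-nets (0.0.0.0/0), any (interface wildcard) and
core (traffic addressed to the firewall itself). Rule names, packets,
first-match ordering and the default drop are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ALL_NETS = ip_network("0.0.0.0/0")   # the all-nets object: any IPv4 address
ANY = "any"                          # interface wildcard (either direction)
CORE = "core"                        # destination interface: the firewall itself


@dataclass(frozen=True)
class Service:
    protocol: str                    # "tcp", "udp" or "icmp"
    port: Optional[int] = None       # destination port; None for ICMP


@dataclass(frozen=True)
class Packet:
    in_iface: str                    # interface the packet arrived on
    src_ip: str
    out_iface: str                   # interface it would leave on, or "core"
    dst_ip: str
    service: Service


@dataclass(frozen=True)
class Rule:
    name: str                        # assumed label, not a product identifier
    action: str                      # "Allow" or "Drop"
    src_iface: str
    src_net: str                     # CIDR text, or the keyword "all-nets"
    dst_iface: str
    dst_net: str
    service: Service


def _net(text: str):
    """Resolve a network criterion; 'all-nets' is 0.0.0.0/0."""
    return ALL_NETS if text == "all-nets" else ip_network(text, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Interface criteria: 'any' accepts every interface, otherwise exact name.
    if rule.src_iface != ANY and rule.src_iface != pkt.in_iface:
        return False
    if rule.dst_iface != ANY and rule.dst_iface != pkt.out_iface:
        return False
    # Network criteria: address membership in the IP object.
    if ip_address(pkt.src_ip) not in _net(rule.src_net):
        return False
    if ip_address(pkt.dst_ip) not in _net(rule.dst_net):
        return False
    # Service criterion: protocol must match, and the port when one is defined.
    if rule.service.protocol != pkt.service.protocol:
        return False
    if rule.service.port is not None and rule.service.port != pkt.service.port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[str], str]:
    """First matching rule decides (assumed top-down order); else drop."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return None, "Drop"              # assumed implicit default for unmatched traffic


def is_wide_open(rule: Rule) -> bool:
    """Flag Allow rules reachable from every interface and every source address."""
    return rule.action == "Allow" and rule.src_iface == ANY and rule.src_net == "all-nets"


# Constructed sample rule set: LAN hosts may browse HTTP via the WAN and ping
# the firewall's own LAN address; everything else falls through to the drop.
SAMPLE_RULES = [
    Rule("lan_to_wan_http", "Allow", "lan", "192.168.1.0/24", "wan", "all-nets", Service("tcp", 80)),
    Rule("lan_ping_fw", "Allow", "lan", "192.168.1.0/24", CORE, "192.168.1.1/32", Service("icmp")),
]

if __name__ == "__main__":
    for pkt in (
        Packet("lan", "192.168.1.10", "wan", "203.0.113.5", Service("tcp", 80)),
        Packet("lan", "192.168.1.10", "wan", "203.0.113.5", Service("tcp", 443)),
        Packet("lan", "192.168.1.10", CORE, "192.168.1.1", Service("icmp")),
        Packet("wan", "198.51.100.7", CORE, "192.168.1.1", Service("icmp")),
    ):
        print(pkt.in_iface, pkt.src_ip, "->", pkt.out_iface, pkt.dst_ip, evaluate(SAMPLE_RULES, pkt))
```

Note that the ICMP packet arriving on the WAN interface is dropped only because the rule pins the source interface to lan; had it been written with any and all-nets, `is_wide_open` would flag it, since the same rule would then admit pings to the firewall from the Internet.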
Chapter 3. Fundamentals