Ip Rule Evaluation - D-Link NetDefend DFL-210 User Manual

Network security firewall

IP Rules
The IP rule set is the most important of these security policy rule sets. It determines the critical
packet filtering function of NetDefendOS, regulating what is allowed or not allowed to pass through
the D-Link Firewall, and if necessary, how address translations like NAT are applied.
There are two possible approaches to how traffic traversing NetDefendOS could be dealt with:
Everything is denied unless specifically permitted
Everything is permitted unless specifically denied
To provide the best security, the first of these approaches is adopted by NetDefendOS: the Drop
action is the default policy of the IP rule set, meaning that everything is denied. In order to permit
any traffic (including NetDefendOS responding to ICMP Ping requests), IP rules must be defined by
the administrator that allow traffic to traverse the D-Link Firewall.
Although dropping packets is achieved without an explicit IP rule, for logging purposes it is
recommended that a Drop IP rule with logging enabled is placed as the last rule in the IP rule set.
3.5.2. IP Rule Evaluation
When a new TCP/IP connection is being established through the D-Link Firewall, the list of IP rules
is evaluated from top to bottom until a rule that matches the parameters of the new connection is
found. The rule's Action is then performed.
If the action allows it then the establishment of the new connection will go ahead. A new entry or
state representing the new connection will then be added to NetDefendOS's internal state table
which allows monitoring of opened and active connections passing through the D-Link Firewall. If
the action is Drop or Reject then the new connection is refused.
Stateful Inspection
After initial rule evaluation of the opening connection, subsequent packets belonging to that
connection will not need to be evaluated individually against the rule set. Instead, a highly efficient
algorithm searches the state table for each packet to determine if it belongs to an established
connection.
This approach is known as stateful inspection and is applied not only to stateful protocols such as
TCP but also by means of "pseudo-connections" to stateless protocols such as UDP and ICMP. This
approach means that evaluation against the IP rule set is only done in the initial opening phase of a
connection. The size of the IP rule set consequently has negligible effect on overall throughput.
The First Matching Principle
If several rules match the same parameters, the first matching rule in a scan from top to bottom is
the one that decides how the connection will be handled.
The exception to this is SAT rules, since these rely on a pairing with a second rule to function. After
encountering a matching SAT rule, the search therefore continues, looking for a matching
second rule (see Section 7.3, "Static Address Translation" for more information on this).
Non-matching Traffic
Incoming packets that don't match any rule in the rule set and that don't have an already opened
matching connection in the state table will automatically be subject to a Drop action. For
explicitness there should be a rule called DropAll as the final rule in the rule set with an action of
Drop, with Source/Destination Network all-nets and Source/Destination Interface all.
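The evaluation order described in this section (first match wins, SAT rules continue the scan for their paired rule, an Allow creates a state-table entry that later packets hit without touching the rule set, and an implicit Drop when nothing matches) can be modelled in a few lines. The Python below is an added illustration, not NetDefendOS code; the rule fields, the packet dictionary keys, the interface and network names and the rule set itself are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One IP rule; 'all' and 'all-nets' act as wildcards, as in the manual."""
    name: str
    action: str          # "Allow", "Drop", "Reject" or "SAT"
    src_if: str = "all"
    src_net: str = "all-nets"
    dst_if: str = "all"
    dst_net: str = "all-nets"
    service: str = "all"

    def matches(self, pkt: dict) -> bool:
        wild = {"src_if": "all", "src_net": "all-nets", "dst_if": "all",
                "dst_net": "all-nets", "service": "all"}
        return all(getattr(self, f) in (w, pkt[f]) for f, w in wild.items())

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # open connections and UDP/ICMP pseudo-connections

    def handle(self, pkt: dict) -> tuple:
        # Connection key; UDP/ICMP get the same treatment as pseudo-connections.
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.state:
            return "Allow", "state-table"   # rule set is not consulted again
        sat = None
        for rule in self.rules:             # first-matching principle
            if not rule.matches(pkt):
                continue
            if rule.action == "SAT":        # SAT relies on a paired second rule
                sat = rule.name
                continue
            if rule.action == "Allow":
                self.state.add(key)         # new state-table entry
            return rule.action, f"{sat}+{rule.name}" if sat else rule.name
        return "Drop", "default-policy"     # nothing matched: implicit Drop

# Constructed rule set: SAT+Allow pair for inbound HTTP, LAN egress, explicit DropAll.
RULES = [
    Rule("sat_http", "SAT", src_if="wan", dst_if="core", dst_net="wan_ip", service="http"),
    Rule("allow_http", "Allow", src_if="wan", dst_if="core", dst_net="wan_ip", service="http"),
    Rule("lan_to_wan", "Allow", src_if="lan", src_net="lannet", dst_if="wan"),
    Rule("DropAll", "Drop"),
]
```

Dropping the final DropAll rule changes only the reported reason (the default policy instead of a named rule), which is exactly why the manual recommends keeping it with logging enabled.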
74
Chapter 3. Fundamentals
