D-Link DFL-260E User Manual page 137

Network Security Firewall NetDefendOS version 2.40.00
3.6.1. Security Policies
features as IDP.
The Service can be specified as all_services which includes all possible protocols.
Creating a Drop All Rule
Traffic that does not match any rule in the IP rule set is, by default, dropped by NetDefendOS. In
order to be able to log the dropped connections, it is recommended that an explicit IP rule with an
action of Drop for all source/destination networks/interfaces is placed as the last IP rule in the IP
rule set. This is often referred to as a Drop All rule.
The IP Addresses in IP Rules can be IPv4 or IPv6
IP rules support either IPv4 or IPv6 addresses as the source and destination network for a rule's
filtering properties.
However both the source and destination network must be either IPv4 or IPv6. It is not permissible
to combine IPv4 and IPv6 addresses in a single rule. For this reason, two Drop All rules will be
required when using IPv6, one for IPv4 and one for IPv6 as shown below:
Name       Action  Source Iface  Source Net  Dest Iface  Dest Net   Service
DropAll    Drop    any           all-nets    any         all-nets   all_services
DropAll6   Drop    any           all-nets6   any         all-nets6  all_services
For further discussion of this topic, see Section 3.2, "IPv6 Support".
Traffic Flow Needs an IP Rule and a Route
As stated above, when NetDefendOS is started for the first time, the default IP rules drop all traffic,
so at least one IP rule must be added to allow traffic to flow. In fact, two NetDefendOS components
need to be present:
- A route must exist in a NetDefendOS routing table which specifies on which interface packets
  should leave in order to reach their destination. A second route must also exist that indicates
  that the source of the traffic is found on the interface where the packets enter.
- An IP rule in a NetDefendOS IP rule set which specifies the security policy that allows the
  packets from the source interface and network bound for the destination network to leave the
  NetDefend Firewall on the interface decided by the route. If the IP rule used is an Allow rule
  then this is bi-directional by default.
The ordering of these steps is important. The route lookup occurs first to determine the exiting
interface, and then NetDefendOS looks for an IP rule that allows the traffic to leave on that interface.
If no such rule exists then the traffic is dropped.
Tip: Include the rule set name in the drop all name
There may be several IP rule sets in use. It is recommended to include the IP rule set
name in the name of the drop all rule so it can be easily identified in log messages.
For example, the drop all rule for the main rule set should be called main_drop_all or
similar.
Chapter 3. Fundamentals
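The evaluation order described above (route lookup first, then the first matching IP rule, then an implicit drop that produces no log entry) can be modelled in a few lines. The following is an added example, not code from the manual or from NetDefendOS; the routing table, interface names (lan, wan), rule names and the http/ssh service names are constructed for illustration. It shows why an explicit Drop All rule is needed to get a named rule hit to log, and why an IPv4 Drop All rule never catches IPv6 traffic, so a second one is needed.

```python
"""Model of NetDefendOS-style traffic evaluation: route lookup, then first
matching IP rule, then an implicit (unlogged) default drop.
Added example with constructed routes, rules and interface names."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_net(spec: str) -> Network:
    """Map the manual's all-nets / all-nets6 address objects to networks."""
    if spec == "all-nets":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec == "all-nets6":
        return ipaddress.ip_network("::/0")
    return ipaddress.ip_network(spec)


@dataclass
class Route:
    network: Network
    interface: str


@dataclass
class IPRule:
    name: str
    action: str        # "Allow" or "Drop"
    src_iface: str     # "any" matches every interface
    src_net: Network
    dst_iface: str
    dst_net: Network
    service: str       # "all_services" matches every service

    def __post_init__(self):
        # A single rule may not mix IPv4 and IPv6 networks.
        if self.src_net.version != self.dst_net.version:
            raise ValueError(f"rule {self.name}: source and destination must use the same IP version")

    def matches(self, src_iface, src, dst_iface, dst, service) -> bool:
        # ipaddress returns False for "addr in net" across versions, so an
        # all-nets rule never matches IPv6 traffic and vice versa.
        return (self.src_iface in ("any", src_iface)
                and self.dst_iface in ("any", dst_iface)
                and src in self.src_net and dst in self.dst_net
                and self.service in ("all_services", service))


def make_rule(name, action, src_iface, src_net, dst_iface, dst_net, service) -> IPRule:
    return IPRule(name, action, src_iface, parse_net(src_net), dst_iface, parse_net(dst_net), service)


def lookup_route(routes, addr) -> Optional[str]:
    """Longest-prefix match; None when no route covers the address."""
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best.interface if best else None


def evaluate(routes, rules, src_iface, src, dst, service) -> Tuple[str, Optional[str]]:
    """Return (action, rule_name). rule_name is None for the implicit default
    drop, which produces no log entry; an explicit Drop All rule yields a name."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. Route lookup decides the exiting interface.
    dst_iface = lookup_route(routes, dst)
    if dst_iface is None:
        return ("Drop", None)
    # 2. A route must also place the source on the interface the packet arrived on.
    if lookup_route(routes, src) != src_iface:
        return ("Drop", None)
    # 3. The first matching IP rule wins.
    for rule in rules:
        if rule.matches(src_iface, src, dst_iface, dst, service):
            return (rule.action, rule.name)
    return ("Drop", None)   # implicit default: dropped, nothing logged


# Constructed sample configuration (not from the manual).
ROUTES = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "lan"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan"),
    Route(ipaddress.ip_network("2001:db8:1::/64"), "lan"),
    Route(ipaddress.ip_network("::/0"), "wan"),
]
MAIN_RULES = [
    make_rule("lan_to_wan_http", "Allow", "lan", "192.168.1.0/24", "wan", "all-nets", "http"),
    make_rule("main_drop_all", "Drop", "any", "all-nets", "any", "all-nets", "all_services"),
    make_rule("main_drop_all6", "Drop", "any", "all-nets6", "any", "all-nets6", "all_services"),
]

if __name__ == "__main__":
    print(evaluate(ROUTES, MAIN_RULES, "lan", "192.168.1.10", "203.0.113.5", "http"))
    print(evaluate(ROUTES, MAIN_RULES, "lan", "192.168.1.10", "203.0.113.5", "ssh"))
    print(evaluate(ROUTES, MAIN_RULES, "lan", "2001:db8:1::10", "2001:db8:ffff::1", "ssh"))
    # Without the IPv6 Drop All rule the IPv6 packet hits the silent default drop.
    print(evaluate(ROUTES, MAIN_RULES[:2], "lan", "2001:db8:1::10", "2001:db8:ffff::1", "ssh"))
```

Running the script shows the allowed HTTP flow hitting lan_to_wan_http, the SSH flow hitting main_drop_all (a logged, named drop), the IPv6 flow hitting main_drop_all6, and, with the IPv6 rule removed, the same IPv6 flow falling through to the unnamed default drop that would leave no trace in the logs. A packet whose source does not sit on the arriving interface according to the routing table, or whose destination has no route at all, is dropped before any rule is consulted.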