Ip Rule Components - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

3.5.3. IP Rule components

A rule consists of two logical parts: the connection parameters that a packet is compared against, and the action to take when all of those parameters match.

Rule parameters refer to pre-defined, reusable network objects such as Addresses and Services. The same objects can be referenced by any number of rules to specify the criteria for a match, so changing an object changes every rule that uses it.
IP Rule Parameters

The following parameters are set for a single rule. All parameters in a rule must match for that rule to be triggered; a packet that matches four of the five is not a match.

Service
    The protocol type (and, where applicable, port) to which the packet belongs. Services are defined as logical objects before configuring the rules.

Source Interface
    An Interface or Interface Group on which the packet is received by the firewall.

Source Network
    The network object that contains the source IP address of the packet.

Destination Interface
    An Interface or Interface Group from which the packet would leave the firewall, as determined by the route lookup for its destination address.

Destination Network
    The network object to which the destination IP address of the packet belongs.

IP Rule Actions

The rule-set is scanned from the top; the first rule whose parameters all match is the one that is triggered (with the exception of SAT, described below), and any one of the following then occurs:

Allow
    The packet is allowed to pass. As the rule is applied only to the opening of a connection, an entry is made in the "state table" to record that the connection is open. The remaining packets belonging to this connection are then handled by the firewall's "stateful inspection engine" and are not checked against the rule-set again.

NAT
    Functions like an Allow rule, but with dynamic address translation (NAT) enabled, so the source address is rewritten to the address of the outgoing interface or another configured address. See Section 7.1, "Dynamic Address Translation (NAT)".

FwdFast
    Lets the packet pass through the firewall without setting up a state for it. The stateful inspection process is bypassed, which makes FwdFast rules less secure than Allow or NAT rules: the firewall cannot verify that a packet belongs to a legitimately opened connection. Packet processing is also slower than for Allow rules, because every packet of the flow, not only the first, is checked against the entire rule-set.

SAT
    Tells NetDefendOS to perform static address translation (for example, rewriting the destination address for a published server). A SAT rule decides nothing on its own: it also requires a matching Allow, NAT or FwdFast rule further down the rule-set, and if no such rule matches the traffic is dropped. See Section 7.2, "Static Address Translation (SAT)" for more information on this topic.

Drop
    Tells NetDefendOS to immediately discard the packet, silently.

Reject
    Acts like Drop, but also returns a "TCP RST" (for TCP) or an "ICMP Unreachable" message (for other protocols), informing the sending computer that the packet was disallowed. This is friendlier to legitimate clients, which fail fast instead of waiting for a timeout, but it also tells a scanner that a filtering device is present.
Note
Packets not matching a rule in the rule-set and not having an already opened match-
ing connection in the "state table" will be dropped.
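The following Python model shows how the rules described above are applied to a connection-opening packet: top-down first match across all five parameters, the state table short-circuiting the rule-set for packets of an already-open connection, a SAT rule that only takes effect when an Allow/NAT/FwdFast rule follows it, and the implicit drop when nothing matches. It is an added illustration written for this section, not NetDefendOS code; the address-book names (lannet, wan_ip, web_srv), the sample rule-set, the packet fields and the use of "core" as the destination interface for the firewall's own address are all assumptions of the model.

```python
"""Model of NetDefendOS-style IP rule-set evaluation (added illustration, not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Address-book and service objects: constructed sample data, not a real configuration.
NETWORKS = {
    "lannet": ip_network("192.168.1.0/24"),
    "dmznet": ip_network("10.0.0.0/24"),
    "all-nets": ip_network("0.0.0.0/0"),
    "wan_ip": ip_network("203.0.113.5/32"),    # assumed public address of the firewall
    "web_srv": ip_network("10.0.0.10/32"),     # assumed DMZ web server
}
SERVICES = {"http": ("tcp", 80), "all_services": ("any", None)}   # (protocol, dst port)
# Interface groups; a plain interface name is treated as a group of one.
# "core" stands for "addressed to the firewall itself" (assumption of this model).
INTERFACE_GROUPS = {"any": {"lan", "dmz", "wan", "core"}}


@dataclass
class Packet:
    src_if: str            # interface the packet arrived on
    src_ip: str
    dst_if: str            # interface the route lookup chose for the destination
    dst_ip: str
    proto: str
    dst_port: Optional[int]


@dataclass
class Rule:
    name: str
    action: str            # Allow | NAT | FwdFast | SAT | Drop | Reject
    service: str
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    sat_to: Optional[str] = None   # SAT only: object the destination is rewritten to


def _iface_ok(rule_if: str, pkt_if: str) -> bool:
    return pkt_if in INTERFACE_GROUPS.get(rule_if, {rule_if})


def _service_ok(svc: str, pkt: Packet) -> bool:
    proto, port = SERVICES[svc]
    return proto in ("any", pkt.proto) and port in (None, pkt.dst_port)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All five parameters must match for the rule to be triggered."""
    return (_service_ok(rule.service, pkt)
            and _iface_ok(rule.src_if, pkt.src_if)
            and ip_address(pkt.src_ip) in NETWORKS[rule.src_net]
            and _iface_ok(rule.dst_if, pkt.dst_if)
            and ip_address(pkt.dst_ip) in NETWORKS[rule.dst_net])


def _conn_key(pkt: Packet):
    return (pkt.proto, pkt.src_ip, pkt.dst_ip, pkt.dst_port)


def evaluate(ruleset: list, pkt: Packet, state_table: set) -> dict:
    """Top-down, first-match evaluation of one packet; returns the verdict and the rules that fired."""
    key = _conn_key(pkt)
    if key in state_table:                       # already-open connection: rule-set is not consulted
        return {"verdict": "pass", "via": "state table", "rules": []}
    sat_rule: Optional[Rule] = None
    for rule in ruleset:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "SAT":                 # remember the translation, keep scanning
            sat_rule = rule
            continue
        fired = ([sat_rule.name] if sat_rule else []) + [rule.name]
        new_dst = str(NETWORKS[sat_rule.sat_to].network_address) if sat_rule else pkt.dst_ip
        if rule.action in ("Allow", "NAT"):
            state_table.add(key)                 # stateful: later packets pass via the state table
            return {"verdict": "pass", "via": rule.action, "rules": fired,
                    "dst_ip": new_dst, "src_nat": rule.action == "NAT"}
        if rule.action == "FwdFast":             # passes, but no state entry is created
            return {"verdict": "pass", "via": "FwdFast", "rules": fired, "dst_ip": new_dst}
        if rule.action == "Drop":
            return {"verdict": "drop", "via": "Drop", "rules": fired}
        if rule.action == "Reject":
            notify = "TCP RST" if pkt.proto == "tcp" else "ICMP Unreachable"
            return {"verdict": "drop", "via": "Reject", "rules": fired, "notify": notify}
    # End of rule-set with no match (a lone SAT does not count): implicit drop.
    return {"verdict": "drop", "via": "implicit", "rules": [sat_rule.name] if sat_rule else []}


# Constructed sample rule-set: LAN out via NAT, publish TCP/80 on wan_ip to the DMZ
# web server with a SAT + Allow pair, and reject any other traffic from the LAN.
RULESET = [
    Rule("lan_to_wan", "NAT", "all_services", "lan", "lannet", "wan", "all-nets"),
    Rule("sat_http", "SAT", "http", "any", "all-nets", "core", "wan_ip", sat_to="web_srv"),
    Rule("allow_http", "Allow", "http", "any", "all-nets", "core", "wan_ip"),
    Rule("lan_reject", "Reject", "all_services", "lan", "lannet", "any", "all-nets"),
]

if __name__ == "__main__":
    state: set = set()
    print(evaluate(RULESET, Packet("lan", "192.168.1.20", "wan", "198.51.100.9", "tcp", 443), state))
    print(evaluate(RULESET, Packet("wan", "198.51.100.7", "core", "203.0.113.5", "tcp", 80), state))
    print(evaluate(RULESET, Packet("dmz", "10.0.0.10", "lan", "192.168.1.20", "tcp", 445), state))
```

Two behaviours are worth trying with the model: evaluate the inbound HTTP packet against a rule-set containing only sat_http and observe that it is dropped (the SAT rule matched but nothing further down allowed the connection), and evaluate the same packet twice with a FwdFast rule and observe that the second evaluation still walks the rule-set because FwdFast created no state entry.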
Chapter 3. Fundamentals