Policy-Based Routing Table Selection; The Ordering Parameter - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05
A Policy-based Routing rule can be triggered by the type of Service (e.g. HTTP) in combination with the Source/Destination Interface and Source/Destination Network.
When looking up Policy-based Routing rules, it is the first matching rule found that is triggered.

4.3.4. Policy-based Routing Table Selection

When a new connection is established, the decision as to which routing table is chosen is made as follows:
1. Access Rules are checked first.
2. The packet's destination address is looked up in the main routing table to find the destination interface.
3. A search is made for a Policy-based Routing rule that matches the source and destination interface. If a matching rule is found then this determines the routing table to use.
4. Once the correct routing table has been located, a final check is made to make sure that the source IP address is routed on the receiving interface. This is done by making a reverse lookup in the routing table using the source IP address. If this check fails then a Default access rule error message is generated.
5. The connection is then subject to the normal IP Rule-set. If a SAT rule is encountered, address translation will be performed. The decision of which routing table to use is made before carrying out address translation, but the actual route lookup is performed on the altered address.
6. The packet is finally forwarded and the new connection opened by NetDefendOS.

4.3.5. The Ordering parameter

Once the routing table for a new connection is chosen and that table is an alternate routing table, the Ordering parameter associated with the table is used to decide how the alternate table is combined with the main table to look up the appropriate route. The three available options are:
1. Default - The default behaviour is to first look up the connection's route in the main table. If no matching route is found, or the only match is the default route 0.0.0.0/0, a lookup for a matching route in the alternate table is done. If no match is found in the alternate table then the default route in the main table will be used.
2. First - This behaviour is to first look up the connection's route in the alternate table. If no matching route is found there then the main table is searched.
3. Only - This option ignores the existence of any other table except the alternate table. One application of this is to give the administrator a way to dedicate a single routing table to one set of interfaces.
The first two options can be regarded as combining the alternate table with the main table, with a single route being chosen when there is a match in both tables.
Important - Ensuring all-nets appears in the main table.
A common mistake with Policy-based routing is the absence of a route in the default main routing table with a destination network of all-nets (0.0.0.0/0). Without such a route, a destination that matches no other main-table route cannot be given a destination interface in step 2 above, so no Policy-based Routing Rule can match it; the absence of an all-nets route will therefore prevent Policy-based Routing Rules from functioning.
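The selection procedure in 4.3.4 and the three Ordering values in 4.3.5 are easiest to reason about as code. The following Python simulation is an added illustration, not NetDefendOS code: the class and function names (RoutingTable, PBRRule, combined_lookup, route_connection) are assumptions, Access Rules and the IP Rule-set are reduced to a pass-through, and the two routing tables, the single Policy-based Routing rule and the addresses are all constructed for the example. It walks steps 2 to 5 for a new connection, applies the Default, First or Only ordering when an alternate table is chosen, performs the reverse lookup of the source address, applies a SAT translation only to the final route lookup, and shows what happens when the main table has no all-nets route.

```python
"""Simulation of routing-table selection (4.3.4) and the Ordering
parameter (4.3.5).  Added illustration, not NetDefendOS code: names are
assumptions and every table, rule and address below is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ALL_NETS = ip_network("0.0.0.0/0")


@dataclass
class Route:
    network: IPv4Network
    interface: str


class RoutingTable:
    def __init__(self, name, routes):
        # routes: (network, interface) pairs
        self.name = name
        self.routes = [Route(ip_network(n), i) for n, i in routes]

    def lookup(self, addr):
        """Longest-prefix match for addr; None if no route matches."""
        addr = ip_address(addr)
        matches = [r for r in self.routes if addr in r.network]
        return max(matches, key=lambda r: r.network.prefixlen, default=None)


@dataclass
class PBRRule:
    src_if: str
    dst_if: str
    table: str                  # alternate table chosen when the rule matches
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    service: str = "all"        # "all" matches any service

    def matches(self, src_if, dst_if, src_ip, dst_ip, service):
        return (self.src_if == src_if and self.dst_if == dst_if
                and ip_address(src_ip) in ip_network(self.src_net)
                and ip_address(dst_ip) in ip_network(self.dst_net)
                and self.service in ("all", service))


def combined_lookup(main, alt, ordering, addr):
    """Route lookup honouring the alternate table's Ordering value."""
    if ordering == "Only":
        return alt.lookup(addr)
    if ordering == "First":
        return alt.lookup(addr) or main.lookup(addr)
    if ordering == "Default":
        main_route = main.lookup(addr)
        if main_route is None or main_route.network == ALL_NETS:
            return alt.lookup(addr) or main_route
        return main_route
    raise ValueError(f"unknown Ordering {ordering!r}")


def route_connection(tables, orderings, rules, src_if, src_ip, dst_ip,
                     service="all", sat=None):
    """Steps 2-5 of 4.3.4 for one new connection (step 1, Access Rules, is
    assumed to pass).  sat maps an original destination IP to its SAT-
    translated address.  Returns (verdict, table, interface or reason)."""
    main = tables["main"]
    # Step 2: the destination interface comes from the main table.
    main_route = main.lookup(dst_ip)
    if main_route is None:
        return ("drop", "main", "no route for destination in main table")
    dst_if = main_route.interface
    # Step 3: the first matching PBR rule selects the routing table.
    table = next((r.table for r in rules
                  if r.matches(src_if, dst_if, src_ip, dst_ip, service)), "main")

    def lookup(addr):
        if table == "main":
            return main.lookup(addr)
        return combined_lookup(main, tables[table], orderings[table], addr)

    # Step 4: reverse lookup of the source address in the chosen table.
    reverse = lookup(src_ip)
    if reverse is None or reverse.interface != src_if:
        return ("drop", table, "Default access rule: source not routed on receiving interface")
    # Step 5: the table is already fixed; only the route lookup sees the SAT address.
    route = lookup((sat or {}).get(dst_ip, dst_ip))
    if route is None:
        return ("drop", table, "no route for destination in selected table")
    return ("forward", table, route.interface)


# Constructed topology: lan behind the firewall, wan1 the default ISP,
# wan2 a second ISP that HTTP from the LAN should use.
TABLES = {
    "main": RoutingTable("main", [("192.168.1.0/24", "lan"),
                                  ("10.1.0.0/16", "wan1"),
                                  ("0.0.0.0/0", "wan1")]),
    "isp2": RoutingTable("isp2", [("192.168.1.0/24", "lan"),
                                  ("0.0.0.0/0", "wan2")]),
}
ORDERINGS = {"isp2": "Default"}
RULES = [PBRRule("lan", "wan1", "isp2", src_net="192.168.1.0/24", service="http")]
# The mistake from the note above: a main table with no all-nets route.
TABLES_NO_DEFAULT = {"main": RoutingTable("main", [("192.168.1.0/24", "lan")]),
                     "isp2": TABLES["isp2"]}
```

With these tables, HTTP from 192.168.1.10 on lan to 203.0.113.5 selects isp2 and, under Default ordering, leaves via wan2 because the main table only offers its all-nets route; the same connection to 10.1.2.3 still selects isp2 but leaves via wan1, since the main table has a more specific route that Default ordering prefers, whereas First or Only ordering would send it via wan2. A packet arriving on wan1 with source 192.168.1.10 fails the step 4 reverse lookup and is dropped with the Default access rule reason. A SAT mapping 203.0.113.5 to 10.1.2.3 does not change the table chosen (isp2) but does change the final route (wan1), as step 5 describes. Against TABLES_NO_DEFAULT, the main-table lookup for 203.0.113.5 finds nothing, so the Policy-based Routing rule is never reached.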
Chapter 4. Routing, page 77