D-Link DFL-260E User Manual for DFL-260E - Page 137
3.6.1. Security Policies                                    Chapter 3. Fundamentals

features as IDP.

• The Service can be specified as all_services, which includes all possible protocols.

Creating a Drop All Rule

Traffic that does not match any rule in the IP rule set is, by default, dropped by NetDefendOS. In order to be able to log the dropped connections, it is recommended that an explicit IP rule with an action of Drop for all source/destination networks/interfaces is placed as the last IP rule in the IP rule set. This is often referred to as a Drop All rule.

Tip: Include the rule set name in the drop all name

There may be several IP rule sets in use. It is recommended to include the IP rule set name in the name of the drop all rule so it can be easily identified in log messages. For example, the drop all rule for the main rule set should be called main_drop_all or similar.

The IP Addresses in IP Rules can be IPv4 or IPv6

IP rules support either IPv4 or IPv6 addresses as the source and destination network for a rule's filtering properties. However, both the source and destination network must be either IPv4 or IPv6. It is not permissible to combine IPv4 and IPv6 addresses in a single rule. For this reason, two Drop All rules will be required when using IPv6, one for IPv4 and one for IPv6, as shown below:

Name      Action  Source Iface  Source Net  Dest Iface  Dest Net   Service
DropAll   Drop    any           all-nets    any         all-nets   all_services
DropAll6  Drop    any           all-nets6   any         all-nets6  all_services

For further discussion of this topic, see Section 3.2, "IPv6 Support".

Traffic Flow Needs an IP Rule and a Route

As stated above, when NetDefendOS is started for the first time, the default IP rules drop all traffic, so at least one IP rule must be added to allow traffic to flow. In fact, two NetDefendOS components need to be present:

• A route must exist in a NetDefendOS routing table which specifies on which interface packets should leave in order to reach their destination. A second route must also exist that indicates the source of the traffic is found on the interface where the packets enter.

• An IP rule in a NetDefendOS IP rule set which specifies the security policy that allows the packets from the source interface and network bound for the destination network to leave the NetDefend Firewall on the interface decided by the route. If the IP rule used is an Allow rule then this is bi-directional by default.

The ordering of these steps is important. The route lookup occurs first to determine the exiting interface, and then NetDefendOS looks for an IP rule that allows the traffic to leave on that interface. If no such rule exists, the traffic is dropped.
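The admission sequence described in this section (route lookup first, then first-match IP rule, with an explicit IPv4/IPv6 drop-all pair at the end of the set) as an added, constructed model; this is not NetDefendOS code, and the interface names, networks and rule names are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model (not NetDefendOS code) of the admission logic described above:
# a destination route picks the exit interface, the source must be routed on the
# entering interface, then the first matching IP rule decides; no match = silent drop.

def family(n):  # "all-nets"/"all-nets6" stand in for the manual's catch-all objects
    return {"all-nets": 4, "all-nets6": 6}.get(n) or ipaddress.ip_network(n).version

def contains(n, ip):
    return n in ("all-nets", "all-nets6") or ip in ipaddress.ip_network(n)

@dataclass
class IPRule:
    name: str; action: str; src_if: str; src_net: str
    dst_if: str; dst_net: str; service: str
    def __post_init__(self):  # a single rule may not mix IPv4 and IPv6 networks
        if family(self.src_net) != family(self.dst_net):
            raise ValueError(f"{self.name}: source and destination must be the same IP family")
    def matches(self, src_if, src, dst_if, dst, service):
        return (self.src_if in ("any", src_if) and self.dst_if in ("any", dst_if)
                and family(self.src_net) == src.version and contains(self.src_net, src)
                and contains(self.dst_net, dst) and self.service in ("all_services", service))

def route_lookup(routes, ip):
    """Longest-prefix match over (network, interface) pairs; None when unrouted."""
    hits = [(ipaddress.ip_network(n), i) for n, i in routes if ip in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def decide(routes, rules, src_if, src, dst, service, log):
    """Return the action applied to one packet; explicit Drop rules append to `log`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dst_if = route_lookup(routes, dst)                    # 1. route lookup first
    if dst_if is None or route_lookup(routes, src) != src_if:
        return "Drop"                                     # unrouted, or source on wrong interface
    for rule in rules:                                    # 2. first matching IP rule wins
        if rule.matches(src_if, src, dst_if, dst, service):
            if rule.action == "Drop":
                log.append(f"{rule.name}: {src} -> {dst} {service} on {src_if}")
            return rule.action
    return "Drop"                                         # default drop: nothing is logged

# Constructed routing table and rule set; the explicit drop-all pair closes the set.
ROUTES = [("192.168.1.0/24", "lan"), ("0.0.0.0/0", "wan"), ("2001:db8:1::/64", "lan"), ("::/0", "wan")]
RULES = [IPRule("lan_to_wan", "Allow", "lan", "192.168.1.0/24", "wan", "all-nets", "http"),
         IPRule("main_drop_all", "Drop", "any", "all-nets", "any", "all-nets", "all_services"),
         IPRule("main_drop_all6", "Drop", "any", "all-nets6", "any", "all-nets6", "all_services")]
```

Removing the two drop-all rules from RULES still drops unmatched traffic, but the log stays empty, which is exactly the visibility gap the explicit rule is meant to close.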