D-Link DFL-800-AV-12 User Manual - Page 136
Access Rule Settings, Default Access Rule
View all D-Link DFL-800-AV-12 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 136 highlights
6.1.3. Access Rule Settings Chapter 6. Security Mechanisms VPNs provide one means of avoiding spoofing but where a VPN is not an appropriate solution then Access Rules can provide an anti-spoofing capability by providing an extra filter for source address verification. An Access Rule can verify that packets arriving at a given interface do not have a source address which is associated with a network of another interface. In other words: • Any incoming traffic with a source IP address belonging to a local trusted host is NOT allowed. • Any outgoing traffic with a source IP address belonging to an outside untrusted network is NOT allowed. The first point prevents an outsider from using a local host's address as its source address. The second point prevents any local host from launching the spoof. 6.1.3. Access Rule Settings The configuration of an access rule is similar to other types of rules. It contains Filtering Fields as well as the Action to take. If there is a match, the rule is triggered, and NetDefendOS will carry out the specified Action. Access Rule Filtering Fields The Access Rule filtering fields used to trigger a rule are: • Interface: The interface that the packet arrives on. • Network: The IP span that the sender address should belong to. Access Rule Action The Access Rule actions that can be specified are: • Drop: Discard the packets that match the defined fields. • Accept: Accept the packets that match the defined fields for further inspection in the rule set. • Expect: If the sender address of the packet matches the Network specified by this rule, the receiving interface is compared to the specified interface. If the interface matches, the packet is accepted in the same way as an Accept action. If the interfaces do not match, the packet is dropped in the same way as a Drop action. Note Logging can be enabled on demand for these Actions. Turning Off Default Access Rule Messages If, for some reason, the "Default Access Rule" log message is continuously being generated by some source and needs to be turned off, then the way to do this is to specify an Access Rule for that source with an action of Drop. Troubleshooting Access Rule Related Problems It should be noted that Access Rules are a first filter of traffic before any other NetDefendOS modules can see it. Sometimes problems can appear, such as setting up VPN tunnels, precisely because of this. It is always advisable to check Access Rules when troubleshooting puzzling problems in case a rule is preventing some other function, such as VPN tunnel astablishment, from working properly. 136