D-Link DFL-200 Product Manual - Page 26
Firewall, Policy, Policy modes, Action Types, Source and Destination Filter
 |
UPC - 790069268823
View all D-Link DFL-200 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 26 highlights
Firewall Policy The Firewall Policy configuration section is the "heart" of the firewall. The policies are the primary filter that is configured to allow or disallow certain types of network traffic through the firewall. The policies also regulate how bandwidth management, traffic shaping, is applied to traffic flowing through the WAN interface of the firewall. When a new connection is being established through the firewall, the policies are evaluated, top to bottom, until a policy that matches the new connection is found. The Action of the rule is then carried out. If the action is Allow, the connection will be established and a state representing the connection is added to the firewall's internal state table. If the action is Drop, the new connection will be refused. The section below will explain the meanings of the various action types available. Policy modes The first step in configuring security policies is to configure the mode for the firewall. The firewall can run in NAT or No NAT (Route) mode. Select NAT mode to use DFL-200 network address translation to protect private networks from public networks. In NAT mode, you can connect a private network to the internal interface, a DMZ network to the DMZ interface, and a public network, such as the Internet, to the external interface. Then you can create NAT mode policies to accept or deny connections between these networks. NAT mode policies hide the addresses of the internal and DMZ networks from users on the Internet. In No NAT (Route) mode you can also create routed policies between interfaces. Route mode policies accept or deny connections between networks without performing address translation. To use NAT mode select Hide source addresses (many-to-one NAT) and to use No NAT (Route) mode choose No NAT. Action Types Drop - Packets matching Drop rules will immediately be dropped. Such packets will be logged if logging has been enabled in the Logging Settings page. Reject - Reject works basically the same way as Drop. In addition to this, the firewall sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet was a TCP packet, a TCP RST message. Such packets will be logged if logging has been enabled in the Logging Settings page. Allow - Packets matching Allow rules are passed to the stateful inspection engine, which will remember that a connection has been opened. Therefore, rules for return traffic will not be required as traffic belonging to open connections is automatically dealt with before it reaches the policies. Logging is carried out if audit logging has been enabled in the Logging Settings page. Source and Destination Filter Source Nets - Specifies the sender span of IP addresses to be compared to the received packet. Leave this blank to match everything. 26
-
1 -
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
-
17
-
18
-
19
-
20
-
21 -
22 -
23 -
24 -
25 -
26 -
27 -
28 -
29 -
30 -
31 -
32
-
33
-
34
-
35
-
36
-
37
-
38
-
39
-
40
-
41
-
42
-
43
-
44
-
45
-
46
-
47
-
48
-
49
-
50
-
51
-
52
-
53
-
54
-
55
-
56
-
57
-
58
-
59
-
60
-
61
-
62
-
63
-
64
-
65
-
66
-
67
-
68
-
69
-
70
-
71
-
72
-
73
-
74
-
75
-
76
-
77
-
78
-
79
-
80
-
81
-
82
-
83
-
84
-
85
-
86
-
87
-
88
-
89
-
90
-
91
-
92
-
93
-
94
-
95
-
96
-
97
-
98
-
99
-
100
-
101
-
102
-
103
-
104
-
105
-
106
-
107
-
108
-
109
-
110
-
111
-
112
-
113
-
114
-
115
-
116
-
117
-
118
-
119
-
120
-
121
-
122
-
123
-
124
-
125
-
126
-
127
-
128
-
129
-
130
-
131
-
132
 |
 |
