D-Link DFL-2560 Product Manual - Page 118
IP Rule Evaluation, Traffic Flow Needs an IP Rule and a Route
UPC - 790069335433
View all D-Link DFL-2560 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 118 highlights
3.5.2. IP Rule Evaluation Chapter 3. Fundamentals all source/destination networks/interfaces, and with logging enabled, is placed as the last rule in the IP rule set. This is often referred to as a drop all rule. Traffic Flow Needs an IP Rule and a Route As stated above, when NetDefendOS is started for the first time, the default IP rules drop all traffic so at least one IP rule must be added to allow traffic to flow. In fact, two NetDefendOS components need to be present: • A route must exist in a NetDefendOS routing table which specifies on which interface packets should leave in order to reach their destination. A second route must also exist that indicates the source of the traffic is found on the interface where the packets enter. • An IP rule in a NetDefendOS IP rule set which specifies the security policy that allows the packets from the source interface and network bound for the destination network to leave the NetDefend Firewall on the interface decided by the route. If the IP rule used is an Allow rule then this is bi-directional by default. The ordering of these steps is important. The route lookup occurs first to determine the exiting interface and then NetDefendOS looks for an IP rule that allows the traffic to leave on that interface. If a rule doesn't exist then the traffic is dropped. Figure 3.3. Simplified NetDefendOS Traffic Flow This description of traffic flow is an extremely simplified version of the full flow description found in Section 1.3, "NetDefendOS State Engine Packet Flow". For example, before the route lookup is done, NetDefendOS first checks that traffic from the source network should, in fact, be arriving on the interface where it was received. This is done by NetDefendOS performing a reverse route lookup which means that the routing tables are searched for a route that indicates the network should be found on that interface. This second route should logically exist if a connection is bi-directional and it must have a pair of routes associated with it, one for each direction. 3.5.2. IP Rule Evaluation When a new connection, such as a TCP/IP connection, is being established through the NetDefend 118