Ip Rule Evaluation - D-Link DFL-260E User Manual
Network security firewall netdefendos version 2.27.03
Hide thumbs
Also See for DFL-260E:
- Reference manual (948 pages) ,
- Log reference manual (652 pages) ,
- User manual (589 pages)
Table of Contents
Advertisement
3.5.2. IP Rule Evaluation
This description of traffic flow is an extremely simplified version of the full flow description found
in Section 1.3, "NetDefendOS State Engine Packet Flow".
For example, before the route lookup is done, NetDefendOS first checks that traffic from the source
network should, in fact, be arriving on the interface where it was received. This is done by
NetDefendOS performing a reverse route lookup which means that the routing tables are searched
for a route that indicates the network should be found on that interface.
This second route should logically exist if a connection is bi-directional and it must have a pair of
routes associated with it, one for each direction.
3.5.2. IP Rule Evaluation
When a new connection, such as a TCP/IP connection, is being established through the NetDefend
Firewall, the list of IP rules are evaluated from top to bottom until a rule that matches the parameters
of the new connection is found. The first matching rule's Action is then performed.
If the action allows it then the establishment of the new connection will go ahead. A new entry or
state representing the new connection will then be added to the NetDefendOS internal state table
which allows monitoring of opened and active connections passing through the NetDefend Firewall.
If the action is Drop or Reject then the new connection is refused.
Stateful Inspection
After initial rule evaluation of the opening connection, subsequent packets belonging to that
connection will not need to be evaluated individually against the rule set. Instead, a highly efficient
algorithm searches the state table for each packet to determine if it belongs to an established
connection.
This approach is known as stateful inspection and is applied not only to stateful protocols such as
TCP but also by means of "pseudo-connections" to stateless protocols such as UDP and ICMP. This
approach means that evaluation against the IP rule set is only done in the initial opening phase of a
connection. The size of the IP rule set consequently has negligible effect on overall throughput.
The First Matching Principle
If several rules match the same parameters, the first matching rule in a scan from top to bottom is
the one that decides how the connection will be handled.
The exception to this is SAT rules since these rely on a pairing with a second rule to function. After
encountering a matching SAT rule the search will therefore continue on looking for a matching
second rule. See Section 7.4, "SAT" for more information about this topic.
Non-matching Traffic
Incoming packets that do not match any rule in the rule set and that do not have an already opened
matching connection in the state table, will automatically be subject to a Drop action. To have
control over non-matching traffic it is recommended to create an explicit rule called DropAll as the
final rule in the rule set with an action of Drop with Source/Destination Network all-nets and
Source/Destination Interface all. This allows logging to be turned on for traffic that matches no IP
Tip: Rules in the wrong order sometimes cause problems
It is important to remember the principle that NetDefendOS searches the IP rules from
top to bottom, looking for the first matching rule.
If an IP rule seems to be ignored, check that some other rule above it is not being
triggered first.
124
Chapter 3. Fundamentals
- Quick Links:
- The Web Interface
- The Cli
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
