Access rule settings – D-Link DFL-2500 User Manual

VPNs provide one means of avoiding spoofing but where a VPN is not an appropriate solution then
Access Rules can provide an anti-spoofing capability by providing an extra filter for source address
verification. An Access Rule can verify that packets arriving at a given interface do not have a
source address which is associated with a network of another interface. In other words:

•

Any incoming traffic with a source IP address belonging to a local trusted host is NOT allowed.

•

Any outgoing traffic with a source IP address belonging to an outside untrusted network is NOT
allowed.

The first point prevents an outsider from using a local host's address as its source address. The
second point prevents any local host from launching the spoof.

6.1.3. Access Rule Settings

The configuration of an access rule is similar to other types of rules. It contains Filtering Fields as
well as the Action to take. If there is a match, the rule is triggered, and NetDefendOS will carry out
the specified Action.

Access Rule Filtering Fields

The Access Rule filtering fields used to trigger a rule are:

•

Interface: The interface that the packet arrives on.

•

Network: The IP span that the sender address should belong to.

Access Rule Action

The Access Rule actions that can be specified are:

•

Drop: Discard the packets that match the defined fields.

•

Accept: Accept the packets that match the defined fields for further inspection in the rule set.

•

Expect: If the sender address of the packet matches the Network specified by this rule, the
receiving interface is compared to the specified interface. If the interface matches, the packet is
accepted in the same way as an Accept action. If the interfaces do not match, the packet is
dropped in the same way as a Drop action.

Note

Logging can be enabled on demand for these Actions.

Turning Off Default Access Rule Messages

If, for some reason, the "Default Access Rule" log message is continuously being generated by some
source and needs to be turned off, then the way to do this is to specify an Access Rule for that
source with an action of Drop.

Troubleshooting Access Rule Related Problems

It should be noted that Access Rules are a first filter of traffic before any other NetDefendOS
modules can see it. Sometimes problems can appear, such as setting up VPN tunnels, precisely
because of this. It is always advisable to check Access Rules when troubleshooting puzzling
problems in case a rule is preventing some other function, such as VPN tunnel astablishment, from
working properly.

6.1.3. Access Rule Settings

Chapter 6. Security Mechanisms

136