D-Link DFL-2500 User Manual: Section 3.5, The IP Rule Set (Security Policies)
Page 73
3.5. The IP Rule Set
3.5.1. Security Policies
Policy Characteristics
NetDefendOS security policies, designed by the administrator, regulate the way in which traffic can flow through a D-Link Firewall. Policies in NetDefendOS are defined by several NetDefendOS rule sets. These rule sets share a common means of specifying the filtering criteria that determine the type of traffic to which a rule applies. This set of criteria consists of:
Source Interface
    An Interface or Interface Group on which the packet is received at the D-Link Firewall. This can also be a VPN tunnel.
Source Network
    The network that contains the source IP address of the packet. This can be a NetDefendOS IP object, which may define a single IP address or a range of addresses.
Destination Interface
    An Interface or Interface Group through which the packet would leave the D-Link Firewall. This can also be a VPN tunnel.
Destination Network
    The network to which the destination IP address of the packet belongs. This can be a NetDefendOS IP object, which may define a single IP address or a range of addresses.
Service
    The protocol type to which the packet belongs. Service objects define a protocol/port type; examples are HTTP or ICMP. Custom services can also be defined (see Section 3.2, “Services” for more information).
The NetDefendOS rule sets, all of which use the same five filtering parameters, include:
• IP rules.
• Pipe rules (see Section 10.1, “Traffic Shaping”).
• Policy-based Routing rules (see Section 4.3, “Policy-based Routing”).
• IDP rules (see Section 6.5, “Intrusion Detection and Prevention”).
• Authentication rules (source net/interface only; see Chapter 8, User Authentication).
Specifying Any Interface or Network
When specifying the filtering criteria in any of the rule sets listed above, there are three useful pre-defined options that can be used:
• For a Source or Destination Network, the all-nets option is equivalent to the IP address 0.0.0.0/0, which means that any IP address is acceptable.
• For a Source or Destination Interface, the any option can be used so that NetDefendOS does not care which interface the traffic is coming from or going to.
• The Destination Interface can be specified as core. This means that the traffic, such as an ICMP ping, is destined for the D-Link Firewall itself, and it is NetDefendOS that will respond to it.
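As an added illustration (not NetDefendOS code or configuration), the following Python models how the five criteria, together with all-nets, any and core, select the first matching rule for a packet. The rule set, interface names, addresses and the drop-unmatched default are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ALL_NETS = ip_network("0.0.0.0/0")  # "all-nets": any IPv4 address is acceptable
ANY = "any"                         # "any": the interface is not checked at all
CORE = "core"                       # destination interface of traffic for the firewall itself
@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # constructed actions: "Allow" or "Drop"
    src_iface: str
    src_net: IPv4Network
    dst_iface: str
    dst_net: IPv4Network
    service: frozenset       # (protocol, port) pairs; port is None for ICMP
@dataclass(frozen=True)
class Packet:
    in_iface: str            # interface the packet arrived on
    src_ip: str
    out_iface: str           # interface routing would forward it out of, or CORE
    dst_ip: str
    proto: str
    dport: Optional[int]
def rule_matches(r: Rule, p: Packet) -> bool:
    # All five criteria must hold. 0.0.0.0/0 contains every IPv4 address,
    # so all-nets needs no special case; "any" skips the interface check.
    return (r.src_iface in (ANY, p.in_iface)
            and ip_address(p.src_ip) in r.src_net
            and r.dst_iface in (ANY, p.out_iface)
            and ip_address(p.dst_ip) in r.dst_net
            and (p.proto, p.dport) in r.service)
def lookup(rules: list, p: Packet) -> tuple:
    """First matching rule wins. Reporting unmatched traffic as dropped is an
    assumption of this example, not a statement from the manual."""
    for r in rules:
        if rule_matches(r, p):
            return r.name, r.action
    return None, "Drop"

# Constructed sample rule set; 192.168.1.1 is assumed to be the firewall's LAN address.
LAN, FW_LAN = ip_network("192.168.1.0/24"), ip_network("192.168.1.1/32")
HTTP, PING = frozenset({("tcp", 80)}), frozenset({("icmp", None)})
RULES = [
    Rule("lan_ping_fw", "Allow", "lan", LAN, CORE, FW_LAN, PING),
    Rule("lan_http_out", "Allow", "lan", LAN, "wan", ALL_NETS, HTTP),
    Rule("drop_ping_fw", "Drop", ANY, ALL_NETS, CORE, ALL_NETS, PING),
]
```

Because the third rule uses any and all-nets, it would also match a LAN ping to the firewall; the earlier, more specific rule is chosen only because it comes first in the list.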
Chapter 3. Fundamentals