Ip rule actions – Amer Networks E5Web GUI User Manual
Page 195

which allows monitoring of opened and active connections passing through the Clavister
Security Gateway. If the action is Drop or Reject then the new connection is refused.
Tip: Rules in the wrong order sometimes cause problems
It is important to remember the principle that cOS Core searches the IP rule set from top
to bottom, looking for the first matching rule.
If a rule set entry seems to be ignored, check that some other rule above it is not being
triggered first.
Stateful Inspection
After initial rule evaluation of the opening connection, subsequent packets belonging to that
connection will not need to be evaluated individually against the rule set. Instead, a much faster
search of the state table is performed for each packet to determine if it belongs to an established
connection.
This approach to packet processing is known as stateful inspection and is applied not only to
stateful protocols such as TCP but is also applied to stateless protocols such as UDP and ICMP by
using the concept of "pseudo-connections" . This approach means that evaluation against the IP
rule set is only done in the initial opening phase of a connection. The size of the IP rule set
therefore has negligible effect on overall throughput.
The First Matching Principle
If several rules match the same parameters, the first matching rule in a scan from top to bottom
is the one that decides how the connection will be handled.
The exception to this is SAT rules since these rely on a pairing with a second rule to function.
After encountering a matching SAT rule the search will therefore continue on looking for a
matching second rule. See Section 7.4, “SAT” for more information about this topic.
Non-matching Traffic
Incoming packets that do not match any rule in the rule set and that do not have an already
opened matching connection in the state table, will automatically be subject to a Drop action. As
mentioned above, to be able to log non-matching traffic, it is recommended to create an explicit
rule called DropAll as the final rule in the rule set with an action of Drop with Source/Destination
Network all-nets and Source/Destination Interface all. This allows logging to be turned on for
traffic that matches no IP rule.
3.6.3. IP Rule Actions
A rule consists of two parts: the filtering parameters and the action to take if there is a match
with those parameters. As described above, the parameters of any cOS Core rule, including IP
rules are:
•
Source Interface
•
Source Network
•
Destination Interface
•
Destination Network
Chapter 3: Fundamentals
195