Multiple ip rule sets – Amer Networks E5Web GUI User Manual

Page 197

types allow bi-directional traffic flow once the initial connection is set up. The Source Network
and Source Interface in the rule means the source of the initial connection request. If a
connection is permitted and then becomes established, traffic can flow in either direction over it.

The exception to this bi-directional flow is FwdFast rules. If the FwdFast action is used, the rule
will not allow traffic to flow from the destination back to the source. If bi-directional flow is
required then two FwdFast rules are needed, one for each direction. This is also the case if a
FwdFast rule is used with a SAT rule.

Using Reject

In certain situations the Reject action is recommended instead of the Drop action because a
"polite" reply is required from cOS Core. An example of such a situation is when responding to
the IDENT user identification protocol. Some applications will pause for a timeout if Drop is used
and Reject can avoid such processing delays.

3.6.4. Multiple IP Rule Sets

Overview

cOS Core allows the administrator to define multiple IP rule sets which can both simplify and
provide greater flexibility when defining security policies. The default IP rule set is known as main
and is always present in cOS Core. Additional rule sets can be defined as needed and are given a
name by the administrator.

Multiple IP rule sets offer many advantages, among them:

The administrator can break a single large IP rule set into multiple, smaller and more
manageable rule sets.

A single named IP rule set can be associated with a routing table. This makes implementing
Virtual Routing much simpler since each router can have a dedicated IP rule set associated
with it. See Section 4.5, “Virtual Routing” for more information about this topic.

IP rule lookup speed can be increased for large numbers of rules by breaking one large rule
set down into several smaller ones.

Searching Multiple Rule Sets

When multiple rule sets are defined, the way they are processed for a new connection is as
follows:

The primary main IP rule set is always searched first for matches of source/destination
interface/network.

User-defined rule sets are used in a rule lookup only when the action specified for a
matching rule in main is Goto. The Goto action must have a named, administrator-defined IP
rule set associated with it, and if the traffic matches the Goto rule then the rule lookup
continues from the beginning of that named rule set.

A Goto may never use the main rule set as its target.

If the search in the named rule set finds no match then the connection is dropped.

If a match is found in the named rule set then the action is executed. The action might be
another Goto in which case the rule scanning jumps to the beginning of another named rule
set.
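The lookup order just described, simulated in Python as an added example (this is not cOS Core code and the Rule/Connection representation, the validate_rule_sets() and lookup() functions, and the sample policy are all assumptions made for illustration; only interface and network matching is modelled, not services, schedules or SAT). The simulation starts in main, restarts the search at the beginning of a named rule set on a Goto match, drops a connection that matches nothing in a named set, refuses a Goto that targets main, and follows chained Gotos. Two behaviours are the example's own choices rather than statements from the manual: no match in main is also treated as Drop, and a hop limit guards against Goto cycles.

```python
"""Simulation of the multi-rule-set lookup order (added example, not cOS Core code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src_if: str                 # interface name, or "any"
    src_net: str                # CIDR such as "192.168.1.0/24"; "0.0.0.0/0" stands for all-nets
    dst_if: str
    dst_net: str
    action: str                 # Allow, NAT, SAT, FwdFast, Drop, Reject or Goto
    goto: Optional[str] = None  # target rule set name when action == "Goto"


@dataclass(frozen=True)
class Connection:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """Match on source/destination interface and network only."""
    iface_ok = rule.src_if in ("any", conn.src_if) and rule.dst_if in ("any", conn.dst_if)
    net_ok = (ip_address(conn.src_ip) in ip_network(rule.src_net)
              and ip_address(conn.dst_ip) in ip_network(rule.dst_net))
    return iface_ok and net_ok


def validate_rule_sets(rule_sets: dict) -> None:
    """Enforce the Goto constraints the manual states: main must exist, a Goto must
    name an existing administrator-defined rule set, and main is never a Goto target."""
    if "main" not in rule_sets:
        raise ValueError("the main rule set must always be present")
    for set_name, rules in rule_sets.items():
        for rule in rules:
            if rule.action != "Goto":
                continue
            if rule.goto is None or rule.goto not in rule_sets:
                raise ValueError(f"{set_name}:{rule.name}: Goto has no valid target rule set")
            if rule.goto == "main":
                raise ValueError(f"{set_name}:{rule.name}: Goto may never target main")


def lookup(rule_sets: dict, conn: Connection, max_hops: int = 16):
    """Return (action, path): the action applied to a new connection and the list of
    (rule_set, rule_name) entries that matched on the way there.

    Lookup always starts in main. A Goto match restarts the search at the beginning
    of the named rule set; no match in a named set means Drop. Treating no match in
    main as Drop, and the max_hops loop guard, are assumptions of this example only."""
    validate_rule_sets(rule_sets)
    current = "main"
    path = []
    for _ in range(max_hops + 1):
        matched = next((r for r in rule_sets[current] if rule_matches(r, conn)), None)
        if matched is None:
            return "Drop", path
        path.append((current, matched.name))
        if matched.action != "Goto":
            return matched.action, path
        current = matched.goto  # continue from the start of the named rule set
    raise RuntimeError(f"Goto chain exceeded {max_hops} hops (possible loop)")


# Constructed sample policy: main hands LAN->DMZ traffic to "dmz_rules", which in
# turn hands one admin host's database traffic to "db_rules".
SAMPLE_RULE_SETS = {
    "main": [
        Rule("lan_to_dmz", "lan", "192.168.1.0/24", "dmz", "10.0.0.0/24", "Goto", "dmz_rules"),
        Rule("lan_to_wan", "lan", "192.168.1.0/24", "wan", "0.0.0.0/0", "NAT"),
    ],
    "dmz_rules": [
        Rule("web", "lan", "192.168.1.0/24", "dmz", "10.0.0.10/32", "Allow"),
        Rule("db_admin", "lan", "192.168.1.5/32", "dmz", "10.0.0.20/32", "Goto", "db_rules"),
    ],
    "db_rules": [
        Rule("db_ssh", "lan", "192.168.1.5/32", "dmz", "10.0.0.20/32", "Allow"),
    ],
}

if __name__ == "__main__":
    for conn in (Connection("lan", "192.168.1.7", "dmz", "10.0.0.10"),   # Goto, then Allow
                 Connection("lan", "192.168.1.7", "dmz", "10.0.0.30"),   # Goto, no match: Drop
                 Connection("lan", "192.168.1.5", "dmz", "10.0.0.20"),   # two chained Gotos
                 Connection("wan", "203.0.113.9", "lan", "192.168.1.7")):  # nothing in main
        print(conn, "->", lookup(SAMPLE_RULE_SETS, conn))
```

The returned path is the part worth keeping when troubleshooting a policy split across several rule sets: it shows which Goto in main handed the connection off and where in the named set the search ended, which is exactly what is lost when a connection is silently dropped because the named rule set has no matching rule.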

Chapter 3: Fundamentals