Simplified Netdefendos Traffic Flow - D-Link NetDefend DFL-210 User Manual

3.5.1. Security Policies
When specifying the filtering criteria in any of the rule sets specified above there are three useful
pre-defined options that can be used:
• For a Source or Destination Network, the all-nets option is equivalent to the IP address 0.0.0.0/0
which will mean that any IP address is acceptable.
• For Source or Destination Interface, the any option can be used so that NetDefendOS will not
care about the interface which the traffic is going to or coming from.
• The Destination Interface can be specified as core. This means that traffic, such as an ICMP
Ping, is destined for the D-Link Firewall itself and NetDefendOS will respond to it.
IP Rules and the Default IP Rule Set
The IP rule set is the most important of these security policy rule sets. It determines the critical
packet filtering function of NetDefendOS, regulating what is allowed or not allowed to pass through
the D-Link Firewall, and if necessary, how address translations like NAT are applied.
There are two possible approaches to how traffic traversing the D-Link Firewall could be dealt with:
• Everything is denied unless specifically permitted
• Or everything is permitted unless specifically denied
To provide the best security, the first of these approaches is adopted by NetDefendOS. This means
that when first installed and started, the NetDefendOS IP rule set drops all traffic. In order to allow
any traffic to traverse the D-Link Firewall (including NetDefendOS responding to ICMP Ping
requests), new IP rules must be defined by the administrator.
Traffic that does not match any rule in the IP rule set is, by default, dropped by NetDefendOS. For
logging purposes it is nevertheless recommended that an explicit IP rule with an action of Drop for
all source/destination networks/interfaces, and with logging enabled, is placed as the last rule in the
IP rule set.
Traffic Flow Needs an IP Rule and a Route
As stated above, when NetDefendOS is started for the first time, the default IP rules drop all traffic
so at least one IP rule must be added to allow traffic to flow. In fact, two NetDefendOS components
need to be present:
• A route must exist in a NetDefendOS routing table which specifies on which interface packets
should leave in order to reach their destination.
A second route must also exist that indicates the source of the traffic is found on the interface
where the packets enter.
• An IP rule in a NetDefendOS IP rule set which specifies the security policy that allows the
packets from the source interface and network bound for the destination network to leave the
D-Link Firewall on the interface decided by the route.
If the IP rule used is an Allow rule then this is bi-directional by default.
The ordering of these steps is important. The route lookup occurs first to determine the exiting
interface and then NetDefendOS looks for an IP rule that allows the traffic to leave on that interface.
If a rule doesn't exist then the traffic is dropped.
Figure 3.1. Simplified NetDefendOS Traffic Flow
102
Chapter 3. Fundamentals