traverse the NetDefend Firewall (as well as allowing NetDefendOS to respond to ICMP Ping
requests), some IP rules must be defined by the administrator.
Each IP rule or IP policy that is added by the administrator will define the following basic filtering
criteria:
• From what interface to what interface traffic flows.
• From what network to what network the traffic flows.
• What kind of protocol is affected (the service).
• What action the rule will take when a match on the filter triggers.
Specifying Any Interface or Any Network
When specifying the filtering criteria in any of the policy rule sets, there are several useful
predefined configuration objects that can be used:
• For a source or destination network, the all-nets option is equivalent to the IP address
0.0.0.0/0 which will mean that any IP address is acceptable.
• For source or destination interface, the any option can be used so that NetDefendOS will not
care about the interface which the traffic is going to or coming from.
• The destination interface can be specified as core. This means that traffic, such as an ICMP
Ping, is destined for the NetDefend Firewall itself and NetDefendOS will respond to it.
New connections that are initiated by NetDefendOS itself do not need an explicit IP rule or IP
policy because they are allowed by default. For this reason, the interface core is not used as
the source interface. Such connections include those made to the external databases used by
NetDefendOS features such as IDP and dynamic web content filtering.
• The Service can be specified as all_services which includes all possible protocols.
Creating a Drop All Rule/Policy
Traffic that does not match any IP rule or IP policy in the IP rule set is, by default, dropped by
NetDefendOS. In order to be able to log the dropped connections, it is recommended that an
explicit IP rule or IP policy that drops traffic for all source/destination networks/interfaces is
defined and placed as the last item in the IP rule set. This is sometimes referred to as a
Drop All rule/policy.
Tip: Include the rule set name in the drop all name
There may be several IP rule sets in use. It is recommended to include the IP rule set name
in the name of the drop all rule so it can be easily identified in log messages.
For example, the drop all IP rule or IP policy for the main rule set should be called
main_drop_all or similar.
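The following is an added illustration of the first-match semantics described above, not NetDefendOS code: a small model of an IP rule set using the page's predefined objects (all-nets, any, core, all_services), showing that a connection matching no rule is dropped silently, while an explicit main_drop_all rule at the end drops it with a log entry. Interface names, networks and service names (lan, wan, http, ping) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class IPRule:
    name: str
    src_if: str    # interface name, or "any"
    src_net: str   # CIDR (IPv4 or IPv6), or "all-nets"
    dst_if: str    # interface name, "any", or "core" (the firewall itself)
    dst_net: str
    service: str   # service name, or "all_services"
    action: str    # "Allow" or "Drop"
    log: bool = False

def net_matches(rule_net: str, ip: str) -> bool:
    """all-nets is 0.0.0.0/0, i.e. any address; otherwise do a CIDR test.
    An IPv6 address never matches an IPv4 network and vice versa."""
    if rule_net == "all-nets":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_net, strict=False)

def rule_matches(rule: IPRule, pkt: dict) -> bool:
    return (rule.src_if in ("any", pkt["src_if"])
            and rule.dst_if in ("any", pkt["dst_if"])
            and net_matches(rule.src_net, pkt["src_ip"])
            and net_matches(rule.dst_net, pkt["dst_ip"])
            and rule.service in ("all_services", pkt["service"]))

def evaluate(ruleset, pkt) -> Tuple[str, Optional[str]]:
    """Return (action, name of the rule to log or None). The first matching
    rule wins; a connection matching nothing is dropped by default, unlogged."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.action, (rule.name if rule.log else None)
    return "Drop", None

# Constructed rule set: LAN hosts may browse the web and ping the firewall's
# own LAN address (192.168.1.1, constructed); everything else hits main_drop_all.
MAIN_RULESET = [
    IPRule("lan_to_wan_http", "lan", "192.168.1.0/24", "wan", "all-nets", "http", "Allow"),
    IPRule("lan_ping_fw", "lan", "192.168.1.0/24", "core", "192.168.1.1/32", "ping", "Allow"),
    IPRule("main_drop_all", "any", "all-nets", "any", "all-nets", "all_services", "Drop", log=True),
]

if __name__ == "__main__":
    probe = {"src_if": "wan", "src_ip": "198.51.100.7", "dst_if": "lan",
             "dst_ip": "192.168.1.10", "service": "ssh"}
    print(evaluate(MAIN_RULESET, probe))       # ('Drop', 'main_drop_all')
    print(evaluate(MAIN_RULESET[:-1], probe))  # ('Drop', None): dropped, nothing logged
```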
The IP Addresses in IP Rules or IP Policies can be IPv4 or IPv6
IP rules and IP policies support either IPv4 or IPv6 addresses as the source and destination
network in the filtering properties.
Chapter 3: Fundamentals