source network should, in fact, be arriving on the interface where it was received. This is done by
NetDefendOS performing a reverse route lookup which means that the routing tables are
searched for a route that indicates the network should be found on that interface.
This second route should logically exist if a connection is bidirectional and it must have a pair of
routes associated with it, one for each direction.
3.6.2. IP Rule Set Evaluation
When a new connection, such as a TCP/IP connection, is being established through the
NetDefend Firewall, the IP rule set is scanned from the top to the bottom until an IP rule or IP
policy that matches the parameters of the new connection is found. The first matching rule or
policy's Action is then performed.
If the action allows it, the establishment of the new connection will go ahead. A new entry or
state representing the new connection will then be added to the NetDefendOS internal state
table which allows monitoring of opened and active connections passing through the
NetDefend Firewall. If the action is Drop or Reject then the new connection is refused.
Tip: Rules in the wrong order sometimes cause problems
It is important to remember the principle that NetDefendOS searches the IP rule set from
top to bottom, looking for the first matching IP rule or IP policy.
If a rule set entry seems to be ignored, check that some other rule above it is not being
triggered first.
Stateful Inspection
After initial rule evaluation of the opening connection, subsequent packets belonging to that
connection will not need to be evaluated individually against the rule set. Instead, a much faster
search of the state table is performed for each packet to determine if it belongs to an established
connection.
This approach to packet processing is known as stateful inspection and is applied not only to
stateful protocols such as TCP but is also applied to stateless protocols such as UDP and ICMP by
using the concept of "pseudo-connections" . This approach means that evaluation against the IP
rule set is only done in the initial opening phase of a connection. The size of the IP rule set
therefore has negligible effect on overall throughput.
The First Matching Principle
If several rules match the same parameters, the first matching rule in a scan from top to bottom
is the one that decides how the connection will be handled.
The exception to this is SAT IP rules since these rely on a pairing with a second IP rule to function.
After encountering a matching SAT IP rule, the search will continue on looking for a matching
second IP rule. However, when implementing SAT with IP policies only a single IP Policy object is
required. See Section 7.4, “SAT” for more information about this topic.
Non-matching Traffic
Incoming packets that do not match any rule in the rule set and that do not have an already
opened matching connection in the state table, will automatically be subject to a Drop action. As
mentioned above, to be able to log non-matching traffic, it is recommended to create an explicit
rule called DropAll as the final rule in the rule set with an action of Drop with Source/Destination
Chapter 3: Fundamentals
232
To Next Page
Loading...
