A Simple Multiple Rule Set Example
Below are two simple IP rule set tables which illustrate how multiple rule sets might be used. The
main rule set contains a first Goto rule which jumps to the administrator defined rule set
called ExtraRules.
The administrator defined rule set ExtraRules contains a SAT rule followed by a NAT rule. If neither
is triggered, the final Return rule sends the scanning process back to the entry in main which
follows the Goto rule; in this case that is the second entry in main. Note that the Return rule as
written matches only traffic arriving on interface If2, so a connection from any other interface
that matches neither the SAT nor the NAT rule reaches the end of ExtraRules without returning to main.
The main IP rule set

#  Rule Type        Src Iface  Src Net         Dest Iface  Dest Net        Service
1  Goto ExtraRules  any        all-nets        core        172.16.40.0/24  all_services
2  Allow            any        192.168.0.0/24  core        172.16.0.0/16   all_services

The ExtraRules IP rule set

#  Rule Type  Src Iface  Src Net        Dest Iface  Dest Net      Service
1  SAT        any        all-nets       any         172.16.40.66  all_services
2  NAT        If2        176.16.0.0/16  any         all-nets      all_services
3  Return     If2        all-nets       any         all-nets      all_services
Increasing IP Rule Set Lookup Speed
When the rule set main contains many thousands of rules, rule set lookup can become slow and
this degrades the overall throughput of the firewall. Typical symptoms are:
• Consistently high CPU load in the firewall.
• Unusually long loading times for Web Interface pages (a consequence of the high CPU load).
Lookup is a top-to-bottom scan for the first matching rule, so its cost grows with the number of
rules that have to be examined before a match is found. The solution is to break up the large
rule set and move its rules into several new rule sets, each typically holding the entries for
one particular type of traffic. A small number of Goto rules is then added to the rule set main,
each pointing to the rule set for one type of traffic, so that a lookup examines only the few
Goto rules plus the rules in the one rule set that is relevant to the connection.
For example, the IP rule set main may contain thousands of rules where the Destination Network
might be any one of the networks called dmznet, lannet or wannet. It can be much more efficient
to divide these rules based on the Destination Network and place each group in new rule sets
called dmz_rules, lan_rules and wan_rules.
Three Goto rules are placed in the main rule set to point to these new rule sets:
Goto rule set  Src Iface  Src Net   Dest Iface  Dest Net  Service
dmz_rules      any        all-nets  any         dmznet    all_services
lan_rules      any        all-nets  any         lannet    all_services
wan_rules      any        all-nets  any         wannet    all_services
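The lookup behaviour described in both sections above, as an added example that is not code from this manual or from the firewall it documents: a small Python simulator that scans rule sets top to bottom, follows Goto into a named rule set, resumes after the Goto when a Return is hit, and counts how many rules had to be compared. It is fed the two tables from "A Simple Multiple Rule Set Example" transcribed as printed, and then a generated flat rule set next to its split into dmz_rules, lan_rules and wan_rules as "Increasing IP Rule Set Lookup Speed" suggests. The packet interfaces If1/If2/If3, the addresses behind dmznet, lannet and wannet, the service names, and the choice to let a matching SAT rule fall through to the following rule are assumptions; what a real firewall does when a scan runs off the end of a rule set without a Return is not stated on this page, so the simulator only reports that case as "unmatched".

```python
# Added example, not code from the manual or the firewall it documents: a first-match
# simulator for IP rule set lookup with Goto and Return. Interface names, the
# dmznet/lannet/wannet addresses and the SAT fall-through are assumptions.
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action src_if src_net dst_if dst_net service target")


def rule(action, src_if, src_net, dst_if, dst_net, service="all_services", target=None):
    """Build a Rule; "any" and "all-nets" are wildcards, target names a Goto's rule set."""
    def net(text):
        return None if text == "all-nets" else ipaddress.ip_network(text)
    return Rule(action, src_if, net(src_net), dst_if, net(dst_net), service, target)


def matches(r, pkt):
    """True when every field of rule r accepts the packet (a dict of lookup keys)."""
    if r.src_if != "any" and r.src_if != pkt["src_if"]:
        return False
    if r.dst_if != "any" and r.dst_if != pkt["dst_if"]:
        return False
    if r.src_net is not None and ipaddress.ip_address(pkt["src"]) not in r.src_net:
        return False
    if r.dst_net is not None and ipaddress.ip_address(pkt["dst"]) not in r.dst_net:
        return False
    return r.service == "all_services" or r.service == pkt["service"]


def lookup(rulesets, pkt, entry="main"):
    """Scan rule sets top to bottom from `entry` until a rule terminates the lookup.

    Returns (outcome, trace, evaluations): outcome is the terminating action, or
    "unmatched" when the scan runs off the end of a rule set without hitting a Return
    (the page does not say what the firewall does then, so nothing is assumed here);
    trace lists (rule set, rule number, action) for each rule that matched; and
    evaluations counts every rule compared, which is the cost the page is about.
    """
    trace, evaluations, resume = [], 0, []
    name, i = entry, 0
    while True:
        rules = rulesets[name]
        if i >= len(rules):
            return "unmatched", trace, evaluations
        r = rules[i]
        evaluations += 1
        if not matches(r, pkt):
            i += 1
            continue
        trace.append((name, i + 1, r.action))
        if r.action == "Goto":
            resume.append((name, i + 1))   # a later Return continues after this Goto
            name, i = r.target, 0
        elif r.action == "Return":
            if not resume:
                raise ValueError("Return in %s with no Goto to return to" % name)
            name, i = resume.pop()
        elif r.action == "SAT":
            i += 1   # assumption: SAT only translates; lookup continues to the companion rule
        else:
            return r.action, trace, evaluations


# The page's two tables, transcribed as printed (176.16.0.0/16 included).
EXAMPLE_RULESETS = {
    "main": [
        rule("Goto", "any", "all-nets", "core", "172.16.40.0/24", target="ExtraRules"),
        rule("Allow", "any", "192.168.0.0/24", "core", "172.16.0.0/16"),
    ],
    "ExtraRules": [
        rule("SAT", "any", "all-nets", "any", "172.16.40.66"),
        rule("NAT", "If2", "176.16.0.0/16", "any", "all-nets"),
        rule("Return", "If2", "all-nets", "any", "all-nets"),
    ],
}


def packet(src_if, src, dst, dst_if="core", service="http"):
    """A constructed connection to look up; fields mirror the table columns."""
    return {"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst, "service": service}


def flat_and_split(groups, per_group):
    """Build the same Allow rules twice: one flat `main`, and one rule set per
    destination network reached through a Goto rule in `main`.

    groups maps a rule set name (dmz_rules, ...) to its destination network; the
    per_group rules for each destination are interleaved in the flat layout.
    """
    flat = {"main": []}
    split = {"main": [rule("Goto", "any", "all-nets", "any", n, target=g) for g, n in groups.items()]}
    split.update({g: [] for g in groups})
    for k in range(per_group):
        for g, n in groups.items():
            r = rule("Allow", "any", "192.168.%d.0/24" % k, "any", n)
            flat["main"].append(r)
            split[g].append(r)
    return flat, split


if __name__ == "__main__":
    for p in (packet("If2", "176.16.5.5", "172.16.40.66"),    # SAT then NAT in ExtraRules
              packet("If2", "192.168.0.7", "172.16.40.10"),   # Return, then rule 2 of main
              packet("If1", "192.168.0.7", "172.16.40.10")):  # Return matches If2 only
        print(lookup(EXAMPLE_RULESETS, p))
    nets = {"dmz_rules": "10.1.0.0/24", "lan_rules": "10.2.0.0/24", "wan_rules": "10.3.0.0/24"}
    flat, split = flat_and_split(nets, 100)   # 300 Allow rules in total
    p = packet("If1", "192.168.99.5", "10.3.0.9", dst_if="If3")
    print("flat :", lookup(flat, p))    # 300 rules compared
    print("split:", lookup(split, p))   # 3 Goto rules + 100 in wan_rules = 103
```

The trace for the second packet shows exactly what the first section describes: Goto in main, no SAT or NAT match, Return in ExtraRules, then the second entry of main. The third packet shows the If2-only Return caveat, and the flat-versus-split comparison shows why the page recommends grouping by Destination Network: the worst case drops from scanning every rule in main to scanning the three Goto rules plus one group.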
Chapter 3: Fundamentals
237