
D-Link NetDefendOS - Stateless Policy

D-Link NetDefendOS
912 pages
Service: all_services
3. Select OK
3.6.8. Stateless Policy
A Stateless Policy is equivalent to an IP Rule. Both can be used to define a stateless connection;
however, using a Stateless Policy is the recommended method.
A stateless connection means that packets pass through the NetDefend Firewall without a state
for the connection being set up in NetDefendOS's state table. Since the stateful inspection
process is bypassed, this is less secure than a stateful connection. The traffic processing is also
slower since every packet is checked against the entire rule set.
Generally, using a Stateless Policy or IP Rule with a FwdFast action is not recommended because
both will yield slower traffic throughput when compared with a normal stateful connection.
However, some scenarios with certain protocols might require a stateless connection.
Note that the Protocol property of the Service object used with a Stateless Policy does not need to
be set to anything. The Protocol property is ignored with a Stateless Policy.
Note: By default, logging is enabled for a Stateless Policy
Like other types of policy, logging is enabled by default for a Stateless Policy object.
Unfortunately, this means that a log message will be generated for each packet that
triggers the rule. This is usually undesirable, so it is better to disable logging on the policy.
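The behaviour described in this section, as an added example that is not part of the D-Link manual: a simplified Python model (not NetDefendOS code; the Firewall class, the run helper, and the addresses and ports are assumptions) comparing stateful and stateless handling of one flow between lannet and dmznet. It shows that a stateless rule leaves the state table empty, costs one rule-set lookup and one log entry per matching packet, and drops replies unless a second rule covers the return direction.

```python
# Simplified model (assumption), not NetDefendOS code. Rule fields mirror the
# policy properties on this page; addresses and ports are constructed samples.
from ipaddress import ip_address, ip_network

NETS = {"lannet": ip_network("192.168.1.0/24"),
        "dmznet": ip_network("10.0.0.0/24")}

class Firewall:
    def __init__(self, rules):
        self.rules = rules    # list of (kind, src_net, dst_net); kind is "stateful" or "stateless"
        self.states = set()   # state table entries: (src, sport, dst, dport)
        self.lookups = 0      # number of rule-set evaluations
        self.log = []         # one entry per rule trigger (logging left at its default)

    def _match(self, src, dst):
        self.lookups += 1
        for kind, s, d in self.rules:
            if ip_address(src) in NETS[s] and ip_address(dst) in NETS[d]:
                self.log.append((kind, src, dst))
                return kind
        return None

    def handle(self, src, sport, dst, dport):
        """Return True if the packet is forwarded."""
        if (src, sport, dst, dport) in self.states:
            return True       # state hit: no rule-set lookup, no new log entry
        kind = self._match(src, dst)
        if kind == "stateful":
            # The opening packet creates state covering both directions of the flow.
            self.states.add((src, sport, dst, dport))
            self.states.add((dst, dport, src, sport))
        return kind is not None

def run(rules, exchanges=3):
    """Send request/reply pairs between one lannet host and one dmznet host."""
    fw = Firewall(rules)
    results = []
    for _ in range(exchanges):
        results.append(fw.handle("192.168.1.10", 40000, "10.0.0.5", 443))  # request
        results.append(fw.handle("10.0.0.5", 443, "192.168.1.10", 40000))  # reply
    return results, fw.lookups, len(fw.log), len(fw.states)

if __name__ == "__main__":
    lan_dmz, dmz_lan = ("stateless", "lannet", "dmznet"), ("stateless", "dmznet", "lannet")
    print("stateful, one rule:      ", run([("stateful", "lannet", "dmznet")]))
    print("stateless, one direction:", run([lan_dmz]))
    print("stateless, both:         ", run([lan_dmz, dmz_lan]))
```

Each tuple printed is (forwarded flags per packet, rule-set lookups, log entries, state table size).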
Example 3.38. Creating a Stateless Policy
In this example, TCP packets will be sent between the internal network lannet and the dmznet
network. This might be required in a real-world situation because certain traffic types cause
problems.
As with a FwdFast IP rule, two Stateless Policy objects are needed, one for each direction of traffic
flow. Instead of creating a custom Service object, this example will use the predefined object
all_tcp.
Command-Line Interface
Allow stateless TCP flow from lannet to dmznet:
gw-world:/> add StatelessPolicy SourceInterface=lan
    SourceNetwork=lannet
    DestinationInterface=dmz
    DestinationNetwork=dmznet
    Service=all_tcp
    Name=stateless_lan_to_dmz
    Action=Allow
Allow stateless TCP flow from dmznet to lannet:
gw-world:/> add StatelessPolicy SourceInterface=dmz
    SourceNetwork=dmznet
Chapter 3: Fundamentals