28
Firewall
Policy
The Firewall Policy configuration section is the "heart" of the firewall. The policies are the
primary filter that is configured to allow or disallow certain types of network traffic through the
firewall. The policies also regulate how bandwidth management, traffic shaping, is applied to
traffic flowing through the WAN interface of the firewall.
When a new connection is being established through the firewall, the policies are
evaluated, top to bottom, until a policy that matches the new connection is found. The Action
of the rule is then carried out. If the action is Allow, the connection will be established and a
state representing the connection is added to the firewall's internal state table. If the action is
Drop, the new connection will be refused. The section below will explain the meanings of the
various action types available.
Policy modes
The first step in configuring security policies is to configure the mode for the firewall. The
firewall can run in NAT or No NAT (Route) mode. Select NAT mode to use DFL-700 network
address translation to protect private networks from public networks. In NAT mode, you can
connect a private network to the internal interface, a DMZ network to the DMZ interface, and a
public network, such as the Internet, to the external interface. Then you can create NAT mode
policies to accept or deny connections between these networks. NAT mode policies hide the
addresses of the internal and DMZ networks from users on the Internet. In No NAT (Route)
mode you can also create routed policies between interfaces. Route mode policies accept or
deny connections between networks without performing address translation. To use NAT
mode select
Hide source addresses (many-to-one NAT)
and to use No NAT (Route) mode
choose
No NAT
.
Action Types
Drop –
Packets matching Drop rules will immediately be dropped. Such packets will be
logged if logging has been enabled in the Logging Settings page.
Reject –
Reject works basically the same way as Drop. In addition to this, the firewall
sends an ICMP UNREACHABLE message back to the sender or, if the rejected packet was a
TCP packet, a TCP RST message. Such packets will be logged if logging has been enabled
in the Logging Settings page.
Allow –
Packets matching Allow rules are passed to the stateful inspection engine, which
will remember that a connection has been opened. Therefore, rules for return traffic will not be
required as traffic belonging to open connections is automatically dealt with before it reaches
the policies. Logging is carried out if audit logging has been enabled in the Logging Settings
page.
Source and Destination Filter
Source Nets
– Specifies the sender span of IP addresses to be compared to the received
packet. Leave this blank to match everything.
Summary of Contents for DFL-700 - Security Appliance
Page 1: ...D Link DFL 700 Network Security Firewall Manual Building Networks for People 04 18 2005 TM ...
Page 102: ...102 5 Select Connect to the network at my workplace and click Next ...
Page 103: ...6 Select Virtual Private Network connection and click Next ...
Page 104: ...104 7 Name the connection MainOffice and click Next ...
Page 105: ...8 Select Do not dial the initial connection and click Next ...
Page 106: ...106 9 Type the IP address to the server 194 0 2 20 and click Next 10 Click Finish ...