source network should, in fact, be arriving on the interface where it was received. This is done by
NetDefendOS performing a
reverse route lookup
which means that the routing tables are
searched for a route that indicates the network should be found on that interface.
This second route should logically exist if a connection is bidirectional and it must have a pair of
routes associated with it, one for each direction.
3.6.2. IP Rule Set Evaluation
When a new connection, such as a TCP/IP connection, is being established through the
NetDefend Firewall, the IP rule set is scanned from the top to the bottom until an IP rule or IP
policy that matches the parameters of the new connection is found. The first matching rule or
policy's
Action
is then performed.
If the action allows it, the establishment of the new connection will go ahead. A new entry or
state
representing the new connection will then be added to the NetDefendOS internal
state
table
which allows monitoring of opened and active connections passing through the
NetDefend Firewall. If the action is
Drop
or
Reject
then the new connection is refused.
Tip: Rules in the wrong order sometimes cause problems
It is important to remember the principle that NetDefendOS searches the IP rule set from
top to bottom, looking for the first matching IP rule or IP policy.
If a rule set entry seems to be ignored, check that some other rule above it is not being
triggered first.
Stateful Inspection
After initial rule evaluation of the opening connection, subsequent packets belonging to that
connection will not need to be evaluated individually against the rule set. Instead, a much faster
search of the state table is performed for each packet to determine if it belongs to an established
connection.
This approach to packet processing is known as
stateful inspection
and is applied not only to
stateful protocols such as TCP but is also applied to stateless protocols such as UDP and ICMP by
using the concept of "pseudo-connections" . This approach means that evaluation against the IP
rule set is only done in the initial opening phase of a connection. The size of the IP rule set
therefore has negligible effect on overall throughput.
The First Matching Principle
If several rules match the same parameters, the first matching rule in a scan from top to bottom
is the one that decides how the connection will be handled.
The exception to this is
SAT
IP rules since these rely on a pairing with a second IP rule to function.
After encountering a matching
SAT
IP rule, the search will continue on looking for a matching
second IP rule. However, when implementing SAT with IP policies only a single
IP Policy
object is
required. See
for more information about this topic.
Non-matching Traffic
Incoming packets that do not match any rule in the rule set and that do not have an already
opened matching connection in the state table, will automatically be subject to a
Drop
action. As
mentioned above, to be able to log non-matching traffic, it is recommended to create an explicit
rule called DropAll as the final rule in the rule set with an action of
Drop
with Source/Destination
Chapter 3: Fundamentals
232
Summary of Contents for NetDefendOS
Page 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Page 32: ...Chapter 1 NetDefendOS Overview 32 ...
Page 144: ...Chapter 2 Management and Maintenance 144 ...
Page 284: ...Chapter 3 Fundamentals 284 ...
Page 392: ...Chapter 4 Routing 392 ...
Page 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Page 420: ...Chapter 5 DHCP Services 420 ...
Page 573: ...Chapter 6 Security Mechanisms 573 ...
Page 607: ...Chapter 7 Address Translation 607 ...
Page 666: ...Chapter 8 User Authentication 666 ...
Page 775: ...Chapter 9 VPN 775 ...
Page 819: ...Chapter 10 Traffic Management 819 ...
Page 842: ...Chapter 11 High Availability 842 ...
Page 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Page 879: ...Chapter 13 Advanced Settings 879 ...