The exception to this bi-directional flow is FwdFast rules. If the FwdFast action is used, the rule
will not allow traffic to flow from the destination back to the source. If bi-directional flow is
required, then two FwdFast rules are needed, one for each direction. This is also the case if a
FwdFast rule is used with a SAT rule.
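The following check is an added example, not part of the manual or of NetDefendOS. It reads rules written in the `add IPRule` CLI form used in this manual's examples and lists FwdFast rules that have no FwdFast rule for the return direction. The sample rule set, the dmz and dmznet names and the function names are constructed for illustration, and the check assumes that a return rule mirrors the interface and network exactly.

```python
import shlex

# Constructed sample rule set (not from the manual), one CLI command per line.
SAMPLE_RULES = """\
add IPRule Action=Allow Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Name=lan_http
add IPRule Action=FwdFast Service=all_services SourceInterface=lan SourceNetwork=lannet DestinationInterface=dmz DestinationNetwork=dmznet Name=lan_to_dmz
add IPRule Action=FwdFast Service=all_services SourceInterface=dmz SourceNetwork=dmznet DestinationInterface=lan DestinationNetwork=lannet Name=dmz_to_lan
add IPRule Action=FwdFast Service=all_services SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Name=lan_to_wan_fast
"""


def parse_rules(text):
    """Return one dict of Property=Value pairs per `add IPRule` command."""
    rules = []
    for line in text.splitlines():
        # Tolerate a leading CLI prompt such as "gw-world:/main> ".
        _, found, args = line.partition("add IPRule")
        if not found:
            continue
        rules.append(dict(tok.split("=", 1)
                          for tok in shlex.split(args) if "=" in tok))
    return rules


def flow(rule):
    """Source and destination of a rule as (interface, network) pairs."""
    return ((rule.get("SourceInterface"), rule.get("SourceNetwork")),
            (rule.get("DestinationInterface"), rule.get("DestinationNetwork")))


def one_way_fwdfast(rules):
    """Names of FwdFast rules with no FwdFast rule for the opposite direction.

    Assumption: the return rule mirrors interface and network exactly.
    Service is not compared, so the return rule's service still needs review.
    """
    fast = [r for r in rules if r.get("Action", "").lower() == "fwdfast"]
    flows = {flow(r) for r in fast}
    return [r.get("Name", "<unnamed>") for r in fast
            if (flow(r)[1], flow(r)[0]) not in flows]


if __name__ == "__main__":
    for name in one_way_fwdfast(parse_rules(SAMPLE_RULES)):
        print(f"{name}: FwdFast rule with no return-direction FwdFast rule")
```

A reported rule is not necessarily a mistake, since one-way forwarding can be intended; the list is a starting point for review.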
Using Reject
In certain situations the Reject action is recommended instead of the Drop action because a polite
reply is required from NetDefendOS. An example of such a situation is when responding to the
IDENT user identification protocol.
3.5.4. Editing IP rule set Entries
After rules have been added to the rule set, any line can be edited in the Web-UI by
right-clicking on that line.
A context menu will appear with the following options:
Edit: This allows the contents of the rule to be changed.
Delete: This will remove the rule permanently from the rule set.
Disable/Enable: This allows the rule to be disabled but left in the rule set. While disabled the
rule set line will not affect traffic flow and will appear grayed out in the user
interface. It can be re-enabled at any time.
Move options: The last section of the context menu allows the rule to be moved to a
different position in the rule set and therefore have a different precedence.
3.5.5. IP Rule Set Folders
In order to help organise large numbers of entries in IP rule sets, it is possible to create IP rule set
folders. These folders are just like a folder in a computer's file system. They are created with a given
name and can then be used to contain all the IP rules that are related together as a group.
Using folders is simply a way for the administrator to conveniently divide up IP rule set entries and
no special properties are given to entries in different folders. NetDefendOS continues to see all
entries as though they were in a single set of IP rules.
The folder concept is also used by NetDefendOS in the Address Book, where related IP address
objects can be grouped together in administrator created folders.
Example 3.17. Adding an Allow IP Rule
This example shows how to create a simple Allow rule that will allow HTTP connections to be opened from the lannet
network on the lan interface to any network (all-nets) on the wan interface.
CLI
First, change the current category to be the main IP rule set:
gw-world:/> cc IPRuleSet main
Now, create the IP rule:
gw-world:/main> add IPRule Action=Allow Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=wan DestinationNetwork=all-nets Name=lan_http
Chapter 3. Fundamentals