D-Link 260 Network Router User Manual


 
These rules determine the routing table to be used by traffic and are described in Section 4.3,
“Policy-based Routing”.
Authentication Rules
These determine which traffic triggers authentication to take place (source net/interface only)
and are described in Chapter 8, User Authentication.
IP Rules and the Default main IP Rule Set
IP rule sets are the most important of these security policy rule sets. They determine the critical
packet filtering function of NetDefendOS, regulating what is allowed or not allowed to pass through
the NetDefend Firewall and, if necessary, how address translations like NAT are applied. By
default, one NetDefendOS IP rule set always exists and this has the name main.
There are two possible approaches to how traffic traversing the NetDefend Firewall could be dealt
with:
Everything is denied unless specifically permitted.
Or everything is permitted unless specifically denied.
To provide the best security, NetDefendOS adopts the first of these approaches. This means
that when first installed and started, NetDefendOS has no IP rules defined in the main IP rule set
and all traffic is therefore dropped. In order to permit any traffic to traverse the NetDefend Firewall
(as well as to allow NetDefendOS to respond to ICMP Ping requests), some IP rules must be
defined by the administrator.
Each IP rule that is added by the administrator will define the following basic filtering criteria:
From what interface to what interface traffic flows.
From what network to what network the traffic flows.
What kind of protocol is affected (the service).
What action the rule will take when a match on the filter triggers.
Specifying Any Interface or Network
When specifying the filtering criteria in any of the rule sets described above, there are three useful
predefined options that can be used:
For a Source or Destination Network, the all-nets option is equivalent to the IP address 0.0.0.0/0
which will mean that any IP address is acceptable.
For Source or Destination Interface, the any option can be used so that NetDefendOS will not
care about the interface which the traffic is going to or coming from.
The Destination Interface can be specified as core. This means that traffic, such as an ICMP
Ping, is destined for the NetDefend Firewall itself and NetDefendOS will respond to it.
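The following is an added illustration, not NetDefendOS code or anything from the D-Link manual: a small first-match evaluator that models the semantics described above (interface, network and service criteria, the any, all-nets and core wildcards, and the implicit drop when nothing matches). It shows why the explicit, logged Drop rule recommended below is useful: a packet that falls off the end of the rule set is dropped silently, whereas a matching drop-all rule can record the event. Address book names (lannet, lan_ip, wan_ip), the service table, the sample packets and the treatment of core as a pre-classified destination interface are all assumptions made for this example.

```python
"""Constructed first-match IP rule set evaluator (illustration only, not NetDefendOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"          # interface wildcard: source or destination interface is not checked
CORE = "core"        # destination interface meaning "the firewall itself"
ALL_NETS = "0.0.0.0/0"

# Assumed address book for the example (not taken from the manual).
ADDRESS_BOOK = {
    "lannet": "192.168.1.0/24",
    "lan_ip": "192.168.1.1/32",
    "wan_ip": "203.0.113.10/32",
    "all-nets": ALL_NETS,
}

# Assumed services: name -> (protocol, destination port). None means "any".
SERVICES = {
    "all_services": (None, None),
    "ping": ("icmp", None),
    "http": ("tcp", 80),
}


@dataclass(frozen=True)
class Packet:
    src_if: str
    dst_if: str            # "core" when the classifier has identified a firewall-owned address
    src_ip: str
    dst_ip: str
    proto: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class IPRule:
    name: str
    action: str            # e.g. "Allow", "NAT", "Drop"
    src_if: str
    dst_if: str
    src_net: str           # address book name
    dst_net: str           # address book name
    service: str           # SERVICES name
    log: bool = False


def _net(name: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(ADDRESS_BOOK[name])


def matches(rule: IPRule, pkt: Packet) -> bool:
    """All four criteria (interfaces, networks, service) must match for the rule to trigger."""
    if rule.src_if != ANY and rule.src_if != pkt.src_if:
        return False
    if rule.dst_if != ANY and rule.dst_if != pkt.dst_if:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in _net(rule.src_net):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in _net(rule.dst_net):
        return False
    proto, port = SERVICES[rule.service]
    if proto is not None and proto != pkt.proto:
        return False
    if port is not None and port != pkt.dport:
        return False
    return True


def evaluate(ruleset: List[IPRule], pkt: Packet, log: List[str]) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) of the first matching rule.

    A packet matching no rule is dropped implicitly and nothing is logged,
    which is why an explicit logged drop-all rule is placed last in practice.
    """
    for rule in ruleset:
        if matches(rule, pkt):
            if rule.log:
                port = "" if pkt.dport is None else f"/{pkt.dport}"
                log.append(f"{rule.action} by {rule.name}: {pkt.src_if}/{pkt.src_ip} -> "
                           f"{pkt.dst_if}/{pkt.dst_ip} {pkt.proto}{port}")
            return rule.action, rule.name
    return "Drop", None


# Assumed main rule set: ping the firewall from the LAN, NAT LAN traffic out, log-drop the rest.
MAIN_RULESET = [
    IPRule("lan_ping_fw", "Allow", "lan", CORE, "lannet", "lan_ip", "ping"),
    IPRule("lan_to_wan", "NAT", "lan", "wan", "lannet", "all-nets", "all_services"),
    IPRule("drop_all", "Drop", ANY, ANY, "all-nets", "all-nets", "all_services", log=True),
]

if __name__ == "__main__":
    log: List[str] = []
    ping_fw = Packet("lan", CORE, "192.168.1.50", "192.168.1.1", "icmp")
    print("empty rule set:", evaluate([], ping_fw, log))            # implicit Drop, no log entry
    print("main rule set: ", evaluate(MAIN_RULESET, ping_fw, log))
    inbound = Packet("wan", "lan", "198.51.100.7", "192.168.1.50", "tcp", 80)
    print("inbound http:  ", evaluate(MAIN_RULESET, inbound, log))
    print("\n".join(log))
```

Rule order matters: the drop-all rule must be the last entry, since any rule placed after it can never be reached.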
Creating a Drop All Rule
Traffic that does not match any rule in the IP rule set is, by default, dropped by NetDefendOS. For
logging purposes it is nevertheless recommended that an explicit IP rule with an action of Drop for
3.5.1. Security Policies Chapter 3. Fundamentals
117