second rule. See Section 7.3, “SAT” for more information on this topic.

Non-matching Traffic

Incoming packets that do not match any rule in the rule set and that do not have an already opened matching connection in the state table will automatically be subject to a Drop action. For explicitness there should be a rule called DropAll as the final rule in the rule set, with an action of Drop, Source/Destination Network all-nets and Source/Destination Interface all.

3.5.3. IP Rule Actions

A rule consists of two parts: the filtering parameters and the action to take if there is a match with those parameters. As described above, the parameters of any NetDefendOS rule, including IP rules, are:

• Source Interface
• Source Network
• Destination Interface
• Destination Network
• Service

When an IP rule is triggered by a match then one of the following Actions can occur:

Allow    The packet is allowed to pass. As the rule is applied only to the opening of a connection, an entry in the "state table" is made to record that a connection is open. The remaining packets related to this connection will pass through the NetDefendOS "stateful engine".

FwdFast    Let the packet pass through the D-Link Firewall without setting up a state for it in the state table. This means that the stateful inspection process is bypassed and is therefore less secure than Allow or NAT rules. Packet processing time is also slower than Allow rules since every packet is checked against the entire rule set.

NAT    This functions like an Allow rule, but with dynamic address translation (NAT) enabled (see Section 7.1, “NAT” in Chapter 7, Address Translation for a detailed description).

SAT    This tells NetDefendOS to perform static address translation. A SAT rule always requires a matching Allow, NAT or FwdFast rule further down the rule set (see Section 7.3, “SAT” in Chapter 7, Address Translation for a detailed description).

Drop    This tells NetDefendOS to immediately discard the packet. This is an "impolite" version of Reject in that no reply is sent back to the sender. It is often preferable since it gives a potential attacker no clues about what happened to their packets.

Reject    This acts like Drop, but will return a "TCP RST" or "ICMP Unreachable" message, informing the sending computer that the packet was disallowed. This is a "polite" version of the Drop action.

Bi-directional Connections

A common mistake when setting up IP Rules is to define two rules, one rule for traffic in one direction and another rule for traffic coming back in the other direction. In fact nearly all IP Rule types allow bi-directional traffic flow once the initial connection is set up. The Source Network and Source Interface in the rule mean the source of the initial connection request. If a connection is permitted and then becomes established, traffic can flow in either direction over it.

3.5.3. IP Rule Actions    Chapter 3. Fundamentals    104
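The following is an added illustration, not NetDefendOS code or any vendor implementation: a small model of how the rule set above is evaluated, showing first-match ordering, the explicit DropAll rule, the state-table entry that lets reply traffic of an Allow connection pass without a second rule, and why FwdFast traffic is checked against the rule set on every packet. Interface names, networks, service names and the tuple used to key the state table are simplifications chosen for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# action: Allow, NAT, FwdFast, Drop or Reject (SAT is left out of this model);
# interfaces are names or "all"; networks are CIDR strings or "all-nets";
# service is a name such as "http" or "all_services" (simplified, constructed).
Rule = namedtuple("Rule", "name action src_if src_net dst_if dst_net service")
Packet = namedtuple("Packet", "in_if src out_if dst service")

def _if_ok(rule_if, pkt_if):
    return rule_if == "all" or rule_if == pkt_if

def _net_ok(rule_net, addr):
    return rule_net == "all-nets" or ip_address(addr) in ip_network(rule_net)

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # open connections as (initiator, responder, service)

    def evaluate(self, pkt):
        # A packet that belongs to an already opened connection, in either
        # direction, is handled by the state table and never consults the rules.
        if ((pkt.src, pkt.dst, pkt.service) in self.state
                or (pkt.dst, pkt.src, pkt.service) in self.state):
            return "state"
        for r in self.rules:   # first match wins, evaluated top to bottom
            if (_if_ok(r.src_if, pkt.in_if) and _net_ok(r.src_net, pkt.src)
                    and _if_ok(r.dst_if, pkt.out_if) and _net_ok(r.dst_net, pkt.dst)
                    and r.service in (pkt.service, "all_services")):
                if r.action in ("Allow", "NAT"):   # stateful: record the connection
                    self.state.add((pkt.src, pkt.dst, pkt.service))
                return r.action   # FwdFast, Drop and Reject create no state
        return "Drop"   # no rule matched: the implicit default is a silent drop

# Constructed rule set; the explicit DropAll rule sits last, as recommended above.
RULES = [
    Rule("lan_to_wan_http", "Allow", "lan", "192.168.1.0/24", "wan", "all-nets", "http"),
    Rule("lan_dns_fast", "FwdFast", "lan", "192.168.1.0/24", "wan", "all-nets", "dns"),
    Rule("DropAll", "Drop", "all", "all-nets", "all", "all-nets", "all_services"),
]
```

With this rule set the HTTP reply from the server passes via the state table without any wan-to-lan rule, whereas the reply to the FwdFast DNS request has no state and falls through to DropAll.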