D-Link DFL-500 user manual Configuring policy lists, Policy matching in detail

Adding a Transparent mode Int ->Ext policy

Configuring policy lists

The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general.

For example, the default policy is a very general policy because it matches all connection attempts. To create exceptions to this policy, they must be added to the policy list above the default policy. No policy below the default policy will ever be matched.

This section describes:

•Policy matching in detail

•Changing the order of policies in a policy list

•Enabling and disabling policies

Policy matching in detail

When the firewall receives a connection attempt at an interface, it must match the connection attempt to a policy in either the Int ->Ext or Ext ->Int policy list. The firewall starts at the top of the policy list for the interface that received the connection attempt and searches down the list for the first policy that matches the connection attempt source and destination addresses, service port, and time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped.

The default policy accepts all connection attempts from the internal network to the Internet. From the internal network, users can browse the web, use POP3 to get email, use FTP to download files through the firewall, and so on. If the default policy is at the top of the Int ->Ext policy list, the firewall allows all connections from the internal network to the Internet because all connections match the default policy.

A policy that is an exception to the default policy, for example, a policy to block FTP connections, must be placed above the default policy in the Int ->Ext policy list. In this example, all FTP connection attempts from the internal network would then match the FTP policy and be blocked. Connection attempts for all other kinds of services would not match with the FTP policy but they would match with the default policy. Therefore, the firewall would still accept all other connections from the internal network.