All IP traffic to be forwarded towards the gateways specified in the Internet gateways section of the Net setup is evaluated to determine whether it should be forwarded to its destination or blocked on the spot. The rules for this access right are collected in the Computer Rights and User Rights settings.
- HOW IT WORKS
The principle behind the rule processing is fairly simple. For each IP packet:
- Find a rule.
- Apply it.
If no rule is found, the packet is blocked.
Each rule ends in a Priority setting with one of the following values: High, Medium, Low or Block. Once a rule is found, applying it is straightforward: if Priority is Block, the packet is blocked; otherwise it is forwarded to its destination.
The process of finding the rule to apply is more complicated. Rules are grouped into two sections: Computer Rights and User Rights. Computer Rights are enforced before User Rights. If a matching Computer Right is found, the User Rights setting is skipped. Computer Rights are independent of who is logged on to which computer onboard.
To find a rule to apply, the information associated with the IP packet is compared to the Computer Rights settings. The fields compared are, in order: Method, Source (onboard) computer, Service and finally Destination IP mask.
Network Control looks for the most specific matching rule for each packet. Rules are evaluated from left to right through their settings (Method, Source computer, Service, Destination IP mask). A rule is considered matching if the information associated with the IP packet matches all fields of the rule. A blank setting means "any match is ok". A rule is considered more specific than another if it has a longer non-blank specification when evaluated from left to right. The user interface sorts the most specific rules to the top and the more generic ones towards the bottom.
The Method field of the rule is compared to the method of the gateway on which the packet appears. Therefore, one particular IP packet can match different rules as it is forwarded (through failover) down the Internet gateway list.
The other fields of the rule are compared to information contained inside the IP packet.
- SOURCE COMPUTER
The Source computer field can be used to limit the rule to a specific onboard computer. It is compared directly to the originating computer of the IP packet (through the source field of the IP header), and they must be identical for the rule to match. A blank Source computer field will match any packet.
- SERVICE
The Service field is used to limit a rule to a certain Service. A Service is a technical Internet term used to define the combination of Internet Protocol (most commonly TCP and UDP) and port number. For a packet to match a rule, the service indicated by the packet must match the Service in the rule configuration. A blank Service setting will match any packet.
- DESTINATION IP MASK
The Destination IP mask field is used to limit the rule to packets with a certain destination on the Internet. Each IP packet carries a destination field in its header. This field tells which computer on the Internet the packet is directed at. Network Control compares this field to the Destination IP settings to determine if the rule is matching.
The Destination IP settings can contain a set of network masks given in the x.x.x.x/xx format (see figure below). A rule is considered matching if the destination field of the packet falls within any of the masks in the setting. A blank field will match any packet.
Note also that for rules that are otherwise equal, the notion of "more specific" extends into the Destination IP setting. The most specific rule is the one whose mask matches the most bits (from left to right) of the destination address of the IP packet (longest matching rule).
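The rule selection described above (Computer Rights before User Rights, most specific rule by left-to-right non-blank fields, longest destination prefix as tie-break, and block when no rule matches) modelled as an added example; this is not Network Control's own code. The rule tables, computer names and methods are constructed, and treating the non-blank field pattern as a lexicographic key is an assumption about how "longer non-blank specification" is ordered.

```python
import ipaddress

# Constructed sample tables: (method, source computer, service, dest masks, priority).
# "" or [] means blank, i.e. "any match is ok".
COMPUTER_RIGHTS = [
    ("VSAT", "", "", [], "High"),
    ("VSAT", "pc-bridge", "tcp/443", ["10.0.0.0/8"], "Block"),
    ("VSAT", "pc-bridge", "tcp/443", ["10.20.0.0/16"], "Low"),
    ("4G", "", "", [], "Block"),
]
USER_RIGHTS = [
    ("", "pc-crew", "", [], "Medium"),
]

def longest_match(masks, dst):
    """Longest prefix length among masks containing dst (-1 if none); blank = 0."""
    if not masks:
        return 0
    nets = [ipaddress.ip_network(m, strict=False) for m in masks]
    return max((n.prefixlen for n in nets if dst in n), default=-1)

def most_specific(rules, method, source, service, dst_ip):
    """Return the most specific matching rule, or None. Specificity is modelled
    (assumption) as the left-to-right pattern of non-blank fields, with the
    longest destination prefix breaking ties between otherwise equal rules."""
    dst = ipaddress.ip_address(dst_ip)
    best, best_key = None, None
    for rule in rules:
        r_method, r_source, r_service, r_masks, _ = rule
        if (r_method and r_method != method) or (r_source and r_source != source) \
                or (r_service and r_service != service):
            continue
        plen = longest_match(r_masks, dst)
        if plen < 0:
            continue  # destination outside every mask of this rule
        key = (tuple(bool(f) for f in (r_method, r_source, r_service, r_masks)), plen)
        if best_key is None or key > best_key:
            best, best_key = rule, key
    return best

def decide(method, source, service, dst_ip, computer=COMPUTER_RIGHTS, user=USER_RIGHTS):
    """Computer Rights first; User Rights only if none matched; no rule means block."""
    rule = most_specific(computer, method, source, service, dst_ip)
    if rule is None:  # no Computer Right matched: fall through to User Rights
        rule = most_specific(user, method, source, service, dst_ip)
    return "block" if rule is None or rule[4] == "Block" else "forward"
```

Calling decide() with the same packet but a different method shows how the outcome can change as the packet fails over down the gateway list.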