Before a new connection is checked against the IP rule set, cOS Core checks the connection source against a set of Access Rules. Access Rules can be used to specify what traffic source is expected on a given interface and also to automatically drop traffic originating from specific sources. Access Rules provide an efficient and targeted initial filter of new connection attempts.
The Default Access Rule
Even if the administrator does not explicitly specify any custom Access Rules, one access rule is always in place, known as the Default Access Rule. This default rule is not really a true rule; it checks the validity of incoming traffic by performing a reverse lookup in the cOS Core routing tables. The lookup validates that the incoming traffic comes from a source that the routing tables indicate is reachable via the interface on which the traffic arrived. If this reverse lookup fails, the connection is dropped and a Default Access Rule log message is generated.
For most configurations the Default Access Rule is sufficient and the administrator does not need to explicitly specify other rules. If Access Rules are explicitly specified, then the Default Access Rule is still applied if a new connection does not match any of the custom Access Rules.
Access rule settings
The configuration of an access rule is similar to other types of rules. It contains Filtering Fields as well as the Action to take. If there is a match, the rule is triggered, and cOS Core will carry out the specified Action.
The Access Rule filtering fields used to trigger a rule are:
- Interface: The interface that the packet arrives on.
- Network: The IP address range that the sender address should belong to.
The Access Rule actions that can be specified are:
- Drop: Discard the packets that match the defined fields.
- Accept: Accept the packets that match the defined fields for further inspection in the rule set.
- Expect: If the sender address of the packet matches the Network specified by this rule, the receiving interface is compared to the specified interface. If the interface matches, the packet is accepted in the same way as an Accept action. If the interfaces do not match, the packet is dropped in the same way as a Drop action.
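To make the decision logic concrete, the following is an added example (not cOS Core code or its configuration syntax) that simulates the evaluation described above: custom rules are walked top-down, an Expect rule is triggered by the Network field alone and then lets the interface decide, Accept and Drop need both fields to match, and anything unmatched falls through to the Default Access Rule's reverse routing lookup. The routing table, rule names and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table for the example: (destination network, interface).
# The Default Access Rule performs its reverse lookup against this table.
ROUTES = [("192.168.1.0/24", "lan"), ("10.0.0.0/8", "dmz"), ("0.0.0.0/0", "wan")]

@dataclass
class AccessRule:
    name: str
    interface: str   # filtering field: the interface the packet arrives on
    network: str     # filtering field: range the sender address should belong to
    action: str      # "Drop", "Accept" or "Expect"

def route_lookup(ip, routes=ROUTES):
    """Longest-prefix match: the interface through which 'ip' is reachable."""
    addr, best = ipaddress.ip_address(ip), None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None

def default_access_rule(src_ip, in_iface, routes=ROUTES):
    """Reverse lookup: the source must be reachable via the arrival interface."""
    return "Accept" if route_lookup(src_ip, routes) == in_iface else "Drop"

def evaluate(src_ip, in_iface, rules, routes=ROUTES):
    """Walk custom rules top-down; unmatched connections fall through to the
    Default Access Rule. Returns (action, name of the rule that decided)."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src not in ipaddress.ip_network(rule.network):
            continue  # Network field does not match, so this rule is not triggered
        if rule.action == "Expect":
            # Network matched: the arrival interface now decides Accept or Drop
            return ("Accept" if rule.interface == in_iface else "Drop"), rule.name
        if rule.interface == in_iface:  # Accept/Drop need both fields to match
            return rule.action, rule.name
    return default_access_rule(src_ip, in_iface, routes), "DefaultAccessRule"

# Constructed rule set: LAN addresses are only expected on the lan interface,
# and loopback sources arriving on wan are dropped outright.
RULES = [
    AccessRule("ExpectLan", "lan", "192.168.1.0/24", "Expect"),
    AccessRule("DropLoopbackOnWan", "wan", "127.0.0.0/8", "Drop"),
]

if __name__ == "__main__":
    for src, iface in [("192.168.1.10", "lan"), ("192.168.1.10", "wan"), ("8.8.8.8", "lan")]:
        print(src, iface, evaluate(src, iface, RULES))
```

The second and third sample connections are dropped: a LAN address arriving on wan fails the Expect rule, and a public address arriving on lan fails the default reverse lookup, which is the case that produces the Default Access Rule log message.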
Troubleshooting Access Rule Related Problems
It should be noted that Access Rules are the first filter applied to traffic, before any other cOS Core module can see it. Precisely because of this, problems can sometimes appear in other functions, such as setting up VPN tunnels. It is always advisable to check the Access Rules when troubleshooting puzzling problems, in case a rule is preventing some other function, such as VPN tunnel establishment, from working properly.