FW-README.html
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="GENERATOR" CONTENT="Mozilla/4.05 [en] (X11; I; Linux 2.0.34 i586) [Netscape]">
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#0000FF" VLINK="#303030" ALINK="#FF0000">
<CENTER><FONT SIZE=+2>General concepts</FONT></CENTER>
<P>An IP packet filter inspects network datagrams (IP packets) and decides
whether each packet
<BR>is allowed to pass through the filter or not.
<P>Which packets the filter lets through and which it restricts is decided by a
set of rules generated by DNi.
<BR>The order of the filter rules is important: only the first matching
rule is taken into account, so a broad rule placed early hides every more
specific rule that follows it.
<CENTER></CENTER>
<P>
<P>
<CENTER><FONT SIZE=+2>How does DNi work?</FONT></CENTER>
<P><FONT SIZE=+1>step 1.</FONT> Flush all filter rules previously set by
DNi.
<P><I>Next, DNi sets up the new set of filter rules.</I>
<P><FONT SIZE=+1>step 2.</FONT> Set up a default policy that applies to
packets matching none of the following rules.
<P><FONT SIZE=+1>step 3.</FONT> Restrict the traffic through the system
by allowing or denying packets
<BR>according to a set of well-known source hosts or networks.
<P><FONT SIZE=+1>step 4.</FONT> Allow any traffic coming from the
local host.
<BR>In other words, a local user can initiate a session to any
<BR>local service. (Such traffic is recognised by the loopback interface it
arrives on, not by a 127.0.0.1 source address, which a packet arriving from
the network could also carry.)
<P><FONT SIZE=+1>step 5.</FONT> Accept return TCP/UDP traffic from
remote hosts.
<BR>In other words, a local user can initiate a session to any
<BR>service on remote hosts.
<P><FONT SIZE=+1>step 6.</FONT> Define the local services that accept or deny connections
from remote hosts.
<BR>Here DNi combines rules (by specifying multiple port numbers or service
names in a single rule) as much as
<BR>possible, because every IP packet is compared against the filter rules in
order, and each rule costs some
<BR>CPU time.
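<P>The six steps above carried out in order, as an added example that is not
DNi's own code: a POSIX shell script that emits the rule set as
<TT>iptables</TT> commands for the <TT>INPUT</TT> chain, with the first-match
rule deciding where each step's rules go. The page does not name the filter
tool DNi drives, so <TT>iptables</TT> (with its <TT>conntrack</TT> and
<TT>multiport</TT> matches), the assumption that DNi is the only manager of
<TT>INPUT</TT>, and the addresses and port lists are all assumptions;
the addresses are constructed samples from documentation ranges.

```shell
#!/bin/sh
# Added example (not DNi's own code): the six DNi steps emitted as
# iptables commands for the INPUT chain, in first-match order.
# Assumed: iptables with the conntrack and multiport matches; DNi is the
# only manager of INPUT; the addresses and ports below are constructed samples.
#
# By default the script only prints the commands (dry run).  Run it as
#   IPT=iptables sh dni-rules.sh
# as root to apply them.

IPT="${IPT:-echo iptables}"

DENIED_HOSTS="203.0.113.9"                 # step 3: always refused
TRUSTED_NETS="192.0.2.0/24 198.51.100.7"   # step 3: always accepted
TCP_SERVICES="22,80,443"                   # step 6: one rule for all three
UDP_SERVICES="53"

dni_rules() {
    # step 1: drop every rule previously installed in the chain
    $IPT -F INPUT

    # step 2: default policy for packets that match none of the rules below.
    # It is the chain policy, so it is consulted last no matter where this
    # command appears in the script.
    $IPT -P INPUT DROP

    # step 3: deny-list before allow-list, because only the first matching
    # rule counts: a host present in both lists is refused.
    for h in $DENIED_HOSTS; do
        $IPT -A INPUT -s "$h" -j DROP
    done
    for n in $TRUSTED_NETS; do
        $IPT -A INPUT -s "$n" -j ACCEPT
    done

    # step 4: local host.  Match the loopback interface, not the 127.0.0.1
    # source address, which a packet arriving from the network could carry.
    $IPT -A INPUT -i lo -j ACCEPT

    # step 5: replies to sessions that local users opened to remote hosts
    # (stateful match; needs the conntrack module loaded)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # step 6: offered services, combined into one rule per protocol so that
    # an incoming packet is compared against as few rules as possible
    $IPT -A INPUT -p tcp -m multiport --dports "$TCP_SERVICES" -j ACCEPT
    $IPT -A INPUT -p udp -m multiport --dports "$UDP_SERVICES" -j ACCEPT
}

# 1-based position of the first emitted command containing $2 in the
# command list $1 (empty when absent); used to check the ordering.
rule_index() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

dni_rules
```

<P>In the dry run the script prints nine commands; the deny rule for the
refused host comes out before any ACCEPT, and both loopback and return-traffic
rules come out before the service rules, which is the order the steps require.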
<P>
<P>
</BODY>
</HTML>