Page 61 / 149 Scroll up to view Page 56 - 60
Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall
Security
5-7
You may define additional rules that will specify exceptions to the default rules. By adding custom
rules, you can block or allow access based on the service or application, source or destination IP
addresses, and time of day. You can also choose to log traffic that matches or does not match the
rule you have defined.
To create a new rule, click the Add button.
To edit an existing rule, select its button on the left side of the table and click Edit.
To delete an existing rule, select its button on the left side of the table and click Delete.
To move an exisiting rule to a different position in the table, select its button on the left side of the
table and click Move. At the script prompt, enter the number of the desired new position and click
OK.
An example of the menu for defining or editing a rule is shown in
Figure 5-4
. The parameters are:
Service
From this list, select the application or service to be allowed or blocked. The list already
displays many common services, but you are not limited to these choices. Use the Services
menu to add any additional services or applications that do not already appear.
Action
Choose how you would like this type of traffic to be handled. You can block or allow always,
or you can choose to block or allow according to the schedule you have defined in the
Schedule menu.
Source Address
Specify traffic originating on the LAN (outbound) or the WAN (inbound), and choose whether
you would like the traffic to be restricted by source IP address. You can select Any, a Single
address, or a Range. If you select a range of addresses, enter the range in the start and finish
boxes. If you select a single address, enter it in the start box.
Destination Address
The Destination Address will be assumed to be from the opposite (LAN or WAN) of the
Source Address. As with the Source Address, you can select Any, a Single address, or a Range
unless NAT is enabled and the destination is the LAN. In that case, you must enter a Single
LAN address in the start box.
Log
You can select whether the traffic will be logged. The choices are:
Never - no log entries will be made for this service.
Always - any traffic for this service type will be logged.
Page 62 / 149
Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall
5-8
Security
Match - traffic of this type which matches the parameters and action will be logged.
Not match - traffic of this type which does not match the parameters and action will be
logged.
Inbound Rules (Port Forwarding)
Because the NETGEAR ProSafe Firewall uses Network Address Translation (NAT), your network
presents only one IP address to the Internet, and outside users cannot directly address any of your
local computers. However, by defining an inbound rule you can can make a local server (for
example, a web server or game server) visible and available to the Internet. The rule tells the
firewall to direct inbound traffic for a particular service to one local server based on the destination
port number. This is also known as port forwarding. .
Remember that allowing inbound services opens holes in your firewall. Only enable those ports
that are necessary for your network. Following are two application examples of inbound rules:
Note:
Some residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may periodically
check for servers and may suspend your account if it discovers any active services at
your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Page 63 / 149
Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall
Security
5-9
Inbound Rule Example: A Local Public Web Server
If you host a public web server on your local network, you can define a rule to allow inbound web
(HTTP) requests from any outside IP address to the IP address of your web server at any time of
day. This rule is shown in
Figure 5-4
:
Figure 5-4.
Rule example:
A Local Public Web Server
Page 64 / 149
Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall
5-10
Security
Inbound Rule Example: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside
IP addresses, such as from a branch office, you can create an inbound rule. In the example shown
in
Figure 5-5
, CU-SeeMe connections are allowed only from a specified range of external IP
addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that
do not match the allowed parameters.
Figure 5-5.
Rule example: Videoconference from Restricted Addresses
Considerations for Inbound Rules:
If your external IP address is assigned dynamically by your ISP, the IP address may change
periodically as the DHCP lease expires. Consider using the Dyamic DNS feature in the
Advanced menus so that external users can always find your network.
If the IP address of the local server PC is assigned by DHCP, it may change when the PC is
rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the
PC’s IP address constant.
Local PCs must access the local server using the PCs’ local LAN address (192.168.0.99 in this
example). Attempts by local PCs to access the server using the external WAN IP address will
fail.
Page 65 / 149
Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall
Security
5-11
Outbound Rules (Service Blocking)
The NETGEAR ProSafe Firewall allows you to block the use of certain Internet services by PCs
on your network. This is called service blocking or port filtering. You can define an outbound rule
to block Internet access from a local PC based on:
the IP address of the local PC (source address)
the IP address of the Internet site being contacted (destination address)
the time of day
the type of service being requested (service port number)
Following is an application example of outbound rules:
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create
an outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created in the Schedule menu. You can also have the
firewall log any attempt to use Instant Messenger during that blocked period.
Figure 5-6.
Rule example: Blocking Instant Messenger

Rate

4 / 5 based on 1 vote.

Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top