Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Security

5-7

You may define additional rules that will specify exceptions to the default rules. By adding custom

rules, you can block or allow access based on the service or application, source or destination IP

addresses, and time of day. You can also choose to log traffic that matches or does not match the

rule you have defined.

To create a new rule, click the Add button.

To edit an existing rule, select its button on the left side of the table and click Edit.

To delete an existing rule, select its button on the left side of the table and click Delete.

To move an exisiting rule to a different position in the table, select its button on the left side of the

table and click Move. At the script prompt, enter the number of the desired new position and click

OK.

An example of the menu for defining or editing a rule is shown in

Figure 5-4

. The parameters are:

•

Service

From this list, select the application or service to be allowed or blocked. The list already

displays many common services, but you are not limited to these choices. Use the Services

menu to add any additional services or applications that do not already appear.

•

Action

Choose how you would like this type of traffic to be handled. You can block or allow always,

or you can choose to block or allow according to the schedule you have defined in the

Schedule menu.

•

Source Address

Specify traffic originating on the LAN (outbound) or the WAN (inbound), and choose whether

you would like the traffic to be restricted by source IP address. You can select Any, a Single

address, or a Range. If you select a range of addresses, enter the range in the start and finish

boxes. If you select a single address, enter it in the start box.

•

Destination Address

The Destination Address will be assumed to be from the opposite (LAN or WAN) of the

Source Address. As with the Source Address, you can select Any, a Single address, or a Range

unless NAT is enabled and the destination is the LAN. In that case, you must enter a Single

LAN address in the start box.

•

Log

You can select whether the traffic will be logged. The choices are:

•

Never - no log entries will be made for this service.

•

Always - any traffic for this service type will be logged.

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

5-8

Security

•

Match - traffic of this type which matches the parameters and action will be logged.

•

Not match - traffic of this type which does not match the parameters and action will be

logged.

Inbound Rules (Port Forwarding)

Because the NETGEAR ProSafe Firewall uses Network Address Translation (NAT), your network

presents only one IP address to the Internet, and outside users cannot directly address any of your

local computers. However, by defining an inbound rule you can can make a local server (for

example, a web server or game server) visible and available to the Internet. The rule tells the

firewall to direct inbound traffic for a particular service to one local server based on the destination

port number. This is also known as port forwarding. .

Remember that allowing inbound services opens holes in your firewall. Only enable those ports

that are necessary for your network. Following are two application examples of inbound rules:

Note:

Some residential broadband ISP accounts do not allow you to run any server

processes (such as a Web or FTP server) from your location. Your ISP may periodically

check for servers and may suspend your account if it discovers any active services at

your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Security

5-9

Inbound Rule Example: A Local Public Web Server

If you host a public web server on your local network, you can define a rule to allow inbound web

(HTTP) requests from any outside IP address to the IP address of your web server at any time of

day. This rule is shown in

Figure 5-4

:

Figure 5-4.

Rule example:

A Local Public Web Server

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

5-10

Security

Inbound Rule Example: Allowing Videoconference from Restricted Addresses

If you want to allow incoming videoconferencing to be initiated from a restricted range of outside

IP addresses, such as from a branch office, you can create an inbound rule. In the example shown

in

Figure 5-5

, CU-SeeMe connections are allowed only from a specified range of external IP

addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that

do not match the allowed parameters.

Figure 5-5.

Rule example: Videoconference from Restricted Addresses

Considerations for Inbound Rules:

•

If your external IP address is assigned dynamically by your ISP, the IP address may change

periodically as the DHCP lease expires. Consider using the Dyamic DNS feature in the

Advanced menus so that external users can always find your network.

•

If the IP address of the local server PC is assigned by DHCP, it may change when the PC is

rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the

PC’s IP address constant.

•

Local PCs must access the local server using the PCs’ local LAN address (192.168.0.99 in this

example). Attempts by local PCs to access the server using the external WAN IP address will

fail.

Reference Manual for the Model FR114P, FR114W and FM114P Cable/DSL ProSafe Firewall

Security

5-11

Outbound Rules (Service Blocking)

The NETGEAR ProSafe Firewall allows you to block the use of certain Internet services by PCs

on your network. This is called service blocking or port filtering. You can define an outbound rule

to block Internet access from a local PC based on:

•

the IP address of the local PC (source address)

•

the IP address of the Internet site being contacted (destination address)

•

the time of day

•

the type of service being requested (service port number)

Following is an application example of outbound rules:

Outbound Rule Example: Blocking Instant Messenger

If you want to block Instant Messenger usage by employees during working hours, you can create

an outbound rule to block that application from any internal IP address to any external address

according to the schedule that you have created in the Schedule menu. You can also have the

firewall log any attempt to use Instant Messenger during that blocked period.

Figure 5-6.

Rule example: Blocking Instant Messenger