Firewall Protection
126
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
the incoming packet is in response to an outgoing request, but true stateful packet inspection goes far beyond NAT.
For IPv6, the firewall likewise controls the exchange of traffic between the Internet, DMZ, and LAN. IPv6 does not make these controls unnecessary: because there is no NAT, every LAN host that holds a global IPv6 address is reachable from the Internet unless an inbound rule blocks it.
Administrator Tips
Consider the following operational items:
1. As an option, you can enable remote management if you have to manage distant sites from a central location (see Configure Authentication Domains, Groups, and Users on page 289 and Configure Remote Management Access on page 322). Remote management exposes the administrative interface to the WAN, so restrict it to the source addresses that need it and use strong administrator credentials.
2. Although rules are the basic way of managing the traffic through your system (see Overview of Rules to Block or Allow Specific Kinds of Traffic on page 126), you can further refine your control using the following features and capabilities of the wireless VPN firewall:
- Groups and hosts (see Manage IPv4 Groups and Hosts (IPv4 LAN Groups) on page 64)
- Services (see Outbound Rules (Service Blocking) on page 127 and Inbound Rules (Port Forwarding) on page 130)
- Schedules (see Set a Schedule to Block or Allow Specific Traffic on page 178)
- Allowing or blocking sites (see Configure Content Filtering on page 174)
- Source MAC filtering (see Enable Source MAC Filtering on page 179)
- Port triggering (see Configure Port Triggering on page 185)
3. Some firewall settings might affect the performance of the wireless VPN firewall. For more information, see Performance Management on page 314.
4. The firewall logs can be configured to log and then email denial of access, general attack, and other information to a specified email address. For information about how to configure logging and notifications, see Configure Logging, Alerts, and Event Notifications on page 338.
Overview of Rules to Block or Allow Specific Kinds of Traffic
Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 800 firewall rules on the wireless VPN firewall (see Table 31 on page 127). Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the wireless VPN firewall are:
- Inbound. Block all access from outside except responses to requests from the LAN side.
- Outbound. Allow all access from the LAN side to the outside.
Because the default outbound rule allows everything, a compromised LAN host can reach any Internet service until you add BLOCK rules for the services your network does not need.
The firewall rules for blocking and allowing traffic on the wireless VPN firewall can be applied to LAN WAN traffic, DMZ WAN traffic, and LAN DMZ traffic.
The rules to block or allow traffic are based on the traffic’s category of service:
- Outbound rules (service blocking). Outbound traffic is allowed unless you configure the firewall to block specific or all outbound traffic.
- Inbound rules (port forwarding). Inbound traffic is blocked unless the traffic is in response to a request from the LAN side. You can configure the firewall to allow specific or all inbound traffic.
- Customized services. You can add additional services to the list of services in the factory defaults list. You can then define rules for these added services to either allow or block that traffic (see Add Customized Services on page 168).
- Quality of Service (QoS) priorities. Each service has its own native priority that impacts its quality of performance and tolerance for jitter or delays. You can change the QoS priority, which changes the traffic mix through the system (see Preconfigured Quality of Service Profiles on page 173).
- Bandwidth profiles. After you have configured a bandwidth profile (see Create Bandwidth Profiles on page 171), you can assign it to a rule.
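As an added example that is not part of the NETGEAR manual or firmware, the following Python script models the rule semantics just described: the two default rules, the four actions (including the schedule-dependent ones), and the LAN Users and WAN Users address selectors. It lets a rule set be reasoned about before it is entered on the device. Two things it assumes, because this page does not state them: rules are evaluated top to bottom with the first match deciding, and a schedule is a set of weekdays plus an hour window. The hosts, addresses, group and schedule in it are constructed test data, not a real configuration.

```python
"""Model of the FVS318N rule semantics described above (added example, not
NETGEAR code). Assumed, because the page does not say: rules are evaluated
top to bottom and the first match decides; a schedule is a weekday set plus
an hour window. All hosts, addresses, groups and schedules are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import Optional

# The four actions offered in the Action column of the outbound rules table.
BLOCK_ALWAYS = "BLOCK always"
BLOCK_BY_SCHEDULE = "BLOCK by schedule, otherwise allow"
ALLOW_ALWAYS = "ALLOW always"
ALLOW_BY_SCHEDULE = "ALLOW by schedule, otherwise block"

@dataclass(frozen=True)
class Schedule:
    days: frozenset     # weekday numbers, Monday = 0
    start_hour: int     # inclusive
    end_hour: int       # exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour

@dataclass(frozen=True)
class Rule:
    service: str                    # "ANY" or a service name such as "HTTP"
    action: str                     # one of the four action strings above
    lan_users: tuple = ("any",)     # ("any",) | ("single", ip) | ("range", start, finish) | ("group", name)
    wan_users: tuple = ("any",)     # same forms except "group" (groups are LAN-only, IPv4-only)
    schedule: Optional[Schedule] = None

    def decision(self, when: datetime) -> str:
        """Resolve the action to ALLOW or BLOCK at the given time."""
        if self.action == BLOCK_ALWAYS:
            return "BLOCK"
        if self.action == ALLOW_ALWAYS:
            return "ALLOW"
        if self.schedule is None:
            raise ValueError("schedule-based action needs a schedule")
        in_window = self.schedule.active(when)
        if self.action == BLOCK_BY_SCHEDULE:
            return "BLOCK" if in_window else "ALLOW"
        if self.action == ALLOW_BY_SCHEDULE:
            return "ALLOW" if in_window else "BLOCK"
        raise ValueError(f"unknown action {self.action!r}")

def _match_addr(selector: tuple, addr: str, groups: dict) -> bool:
    kind = selector[0]
    if kind == "any":
        return True
    if kind == "single":
        return ip_address(addr) == ip_address(selector[1])
    if kind == "range":
        return ip_address(selector[1]) <= ip_address(addr) <= ip_address(selector[2])
    if kind == "group":
        return addr in groups.get(selector[1], set())
    raise ValueError(f"unknown selector {kind!r}")

def _first_match(rules, service, lan_ip, wan_ip, groups):
    """Index of the first rule whose service and both address selectors match."""
    for index, rule in enumerate(rules):
        if (rule.service in ("ANY", service)
                and _match_addr(rule.lan_users, lan_ip, groups)
                and _match_addr(rule.wan_users, wan_ip, groups)):
            return index
    return None

def evaluate_outbound(rules, service, lan_ip, wan_ip, when, groups=None):
    """LAN to WAN: returns (decision, matched index); the default rule allows."""
    i = _first_match(rules, service, lan_ip, wan_ip, groups or {})
    return ("ALLOW", None) if i is None else (rules[i].decision(when), i)

def evaluate_inbound(rules, service, lan_ip, wan_ip, when, groups=None):
    """WAN to LAN: the default rule blocks. Replies to LAN-initiated traffic
    are passed by the stateful engine before any rule and are not modelled."""
    i = _first_match(rules, service, lan_ip, wan_ip, groups or {})
    return ("BLOCK", None) if i is None else (rules[i].decision(when), i)

# Constructed rule set: a per-host ALLOW placed above a business-hours BLOCK.
BUSINESS_HOURS = Schedule(days=frozenset(range(5)), start_hour=9, end_hour=17)
OUTBOUND = [
    Rule("HTTP", ALLOW_ALWAYS, lan_users=("single", "192.168.1.10")),
    Rule("HTTP", BLOCK_BY_SCHEDULE, schedule=BUSINESS_HOURS),
]
INBOUND = [Rule("HTTP", ALLOW_ALWAYS, lan_users=("single", "192.168.1.50"))]
WED_10 = datetime(2024, 6, 5, 10)   # a Wednesday, inside the window
WED_20 = datetime(2024, 6, 5, 20)   # a Wednesday, outside the window

if __name__ == "__main__":
    print(evaluate_outbound(OUTBOUND, "HTTP", "192.168.1.20", "203.0.113.5", WED_10))  # ('BLOCK', 1)
    print(evaluate_outbound(OUTBOUND, "HTTP", "192.168.1.20", "203.0.113.5", WED_20))  # ('ALLOW', 1)
    print(evaluate_outbound(OUTBOUND, "HTTP", "192.168.1.10", "203.0.113.5", WED_10))  # ('ALLOW', 0)
    print(evaluate_inbound(INBOUND, "SSH", "192.168.1.50", "198.51.100.7", WED_10))    # ('BLOCK', None)
```

Reversing the two outbound rules makes the per-host ALLOW unreachable, because the schedule BLOCK for Any matches first; that is the practical meaning of the note that an ALLOW rule only matters as an exception to a BLOCK rule that would otherwise catch the traffic. Under the assumed first-match order, an ALLOW rule with nothing blocking below it changes nothing, since the default outbound rule already allows.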
Outbound Rules (Service Blocking)
The wireless VPN firewall allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering.
Note: See Enable Source MAC Filtering on page 179 for yet another way to block outbound traffic from selected computers that would otherwise be allowed by the firewall.
Table 31. Number of supported firewall rule configurations

Traffic Rule    Maximum Number of    Maximum Number of    Maximum Number of
                Outbound Rules       Inbound Rules        Supported Rules
LAN WAN         300                  300                  600
DMZ WAN         50                   50                   100
LAN DMZ         50                   50                   100
Total Rules     400                  400                  800
The following table describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 63 on page 138, Figure 69 on page 145, and Figure 75 on page 152).
The steps to configure outbound rules are described in the following sections:
- Configure LAN WAN Rules
- Configure DMZ WAN Rules
- Configure LAN DMZ Rules
Table 32. Outbound rules overview
Each entry gives the setting, its description, and (in the "Applies to" line, the table's third column) the rule types for which the setting is available.

Outbound Rules

Service
The service or application to be covered by this rule. If the service or application does not display in the list, you need to define it using the Services screen (see Add Customized Services on page 168).
Applies to: All rules.

Action
The action for outgoing connections covered by this rule:
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block
Note: Any outbound traffic that is not blocked by rules you create is allowed by the default rule.
Note: ALLOW rules are useful only if the traffic is already covered by a BLOCK rule. That is, you wish to allow a subset of traffic that is currently blocked by another rule.
Applies to: All rules.

Select Schedule
The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is used by this rule.
• This drop-down list is activated only when BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block is selected as the action.
• Use the Schedule screen to configure the time schedules (see Set a Schedule to Block or Allow Specific Traffic on page 178).
Applies to: All rules when BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block is selected as the action.

LAN Users
The settings that determine which computers on your network are affected by this rule. The options are:
• Any. All computers and devices on your LAN.
• Single address. Enter the required address in the Start field to apply the rule to a single device on your LAN.
• Address range. Enter the required addresses in the Start and Finish fields to apply the rule to a range of devices.
• Group. Select the LAN group to which the rule applies. Use the LAN Groups screen to assign computers to groups (see Manage the Network Database on page 65). Groups are applicable only to IPv4 rules.
Applies to: LAN WAN rules, LAN DMZ rules.
WAN Users
The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are:
• Any. All Internet IP addresses are covered by this rule.
• Single address. Enter the required address in the Start field.
• Address range. Enter the required addresses in the Start and Finish fields.
Applies to: LAN WAN rules, DMZ WAN rules.

DMZ Users
The settings that determine which DMZ computers on the DMZ network are affected by this rule. The options are:
• Any. All computers and devices on your DMZ network.
• Single address. Enter the required address in the Start field to apply the rule to a single computer on the DMZ network.
• Address range. Enter the required addresses in the Start and Finish fields to apply the rule to a range of DMZ computers.
Applies to: DMZ WAN rules, LAN DMZ rules.

QoS Priority
The priority assigned to IP packets of this service. The priorities are defined by Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of a service, which, in turn, determines the quality of that service for the traffic passing through the firewall.
The wireless VPN firewall marks the Type of Service (ToS) field as defined in the QoS profiles that you create. For more information, see Preconfigured Quality of Service Profiles on page 173.
Note: The wireless VPN firewall has preconfigured default QoS profiles; you cannot configure the QoS profiles. A QoS profile can become active only when you apply it to a nonblocking inbound or outbound firewall rule.
Applies to: LAN WAN rules, DMZ WAN rules.

Bandwidth Profile
Bandwidth limiting determines the way in which the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link. For more information, see Create Bandwidth Profiles on page 171. For outbound traffic, you can configure bandwidth limiting only on the WAN interface for a LAN WAN rule.
Note: Bandwidth limiting does not apply to the DMZ interface.
Applies to: IPv4 LAN WAN rules.
Log
The setting that determines whether packets covered by this rule are logged. The options are:
• Always. Always log traffic that matches this rule. This is useful when you are debugging your rules.
• Never. Never log traffic that matches this rule.
Applies to: All rules.

NAT IP
The setting that specifies whether the source address of the outgoing packets on the WAN should be assigned the address of the WAN interface or the address of a different interface. You can specify these settings only for outbound traffic of the WAN interface. The options are:
• WAN Interface Address. All the outgoing packets on the WAN are assigned to the address of the specified WAN interface.
• Single Address. All the outgoing packets on the WAN are assigned to the specified IP address, for example, a secondary WAN address that you have configured.
Note: The NAT IP drop-down list is available only when the WAN mode is NAT. If you select Single Address, the IP address specified should fall under the WAN subnet.
Applies to: IPv4 LAN WAN rules, IPv4 DMZ WAN rules.

Inbound Rules (Port Forwarding)
If you have enabled Network Address Translation (NAT), your network presents one IP address only to the Internet, and outside users cannot directly access any of your local computers (LAN users). (For information about configuring NAT, see Network Address Translation on page 27.) However, by defining an inbound rule you can make a local server (for example, a web server or game server) visible and available to the Internet. The rule informs the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This process is also known as port forwarding.
WARNING:
Allowing inbound services opens security holes in your network. Enable only those ports that are necessary for your network.
A forwarded port exposes the local server's own software to every address that the rule's WAN Users setting admits; restrict WAN Users where you can, keep the server patched, and set the rule's Log setting to Always so that inbound access can be reviewed.
Whether DHCP is enabled affects how inbound rules reach the server's address. For example:
- If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address might change periodically as the DHCP lease expires. Consider using Dynamic DNS so that external users can always find your network (see Configure Dynamic DNS on page 45).
- If the IP address of the local server computer is assigned by DHCP, it might change when the computer is rebooted. To avoid this, use the Reserved (DHCP Client) feature in the
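The WARNING in the inbound rules section says to open only the ports the network needs. As an added example, not NETGEAR tooling, the following Python check runs over a list of inbound (port-forwarding) rules and reports the settings a reviewer would question: an ALLOW rule that exposes a management service or every service to any Internet address, one that forwards to an address range instead of a single server, one whose Log setting is Never, and a rule count above the Table 31 maximum for inbound LAN WAN rules. The page defines no export format for rules, so each rule is a constructed dictionary keyed by the field names used in the rule tables, and the set of services treated as management services is an assumption.

```python
"""Review pass over an inbound (port-forwarding) rule list. Added example,
not NETGEAR tooling: the page defines no export format, so each rule is a
constructed dict keyed by the field names of the rule tables. The set of
services treated as management services is an assumption."""

# Assumed: services a reviewer would not expect to see reachable from any Internet address.
MANAGEMENT_SERVICES = {"TELNET", "SSH", "RDP", "SMB", "VNC"}
MAX_INBOUND_LAN_WAN = 300   # Table 31: maximum number of inbound LAN WAN rules


def review_inbound_rules(rules):
    """Return (rule index, finding) pairs; an empty list means nothing to question.
    A finding whose index is None concerns the rule set as a whole."""
    findings = []
    if len(rules) > MAX_INBOUND_LAN_WAN:
        findings.append((None, f"{len(rules)} inbound rules exceed the LAN WAN maximum of {MAX_INBOUND_LAN_WAN}"))
    for index, rule in enumerate(rules):
        if not rule["action"].startswith("ALLOW"):
            continue  # a BLOCK rule only narrows the default inbound block; it exposes nothing
        if rule["wan_users"] == ("any",):
            if rule["service"] == "ANY":
                findings.append((index, "every service forwarded from every Internet address: "
                                        "the default inbound block no longer protects the target"))
            elif rule["service"] in MANAGEMENT_SERVICES:
                findings.append((index, f"{rule['service']} reachable from every Internet address; "
                                        "restrict WAN Users to known addresses"))
        if rule["lan_users"][0] == "range":
            findings.append((index, "forwarding to an address range rather than one server; "
                                    "confirm every host in it should be reachable"))
        if rule["log"] == "Never":
            findings.append((index, "ALLOW rule without logging; set Log to Always so inbound access is recorded"))
    return findings


# Constructed rule list for the check (addresses are documentation ranges).
INBOUND_RULES = [
    {"service": "HTTP", "action": "ALLOW always", "wan_users": ("any",),
     "lan_users": ("single", "192.168.1.50"), "log": "Always"},
    {"service": "RDP", "action": "ALLOW always", "wan_users": ("any",),
     "lan_users": ("single", "192.168.1.60"), "log": "Never"},
    {"service": "SSH", "action": "ALLOW always", "wan_users": ("single", "198.51.100.7"),
     "lan_users": ("single", "192.168.1.60"), "log": "Always"},
    {"service": "ANY", "action": "BLOCK always", "wan_users": ("range", "203.0.113.0", "203.0.113.255"),
     "lan_users": ("any",), "log": "Always"},
    {"service": "ANY", "action": "ALLOW always", "wan_users": ("any",),
     "lan_users": ("range", "192.168.1.100", "192.168.1.110"), "log": "Never"},
]

if __name__ == "__main__":
    for index, finding in review_inbound_rules(INBOUND_RULES):
        print(index, finding)
```

On the constructed list, the public web server (rule 0) and the SSH rule limited to one known address (rule 2) pass; the RDP rule open to any address without logging and the catch-all ALLOW to a whole address range are each reported, and the BLOCK rule is skipped because it cannot expose anything.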
