Firewall Protection
161
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
You can also enable the wireless VPN firewall to log any attempt to use Instant Messenger
during the blocked period. See an example in the following figure.
Figure 84.
IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ Users to Access an FTP Site on the Internet
If you want to allow a group of DMZ users to access a particular FTP site on the Internet
during working hours, you can create an outbound rule to allow such traffic by specifying the
IPv6 DMZ start and finish addresses and the IPv6 WAN address. On the Schedule screen,
create a schedule that specifies working hours, and assign it to the rule.
You can also configure the QoS profile to maximize the throughput. See an example in the
following figure.
Figure 85.
Configure Other Firewall Features
You can configure attack checks, set session limits, and manage the application level
gateway (ALG) for SIP sessions.
Attack Checks
The Attack Checks screen allows you to specify whether or not the wireless VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks. The various types of IPv4 attack checks are listed on the Attack Checks screen and defined in Table 34 on page 163. For IPv6, the only options are to specify whether or not to allow a ping on the WAN port and whether or not to allow VPN pass-through for IPSec.
IPv4 Attack Checks
To enable IPv4 attack checks for your network environment:
1. Select Security > Firewall > Attack Checks. In the upper right of the screen, the IPv4 radio button is selected by default. The Attack Checks screen displays the IPv4 settings:
Figure 86.
2. Enter the settings as explained in the following table:
Table 34. Attack Checks screen settings for IPv4

WAN Security Checks

Respond to Ping on Internet Ports. Select the Respond to Ping on Internet Ports check box to enable the wireless VPN firewall to respond to a ping from the Internet to its IPv4 address. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to enable the wireless VPN firewall to respond to a ping from the Internet.

Enable Stealth Mode. Select the Enable Stealth Mode check box (which is the default setting) to prevent the wireless VPN firewall from responding to port scans from the WAN, thus making it less susceptible to discovery and attacks.

Block TCP flood. Select the Block TCP flood check box (which is the default setting) to enable the wireless VPN firewall to drop all invalid TCP packets and to protect the wireless VPN firewall from a SYN flood attack.
A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN (synchronize) requests to a target system. When the system responds, the attacker does not complete the connections, thus leaving the connection half open and flooding the server with SYN messages. No legitimate connections can then be made.
LAN Security Checks

Block UDP flood. Select the Block UDP flood check box (which is the default setting) to prevent the wireless VPN firewall from accepting more than 20 simultaneous, active User Datagram Protocol (UDP) connections from a single device on the LAN.
A UDP flood is a form of denial of service attack that can be initiated when one device sends a large number of UDP packets to random ports on a remote host. As a result, the distant host does the following:
1. Checks for the application listening at that port.
2. Sees that no application is listening at that port.
3. Replies with an ICMP Destination Unreachable packet.
When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker might also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach the attacker, thus making the attacker's network location anonymous.

Disable Ping Reply on LAN Ports. Select the Disable Ping Reply on LAN Ports check box to prevent the wireless VPN firewall from responding to a ping on a LAN port. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to prevent the wireless VPN firewall from responding to a ping on a LAN port.

VPN Pass through

IPSec, PPTP, L2TP. When the wireless VPN firewall functions in NAT mode, all packets going to the remote VPN gateway are first filtered through NAT and then encrypted according to the VPN policy. For example, if a VPN client or gateway on the LAN side of the wireless VPN firewall wants to connect to another VPN endpoint on the WAN side (placing the wireless VPN firewall between two VPN endpoints), encrypted packets are sent to the wireless VPN firewall. Because the wireless VPN firewall filters the encrypted packets through NAT, the packets become invalid unless you enable the VPN Pass through feature.
To enable the VPN tunnel to pass the VPN traffic without any filtering, select any or all of the following check boxes:
IPSec. Disables NAT filtering for IPSec tunnels.
PPTP. Disables NAT filtering for PPTP tunnels.
L2TP. Disables NAT filtering for L2TP tunnels.
By default, all three check boxes are selected.

Multicast Pass through

Enable IGMP. IP multicast pass-through allows multicast packets that originate in the WAN, such as packets from a media streaming or gaming application, to be forwarded to the LAN subnet. Internet Group Management Protocol (IGMP) is used to support multicast between IP hosts and their adjacent neighbors.
Select the Enable IGMP check box to enable IP multicast pass-through. By default, IP multicast pass-through is disabled.
Jumbo Frames

Enable Jumbo Frame. Jumbo frames allow multiple smaller packets to be combined into a single larger packet, reducing network overhead and increasing data transfer performance. Jumbo frames are supported on ports 1, 2, 3, and 4 only.
Select the Jumbo Frame check box to enable jumbo frames. By default, jumbo frames are disabled.
Note: Jumbo frames are not supported on Fast Ethernet interfaces.

3. Click Apply to save your settings.

IPv6 Attack Checks
To enable IPv6 attack checks for your network environment:
1. Select Security > Firewall > Attack Checks.
2. In the upper right of the screen, select the IPv6 radio button. The Attack Checks screen displays the IPv6 settings:
Figure 87.
3. Configure the following settings:
Respond to Ping on Internet Ports. Select the Respond to Ping on Internet Ports check box to enable the wireless VPN firewall to respond to a ping from the Internet to its IPv6 address. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to enable the wireless VPN firewall to respond to a ping from the Internet.
IPsec. Select the IPsec check box to enable IPSec VPN traffic that is initiated from the LAN to reach the WAN, irrespective of the default firewall outbound policy and custom firewall rules.
4. Click Apply to save your settings.
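The Block UDP flood check in Table 34 is defined by one number: no more than 20 simultaneous, active UDP connections from a single LAN device. The following Python model is an added example, not NETGEAR firmware code; it replays constructed flow records through that rule so you can see which packets it forwards and which it drops. The idle timeout that decides when a connection stops being "active" is an assumption, since the manual does not state one.

```python
"""Model of the Block UDP flood check from Table 34 (added example, not NETGEAR code)."""
from collections import defaultdict

UDP_LIMIT = 20        # per-device limit stated in Table 34
IDLE_TIMEOUT = 30.0   # seconds without traffic before a connection stops counting (assumption)


def simulate_udp_flood_check(events, limit=UDP_LIMIT, idle=IDLE_TIMEOUT):
    """Replay (timestamp, src_ip, dst_ip, dst_port) UDP events in time order.

    A connection is the (dst_ip, dst_port) pair seen from one LAN source and stays
    active until `idle` seconds pass without traffic. Traffic on an active
    connection is always forwarded; a new connection is forwarded only while the
    source has fewer than `limit` active ones, otherwise it is dropped.
    Returns (forwarded, dropped) as lists of the original events.
    """
    active = defaultdict(dict)  # src_ip -> {(dst_ip, dst_port): last_seen}
    forwarded, dropped = [], []
    for ts, src, dst, port in sorted(events):
        conns = active[src]
        for key in [k for k, seen in conns.items() if ts - seen > idle]:
            del conns[key]  # expire idle connections before counting
        key = (dst, port)
        if key in conns or len(conns) < limit:
            conns[key] = ts
            forwarded.append((ts, src, dst, port))
        else:
            dropped.append((ts, src, dst, port))
    return forwarded, dropped


def flood_sample():
    """Constructed traffic: host .50 sprays 25 random ports in 2.5 s; host .51 does DNS and NTP."""
    events = [(0.1 * i, "192.168.1.50", "203.0.113.9", 40000 + i) for i in range(25)]
    events += [(3.0, "192.168.1.51", "203.0.113.9", 53),
               (3.1, "192.168.1.51", "203.0.113.9", 123)]
    return simulate_udp_flood_check(events)


if __name__ == "__main__":
    fwd, drp = flood_sample()
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for ts, src, dst, port in drp:
        print(f"  t={ts:4.1f} drop {src} -> {dst}:{port} (over {UDP_LIMIT} active UDP connections)")
```

The second host's traffic is unaffected because the limit is applied per source device, which is why a single misbehaving LAN host does not take the others' UDP services down with it.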