1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. FVS328
    5. /
  5. 14
Page 66 / 224 Scroll up to view Page 61 - 65
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
6-8
Protecting Your Network
December 2003, M-10041-01
Figure 6-4:
Rule example: a
local public Web server
The parameters are:
Service — select the application or service to be allowed or blocked. The list already
displays many common services, but you are not limited to these choices. Use the Add
Services menu as seen in
Figure 6-3
to add any additional services or applications.
Action — choose how you would like this type of traffic to be handled. You can block or
allow always, or block according to the schedule you defined in the Schedule menu.
Send to LAN Server —
enter the IP address of the PC or Server on your LAN which
will receive the inbound traffic covered by this rule.
WAN Users — t
hese settings determine which packets are covered by the rule,
based on their source (WAN) IP address. Select the desired option:
Any - All IP addresses are covered by this rule.
Address range - enter the "Start" and "Finish" fields.
Single address - enter the required address in the "Start" fields.
Log — you can select whether the traffic will be logged. The choices are:
Never - no log entries will be made for this service.
Always - any traffic for this service type will be logged.
Match - traffic that matches the parameters and action will be logged.
Not match - traffic that does not match the parameters and action will be logged.
Page 67 / 224
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Protecting Your Network
6-9
December 2003, M-10041-01
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside
IP addresses, such as from a branch office, you can create an inbound rule. In the example shown
in
Figure 6-5
, CU-SeeMe connections are allowed only from a specified range of external IP
addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that
do not match the allowed parameters.
Figure 6-5:
Rule example: Videoconferencing from Restricted Addresses
Considerations for Inbound Rules
If your external IP address is assigned dynamically by your ISP, the IP address may change
periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the
Advanced menus so that external users can always find your network.
If the IP address of the local server is assigned by DHCP, it may change when the computer is
rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the
computer’s IP address constant.
Local computers must access the local server using the computers’ local LAN address
(192.168.0.11 in the example in
Figure 6-5
above). Attempts by local computers to access the
server using the external WAN IP address will fail.
Outbound Rule (Service Blocking) Example
The FVS328 allows you to block the use of certain Internet services by computers on your
network. This is called service blocking or port filtering. You can define an outbound rule to block
Internet access from a local computer based on:
Page 68 / 224
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
6-10
Protecting Your Network
December 2003, M-10041-01
IP address of the local computer (source address)
IP address of the Internet site being contacted (destination address)
Time of day
Type of service being requested (service port number)
The following is an application example of outbound rules to block Instant Messenger use:
If you want to block Instant Messenger usage by employees during working hours, you can create
an outbound rule to block that application from any internal IP address to any external address,
according to the schedule that you have created in the Schedule menu. You can also have the
firewall log any attempt to use Instant Messenger during that blocked period.
Figure 6-6:
Rule example: blocking instant messenger
The parameters are:
Service — select the application or service to be allowed or blocked. The list already
displays many common services, but you are not limited to these choices. Use the Add
Services menu as seen in
Figure 6-3
to add any additional services or applications that do
not already appear.
Action — choose how you would like this type of traffic to be handled. You can block or
allow always, or you can choose to block or allow according to the schedule you have
defined in the Schedule menu.
Page 69 / 224
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Protecting Your Network
6-11
December 2003, M-10041-01
LAN Users —
these settings determine which packets are covered by the rule, based
on their source LAN IP address. Select the desired option:
Any: All IP addresses are covered by this rule.
Address range: If this option is selected, you must enter the "Start" and "Finish" fields.
Single address: Enter the required address in the "Start" fields.
WAN Users —
these settings determine which packets are covered by the rule,
based on their destination WAN IP address. Select the desired option:
Any - All IP addresses are covered by this rule.
Address range - If this option is selected, you must enter the "Start" and "Finish"
fields.
Single address - Enter the required address in the "Start" fields.
Log — select whether the traffic will be logged. The choices are:
Never - No log entries will be made for this service.
Always - Any traffic for this service type will be logged.
Match - Traffic of this type which matches the parameters and action will be logged.
Not match - Traffic of this type which does not match the parameters and action will
be logged.
Understanding the Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu. For any traffic attempting
to pass through the firewall, the packet information is subjected to the rules in the order shown in
the Rules Table, beginning at the top and proceeding to the default rules at the bottom. In some
cases, the order of precedence of two or more rules may be important in determining the
disposition of a packet. The Move button allows you to relocate a defined rule to a new position in
the table.
Page 70 / 224
Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
6-12
Protecting Your Network
December 2003, M-10041-01
Regulating Access to Network Services
Services are functions performed by server computers at the request of client computers. For
example, Web servers serve Web pages, time servers serve time and date information, and game
hosts serve data about other players’ moves. When a computer on the Internet sends a request for
service to a server computer, the requested service is identified by a service or port number. This
number appears as the destination port number in the transmitted IP packets. For example, a packet
that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task
Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other
applications are typically chosen from the range 1024 to 65535 by the authors of the application.
For more information on this topic please see
Appendix C, “Networks, Routing, and Firewall
Basics
.
Although the FVS328 already holds a list of many service port numbers, you are not limited to
these choices. Use the procedure below to create your own service definitions.
How to Define Services
1.
Log in to the firewall at its default LAN address of
with its default User
Name of
admin
, default password of
password
, or using whatever password and LAN
address you have chosen for the firewall.
2.
Click the Services link of the Security menu to display the menu shown below.
Figure 6-7:
Services menu
To create a new service, click the Add Custom Service button.
When there is an existing service, to edit the service, select the it from the list in the table
and click Edit Service.

Rate

3.5 / 5 based on 2 votes.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top