Chapter 4: Firewall Protection and Content Filtering | 51
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Inbound Rules Examples
LAN WAN Inbound Rule: Hosting a Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound
Web (HTTP) requests from any outside IP address to the IP address of your Web server at
any time of day. In the example shown in , unrestricted access is provided from the Internet to
the local Web server at LAN IP address 192.168.1.99.
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of
outside IP addresses, such as from a branch office, you can create an inbound rule. In the
example shown in , CU-SeeMe connections are allowed to a local host only from a specified
range of external IP addresses. Connections are blocked during the period specified by
Schedule 1.
LAN WAN Inbound Rule: Setting Up One-to-One NAT Mapping
If you arrange with your ISP to have more than one public IP address for your use, you can
use the additional public IP addresses to map to servers on your LAN. One of these public IP
addresses will be used as the primary IP address of the VPN firewall. This address will be
used to provide Internet access to your LAN PCs through NAT. The other addresses are
available to map to your servers.
In the example shown in , multi-NAT is configured to support multiple public IP
addresses on one WAN interface. The inbound rule instructs the VPN firewall to host an
additional public IP address (10.1.0.5) and to associate this address with the Web server on
the LAN at 192.168.1.11 (192.168.1.1 is the VPN firewall's own LAN address, not the server).
We also instruct the VPN firewall to translate the incoming HTTP port number (port 80) to the
port on which the server actually listens (port 8080).
This example uses the following addressing scheme:
VPN firewall FVS336Gv2
  - WAN1 primary public IP address: 10.1.0.1
  - WAN1 additional public IP address: 10.1.0.5
  - LAN IP address: 192.168.1.1
Web server PC on the VPN firewall's LAN
  - LAN IP address: 192.168.1.11
  - Port number for Web service: 8080
To test the connection from a PC on the WAN side, type
The home page of
the Web server should appear.
LAN WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to
anyone on the Internet for services that you have not yet defined.
To expose one of the PCs on your LAN as this host:
1. Create an inbound rule that allows all protocols.
2. Place the new rule below all other inbound rules. Rules are evaluated top to bottom and
   the first match wins, so the exposed-host rule must be last: only traffic that no more
   specific rule has already allowed or blocked should reach it.
Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host.
When a computer on your LAN is designated as the exposed host, it loses much of the
protection of the firewall and is exposed to many exploits from the Internet. If
compromised, the computer can be used to attack your network.
Outbound Rules Example
Outbound rules let you prevent users from using applications such as Instant Messenger,
Real Audio, or other non-essential services.
LAN WAN Outbound Rule: Blocking Instant Messenger
To block Instant Messenger usage by employees during working hours, you can create an
outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created on the Schedule screen. See the example
shown in .
You can also have the VPN firewall log any attempt to use Instant Messenger during that
blocked period.
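The rule examples in this section (the public Web server, the scheduled videoconference access, one-to-one NAT with port translation, the exposed host, and the scheduled Instant Messenger block) all depend on the same first-match evaluation, so the following Python model is added here to show how rule order and schedules interact. It is an added illustration, not NETGEAR firmware and not code from this manual. The Schedule 1 window (09:00 to 17:00), the branch office range 203.0.113.0/24, the videoconference host 192.168.1.50, the exposed host 192.168.1.200, the outside client addresses, the default policy (inbound deny, outbound allow) and the use of AIM as the Instant Messenger service are assumptions; the 10.1.0.x and 192.168.1.x addresses are taken from the examples above.

```python
"""First-match model of the LAN WAN rule examples in this chapter.
Added illustration only; not NETGEAR firmware.  Assumed values are marked."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

SCHEDULE_1 = (time(9, 0), time(17, 0))   # assumed window for "Schedule 1"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = WAN to LAN, "out" = LAN to WAN
    src: str         # source IP address
    dst: str         # inbound: the public IP the packet arrived on
    service: str     # service name, e.g. "HTTP", "CU-SeeMe", "AIM"
    when: time       # time of day, checked against rule schedules


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str                          # "allow" or "block"
    service: Optional[str] = None        # None = any service
    src: Optional[str] = None            # CIDR; None = any source address
    dst: Optional[str] = None            # public IP; None = any
    schedule: Optional[Tuple[time, time]] = None   # rule applies only inside window
    send_to: Optional[str] = None        # LAN server an inbound allow forwards to
    port: Optional[int] = None           # translated port; None = leave unchanged
    log: bool = False                    # log matches (the IM example asks for this)

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction:
            return False
        if self.schedule and not (self.schedule[0] <= p.when < self.schedule[1]):
            return False
        if self.service and p.service != self.service:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and p.dst != self.dst:
            return False
        return True


def evaluate(rules, p: Packet):
    """Walk the rules top to bottom; the first match decides.
    Returns (action, rule name, (LAN server, port) or None).
    Default policy assumed: inbound traffic is denied, outbound allowed."""
    for r in rules:
        if r.matches(p):
            if r.log:
                print(f"LOG {r.name}: {p.src} -> {p.dst} {p.service} at {p.when}")
            target = (r.send_to, r.port) if r.action == "allow" and r.send_to else None
            return (r.action, r.name, target)
    return ("block" if p.direction == "in" else "allow", "default", None)


RULES = [
    # Videoconference: blocked during Schedule 1, otherwise allowed only from the
    # branch office range (203.0.113.0/24 and host 192.168.1.50 are assumed).
    Rule("CU-SeeMe Schedule 1 block", "in", "block", service="CU-SeeMe",
         src="203.0.113.0/24", schedule=SCHEDULE_1),
    Rule("CU-SeeMe from branch", "in", "allow", service="CU-SeeMe",
         src="203.0.113.0/24", send_to="192.168.1.50"),
    # Public Web server reached through the primary WAN address.
    Rule("Web server 192.168.1.99", "in", "allow", service="HTTP",
         dst="10.1.0.1", send_to="192.168.1.99"),
    # One-to-one NAT: public 10.1.0.5 port 80 -> 192.168.1.11 port 8080.
    Rule("One-to-one NAT Web", "in", "allow", service="HTTP",
         dst="10.1.0.5", send_to="192.168.1.11", port=8080),
    # Outbound: block Instant Messenger (AIM assumed) during Schedule 1 and log it.
    Rule("Block IM working hours", "out", "block", service="AIM",
         schedule=SCHEDULE_1, log=True),
]

# Exposed host (192.168.1.200 assumed): allows every service, so it must be placed
# BELOW all other inbound rules or it will match before them.
EXPOSED_HOST = Rule("Exposed host", "in", "allow", dst="10.1.0.1",
                    send_to="192.168.1.200")
RULES_WITH_EXPOSED_HOST = RULES + [EXPOSED_HOST]

if __name__ == "__main__":
    ssh = Packet("in", "198.51.100.7", "10.1.0.1", "SSH", time(19, 0))
    print("without exposed host:", evaluate(RULES, ssh))
    print("with exposed host:   ", evaluate(RULES_WITH_EXPOSED_HOST, ssh))
```

Running the model makes the point of step 2 of the exposed-host procedure concrete: with the exposed-host rule last, an SSH connection from an arbitrary Internet address that would otherwise fall to the default deny is forwarded to 192.168.1.200, which is exactly the exposure the note above warns about. Had the exposed-host rule been placed above the videoconference rules, it would also swallow the Schedule 1 block, because the first matching rule wins and the later block rule would never be consulted.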
Configuring Other Firewall Features
You can configure attack checks, set session limits, and manage the Application Level
Gateway (ALG) for SIP sessions.
Attack Checks
The Attack Checks screen allows you to specify whether or not the VPN firewall should be
protected against common attacks in the LAN and WAN networks. To enable the appropriate
Attack Checks for your environment:
1. Select Security > Firewall from the menu and click Attack Checks to display the Attack
   Checks screen (see ).
2. Check the boxes for the Attack Checks you wish to monitor. The various types of attack
   checks are listed and defined below.
3. Click Apply to save your settings.
The various types of attack checks listed on the Attack Checks screen are:
WAN Security Checks
  - Respond To Ping On Internet Ports. By default, the VPN firewall responds to an
    ICMP Echo (ping) packet coming from the Internet or WAN side. Responding to a
    ping can be a useful diagnostic tool when there are connectivity problems. If the ping
    option is enabled, you can allow either any IP address or a specific IP address only to
    receive a ping response. You can disable the ping option to prevent attackers from easily
    discovering the VPN firewall via a ping.
  - Enable Stealth Mode. In stealth mode, the VPN firewall will not respond to port scans
    from the WAN or Internet, which makes it less susceptible to discovery and attacks.
  - Block TCP Flood. A SYN flood is a form of denial of service attack in which an
    attacker sends a succession of SYN requests to a target system. When the system
    responds, the attacker does not complete the connection, thus saturating the server
    with half-open connections. No legitimate connections can then be made.
    When blocking is enabled, the VPN firewall will limit the lifetime of partial connections
    and will be protected from a SYN flood attack.
LAN Security Checks
  - Block UDP flood. A UDP flood is a form of denial of service attack in which the
    attacking machine sends a large number of UDP packets to random ports on the
    victim host. As a result, the victim host will check for the application listening at that
    port, see that no application is listening at that port, and reply with an ICMP
    Destination Unreachable packet.
    When the victimized system is flooded, it is forced to send many ICMP packets,
    eventually making it unreachable by other clients. The attacker may also spoof the IP
    address of the UDP packets, ensuring that the excessive ICMP return packets do not
    reach him, making the attacker's network location anonymous.
    If flood checking is enabled, the VPN firewall will not accept more than 20
    simultaneous, active UDP connections from a single computer on the LAN.
  - Disable Ping Reply on LAN Ports. To prevent the VPN firewall from responding to
    ping requests from the LAN, select this check box.
VPN Pass through
  - When the VPN firewall is in NAT mode, all packets going to the remote VPN gateway
    are first filtered through NAT and then encrypted per the VPN policy.
    If a VPN client or gateway on the LAN side of the VPN firewall wants to connect to
    another VPN endpoint on the WAN, with the VPN firewall between the two VPN
    endpoints, all encrypted packets will be sent to the VPN firewall. Because NAT rewrites
    the headers of these already-encrypted packets, they no longer match the tunnel the two
    endpoints negotiated and are rejected as invalid.
    IPSec, PPTP, and L2TP represent different types of VPN tunnels that can pass through
    the VPN firewall. To allow the VPN traffic to pass through without filtering, enable those
    options for the type of tunnel(s) that will pass through the VPN firewall.
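As an added illustration (not NETGEAR code) of the two flood checks described above, the following Python model limits the lifetime of half-open TCP connections, as Block TCP Flood does, and refuses a 21st simultaneous UDP flow from one LAN host, the limit the manual gives for Block UDP flood. The 30-second half-open lifetime, the flow keys and the two traffic traces are assumptions constructed for the example; the manual does not state the lifetime the VPN firewall actually uses.

```python
"""Model of the Block TCP Flood and Block UDP flood checks described above.
Added illustration only; not NETGEAR firmware.  The half-open lifetime and
the traffic traces are assumptions; the 20-flow UDP limit is from the manual."""
from collections import defaultdict

HALF_OPEN_LIFETIME = 30.0      # seconds a SYN may wait unanswered (assumed value)
UDP_FLOWS_PER_LAN_HOST = 20    # limit stated for Block UDP flood


class SynFloodCheck:
    """Limits the lifetime of half-open TCP connections.  A SYN opens an entry,
    the client's handshake-completing ACK closes it, and anything older than
    the lifetime is reaped so spoofed SYNs cannot pin resources indefinitely."""

    def __init__(self, lifetime: float = HALF_OPEN_LIFETIME):
        self.lifetime = lifetime
        self.half_open = {}        # (src, sport, dst, dport) -> time SYN was seen
        self.expired = 0

    def expire(self, now: float) -> None:
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.lifetime]
        for k in stale:
            del self.half_open[k]
        self.expired += len(stale)

    def on_packet(self, now, src, sport, dst, dport, flags: str) -> None:
        self.expire(now)
        key = (src, sport, dst, dport)
        if flags == "SYN":
            self.half_open[key] = now       # handshake started, not yet complete
        elif flags == "ACK" and key in self.half_open:
            del self.half_open[key]         # third step of the handshake seen


class UdpFloodCheck:
    """Refuses a new UDP flow from a LAN host once it already has the maximum
    number of simultaneous active flows; existing flows are still forwarded."""

    def __init__(self, limit: int = UDP_FLOWS_PER_LAN_HOST):
        self.limit = limit
        self.flows = defaultdict(set)      # LAN source -> {(sport, dst, dport)}
        self.dropped = defaultdict(int)    # LAN source -> packets refused

    def on_packet(self, src, sport, dst, dport) -> bool:
        flow = (sport, dst, dport)
        active = self.flows[src]
        if flow in active:
            return True                    # known flow: forwarded
        if len(active) >= self.limit:
            self.dropped[src] += 1
            return False                   # over the limit: refused
        active.add(flow)
        return True


def syn_flood_demo():
    """Constructed trace: 50 spoofed SYNs that are never completed, plus one
    legitimate client that finishes its handshake.  Returns (half-open entries
    after the burst, entries left after expiry, entries expired)."""
    check = SynFloodCheck()
    for i in range(50):
        check.on_packet(i * 0.01, f"198.51.100.{i + 1}", 40000 + i, "10.1.0.1", 80, "SYN")
    check.on_packet(1.0, "203.0.113.7", 51000, "10.1.0.1", 80, "SYN")
    check.on_packet(1.1, "203.0.113.7", 51000, "10.1.0.1", 80, "ACK")
    after_burst = len(check.half_open)
    check.expire(60.0)                     # time passes; stale entries reaped
    return after_burst, len(check.half_open), check.expired


def udp_flood_demo():
    """Constructed trace: one LAN host opens 30 UDP flows to random ports.
    Returns (packets forwarded, packets refused, flows tracked for the host)."""
    check = UdpFloodCheck()
    forwarded = sum(check.on_packet("192.168.1.77", 50000 + i, "198.51.100.9", 1024 + i)
                    for i in range(30))
    return forwarded, check.dropped["192.168.1.77"], len(check.flows["192.168.1.77"])


if __name__ == "__main__":
    print("SYN flood (after burst, after expiry, expired):", syn_flood_demo())
    print("UDP flood (forwarded, refused, tracked):", udp_flood_demo())
```

The SYN trace shows why limiting the lifetime of partial connections is the useful control: the spoofed sources never send the final ACK, so only the timer frees the 50 entries, while the legitimate client's completed handshake is removed immediately and is never affected. The UDP trace shows the per-host cap acting on new flows only; a host that already has 20 flows keeps using them, which is why a limit on simultaneous flows throttles a spraying host without cutting off its established traffic.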
Configuring Session Limits
To prevent one user or group from using excessive system resources, you can limit the total
number of IP sessions allowed through the VPN firewall for an individual or group. You can
specify the maximum number of sessions by either a percentage of maximum sessions or an
absolute number of maximum sessions. Session limiting is disabled by default.
