Chapter 4:

Firewall Protection and Content Filtering

|

61

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

To edit a bandwidth profile:

1.

Click the

Edit

link adjacent to the profile you want to edit. The Edit Bandwidth Profile

screen is displayed. (This screen shows the same fields as the Add New Bandwidth

Profile screen.)

2.

Modify the settings that you wish to change.

3.

Click

Apply

. Your modified profile is displayed in the

Bandwidth Profile

table.

To remove an entry from the table, select the profile and click

delete

.

To remove all the profiles, click

select All

and then click

delete

.

Setting a Schedule to Block or Allow Specific Traffic

Schedules define the timeframes under which firewall rules may be applied. Select Security >

Schedules to display the following screen:

Three schedules, Schedule 1, Schedule 2 and Schedule3 can be defined, and any one of

these can be selected when defining firewall rules.

To invoke rules based on a schedule, follow these steps:

1.

Select Security > Schedule to display the Schedule 1 screen.

2.

Check the radio button for

All Days

or

Specific Days

. If you chose

Specific Days

,

check the radio button for each day you want the schedule to be in effect.

3.

Check the radio button to schedule the time of day:

All Day

, or

Specific Times

. If you

chose

Specific Times

, enter the

Start Time

and

End Time

fields (Hour, Minute,

AM/PM), which will limit access during certain times for the selected days.

4.

Click

Apply

to save your settings to Schedule 1.

5.

Repeat these steps to set to a schedule for Schedule 2 and Schedule 3.

62

|

Chapter 4:

Firewall Protection and Content Filtering

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

Blocking Internet Sites (Content Filtering)

To restrict internal LAN users from access to certain sites on the Internet, you can use the

VPN firewall’s Content Filtering and Web Components filtering. By default, these features are

disabled; all requested traffic from any website is allowed. If you enable one or more of these

features and users try to access a blocked site, they will see a “Blocked by NETGEAR”

message.

Several types of blocking are available:

•

Web Components blocking

. You can filter the following Web Component types: Proxy,

Java, ActiveX, and Cookies. For example, by enabling Java filtering, “Java” files will be

blocked. Certain commonly used web components can be blocked for increased security.

Some of these components are can be used by malicious Websites to infect computers

that access them.

-

Proxy

. A proxy server (or simply, proxy) allows computers to route connections to

other computers through the proxy, thus circumventing certain firewall rules. For

example, if connections to a specific IP address are blocked by a firewall rule, the

requests can be routed through a proxy that is not blocked by the rule, rendering the

restriction ineffective. Enabling this feature blocks proxy servers.

-

Java

. Blocks java applets from being downloaded from pages that contain them. Java

applets are small programs embedded in web pages that enable dynamic

functionality of the page. A malicious applet can be used to compromise or infect

computers. Enabling this setting blocks Java applets from being downloaded.

-

ActiveX

. Similar to Java applets, ActiveX controls install on a Windows computer

running Internet Explorer. A malicious ActiveX control can be used to compromise or

infect computers. Enabling this setting blocks ActiveX applets from being

downloaded.

-

Cookies

. Cookies are used to store session information by websites that usually

require login. However, several websites use cookies to store tracking information

and browsing habits. Enabling this option filters out cookies from being created by a

website.

Note:

Many websites require that cookies be accepted in order for the site

to be accessed properly. Blocking cookies may interfere with useful

functions provided by these websites.

•

Keyword Blocking

(Domain Name Blocking)

. You can specify up to 32 words that,

should they appear in the website name (URL) or in a newsgroup name, will cause that

site or newsgroup to be blocked by the VPN firewall.

You can apply the keywords to one or more groups. Requests from the PCs in the groups

for which keyword blocking has been enabled will be blocked. Blocking does not occur for

the PCs that are in the groups for which keyword blocking has not been enabled.

Chapter 4:

Firewall Protection and Content Filtering

|

63

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

You can bypass Keyword blocking for trusted domains by adding the exact matching

domain to the

Trusted Domains

table. Access to the domains or keywords in the

Trusted Domains

table by PCs, even those in the groups for which keyword blocking

has been enabled, will still be allowed without any blocking.

Keyword application examples:

•

If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is

blocked, as is the newsgroup alt.pictures.XXX.

•

If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu

or .gov) can be viewed.

•

To block all Internet browsing access, enter the keyword “.”.

To enable Content Filtering:

1.

Select Security > Block Sites to display the Block Sites screen.

64

|

Chapter 4:

Firewall Protection and Content Filtering

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

2.

Select

Yes

to enable content filtering.

3.

Click

Apply

to activate the screen controls.

4.

Select any

Web Components

you wish to block and click

Apply.

5.

Select the groups to which keyword blocking will apply, then click

Enable

to activate

keyword blocking (or disable to deactivate keyword blocking).

6.

Enter your list of blocked keywords or domain names in the

Blocked Keyword

fields.

After each entry, click

Add.

The keyword or domain name will be added to the

Blocked

Keywords

table. (You can also edit an entry by clicking

Edit

in the Action column

adjacent to the entry.)

7.

In the

Add Trusted Domain

section of the screen, enter the name(s) of any domain for

which the keyword filtering will be bypassed and click

Add

. The trusted domain will

appear in the

Trusted Domains

table and will be exempt from filtering.

Configuring Source MAC Filtering

Source MAC filtering will drop or allow the Internet-bound traffic received from PCs with

specified MAC addresses.

•

By default, the source MAC address filter is disabled. Traffic received from any MAC

address is allowed.

•

When the source MAC address filter is enabled, outbound Internet traffic will be filtered

using the

MAC Addresses

table on this screen. You can choose to block MAC addresses

in the table or to allow only those addresses in the table.

Note:

For additional ways of restricting outbound traffic, see

“Outbound

Rules (Service Blocking)”

on page 44

To enable MAC filtering and add MAC addresses to be blocked:

1.

Select Security > Address Filter from the menu.

Chapter 4:

Firewall Protection and Content Filtering

|

65

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

2.

Select the

Source MAC Filter

tab.

3.

Click

Yes

to enable Source MAC Filtering.

4.

Select the action to be taken on outbound traffic from the listed MAC addresses:

-

Block this list and permit all other MAC addresses.

-

Permit this list and block all other MAC addresses.

5.

Enter a MAC Address in the

Add Source MAC Address

checkbox and click

Add

. The

MAC address will appear in the

MAC Addresses

table. Repeat this process to add

additional MAC addresses.

A valid MAC address is six colon-separated pairs of hexadecimal digits (0 to 9 and a to f).

For example: 01:23:45:ab:cd:ef.

6.

Click

Apply

to save your settings.

You can edit the MAC address by clicking

Edit

in the Action column adjacent to the MAC

address.

To remove an entry from the table, select the MAC address entry and click

Delete

.

To select all the list of MAC addresses, click

Select All

.

A checkmark will appear in the box to

the left of each MAC address in the

MAC Addresses

table

.

Configuring IP/MAC Address Binding

You can configure the VPN firewall to drop packets and generate an alert when a device

appears to have hijacked or spoofed another device’s IP address. An IP address can be

bound to a specific MAC address either by using a DHCP reserved address (see

“Configuring DHCP Address Reservation”

on page 37) or by manually binding on the IP/MAC

Binding screen.