1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. FVS336Gv3
    5. /
  5. 11
Page 51 / 203 Scroll up to view Page 46 - 50
Chapter 4:
Firewall Protection and Content Filtering
|
51
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Inbound Rules Examples
LAN WAN Inbound Rule: Hosting a Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound
Web (HTTP) requests from any outside IP address to the IP address of your Web server at
any time of day. In the example shown in , unrestricted access is provided from the Internet to
the local Web server at LAN IP address 192.168.1.99.
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of
outside IP addresses, such as from a branch office, you can create an inbound rule. In the
example shown in , CU-SeeMe connections are allowed to a local host only from a specified
range of external IP addresses. Connections are blocked during the period specified by
Schedule 1.
Page 52 / 203
52
|
Chapter 4:
Firewall Protection and Content Filtering
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
LAN WAN Inbound Rule: Setting Up One-to-One NAT Mapping
If you arrange with your ISP to have more than one public IP address for your use, you can
use the additional public IP addresses to map to servers on your LAN. One of these public IP
addresses will be used as the primary IP address of the VPN firewall. This address will be
used to provide Internet access to your LAN PCs through NAT. The other addresses are
available to map to your servers.
In the example shown in , we have configured multi-NAT to support multiple public IP
addresses on one WAN interface.
The inbound rule instructs the VPN firewall to host an
additional public IP address (10.1.0.5) and to associate this address with the Web server on
the LAN (at 192.168.1.1). We also instruct the VPN firewall to translate the incoming HTTP
port number (port 80) to a different port number (port 8080).
This example uses the following addressing scheme:
VPN firewall FVS336Gv2
-
WAN1 primary public IP address: 10.1.0.1
-
WAN1 additional public IP address: 10.1.0.5
-
LAN IP address 192.168.1.1
Web server PC on the VPN firewall’s LAN
-
LAN IP address: 192.168.1.11
-
Port number for Web service: 8080
To test the connection from a PC on the WAN side, type
The home page of
the Web server should appear.
LAN WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to
anyone on the Internet for services that you have not yet defined.
Page 53 / 203
Chapter 4:
Firewall Protection and Content Filtering
|
53
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
To expose one of the PCs on your LAN as this host:
1.
Create an inbound rule that allows all protocols.
2.
Place the new rule
below
all other inbound rules.
Note:
For security, NETGEAR strongly recommends that you avoid
creating an exposed host. When a computer on your LAN is
designated as the exposed host, it loses much of the protection of
the firewall and is exposed to many exploits from the Internet. If
compromised, the computer can be used to attack your network.
Outbound Rules Example
Outbound rules let you prevent users from using applications such as Instant Messenger,
Real Audio, or other non-essential services.
LAN WAN Outbound Rule: Blocking Instant Messenger
To block Instant Messenger usage by employees during working hours, you can create an
outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created on the Schedule screen. See the example
shown in .
You can also have the VPN firewall log any attempt to use Instant Messenger during that
blocked period.
Page 54 / 203
54
|
Chapter 4:
Firewall Protection and Content Filtering
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Configuring Other Firewall Features
You can configure attack checks, set session limits, and manage the Application Level
Gateway (ALG) for SIP sessions.
Attack Checks
The Attack Checks screen allows you to specify whether or not the VPN firewall should be
protected against common attacks in the LAN and WAN networks. To enable the appropriate
Attack Checks for your environment:
1.
Select Security > Firewall from the menu and click
Attack Checks
to display the Attack
Checks screen (see ).
2.
Check the boxes for the Attack Checks you wish to monitor. The various types of attack
checks are listed and defined below.
3.
Click
Apply
to save your settings.
The various types of attack checks listed on the Attack Checks screen are:
WAN Security Checks
-
Respond To Ping On Internet Ports
. By default, the VPN firewall responds to an
ICMP Echo (ping) packet coming from the Internet or WAN side. Responding to a
ping can be a useful diagnostic tool when there are connectivity problems. If the ping
option is enabled, you can allow either any IP address or a specific IP address only to
respond to a ping. You can disable the ping option to prevent hackers from easily
discovering the VPN firewall via a ping.
-
Enable Stealth Mode
. In stealth mode, the VPN firewall will not respond to port scans
from the WAN or Internet, which makes it less susceptible to discovery and attacks.
-
Block TCP Flood
. A SYN flood is a form of denial of service attack in which an
attacker sends a succession of SYN requests to a target system. When the system
responds, the attacker does not complete the connection, thus saturating the server
with half-open connections. No legitimate connections can then be made.
Page 55 / 203
Chapter 4:
Firewall Protection and Content Filtering
|
55
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
When blocking is enabled, the VPN firewall will limit the lifetime of partial connections
and will be protected from a SYN flood attack.
LAN Security Checks.
-
Block UDP flood
. A UDP flood is a form of denial of service attack in which the
attacking machine sends a large number of UDP packets to random ports to the
victim host. As a result, the victim host will check for the application listening at that
port, see that no application is listening at that port, and reply with an ICMP
Destination Unreachable packet.
When the victimized system is flooded, it is forced to send many ICMP packets,
eventually making it unreachable by other clients. The attacker may also spoof the IP
address of the UDP packets, ensuring that the excessive ICMP return packets do not
reach him, making the attacker’s network location anonymous.
If flood checking is enabled, the VPN firewall will not accept more than 20
simultaneous, active UDP connections from a single computer on the LAN.
-
Disable Ping Reply on LAN Ports
. To prevent the VPN firewall from responding to
ping requests from the LAN, click this checkbox.
VPN Pass through
. When the VPN firewall is in NAT mode, all packets going to the
Remote VPN Gateway are first filtered through NAT and then encrypted per the VPN
policy.
If a VPN client or gateway on the LAN side of the VPN firewall wants to connect to
another VPN endpoint on the WAN, with the VPN firewall between the two VPN end
points, all encrypted packets will be sent to the VPN firewall. Since the VPN firewall filters
the encrypted packets through NAT, the packets become invalid.
IPSec, PPTP, and L2TP represent different types of VPN tunnels that can pass through
the VPN firewall. To allow the VPN traffic to pass through without filtering, enable those
options for the type of tunnel(s) that will pass through the VPN firewall.
Configuring Session Limits
To prevent one user or group from using excessive system resources, you can limit the total
number of IP sessions allowed through the VPN firewall for an individual or group. You can
specify the maximum number of sessions by either a percentage of maximum sessions or an
absolute number of maximum sessions. Session limiting is disabled by default.

Rate

4 / 5 based on 1 vote.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top