1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. FVX538
    5. /
  5. 16
Page 76 / 240 Scroll up to view Page 71 - 75
ProSafe VPN Firewall 200 FVX538 Reference Manual
4-16
Firewall Protection and Content Filtering
v1.0, March 2009
2.
Complete the Outbound Service screen, and save the data (see
“Outbound Rules (Service
Blocking)” on page 4-3
).
3.
Click
Reset
to cancel your settings and return to the previous settings.
4.
Click
Apply
to save your changes and reset the fields on this screen. The new rule will be
listed on the
Outbound Services
table.
LAN DMZ Inbound Services Rules
To define an Inbound LAN DMZ Rule:
1.
Click
Add
under the
Inbound Services
table. The
Add LAN DMZ Inbound Service
screen
will display.
2.
Complete the Inbound Service screen and save the data (see
“Inbound Rules (Port
Forwarding)” on page 4-6
).
3.
Click
Reset
to cancel your settings and return to the previous settings.
4.
Click
Apply
to save your settings. The new rule will be added to the
Inbound Services table.
Attack Checks
This screen allows you to specify whether or not the router should be protected against common
attacks in the DMZ, LAN and WAN networks. The various types of attack checks are listed on the
Attack Checks
screen and defined below:
WAN Security Checks
Respond To Ping On Internet Ports
. If you want the router to respond to a “Ping” from
the Internet, click this check box. This can be used as a diagnostic tool. You shouldn't
check this box unless you have a specific reason to do so.
Enable Stealth Mode
. If enabled, the router will not respond to port scans from the WAN,
thus making it less susceptible to discovery and attacks.
Block TCP Flood.
A SYN flood is a form of denial of service attack in which an attacker
sends a succession of SYN requests to a target system. When the system responds, the
attacker doesn’t complete the connections, thus leaving the connection half-open and
flooding the server with SYN messages. No legitimate connections can then be made.
When enabled, the router will drop all invalid TCP packets and will be protected from a
SYN flood attack.
Page 77 / 240
ProSafe VPN Firewall 200 FVX538 Reference Manual
Firewall Protection and Content Filtering
4-17
v1.0, March 2009
LAN Security Checks.
A UDP flood is a form of denial of service attack that can be initiated
when one machine sends a large number of UDP packets to random ports on a remote host. As
a result, the distant host will (1) check for the application listening at that port, (2) see that no
application is listening at that port and (3) reply with an ICMP Destination Unreachable
packet.
When the victimized system is flooded, it is forced to send many ICMP packets, eventually
making it unreachable by other clients. The attacker may also spoof the IP address of the UDP
packets, ensuring that the excessive ICMP return packets do not reach him, thus making the
attacker’s network location anonymous.
If enabled, the router will not accept more than 20 simultaneous, active UDP connections from
a single computer on the LAN.
VPN Pass through
. When the router is in NAT mode, all packets going to the Remote VPN
Gateway are first filtered through NAT and then encrypted per the VPN policy.
For example, if a VPN Client or Gateway on the LAN side of this router wants to connect to
another VPN endpoint on the WAN (placing this router between two VPN end points),
encrypted packets are sent to this router. Since this router filters the encrypted packets through
NAT, the packets become invalid unless VPN Pass through is enabled.
When enabled, the VPN tunnel will pass the VPN traffic without any filtering. Tunnels can be:
IPSec
PPTP
L2TP
To enable the appropriate Attack Checks for your environment:
1.
Select
Security
from the main menu,
Firewall Rules
from the submenu and then the
Attack
Checks
tab. The
Attack Checks
screen will display.
2.
Check the radio boxes of the Attack Checks you wish to initiate.
3.
Click
Apply
to save your settings
Page 78 / 240
ProSafe VPN Firewall 200 FVX538 Reference Manual
4-18
Firewall Protection and Content Filtering
v1.0, March 2009
.
Session Limit
Session Limit allows you to specify the total number of sessions allowed, per user, over an IP
(Internet Protocol) connection across the router. This feature is enabled on the
Session Limit
screen and shown below in
Figure 4-9
. Session Limit is disabled by default.
.
Figure 4-8
Figure 4-9
Page 79 / 240
ProSafe VPN Firewall 200 FVX538 Reference Manual
Firewall Protection and Content Filtering
4-19
v1.0, March 2009
To enable
Session Limit
:
1.
Click the
Yes
radio button under
Do you want to enable Session Limit
?
2.
From the
User Limit Parameter
drop-down list, define the maximum number of sessions per
IP either as a percentage of maximum sessions or as an absolute.
The percentage is computed on the total connection capacity of the device.
3.
Enter the
User Limit
. If the User Limit Parameter is set to
Percentage of Max Sessions
, this
is the maximum number of sessions allowed from a single source machine as a percentage of
the total connection capacity. (Session Limit is per machine based.) Otherwise, if the User
Limit Parameter is set to
Number of Sessions
, the user limit is an absolute value.
The
Total Number of Packets Dropped due to Session Limit
field shows total number of
packets dropped when session limit is reached.
4.
In the
Session Timeout
section, modify the TCP, UDP and ICMP timeout values as you
require. A session will expire if no data for the session is received for the duration of the
timeout value. The default timeout values are 1200 seconds for TCP sessions, 180 seconds for
UDP sessions, and 8 seconds for ICMP sessions.
5.
Click
Apply
to save your settings.
Note:
Some protocols (such as FTP or RSTP) create two sessions per connection
which should be considered when configuring Session Limiting.
Page 80 / 240
ProSafe VPN Firewall 200 FVX538 Reference Manual
4-20
Firewall Protection and Content Filtering
v1.0, March 2009
Inbound Rules Examples
LAN WAN Inbound Rule: Hosting A Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web
(HTTP) requests from any outside IP address to the IP address of your Web server at any time of
day.
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside
IP addresses, such as from a branch office, you can create an inbound rule.
Figure 4-10
Figure 4-11

Rate

4 / 5 based on 1 vote.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top