ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Firewall Protection (page 136)

Overview of Rules to Block or Allow Specific Kinds of Traffic
- Outbound Rules (Service Blocking)
- Inbound Rules (Port Forwarding)
- Order of Precedence for Rules
Firewall rules are used to block or allow specific traffic passing through from one side to the
other. You can configure up to 600 firewall rules on the VPN firewall (see the following table).
Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively
allowing only specific outside users to access specific resources. Outbound rules (LAN to
WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default
rules of the VPN firewall are:
- Inbound. Block all access from outside except responses to requests from the LAN side.
- Outbound. Allow all access from the LAN side to the outside.
The firewall rules for blocking and allowing traffic on the VPN firewall can be applied to LAN
WAN traffic, DMZ WAN traffic, and LAN DMZ traffic.
The rules to block or allow traffic are based on the traffic’s category of service:
- Outbound rules (service blocking). Outbound traffic is allowed unless you configure
  the firewall to block specific or all outbound traffic.
- Inbound rules (port forwarding). Inbound traffic is blocked unless the traffic is in
  response to a request from the LAN side. You can configure the firewall to allow specific
  or all inbound traffic.
- Customized services. You can add additional services to the list of services in the
  factory defaults list. You can then define rules for these added services to either allow or
  block that traffic (see Add Customized Services on page 177).
- Quality of Service (QoS) priorities. Each service has its own native priority that impacts
  its quality of performance and tolerance for jitter or delays. You can change the QoS
  priority, which changes the traffic mix through the system (see Create Quality of Service
  Profiles for IPv4 Firewall Rules on page 184 and Quality of Service Priorities for IPv6
  Firewall Rules on page 186).
Table 32. Number of supported firewall rule configurations

Traffic Rule   Maximum Number of   Maximum Number of   Maximum Number of
               Outbound Rules      Inbound Rules       Combined Supported Rules
LAN WAN        300                 300                 600
DMZ WAN         50                  50                 100
LAN DMZ         50                  50                 100
Total Rules    400                 400                 800
- Bandwidth profiles. After you have configured a bandwidth profile (see Create Bandwidth
  Profiles on page 181), you can assign it to a rule.
Outbound Rules (Service Blocking)
The VPN firewall allows you to block the use of certain Internet services by computers on
your network. This is called service blocking or port filtering.
Note: See Enable Source MAC Filtering on page 190 for yet another way to block outbound
traffic from selected computers that would otherwise be allowed by the firewall.

The following table describes the fields that define the rules for outbound traffic and that are
common to most Outbound Service screens (see Figure 77 on page 148, Figure 83 on
page 154, and Figure 89 on page 160).

The steps to configure outbound rules are described in the following sections:
- Configure LAN WAN Rules
- Configure DMZ WAN Rules
- Configure LAN DMZ Rules
Table 33. Outbound rules overview
Columns: Setting; Description; Outbound Rules (the rule types to which the setting applies)

Service
  The service or application to be covered by this rule. If the service or application does
  not display in the list, you need to define it using the Services screen (see Add
  Customized Services on page 177).
  Applies to: All rules

Action
  The action for outgoing connections covered by this rule:
  - BLOCK always
  - BLOCK by schedule, otherwise allow
  - ALLOW always
  - ALLOW by schedule, otherwise block
  Note: Any outbound traffic that is not blocked by rules you create is allowed by the
  default rule.
  Note: ALLOW rules are useful only if the traffic is already covered by a BLOCK rule. That
  is, you wish to allow a subset of traffic that is blocked by another rule.
  Applies to: All rules
Select Schedule
  The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is used by this rule.
  This drop-down list is activated only when BLOCK by schedule, otherwise allow or ALLOW
  by schedule, otherwise block is selected as the action. Use the Schedule screen to
  configure the time schedules (see Set a Schedule to Block or Allow Specific Traffic on
  page 189).
  Applies to: All rules when BLOCK by schedule, otherwise allow or ALLOW by schedule,
  otherwise block is selected as the action

LAN Users
  The settings that determine which computers on your network are affected by this rule.
  The options are:
  - Any. All computers and devices on your LAN.
  - Single address. Enter the required address in the Start field to apply the rule to a
    single device on your LAN.
  - Address range. Enter the required addresses in the Start and Finish fields to apply the
    rule to a range of devices.
  - Group. Select the LAN group to which the rule applies. Use the LAN Groups screen to
    assign computers to groups (see Manage the Network Database on page 97). Groups
    apply only to IPv4 rules.
  - IP Group. Select the IP group to which the rule applies. Use the IP Groups screen to
    assign IP addresses to groups. See Create IP Groups on page 179.
  Applies to: LAN WAN rules, LAN DMZ rules

WAN Users
  The settings that determine which Internet locations are covered by the rule, based on
  their IP address. The options are:
  - Any. All Internet IP addresses are covered by this rule.
  - Single address. Enter the required address in the Start field.
  - Address range. Enter the required addresses in the Start and Finish fields.
  - IP Group. Select the IP group to which the rule applies. Use the IP Groups screen to
    assign IP addresses to groups. See Create IP Groups on page 179.
  Applies to: LAN WAN rules, DMZ WAN rules

DMZ Users
  The settings that determine which computers on the DMZ network are affected by this
  rule. The options are:
  - Any. All computers and devices on your DMZ network.
  - Single address. Enter the required address in the Start field to apply the rule to a
    single computer on the DMZ network.
  - Address range. Enter the required addresses in the Start and Finish fields to apply the
    rule to a range of DMZ computers.
  Applies to: DMZ WAN rules, LAN DMZ rules
QoS Profile or QoS Priority
  The priority assigned to IP packets of this service. The priorities are defined by Type of
  Service in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines
  the priority of a service, which, in turn, determines the quality of that service for the
  traffic passing through the firewall.
  The VPN firewall marks the Type of Service (ToS) field as defined in the QoS profiles that
  you create. For more information, see Create Quality of Service Profiles for IPv4 Firewall
  Rules on page 184 and Quality of Service Priorities for IPv6 Firewall Rules on page 186.
  Note: There are no default QoS profiles on the VPN firewall. After you have created a QoS
  profile, it can become active only when you apply it to a nonblocking inbound or outbound
  firewall rule.
  Note: QoS profiles and QoS priorities do not apply to LAN DMZ rules.
  Applies to: QoS Profile: IPv4 LAN WAN rules, IPv4 DMZ WAN rules. QoS Priority: IPv6 LAN
  WAN rules, IPv6 DMZ WAN rules

Bandwidth Profile
  Bandwidth limiting determines how the data is sent to and from your host. The purpose of
  bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic,
  thus preventing the LAN users from consuming all the bandwidth of the Internet link. For
  more information, see Create Bandwidth Profiles on page 181. For outbound traffic, you
  can configure bandwidth limiting only on the WAN interface for a LAN WAN rule.
  Note: Bandwidth limiting does not apply to the DMZ interface.
  Applies to: IPv4 LAN WAN rules

Log
  The setting that determines whether packets covered by this rule are logged. The options
  are:
  - Always. Always log traffic that matches this rule. This is useful when you are debugging
    your rules.
  - Never. Never log traffic that matches this rule.
  Applies to: All rules

NAT IP
  The setting that specifies whether the source address of the outgoing packets on the WAN
  is autodetected, is assigned the address of the WAN interface, or is a different IP address.
  You can specify these settings only for outbound traffic of the WAN interface. The options
  are:
  - Auto. The source address of the outgoing packets is autodetected through the configured
    routing and load balancing rules.
  - WAN Interface Address. All the outgoing packets on the WAN are assigned to the address
    of the specified WAN interface.
  - Single Address. All the outgoing packets on the WAN are assigned to the specified IP
    address, for example, a secondary WAN address that you have configured.
  Note: The NAT IP drop-down list is available only when the WAN mode is NAT. If you select
  Single Address, the IP address specified should fall under the WAN subnet.
  Applies to: IPv4 LAN WAN rules, IPv4 DMZ WAN rules
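As an added illustration that is not part of the manual or of NETGEAR firmware, the following Python model walks through the Table 33 Action semantics for a LAN WAN outbound rule set: the four BLOCK/ALLOW actions resolved against a schedule, the LAN Users and WAN Users selectors, the default outbound rule that allows anything no rule covers, and the Table 32 limit of 300 outbound LAN WAN rules. It assumes first-match evaluation (so the ALLOW for a subset is listed before the broader BLOCK, as the Action note requires), that a service is a (protocol, port) pair, and that a schedule is the set of hours during which it is active; the addresses and Schedule1 hours are constructed.

```python
# Constructed model of the SRX5308 outbound (LAN WAN) rule semantics from Table 33 and the
# Table 32 limit; not NETGEAR code. Assumes first-match order and hour-of-day schedules.
from dataclasses import dataclass
from ipaddress import ip_address

LAN_WAN_OUTBOUND_MAX = 300  # Table 32: maximum outbound LAN WAN rules
ACTIONS = {  # the four Table 33 actions as (decision in schedule, decision out of schedule)
    "BLOCK always": ("BLOCK", "BLOCK"),
    "ALLOW always": ("ALLOW", "ALLOW"),
    "BLOCK by schedule, otherwise allow": ("BLOCK", "ALLOW"),
    "ALLOW by schedule, otherwise block": ("ALLOW", "BLOCK"),
}

@dataclass(frozen=True)
class Rule:
    service: tuple                     # e.g. ("tcp", 80)
    action: str                        # a key of ACTIONS
    lan_users: tuple = ("Any",)        # ("Any",) | ("Single", ip) | ("Range", start, finish)
    wan_users: tuple = ("Any",)        # same selector forms, applied to the destination
    schedule: frozenset = frozenset()  # hours (0-23) during which the rule's schedule is active

def selects(selector, addr):
    """Does a LAN Users / WAN Users selector cover this address?"""
    kind = selector[0]
    if kind == "Any":
        return True
    if kind == "Single":
        return addr == ip_address(selector[1])
    if kind == "Range":  # Start and Finish fields, inclusive
        return ip_address(selector[1]) <= addr <= ip_address(selector[2])
    raise ValueError(f"unknown selector {kind}")

def evaluate_outbound(rules, src, dst, service, hour):
    """Return (decision, matched_rule); unmatched traffic hits the default outbound ALLOW."""
    if len(rules) > LAN_WAN_OUTBOUND_MAX:
        raise ValueError("more than 300 outbound LAN WAN rules (Table 32)")
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if (rule.service == service and selects(rule.lan_users, src)
                and selects(rule.wan_users, dst)):
            return ACTIONS[rule.action][0 if hour in rule.schedule else 1], rule
    return "ALLOW", None

WORK_HOURS = frozenset(range(9, 18))  # constructed Schedule1: 09:00 to 17:59
# Constructed rule set: the single-host ALLOW precedes the broader scheduled BLOCK.
RULES = [
    Rule(("tcp", 80), "ALLOW always", lan_users=("Single", "192.168.1.10")),
    Rule(("tcp", 80), "BLOCK by schedule, otherwise allow",
         lan_users=("Range", "192.168.1.2", "192.168.1.254"), schedule=WORK_HOURS),
]
```

Calling `evaluate_outbound(RULES, "192.168.1.50", "93.184.216.34", ("tcp", 80), 10)` returns `("BLOCK", RULES[1])`, while the same query at hour 20, or for TCP port 443, falls through to the default ALLOW.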
Inbound Rules (Port Forwarding)
If you have enabled Network Address Translation (NAT), your network presents one IP
address only to the Internet, and outside users cannot directly access any of your local
computers (LAN users). (For information about configuring NAT, see Network Address
Translation on page 29.) However, by defining an inbound rule you can make a local server
(for example, a web server or game server) visible and available to the Internet. The rule
informs the firewall to direct inbound traffic for a particular service to one local server based
on the destination port number. This process is also known as port forwarding.

WARNING: Allowing inbound services opens security holes in your network. Only enable
those ports that are necessary for your network.

Whether or not DHCP is enabled, how the computer accesses the server’s LAN address
affects the inbound rules. For example:
- If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP
  address might change periodically as the DHCP lease expires. Consider using Dynamic
  DNS so that external users can always find your network (see Configure Dynamic DNS on
  page 49).
- If the IP address of the local server computer is assigned by DHCP, it might change when
  the computer is rebooted. To avoid this, use the Reserved (DHCP Client) feature in the
  LAN Groups screen to keep the computer’s IP address constant (see Set Up DHCP
  Address Reservation on page 101).
- Local computers need to access the local server using the server’s local LAN address.
  Attempts by local computers to access the server using the external WAN IP address will
  fail.

Note: See Configure Port Triggering on page 197 for yet another way to allow certain types
of inbound traffic that would otherwise be blocked by the firewall.

Note: The VPN firewall always blocks denial of service (DoS) attacks. A DoS attack does not
attempt to steal data or damage your computers, but overloads your Internet connection so
you cannot use it (that is, the service becomes unavailable).