1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. SRXN3205
    5. /
  5. 16
Page 76 / 218 Scroll up to view Page 71 - 75
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
5-2
Firewall Security and Content Filtering
v1.0, October 2008
A firewall incorporates the functions of a NAT (Network Address Translation) router, while
adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic
that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall
uses a process called stateful packet inspection to protect your network from attacks and
intrusions. NAT performs a very limited stateful inspection in that it considers whether the
incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far
beyond NAT.
Using Rules & Services to Block or Allow Traffic
Firewall rules and services are used to block or allow specific traffic passing through from one side
to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources,
selectively allowing only specific outside users to access specific resources. Outbound rules (LAN
to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound traffic. The default
rules of the SRXN3205 are:
Inbound
. Block all access from outside except responses to requests from the LAN side.
Outbound
. Allow all access from the LAN side to the outside.
User-defined firewall rules for blocking or allowing traffic on the firewall can be applied to
inbound or outbound traffic.
Services-Based Rules
The rules to block traffic are based on the traffic’s category of service.
Outbound Rules (service blocking)
. Outbound traffic is normally allowed unless the firewall
is configured to disallow it.
Inbound Rules (port forwarding)
. Inbound traffic is normally blocked by the firewall unless
the traffic is in response to a request from the LAN side. The firewall can be configured to
allow this otherwise blocked traffic.
Customized Services
. Additional services can be added to the list of services in the factory
default list. These added services can then have rules defined for them to either allow or block
that traffic (see
“Adding Customized Services” on page 5-15
.
Page 77 / 218
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
Firewall Security and Content Filtering
5-3
v1.0, October 2008
Quality of Service (QoS) priorities
. Each service at its own native priority that impacts its
quality of performance and tolerance for jitter or delays. You can change this QoS priority if
desired to change the traffic mix through the system (see
“Setting Quality of Service (QoS)
Priorities” on page 5-16
).
Outbound Rules (Service Blocking)
The SRXN3205 allows you to block the use of certain Internet services by PCs on your network.
This is called service blocking or port filtering.
Note:
See
“Enabling Source MAC Filtering (Address Filter)” on page 5-20
for yet
another way to block outbound traffic from selected PCs that would otherwise be
allowed by the firewall.
Table 5-1.
Outbound Rules
Item
Description
Service Name
Select the desired Service or application to be covered by this rule. If the desired
service or application does not appear in the list, you must define it using the
Services menu (see
“Adding Customized Services” on page 5-15
).
Action (Filter)
Select the desired action for outgoing connections covered by this rule:
BLOCK always
BLOCK by schedule, otherwise Allow
ALLOW always
ALLOW by schedule, otherwise Block
Note
: Any outbound traffic which is not blocked by rules you create will be allowed by
the Default rule.
ALLOW rules are only useful if the traffic is already covered by a BLOCK rule. That
is, you wish to allow a subset of traffic that is currently blocked by another rule.
Action (Select
Schedule)
Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be
used by this rule.
This drop down menu gets activated only when “BLOCK by schedule, otherwise
Allow” or “ALLOW by schedule, otherwise Block” is selected as Action.
Use schedule page to configure the time schedules (see
“Setting Schedules to
Block or Allow Traffic” on page 5-17
).
Page 78 / 218
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
5-4
Firewall Security and Content Filtering
v1.0, October 2008
Inbound Rules (Port Forwarding)
When the SRXN3205 uses Network Address Translation (NAT), your network presents only one
IP address to the Internet and outside users cannot directly address any of your local computers.
However, by defining an inbound rule you can make a local server (for example, a Web server or
game server) visible and available to the Internet. The rule tells the firewall to direct inbound
traffic for a particular service to one local server based on the destination port number. This is also
known as port forwarding.
Whether or not DHCP is enabled, how the PCs will access the server’s LAN address impacts the
Inbound Rules. For example:
LAN users
These settings determine which computers on your network are affected by this rule.
Select the desired options:
Any – All PCs and devices on your LAN.
Single address – Enter the required address and the rule will be applied to that
particular PC.
Address range – If this option is selected, you must enter the start and finish fields.
Groups – Select the Group to which this rule will apply. Use the LAN Groups screen
(under Network Configuration) to assign PCs to Groups. See
“Managing Groups
and Hosts (LAN Groups)” on page 3-4
.
WAN Users
These settings determine which Internet locations are covered by the rule, based on
their IP address. Select the desired option:
Any – All Internet IP address are covered by this rule.
Single address – Enter the required address in the start field.
Address range – If this option is selected, you must enter the start and end fields.
QoS Priority
This setting determines the priority of a service which, in turn, determines the quality
of that service for the traffic passing through the firewall. By default, the priority
shown is that of the selected service. The user can change it accordingly. If the user
does not make a selection (leaves it as Normal-Service), then the native priority of
the service will be applied to the policy. See
“Setting Quality of Service (QoS)
Priorities” on page 5-16
.
Log
This determines whether packets covered by this rule are logged. Select the desired
action:
Always – always log traffic considered by this rule, whether it matches or not. This
is useful when debugging your rules.
Never – never log traffic considered by this rule, whether it matches or not.
Table 5-1.
Outbound Rules (continued)
Item
Description
Page 79 / 218
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
Firewall Security and Content Filtering
5-5
v1.0, October 2008
If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP
address may change periodically as the DHCP lease expires. Consider using
Dyamic DNS
(under Network Configuration) so that external users can always find your network (see
“Configuring Dynamic DNS” on page 2-11
.
If the IP address of the local server PC is assigned by DHCP, it may change when the PC is
rebooted. To avoid this, use the Reserved IP address feature in the
LAN Groups
menu (under
Network Configuration) to keep the PC’s IP address constant (see
“Configuring DHCP
Address Reservation” on page 3-4
.
Local PCs must access the local server using the server’s local LAN address. Attempts by
local PCs to access the server using the external WAN IP address will fail.
Note:
See
“Enabling Port Triggering” on page 5-23
for yet another way to allow
certain types of inbound traffic that would otherwise be blocked by the
firewall.
Table 5-2.
Inbound Rules
Item
Description
Service
Select the desired Service or application to be covered by this rule. If the desired
service or application does not appear in the list, you must define it using the
Services menu (see
“Adding Customized Services” on page 5-15
).
Action (Filter)
Select the desired action for packets covered by this rule:
BLOCK always
BLOCK by schedule, otherwise Allow
ALLOW always
ALLOW by schedule, otherwise Block
Note
: Any inbound traffic which is not allowed by rules you create will be blocked by
the Default rule.
Schedule
Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be
used by this rule (see
“Setting Schedules to Block or Allow Traffic” on page 5-17
).
This drop down menu gets activated only when “BLOCK by schedule, otherwise
Allow” or “ALLOW by schedule, otherwise Block” is selected as Action.
Use schedule page to configure the time schedules.
Send to LAN Server
This LAN address determines which computer on your network is hosting this service
rule. (You can also translate this address to a port number.)
Translate to Port
Number
Check the “Translate to Port Number” and enter a port number if you want to assign
the LAN Server to a different service port number. Inbound traffic to the service port
will have the destination port number modified to the port number configured here.
Page 80 / 218
ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
5-6
Firewall Security and Content Filtering
v1.0, October 2008
Remember that allowing inbound services opens holes in your firewall. Only enable those ports
that are necessary for your network. It is also advisable to turn on the server application security
and invoke the user password or privilege levels, if provided.
WAN Users
These settings determine which Internet locations are covered by the rule, based on
their IP addresses. Select the desired option:
Any – All Internet IP address are covered by this rule.
Single address – Enter the required address in the start field.
Address range – If this option is selected, you must enter the start and end fields.
WAN Destination IP
Address
This setting determines the destination IP address applicable to incoming traffic.
This is the public IP address that will map to the internal LAN server; it can either be
the address of the WAN1 or WAN2 ports or another public IP address
.
Log
This determines whether packets covered by this rule are logged. Select the desired
action:
Always – Always log traffic considered by this rule, whether it matches or not. This
is useful when debugging your rules.
Never – Never log traffic considered by this rule, whether it matches or not.
Note:
Some residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may
periodically check for servers and may suspend your account if it discovers any
active services at your location. If you are unsure, refer to the Acceptable Use
Policy of your ISP.
Table 5-2.
Inbound Rules (continued)
Item
Description

Rate

3.5 / 5 based on 2 votes.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top