ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
Firewall Security and Content Filtering
v1.0, October 2008
Viewing the Firewall Rules
To view the firewall rules, go to Security > Firewall from the main menu. The LAN WAN Rules tab displays.
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu as the last item in the list, as shown in Figure 5-1. For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the bottom, before applying the default rule. In some cases, the order of precedence of two or more rules may be important in determining the disposition of a packet. For example, you should place the most strict rules at the top (those with the most specific services or addresses). The Up and Down buttons allow you to relocate a defined rule to a new position in the table.
Setting the Outbound Policy
The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (Outbound). The default policy of Allow Always can be changed to block all outbound traffic, which then allows you to enable only specific services to pass through the firewall.
To change the default outbound policy, follow these steps:
1. Go to the LAN WAN Rules tab, shown in Figure 5-1.
2. Add the outbound rules you plan to use.
3. Change the outbound policy by choosing Block Always from the drop-down menu.
Figure 5-1
4. Click Apply.
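The first-match evaluation described under "Order of Precedence for Rules" and the effect of the default outbound policy, modelled as an added example (this is not the manual's or the device's code; the Rule fields, the CIDR matching and the sample table are constructed for illustration):

```python
# Added example, not from the NETGEAR manual: a first-match evaluator for a
# LAN WAN rules table, showing why rule order decides a packet's disposition.
from dataclasses import dataclass
from ipaddress import ip_network, ip_address

@dataclass
class Rule:
    service: str   # e.g. "HTTP", "SMTP", or "ANY" (constructed field set)
    src: str       # LAN source as CIDR, or "any"
    dst: str       # WAN destination as CIDR, or "any"
    action: str    # "ALLOW" or "BLOCK"

    def matches(self, pkt):
        svc_ok = self.service == "ANY" or self.service == pkt["service"]
        src_ok = self.src == "any" or ip_address(pkt["src"]) in ip_network(self.src)
        dst_ok = self.dst == "any" or ip_address(pkt["dst"]) in ip_network(self.dst)
        return svc_ok and src_ok and dst_ok

def evaluate(rules, default_policy, pkt):
    """Walk the table top to bottom; the first matching rule wins, and the
    default policy applies only when no rule matched. Returns (action, index)."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return default_policy, None

# Constructed sample table: a specific block rule placed above a broad allow rule.
SPECIFIC_FIRST = [
    Rule("HTTP", "192.168.0.0/24", "203.0.113.0/24", "BLOCK"),
    Rule("HTTP", "any", "any", "ALLOW"),
]
# The same two rules reversed, as if the administrator had clicked Down on the block rule.
BROAD_FIRST = list(reversed(SPECIFIC_FIRST))

# Constructed outbound packet from a LAN host to a WAN web server.
PKT = {"service": "HTTP", "src": "192.168.0.10", "dst": "203.0.113.5"}

def demo():
    a = evaluate(SPECIFIC_FIRST, "ALLOW", PKT)  # ('BLOCK', 0): specific rule wins
    b = evaluate(BROAD_FIRST, "ALLOW", PKT)     # ('ALLOW', 0): block rule is shadowed
    # Default policy changed to Block Always with only an SMTP allow rule defined:
    # unmatched HTTP traffic falls through to the default and is blocked.
    c = evaluate([Rule("SMTP", "any", "any", "ALLOW")], "BLOCK", PKT)  # ('BLOCK', None)
    return a, b, c
```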
Creating a LAN WAN Outbound Services Rule
An outbound rule will block or allow the selected application from an internal LAN IP address to an external WAN IP address according to the schedule created in the Schedule menu. You can also tailor these rules to your specific needs (see “Administrator Tips” on page 5-27).
To create a new outbound service rule in the LAN WAN Rules tab:
1. Click Add under the Outbound Services Table. The Add LAN WAN Outbound Service screen is displayed.
2. Configure the parameters and click Apply to save your changes and reset the fields on this screen. The new rule will be listed in the Outbound Services table.
Creating a LAN WAN Inbound Services Rule
The Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network.
Note: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems.
To create a new inbound service rule in the LAN WAN Rules tab:
Figure 5-2
1. Click Add under the Inbound Services Table. The Add LAN WAN Inbound Service screen is displayed.
2. Configure the parameters and click Apply to save your changes and reset the fields on this screen. The new rule will be listed in the Inbound Services table.
Modifying Rules
To make changes to an existing outbound or inbound service rule:
1. In the Action column adjacent to the rule, do the following:
   - Click Edit to make any changes to the rule definition of an existing rule. The Outbound Service screen is displayed containing the data for the selected rule.
   - Click Up to move the rule up one position in the table rank.
   - Click Down to move the rule down one position in the table rank.
2. Check the radio box adjacent to the rule, then do the following:
   - Click Disable to disable the rule. The “!” Status icon will change from green to grey, indicating that the rule is disabled. (By default, when a rule is added to the table it is automatically enabled.)
   - Click Delete to delete the rule.
3. Click Select All to choose all rules.
Figure 5-3
Attack Checks
This screen allows you to specify whether or not the firewall should be protected against common attacks in the LAN and WAN networks. The various types of attack checks are listed on the Attack Checks screen and defined below:
WAN Security Checks
- Respond To Ping On Internet Ports. To allow the firewall to respond to a Ping request from the Internet, click this check box. Ping can be used as a diagnostic tool. You shouldn't check this box unless you have a specific reason to do so.
- Enable Stealth Mode. In stealth mode, the firewall will not respond to port scans from the WAN, thus making it less susceptible to discovery and attacks.
- Block TCP Flood. A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system. When the system responds, the attacker doesn’t complete the connection, thus saturating the server with half-open connections. No legitimate connections can then be made. When blocking is enabled, the firewall will limit the lifetime of partial connections and will be protected from a SYN flood attack.
LAN Security Checks
- Block UDP Flood. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) see that no application is listening at that port, and (3) reply with an ICMP Destination Unreachable packet. When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, thus making the attacker’s network location anonymous. If flood checking is enabled, the firewall will not accept more than 20 simultaneous, active UDP connections from a single computer on the LAN.
- Disable Ping Reply on LAN Ports. To prevent the firewall from responding to Ping requests from the LAN, click this checkbox.
- VPN Pass through. When the firewall is in NAT mode, all packets going to the Remote VPN Gateway are first filtered through NAT and then encrypted per the VPN policy.
  For example, if a VPN Client or Gateway on the LAN side of this firewall wants to connect to another VPN endpoint on the WAN (placing this firewall between two VPN end points), encrypted packets are sent to this firewall. Since this firewall filters the encrypted packets through NAT, the packets become invalid unless VPN pass through is enabled. When VPN pass through is enabled, the VPN tunnel will pass the VPN traffic without any filtering. Tunnels can be IPsec, PPTP, or L2TP.
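The two flood checks described above (Block TCP Flood limiting the lifetime of half-open connections, and Block UDP Flood capping a LAN host at 20 active UDP connections), modelled as an added example that is not the manual's or the device's code; the 20-connection cap is the manual's figure, while the 5-second half-open lifetime, the flow tuples and the traffic scenarios are assumptions constructed for illustration:

```python
from collections import defaultdict

UDP_PER_HOST_LIMIT = 20      # the manual's figure: 20 active UDP connections per LAN host
HALF_OPEN_LIFETIME = 5.0     # seconds; assumed value for "limit the lifetime of partial connections"

class FloodChecks:
    def __init__(self):
        self.half_open = {}                  # (src, sport, dst, dport) -> time the SYN arrived
        self.udp_active = defaultdict(set)   # LAN source IP -> set of active UDP flows

    def on_syn(self, flow, now):
        """Record a half-open TCP connection, expiring stale ones first."""
        self._expire(now)
        self.half_open[flow] = now

    def on_handshake_done(self, flow):
        """Third handshake packet seen: the connection is no longer half-open."""
        self.half_open.pop(flow, None)

    def _expire(self, now):
        # Block TCP Flood: partial connections older than the lifetime are dropped,
        # so a SYN flood cannot keep the table saturated with half-open entries.
        for flow, t in list(self.half_open.items()):
            if now - t > HALF_OPEN_LIFETIME:
                del self.half_open[flow]

    def on_udp(self, src, flow):
        """Block UDP flood: admit the flow unless the LAN host is already at the cap."""
        active = self.udp_active[src]
        if flow in active:
            return True
        if len(active) >= UDP_PER_HOST_LIMIT:
            return False
        active.add(flow)
        return True

def syn_flood_scenario():
    """Constructed flood: 1000 SYNs at t=0 never complete; one legitimate SYN arrives at t=10."""
    fc = FloodChecks()
    for port in range(1000):
        fc.on_syn(("198.51.100.7", 40000 + port, "192.168.0.99", 80), 0.0)
    fc.on_syn(("203.0.113.9", 5555, "192.168.0.99", 80), 10.0)
    return len(fc.half_open)     # 1: the flood's entries have been expired

def udp_flood_scenario():
    """Constructed flood: one LAN host opens 30 distinct UDP flows; only 20 are admitted."""
    fc = FloodChecks()
    host = "192.168.0.50"
    return sum(fc.on_udp(host, (host, 5000 + i, "203.0.113.1", 53 + i)) for i in range(30))
```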
To enable the appropriate Attack Checks for your environment:
1. Select Security > Firewall from the main/submenu.
2. Click the Attack Checks tab. The Attack Checks screen displays.
3. Select the Attack Checks you wish to initiate, and click Apply to save your settings.
Inbound Rules Examples
LAN WAN Inbound Rule: Hosting A Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day.
In the example shown in Figure 5-5, unrestricted access is provided from the Internet to the local Web server at LAN IP address 192.168.0.99.
Figure 5-4
