ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual
5-12
Firewall Security and Content Filtering
v1.0, October 2008
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside
IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in
Figure 5-6, CU-SeeMe connections are allowed to a local host only from a specified range of
external IP addresses. Connections are blocked during the period specified by Schedule 1.
LAN WAN Inbound Rule: Setting Up One-to-One NAT Mapping
If you arrange with your ISP to have more than one public IP address for your use, you can use the
additional public IP addresses to map to servers on your LAN. One of these public IP addresses
will be used as the primary IP address of the firewall. This address will be used to provide Internet
access to your LAN PCs through NAT. The other addresses are available to map to your servers.
Figure 5-5
Figure 5-6
In the example shown in Figure 5-7, we have configured multi-NAT to support multiple public IP
addresses on one WAN interface. The inbound rule instructs the firewall to host an additional
public IP address (10.1.0.5) and to associate this address with the Web server on the LAN (at
192.168.0.2). We also instruct the firewall to translate the incoming HTTP port number (port 80)
to a different port number (port 8080).
The following addressing scheme is used in this example:
Firewall SRXN3205
    WAN primary public IP address: 10.1.0.1
    WAN additional public IP address: 10.1.0.5
    LAN IP address: 192.168.1.1
Web server PC on the firewall’s LAN
    LAN IP address: 192.168.1.11
    Port number for Web service: 8080
To test the connection from a PC on the WAN side, type
The home page of the Web server should appear.
LAN WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on
the Internet for services that you have not yet defined.
To expose one of the PCs on your LAN as this host:
1. Create an inbound rule that allows all protocols.
Figure 5-7
2. Place the new rule below all other inbound rules.
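The three inbound-rule examples above (a service allowed only from a restricted source range, one-to-one NAT of an additional public address with port translation, and an exposed host placed last) all depend on first-match rule ordering. The following added example, which is not NETGEAR's code and does not model the SRXN3205 internals, evaluates such a rule list over constructed packets and shows why step 2 matters: when the exposed-host rule is moved above the others it shadows the NAT rule. The CU-SeeMe port (UDP 7648), the branch-office source range, the schedule hours and the LAN addresses of the conferencing and exposed hosts are assumptions; the public and Web-server addresses follow the addressing scheme above.

```python
"""Added example, not NETGEAR's code: a first-match evaluator for LAN WAN
inbound rules. Packets, ranges and the CU-SeeMe port are constructed values."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # external source IP
    dst: str      # public (WAN) address the packet was sent to
    proto: str    # "TCP", "UDP" or "ICMP"
    dport: int    # destination port


@dataclass
class InboundRule:
    name: str
    proto: str                                 # "TCP", "UDP", "ICMP" or "ANY"
    dports: Optional[Tuple[int, int]]          # destination port range, None = any port
    src_range: Optional[Tuple[str, str]]       # allowed external source range, None = any
    wan_addr: Optional[str]                    # public address the rule serves, None = any
    action: str                                # "ALLOW" or "BLOCK"
    translate_to: Optional[Tuple[str, Optional[int]]] = None  # (LAN IP, LAN port; None keeps dport)
    active_hours: Optional[Tuple[int, int]] = None            # schedule [start, end) hour, None = always

    def matches(self, pkt: Packet, hour: int) -> bool:
        if self.active_hours and not (self.active_hours[0] <= hour < self.active_hours[1]):
            return False
        if self.proto != "ANY" and self.proto != pkt.proto:
            return False
        if self.dports and not (self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        if self.src_range:
            lo, hi = (IPv4Address(a) for a in self.src_range)
            if not (lo <= IPv4Address(pkt.src) <= hi):
                return False
        if self.wan_addr and self.wan_addr != pkt.dst:
            return False
        return True


def evaluate(rules, pkt: Packet, hour: int = 12, default: str = "BLOCK"):
    """Walk the ordered rule list; the first matching rule decides.
    Returns (rule name, action, (LAN IP, LAN port) or None)."""
    for rule in rules:
        if rule.matches(pkt, hour):
            target = None
            if rule.action == "ALLOW" and rule.translate_to:
                lan_ip, lan_port = rule.translate_to
                target = (lan_ip, lan_port if lan_port is not None else pkt.dport)
            return rule.name, rule.action, target
    return "default", default, None


# Order matters: the exposed-host rule sits below all other inbound rules.
RULES = [
    # CU-SeeMe (assumed UDP 7648) to a conferencing host, only from the branch office range
    InboundRule("cuseeme-from-branch", "UDP", (7648, 7648),
                ("203.0.113.10", "203.0.113.20"), "10.1.0.1", "ALLOW",
                ("192.168.1.20", None), active_hours=(8, 18)),
    # one-to-one NAT: additional public 10.1.0.5 port 80 -> Web server 192.168.1.11 port 8080
    InboundRule("web-one-to-one-nat", "TCP", (80, 80), None, "10.1.0.5", "ALLOW",
                ("192.168.1.11", 8080)),
    # exposed host (assumed 192.168.1.50): all protocols, any source, any public address
    InboundRule("exposed-host", "ANY", None, None, None, "ALLOW",
                ("192.168.1.50", None)),
]


def demo():
    web = Packet("198.51.100.7", "10.1.0.5", "TCP", 80)
    conf_branch = Packet("203.0.113.15", "10.1.0.1", "UDP", 7648)
    conf_other = Packet("198.51.100.7", "10.1.0.1", "UDP", 7648)
    return {
        "web": evaluate(RULES, web),                           # translated to 192.168.1.11:8080
        "conf_branch": evaluate(RULES, conf_branch),           # allowed by the restricted rule
        "conf_other": evaluate(RULES[:2], conf_other),         # no exposed host: default BLOCK
        "conf_other_exposed": evaluate(RULES, conf_other),     # exposed host receives everything else
        "exposed_first": evaluate([RULES[2]] + RULES[:2], web),  # misordered: NAT rule is shadowed
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The last entry of `demo()` is the failure mode the manual's step 2 prevents: with the allow-all rule on top, traffic for the Web server's public address is handed to the exposed host instead of the NAT target.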
Outbound Rules Example
Outbound rules let you prevent users from using applications such as Instant Messenger, Real
Audio, or other non-essential services.
LAN WAN Outbound Rule: Blocking Instant Messenger
To block Instant Messenger usage by employees during working hours, you can create an
outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created in the Schedule menu. You can also have the
firewall log any attempt to use Instant Messenger during that blocked period.
Enabling Session Limits
This screen lets you specify the total number of sessions that a single user (IP address) may open
through the router. Session limiting is disabled by default. When you enable it, you can express
the maximum number of sessions per IP either as a percentage of the maximum sessions or as an
absolute number of sessions. To express the limit as a percentage, select the “Yes” radio button;
otherwise select the “No” radio button. The percentage is computed on the total connection
capacity of the device. “User Limit” specifies the maximum number of sessions allowed through
the router from a single source machine (session limiting is per machine), as a percentage of the
total connection capacity. Note that some protocols, such as FTP and RTSP, create two sessions
per connection; take this into account when configuring session limiting. The label “Total Number
of Packets Dropped due to Session Limit:” shows the total number of packets dropped after the
session limit was reached.
The Session TimeOut table displays the TCP, UDP, and ICMP timeout values. The default timeout
values are 1200 seconds for TCP, 180 seconds for UDP, and 8 seconds for ICMP. You can also
configure user-defined timeout values. The maximum timeout value is 43200 seconds.
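To make the per-IP accounting concrete, here is an added example (not NETGEAR's code, and not a description of the SRXN3205's implementation) of a session limiter that applies the percentage-or-absolute "User Limit", tracks the dropped-packet counter, and expires idle sessions using the TCP/UDP/ICMP timeouts and the 43200-second ceiling quoted above. The device capacity of 1000 sessions and the sample flows are constructed values; FTP is modelled as the two sessions per connection the text warns about.

```python
"""Added example, not NETGEAR's code: per-source-IP session limiting with
idle timeouts. Capacity and flows are constructed for the example."""
from dataclasses import dataclass, field

DEFAULT_TIMEOUTS = {"TCP": 1200, "UDP": 180, "ICMP": 8}   # seconds, as listed in the manual
MAX_TIMEOUT = 43200                                        # upper bound stated in the manual


@dataclass
class SessionLimiter:
    capacity: int                  # total connection capacity of the device (constructed)
    user_limit: float              # "User Limit" value entered on the screen
    as_percentage: bool = True     # "Yes": user_limit is a % of capacity; "No": absolute count
    timeouts: dict = field(default_factory=lambda: dict(DEFAULT_TIMEOUTS))
    sessions: dict = field(default_factory=dict)   # (src, proto, sport, dst, dport) -> last-seen time
    dropped: int = 0               # "Total Number of Packets Dropped due to Session Limit"

    def set_timeout(self, proto: str, seconds: int) -> None:
        if not 1 <= seconds <= MAX_TIMEOUT:
            raise ValueError(f"timeout must be between 1 and {MAX_TIMEOUT} seconds")
        self.timeouts[proto] = seconds

    def per_ip_limit(self) -> int:
        if self.as_percentage:
            return int(self.capacity * self.user_limit / 100)
        return int(self.user_limit)

    def expire(self, now: float) -> None:
        """Forget sessions idle for at least their protocol's timeout."""
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t < self.timeouts[k[1]]}

    def count_for(self, src: str) -> int:
        return sum(1 for k in self.sessions if k[0] == src)

    def packet(self, now: float, src: str, proto: str, sport: int, dst: str, dport: int) -> bool:
        """Admit one packet. Returns True if forwarded, False if dropped by the limit."""
        self.expire(now)
        key = (src, proto, sport, dst, dport)
        if key in self.sessions:
            self.sessions[key] = now          # existing session: refresh its idle timer
            return True
        if self.count_for(src) >= self.per_ip_limit():
            self.dropped += 1                 # new session over the per-machine limit
            return False
        self.sessions[key] = now
        return True


def demo():
    lim = SessionLimiter(capacity=1000, user_limit=1.0)   # 1% of 1000 = 10 sessions per IP
    src = "192.168.1.23"
    # FTP opens a control session and a data session per connection: 5 connections = 10 sessions
    for i in range(5):
        lim.packet(0, src, "TCP", 40000 + i, "203.0.113.5", 21)
        lim.packet(0, src, "TCP", 41000 + i, "203.0.113.5", 20)
    at_limit = lim.count_for(src)
    eleventh = lim.packet(1, src, "TCP", 42000, "203.0.113.6", 80)            # over the limit
    other_host = lim.packet(1, "192.168.1.24", "TCP", 42000, "203.0.113.6", 80)  # limit is per machine
    after_idle = lim.packet(1 + DEFAULT_TIMEOUTS["TCP"], src, "TCP", 42001, "203.0.113.6", 80)
    return {
        "per_ip_limit": lim.per_ip_limit(),
        "sessions_at_limit": at_limit,
        "eleventh_forwarded": eleventh,
        "other_host_forwarded": other_host,
        "after_timeout_forwarded": after_idle,
        "dropped": lim.dropped,
    }


if __name__ == "__main__":
    print(demo())
```

A percentage limit scales with the device's capacity, so the same "1%" means a different session count on a larger unit; the absolute form (`as_percentage=False`) pins the count regardless of capacity.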
Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When
a computer on your LAN is designated as the exposed host, it loses much of the protection of the
firewall and is exposed to many exploits from the Internet. If compromised, the computer can be
used to attack your network.
Adding Customized Services
Services are functions performed by server computers at the request of client computers. For
example, Web servers serve Web pages, time servers serve time and date information, and game
hosts serve data about other players’ moves. When a computer on the Internet sends a request for
service to a server computer, the requested service is identified by a service or port number. This
number appears as the destination port number in the transmitted IP packets. For example, a packet
that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task
Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other
applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the SRXN3205 already holds a list of many service port numbers, you are not limited to
these choices. Use the Services screen to add additional services and applications to the list for use
in defining firewall rules. The Services menu shows a list of services that you have defined, as
shown in Figure 5-8.
To define a new service, first you must determine which port number or range of numbers is used
by the application. This information can usually be determined by contacting the publisher of the
application or from user groups or newsgroups. When you have the port number information, you
can enter it on the Services screen.
To add a custom service:
1. Select Security > Services from the main/submenu; the Services screen displays.
2. In the Add Custom Services section, enter a descriptive name for the service (this name is for
your convenience).
3. Select the Layer 3 transport protocol of the service: TCP, UDP, or ICMP.
4. Enter the first TCP or UDP port of the range that the service uses.
5. Enter the last port of the range that the service uses. If the service only uses a single port
number, enter the same number in both fields.
Figure 5-8
6. Click Add. The new custom service will be added to the Custom Services Table.
Modifying a Service
To edit the parameters of an existing service:
1. In the Custom Services Table, click the Edit button adjacent to the service you want to edit.
The Edit Service screen is displayed.
2. Modify the parameters you wish to change.
3. Click Apply to confirm your changes. The modified service is displayed in the Custom
Services Table.
Setting Quality of Service (QoS) Priorities
The Quality of Service (QoS) Priorities setting determines the priority of a service, which in turn
determines the quality of that service for the traffic passing through the firewall. The user can
change this priority:
- On the Services screen, in the Custom Services Table for customized services (see Figure 5-8)
[Security > Services].
- On the LAN WAN Outbound Services screen (see Figure 5-2) [Security > Firewall > LAN WAN
Rules, and click Add to the Outbound Services].
The QoS priority definition for a service determines the queue that is used for the traffic passing
through the firewall. A priority is assigned to IP packets using this service. Priorities are defined
by the “Type of Service (ToS) in the Internet Protocol Suite” standards, RFC 1349. A ToS priority
for traffic passing through the VPN firewall is one of the following:
Normal-Service. No special priority given to the traffic. The IP packets for services with this
priority are marked with a ToS value of 0.
Minimize-Cost. Used when data has to be transferred over a link that has a lower “cost”. The
IP packets for services with this priority are marked with a ToS value of 1.
Maximize-Reliability. Used when data needs to travel to the destination over a reliable link
and with little or no retransmission. The IP packets for services with this priority are marked
with a ToS value of 2.
Maximize-Throughput. Used when the volume of data transferred during an interval is
important even if the latency over the link is high. The IP packets for services with this priority
are marked with a ToS value of 4.
Minimize-Delay. Used when the time required (latency) for the packet to reach the destination
must be low. The IP packets for services with this priority are marked with a ToS value of 8.
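The values 0, 1, 2, 4 and 8 above are the four-bit TOS field of RFC 1349. In the IPv4 header that field sits in bits 1 to 4 of the TOS octet (the top three bits are precedence and the lowest bit is reserved as zero), so a packet marked Minimize-Delay carries 0x10 in the octet, not 0x08. The following added example, which is not NETGEAR's code and assumes the device writes the field as RFC 1349 lays it out, maps the priority names to the octet, decodes the octet back from a constructed IPv4 header, and rejects combinations that are not one of the five single-bit values.

```python
"""Added example, not NETGEAR's code: RFC 1349 TOS field encoding and decoding
for the five QoS priorities. The IPv4 header bytes are constructed here."""

# Four-bit TOS field values as given in the manual (RFC 1349).
TOS_FIELD = {
    "Normal-Service": 0,
    "Minimize-Cost": 1,
    "Maximize-Reliability": 2,
    "Maximize-Throughput": 4,
    "Minimize-Delay": 8,
}


def tos_octet(priority: str, precedence: int = 0) -> int:
    """Build the full TOS octet: 3 bits precedence, 4 bits TOS, 1 reserved zero bit."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is a 3-bit value")
    return (precedence << 5) | (TOS_FIELD[priority] << 1)


def priority_of(octet: int) -> str:
    """Name the priority encoded in a TOS octet; RFC 1349 allows one bit set at most."""
    value = (octet >> 1) & 0x0F
    for name, field in TOS_FIELD.items():
        if field == value:
            return name
    raise ValueError(f"TOS field {value:#x} is not one of the single-bit priorities")


def ipv4_header(tos: int, total_length: int = 20) -> bytes:
    """Constructed minimal IPv4 header (no options, zero checksum) carrying `tos`."""
    return bytes([0x45, tos & 0xFF]) + total_length.to_bytes(2, "big") + bytes(16)


def classify_packet(raw: bytes) -> str:
    """Read the TOS octet (byte 1 of the IPv4 header) and return the priority name."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return priority_of(raw[1])


if __name__ == "__main__":
    for name in TOS_FIELD:
        octet = tos_octet(name)
        print(f"{name:22s} field={TOS_FIELD[name]:2d} octet={octet:#04x} "
              f"decoded={classify_packet(ipv4_header(octet))}")
```

When checking marked traffic with a packet capture, compare the octet value (0x02, 0x04, 0x08, 0x10) rather than the field value, and remember that a 0x00 octet means Normal-Service with precedence 0.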