Netgear VPN Firewall FVS336Gv2 Reference Manual
Customize Firewall Protection 210 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Overview of Rules to Block or Allow Specific Kinds of Traffic

The following sections provide overviews of rules to block and allow specific kinds of traffic:
• Firewall Rules
• Outbound Rules — Service Blocking
• Settings for Outbound Rules
• Inbound Rules — Port Forwarding
• Settings for Inbound Rules

Firewall Rules

The following sections provide information about firewall rule concepts:
• Firewall Rules Overview
• Default LAN WAN Rules
• Default DMZ WAN Rules
• Default LAN DMZ Rules
• Number of Rules Supported
• Categories of Service
• Order of Precedence

Firewall Rules Overview

Firewall rules (also referred to as service rules) are used to block or allow specific traffic passing through from one side to the other. You can apply the firewall rules for blocking and allowing traffic on the VPN firewall to LAN WAN traffic, DMZ WAN traffic, and LAN DMZ traffic. Inbound rules (WAN to LAN or DMZ) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN or DMZ to WAN) determine what outside resources local users can have access to.

Default LAN WAN Rules

The VPN firewall has two default LAN WAN rules, one for inbound traffic and one for outbound traffic:
• Inbound. Block all access from the Internet (the WAN) except responses to requests from the LAN.
• Outbound. Allow all access from the LAN to the Internet.

For information about changing the default LAN WAN outbound rule, see Change the Default Outbound Policy for LAN WAN Traffic on page 220.
Default DMZ WAN Rules

For DMZ WAN traffic, the default policy is to block all traffic from and to the Internet. You can change the default policy by adding DMZ WAN firewall rules that allow specific types of traffic to go out from the DMZ to the Internet (outbound) or to come in from the Internet to the DMZ (inbound). Alternately, for outbound traffic, you can allow all outbound traffic and then block only specific services from passing through the VPN firewall. (Do not use this approach for inbound traffic.)

Default LAN DMZ Rules

For LAN DMZ traffic, the default policy is to block all traffic between the LAN and the DMZ. You can change the default policy by adding LAN DMZ firewall rules that allow specific types of traffic to go out from the LAN to the DMZ (outbound) or to come in from the DMZ to the LAN (inbound). Alternately, for outbound traffic, you can allow all outbound traffic and then block only specific services from passing through the VPN firewall. (Do not use this approach for inbound traffic.)

Number of Rules Supported

You can configure up to 600 firewall rules on the VPN firewall.

Table 4. Number of supported firewall rule configurations

Traffic Rule   Maximum Number of Outbound Rules   Maximum Number of Inbound Rules   Maximum Number of Combined Supported Rules
LAN WAN        300                                300                               600
DMZ WAN        50                                 50                                100
LAN DMZ        50                                 50                                100
Total Rules    400                                400                               800

Categories of Service

The rules to block or allow traffic are based on the traffic’s category of service:
• Outbound rules (service blocking). Outbound traffic is allowed unless you configure the firewall to block specific or all outbound traffic.
• Inbound rules (port forwarding). Inbound traffic is blocked unless the traffic is in response to a request from the LAN side. You can configure the firewall to allow specific or all inbound traffic.
• Customized services. You can add additional services to the list of services in the factory defaults list. You can then define rules for these added services to either allow or block that traffic (see Manage Customized Services on page 280).
• Quality of Service (QoS) priorities. Each service has its own native priority that impacts its quality of performance and tolerance for jitter or delays. You can change the QoS priority, which changes the traffic mix through the system (see Manage Quality of Service Profiles for IPv4 Firewall Rules on page 293 and Default Quality of Service Priorities for IPv6 Firewall Rules on page 298).
• Bandwidth profiles. After you configure a bandwidth profile (see Manage Bandwidth Profiles for IPv4 Traffic on page 299), you can assign it to a rule.

Order of Precedence

When you define a new rule, the rule is added to the VPN firewall’s configuration and displayed in a table. For any traffic that attempts to pass through the VPN firewall, the packet information is subjected to the rules in the order that they are displayed in the table, beginning at the top of the table and proceeding to the bottom of the table. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet. For example, you must place the most strict rules (those with the most specific services or addresses) at the top of the table. For information about how to change the order of precedence of rules, see Manage Existing Firewall Rules on page 250.

Note: Inbound LAN WAN rules take precedence over inbound DMZ WAN rules. When an inbound packet matches an inbound LAN WAN rule, the VPN firewall does not match the packet against inbound DMZ WAN rules.

Outbound Rules — Service Blocking

The VPN firewall allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering. The VPN firewall has a default outbound LAN WAN rule, which allows all access from the LAN side to the outside, that is, outbound traffic is allowed. For information about changing the default outbound rule, see Change the Default Outbound Policy for LAN WAN Traffic on page 220. For more conceptual information about firewall protection, see Firewall Protection on page 209.
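The first-match evaluation described under Order of Precedence, the per-direction default policies, the four schedule-dependent actions, and the note that inbound LAN WAN rules are consulted before inbound DMZ WAN rules, modelled in a small Python script. This is an added example, not NETGEAR code or the device's actual implementation; the Rule and Packet fields, the CIDR-style matching of LAN/DMZ and WAN users, and the schedule_active flag are my assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Default policies as the manual states them: only LAN WAN outbound is open.
DEFAULT_POLICY = {
    ("LAN WAN", "outbound"): "ALLOW", ("LAN WAN", "inbound"): "BLOCK",
    ("DMZ WAN", "outbound"): "BLOCK", ("DMZ WAN", "inbound"): "BLOCK",
    ("LAN DMZ", "outbound"): "BLOCK", ("LAN DMZ", "inbound"): "BLOCK",
}

@dataclass
class Rule:
    service: str                   # "HTTP", "FTP", ... or "ANY"
    action: str                    # one of the four actions in Table 5 / Table 6
    users: str = "0.0.0.0/0"       # LAN or DMZ users, as a CIDR (assumption)
    wan_users: str = "0.0.0.0/0"   # WAN users, as a CIDR (assumption)
    schedule_active: bool = False  # is the selected schedule "on" now? (assumption)
    send_to: Optional[str] = None          # inbound only: LAN/DMZ server address
    translate_port: Optional[int] = None   # inbound only: Translate to Port Number

@dataclass
class Packet:
    service: str
    local_ip: str  # LAN or DMZ side address
    wan_ip: str    # Internet side address

def resolve_action(rule: Rule) -> str:
    """Collapse the schedule-dependent actions to a plain BLOCK or ALLOW."""
    if rule.action == "BLOCK always":
        return "BLOCK"
    if rule.action == "ALLOW always":
        return "ALLOW"
    if rule.action == "BLOCK by schedule, otherwise allow":
        return "BLOCK" if rule.schedule_active else "ALLOW"
    if rule.action == "ALLOW by schedule, otherwise block":
        return "ALLOW" if rule.schedule_active else "BLOCK"
    raise ValueError("unknown action: " + rule.action)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.service in ("ANY", pkt.service)
            and ip_address(pkt.local_ip) in ip_network(rule.users)
            and ip_address(pkt.wan_ip) in ip_network(rule.wan_users))

def evaluate(rules: List[Rule], pair: str, direction: str, pkt: Packet):
    """First matching rule wins, top to bottom; with no match the default
    policy for the traffic pair and direction applies. Returns
    (verdict, source, forward_target); forward_target is set only when an
    allowed inbound packet is sent to a local server."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict = resolve_action(rule)
            target = None
            if direction == "inbound" and verdict == "ALLOW" and rule.send_to:
                target = (rule.send_to, rule.translate_port)
            return verdict, f"rule {i}", target
    return DEFAULT_POLICY[(pair, direction)], "default", None

def evaluate_inbound_from_wan(lan_wan: List[Rule], dmz_wan: List[Rule], pkt: Packet):
    """Manual note: an inbound packet that matches an inbound LAN WAN rule is
    never checked against the inbound DMZ WAN rules."""
    verdict, src, target = evaluate(lan_wan, "LAN WAN", "inbound", pkt)
    if src != "default":
        return verdict, "LAN WAN " + src, target
    verdict, src, target = evaluate(dmz_wan, "DMZ WAN", "inbound", pkt)
    return verdict, "DMZ WAN " + src, target
```

Swapping the order of a specific ALLOW rule and a broad BLOCK rule changes the verdict for the host the ALLOW rule names, which is why the manual tells you to keep the most specific rules at the top.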
Tip: For information about yet another way to block outbound traffic from selected computers that would otherwise be allowed by the firewall, see Enable Source MAC Filtering on page 312.

Settings for Outbound Rules

The following table describes the components that let you configure rules for outbound traffic. For information about the actual procedures to configure outbound rules, see the following sections:
• Add LAN WAN Outbound Service Rules on page 223
• Add DMZ WAN Outbound Service Rules on page 233
• Add LAN DMZ Outbound Service Rules on page 242
Table 5. Outbound rules overview
(Columns: Setting, Description, and the outbound rules to which the setting applies.)

Service
The service or application to be covered by this rule. If the service or application does not display in the list, you must define it (see Manage Customized Services on page 280).
Applies to: all rules

Action
The action for outgoing connections covered by this rule. The options are as follows:
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block
Note: Any outbound traffic that is not blocked by rules you create is allowed by the default rule.
Note: ALLOW rules are useful only if the traffic is already covered by a BLOCK rule. That is, you wish to allow a subset of traffic that is blocked by another rule.
Applies to: all rules

Select Schedule
The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is used by this rule. This menu is activated only when you select BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block as the action. For information about how to configure time schedules, see Define a Schedule on page 292.
Applies to: all rules when BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block is selected as the action

LAN Users
The settings that determine which computers on your network are affected by this rule. The options are as follows:
• Any. All computers and devices on your LAN are covered by this rule.
• Single address. Enter the required address in the Start field to apply the rule to a single device on your LAN.
• Address range. Enter the required addresses in the Start and Finish fields to apply the rule to a range of devices.
• Group. Select the LAN group to which the rule applies. For information about assigning devices to groups, see Manage the Network Database on page 133. Groups apply only to IPv4 rules.
• IP Group. Select the IP group to which the rule applies. For information about assigning IP addresses to groups, see Manage IP Address Groups on page 288.
Applies to: LAN WAN rules, LAN DMZ rules

WAN Users
The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are as follows:
• Any. All Internet IP addresses are covered by this rule.
• Single address. Enter the required address in the Start field.
• Address range. Enter the required addresses in the Start and Finish fields.
• IP Group. Select the IP group to which the rule applies. For information about assigning IP addresses to groups, see Manage IP Address Groups on page 288.
Applies to: LAN WAN rules, DMZ WAN rules

DMZ Users
The settings that determine which DMZ computers on the DMZ network are covered by this rule. The options are as follows:
• Any. All computers and devices on your DMZ network are covered by this rule.
• Single address. Enter the required address in the Start field to apply the rule to a single computer on the DMZ network.
• Address range. Enter the required addresses in the Start and Finish fields to apply the rule to a range of DMZ computers.
Applies to: DMZ WAN rules, LAN DMZ rules

QoS Profile or QoS Priority
The priority assigned to IP packets of this service. The priorities are defined by Type of Service in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of a service, which, in turn, determines the quality of that service for the traffic passing through the firewall. The VPN firewall marks the Type of Service (ToS) field as defined in the QoS profiles that you create. For more information, see Manage Quality of Service Profiles for IPv4 Firewall Rules on page 293 and Default Quality of Service Priorities for IPv6 Firewall Rules on page 298.
Note: For IPv4 traffic, the VPN firewall does not provide default QoS profiles. That is, if you want to use QoS for IPv4 traffic, you must create QoS profiles. For IPv6 traffic, the VPN firewall does provide QoS profiles but you cannot change them.
A QoS profile becomes active only when you apply it to a nonblocking inbound or outbound firewall rule.
Note: When you apply a QoS profile to a firewall rule for the first time, the performance of the VPN firewall might be affected slightly.
Note: QoS profiles and QoS priorities do not apply to LAN DMZ rules.
Applies to: QoS Profile: IPv4 LAN WAN rules, IPv4 DMZ WAN rules. QoS Priority: IPv6 LAN WAN rules, IPv6 DMZ WAN rules.

Bandwidth Profile
Bandwidth limiting determines how the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link. For more information, see Manage Bandwidth Profiles for IPv4 Traffic on page 299. For outbound traffic, you can configure bandwidth limiting only on the WAN interface for a LAN WAN rule.
Note: When you enable a bandwidth profile, the performance of the VPN firewall might be affected slightly.
Note: Bandwidth limiting does not apply to the DMZ interface.
Applies to: IPv4 LAN WAN rules

Log
The setting that determines whether packets covered by this rule are logged. The options are as follows:
• Always. Always log traffic that matches this rule. This is useful when you are debugging your rules.
• Never. Never log traffic that matches this rule.
Applies to: all rules

NAT IP
The setting that specifies whether the source address of the outgoing packets on the WAN is autodetected, is assigned the address of the WAN interface, or is a different IP address. You can specify these settings only for outbound traffic of the WAN interface. The options are as follows:
• Auto. The source address of the outgoing packets is autodetected through the configured routing and load balancing rules.
• WAN Interface Address. All the outgoing packets on the WAN are assigned to the address of the specified WAN interface.
• Single Address. All the outgoing packets on the WAN are assigned to the specified IP address, for example, a secondary WAN address that you have configured.
Note: The NAT IP menu is available only when the WAN mode is NAT.
Note: If you select Single Address from the NAT IP menu, the IP address specified must fall under the WAN subnet.
Applies to: IPv4 LAN WAN rules, IPv4 DMZ WAN rules

Inbound Rules — Port Forwarding

The VPN firewall has a default inbound LAN WAN rule, which blocks all access from outside except responses to requests from the LAN side. If you have enabled Network Address Translation (NAT), your network presents one IP address only to the Internet, and outside users cannot directly access any of your local computers (LAN users). For information about configuring NAT, see Network Address Translation Overview on page 30. However, by defining an inbound rule you can make a local server (for example, a web server or game server) visible and available to the Internet.
The rule informs the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This process is known as port forwarding.

WARNING: Allowing inbound services opens security holes in your network. Enable only those ports that are necessary for your network.

The VPN firewall always blocks denial of service (DoS) attacks. A DoS attack does not attempt to steal data or damage your computers but overloads your Internet connection so that you cannot use it (that is, the service becomes unavailable). By default, multiple concurrent connections of the same application from one host or IP address (such as multiple DNS queries from one computer) trigger the VPN firewall’s DoS protection. For information about changing this default behavior, see Manage Protection Against Common Network Attacks on page 266.

Whether or not DHCP is enabled, how the computer accesses the server’s LAN address impacts the inbound rules. For example:
• If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address might change periodically as the DHCP lease expires. Consider using Dynamic DNS so that external users can always find your network (see Manage Dynamic DNS Connections on page 63).
• If the IP address of the local server computer is assigned by DHCP, it might change when the computer is rebooted. To avoid this situation, configure a reserved IP address that is bound to the MAC address of the server (see DHCP Address Reservation on page 133).
• Local computers must access the local server by using the computers’ local LAN addresses. Attempts by local computers to access the server using the external WAN IP address fail.

For more conceptual information about firewall protection, see Firewall Protection on page 209.

Tip: For information about yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall, see Manage Port Triggering on page 325.

Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active servers at your location. If you are unsure, see the acceptable use policy of your ISP.
Settings for Inbound Rules

The following table describes the components that let you configure rules for inbound traffic. For information about the actual procedures to configure inbound rules, see the following sections:
• Add LAN WAN Inbound Service Rules on page 228
• Add DMZ WAN Inbound Service Rules on page 237
• Add LAN DMZ Inbound Service Rules on page 246

Table 6. Inbound rules overview
(Columns: Setting, Description, and the inbound rules to which the setting applies.)

Service
The service or application to be covered by this rule. If the service or application does not display in the list, you must define it (see Manage Customized Services on page 280).
Applies to: all rules

Action
The action for outgoing connections covered by this rule. The options are as follows:
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block
Note: Any inbound traffic that is not blocked by rules you create is allowed by the default rule.
Applies to: all rules

Select Schedule
The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is used by this rule. This menu is activated only when you select BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block as the action. For information about how to configure time schedules, see Define a Schedule on page 292.
Applies to: all rules when BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block is selected as the action

Send to LAN Server
The LAN server address determines which computer on your network is hosting this service rule. (You can also translate this address to a port number.) The options are as follows:
• Single address. Enter the required address in the Start field to apply the rule to a single device on your LAN.
• Address range. Enter the required addresses in the Start and Finish fields to apply the rule to a range of devices.
Applies to: IPv4 LAN WAN rules

Send to DMZ Server
The DMZ server address determines which computer on your network is hosting this service rule. (You can also translate this address to a port number.)
Applies to: IPv4 DMZ WAN rules

Translate to Port Number
If the LAN server or DMZ server that is hosting the service is using a port other than the default port for the service, you can select this setting and specify a port number. If the service is using the default port, you do not need to select this setting.
Applies to: IPv4 LAN WAN rules, IPv4 DMZ WAN rules

WAN Destination IP Address
The setting that determines the destination IP address applicable to incoming traffic. This is the public IP address that maps to the internal LAN server. This can be either the address of the WAN interface or another public IP address. You can also enter an address range. Enter the required addresses in the Start and Finish fields to apply the rule to a range of devices.
Applies to: IPv4 LAN WAN rules, IPv4 DMZ WAN rules

LAN Users
These settings apply to a LAN WAN inbound rule when the WAN mode is classical routing and determine which computers on your network are covered by this rule. The options are as follows:
• Any. All computers and devices on your LAN are covered by this rule.
• Single address. Enter the required address in the Start field to apply the rule to a single device on your LAN.
• Address range. Enter the required addresses in the Start and Finish fields to apply the rule to a range of devices.
• Group. Select the LAN group to which the rule applies. For information about assigning devices to groups, see Manage the Network Database on page 133. Groups apply only to IPv4 rules.
• IP Group. Select the IP group to which the rule applies. For information about assigning IP addresses to groups, see Manage IP Address Groups on page 288.
Note: For IPv4 LAN WAN inbound rules, this field does not apply when the WAN mode is NAT because your network presents only one IP address to the Internet.
Applies to: LAN WAN rules, LAN DMZ rules

WAN Users
The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are as follows:
• Any. All Internet IP addresses are covered by this rule.
• Single address. Enter the required address in the Start field.
• Address range. Enter the required addresses in the Start and Finish fields.
• IP Group. Select the IP group to which the rule applies. For information about assigning IP addresses to groups, see Manage IP Address Groups on page 288.
Applies to: LAN WAN rules, DMZ WAN rules

DMZ Users
The settings that determine which DMZ computers on the DMZ network are covered by this rule. The options are as follows:
• Any. All computers and devices on your DMZ network are covered by this rule.
• Single address. Enter the required address in the Start field to apply the rule to a single computer on the DMZ network.
• Address range. Enter the required addresses in the Start and Finish fields to apply the rule to a range of DMZ computers.
Note: For IPv4 DMZ WAN inbound rules, this field does not apply when the WAN mode is NAT because your network presents only one IP address to the Internet.
Applies to: DMZ WAN rules, LAN DMZ rules

QoS Profile
The priority assigned to IP packets of this service. The priorities are defined by Type of Service in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of a service, which, in turn, determines the quality of that service for the traffic passing through the firewall. The VPN firewall marks the Type of Service (ToS) field as defined in the QoS profiles that you create. For more information, see Manage Quality of Service Profiles for IPv4 Firewall Rules on page 293.
Note: For IPv4 traffic, the VPN firewall does not provide default QoS profiles. That is, if you want to use QoS for IPv4 traffic, you must create QoS profiles. For IPv6 traffic, the VPN firewall does provide QoS profiles but you cannot change them.
A QoS profile becomes active only when you apply it to a nonblocking inbound or outbound firewall rule.
Note: When you apply a QoS profile to a firewall rule for the first time, the performance of the VPN firewall might be affected slightly.
Note: QoS profiles do not apply to LAN DMZ rules.
Applies to: IPv4 LAN WAN rules, IPv4 DMZ WAN rules