Security
LAN WAN Rules
Firewall rules for traffic between the LAN and the WAN/Internet may be defined from this page.
The Default Outbound Policy allows all traffic from the LAN to pass through to the Internet. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the WAN.
The Default Inbound Policy is to block all inbound traffic to the LAN from the Internet (WAN). To allow computers from the WAN to access services on the LAN, a firewall rule for each service must be added.
Outbound Services
The default policy can be changed to block all outbound traffic and enable only specific services to pass through the router. To change the Default Outbound Policy, select Block Always from the drop-list and click Apply.
This Outbound Services table lists all the existing rules for outgoing traffic. A rule is defined by the following fields:
! (Status): A rule can be disabled if not in use and enabled as needed. A rule is disabled if the status light is grey and it is enabled if the status light is green. Disabling a rule does not delete the configuration, but merely de-activates the rule.
Service Name: This is a unique name assigned to the service. The name usually indicates the type of traffic the rule covers such as ftp, ssh, telnet, ping, etc. Services not already in the list can be added from the Services page.
Filter: Defines an action to be taken on the enabled rule. It can be:
• Block Always: Block the selected service at all times.
• Enable Always: Allow the selected service to pass through at all times.
• Block by schedule, otherwise allow: Works in conjunction with a schedule defined in the Schedule 1/2/3 pages. The selected service will be blocked during the schedule interval and will be allowed to pass through at other times.
• Allow by schedule, otherwise block: Works in conjunction with a schedule defined in the Schedule 1/2/3 pages. The selected service will be allowed to pass through during the schedule interval and will be blocked at other times.
LAN Users: Specifies whether one or more LAN IP addresses will be affected by the rule. This rule will affect packets for the selected service coming from the defined IP address or range of IP addresses on the LAN side.
• Any: All computers on the LAN are included in the rule.
• Single Address: A single LAN IP address that is affected by the rule.
• Address Range: A range of LAN IP addresses that are affected by the rule.
• Group: Computers that are part of the Group defined in the Network Database will be affected by the rule (groups are defined under the Network Configuration menu, on the LAN Groups page, Edit Group Names tab).
WAN Users: Specifies whether one or more WAN IP addresses will be affected by the rule. This rule will affect packets for the selected service going to the defined IP address or range of IP addresses on the WAN side.
• Any: All IP addresses on the WAN will be affected by the rule.
• Single Address: A single WAN IP address will be affected by the rule.
• Address Range: A range of IP addresses on the WAN will be affected by the rule.
Priority: The priority assigned to IP packets of this service. The priorities are defined by “Type of Service (TOS) in the Internet Protocol Suite” standards, RFC 1349. The router marks the Type Of Service (TOS) field as defined below:
• Normal-Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a TOS value of 0.
• Minimize-Cost: Used when data must be transferred over a link that has a lower "cost". The IP packets for services with this priority are marked with a TOS value of 1.
• Maximize-Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a TOS value of 2.
• Maximize-Throughput: Used when the volume of data transferred during an interval is important even if the latency over the link is high. The IP packets for services with this priority are marked with a TOS value of 4.
• Minimize-Delay: Used when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a TOS value of 8.
Log: Specifies whether the packets for this rule should be logged or not. To log details for all packets that match this rule, select Always. Select Never to disable logging.
For example, if an outbound rule is set to Block Always with logging enabled, then for every packet that tries to make an outbound connection for that service, a message with the packet's source address and destination address, along with other information, will be recorded in the log.
Note: Enabling logging may generate a significant number of log messages and is recommended for debugging purposes only.
The actions that can be taken on the rules listed in the Rules table are:
Edit: Modify the configuration of the selected rule.
Select All: Selects all the rules in the table.
Delete: Deletes the selected policy or policies.
Enable: Enables the selected rule or rules.
Disable: Disables the selected rule or rules.
Add: Add a new rule.
Inbound Services
This table lists all the existing rules for incoming traffic. A rule is defined by the following fields:
! (Status): A rule can be disabled if not in use and enabled as needed. A rule is disabled if the status light is grey and it is enabled if the status light is green. Disabling a rule does not delete the configuration, but merely de-activates the rule.
Service Name: This is a unique name assigned to the service. The name usually indicates the type of traffic the rule covers such as ftp, ssh, telnet, ping, etc. Services not already in the list can be added on the Services page.
Filter: Defines an action to be taken on the enabled rule. It can be:
• Block Always: Block the selected service at all times.
• Enable Always: Allow the selected service to pass through at all times.
• Block by schedule, otherwise allow: Works in conjunction with a schedule defined in the Schedule 1/2/3 pages. The selected service will be blocked during the scheduled interval and will be allowed to pass through at other times.
• Allow by schedule, otherwise block: Works in conjunction with a schedule defined in the Schedule 1/2/3 pages. The selected service will be allowed to pass through during the scheduled interval and will be blocked at other times.
LAN Server IP Address: An IP address and port number of a machine on the LAN which is hosting the server. It is displayed in the form: <IP address:port number>.
For example, if a machine with an IP address of 192.168.1.100 on the LAN side is running a telnet server on port 2000, then the table will display 192.168.1.100:2000. If the telnet server is running on the default port (port 23), then the table will display only the IP address.
Destination LAN Users: Specifies whether one or more IP addresses on the LAN will be affected by the rule. This field is only enabled when in routing mode since the LAN is accessible only in this mode.
• Any: All computers on the LAN will be affected by the rule.
• Single Address: A single IP address on the LAN will be affected by the rule.
• Address Range: A range of IP addresses on the LAN will be affected by the rule.
• Group: Computers that are part of the Group defined in the Network Database will be affected by the rule (groups are defined under the Network Configuration menu, on the LAN Groups page, Edit Group Names tab).
WAN Users: Specifies whether all Internet addresses or specific IP addresses are included in the rule.
• Any: All IP addresses on the Internet are included in the rule.
• Single Address: A single Internet IP address that is affected by the rule.
• Address Range: A range of IP addresses that are affected by the rule.
Destination: The WAN IP address that will map to the incoming server. It can either be the address of the ADSL or WAN Ethernet port* or another WAN IP address.
Note: This field is only enabled in NAT mode, since the router needs to map traffic arriving on a particular WAN address to a LAN machine.
*Your router may have a single WAN port. Please refer to the online Reference Manual for details.
Priority: The priority assigned to IP packets of this service. The priorities are defined by “Type of Service (TOS) in the Internet Protocol Suite” standards, RFC 1349. The router marks the Type Of Service (TOS) field as defined below:
• Normal-Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a TOS value of 0.
• Minimize-Cost: Used when data must be transferred over a link that has a lower "cost". The IP packets for services with this priority are marked with a TOS value of 1.
• Maximize-Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a TOS value of 2.
• Maximize-Throughput: Used when the volume of data transferred during an interval is important even if the latency over the link is high. The IP packets for services with this priority are marked with a TOS value of 4.
• Minimize-Delay: Used when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a TOS value of 8.
Log: Specifies whether the packets for this rule should be logged or not. To log details for all packets that match this rule, select Always. Select Never to disable logging.
For example, if an inbound rule is set to Block Always with logging enabled, then for every packet that tries to make an inbound connection for that service, a message with the packet's source and destination addresses, along with other information, will be recorded in the log. Enabling logging may generate a significant volume of log messages and is recommended for debugging purposes only.
The actions that can be taken on rules are:
Edit: Modifies the configuration of the selected rule.
Select All: Selects all the rules in the table.
Delete: Deletes the selected policy or policies.
Enable: Enables the selected rule or rules listed in the table.
Disable: Disables the selected rule or rules listed in the table.
Add: Adds a new rule.
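As an added illustration (not NETGEAR's code or the router's firmware logic), this Python model evaluates a packet against a rule list using the Filter, LAN Users, WAN Users, Priority and Log fields described in both the Outbound Services and Inbound Services tables above, falling back to the Default Outbound/Inbound Policy when no rule matches. The Rule type, first-match precedence and the sample rules are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple
# TOS field values the page lists for each Priority setting (RFC 1349).
TOS = {"Normal-Service": 0, "Minimize-Cost": 1, "Maximize-Reliability": 2,
       "Maximize-Throughput": 4, "Minimize-Delay": 8}
AddrRange = Optional[Tuple[str, str]]  # None = Any; (a, a) = Single Address

@dataclass
class Rule:
    service: str          # Service Name, e.g. "telnet"
    filter: str           # one of the four Filter settings
    lan_users: AddrRange  # LAN Users (or Destination LAN Users)
    wan_users: AddrRange  # WAN Users
    priority: str = "Normal-Service"
    log: bool = False     # Log: Always (True) / Never (False)
    enabled: bool = True  # status light green (True) / grey (False)

def in_range(addr: str, rng: AddrRange) -> bool:
    # Any matches every address; otherwise an inclusive first..last check.
    if rng is None:
        return True
    return IPv4Address(rng[0]) <= IPv4Address(addr) <= IPv4Address(rng[1])

def rule_allows(rule: Rule, in_schedule: bool) -> bool:
    # Filter setting -> verdict, given whether now is inside the schedule.
    return {"Block Always": False, "Enable Always": True,
            "Block by schedule, otherwise allow": not in_schedule,
            "Allow by schedule, otherwise block": in_schedule}[rule.filter]

def evaluate(rules: List[Rule], default_allow: bool, service: str,
             lan_ip: str, wan_ip: str, in_schedule: bool = False):
    """Return (allowed, tos, log_line). The first enabled rule matching the
    service and both address selectors decides (first-match precedence is an
    assumption; the page does not state it). No match: default policy, TOS 0."""
    for r in rules:
        if not (r.enabled and r.service == service and
                in_range(lan_ip, r.lan_users) and in_range(wan_ip, r.wan_users)):
            continue
        allowed = rule_allows(r, in_schedule)
        line = f"{service} lan={lan_ip} wan={wan_ip} {'allow' if allowed else 'block'}"
        return allowed, TOS[r.priority], line if r.log else None
    return default_allow, 0, None

# Constructed sample rules, not taken from any real router configuration.
RULES = [
    Rule("telnet", "Block Always", ("192.168.1.10", "192.168.1.20"), None, log=True),
    Rule("ftp", "Allow by schedule, otherwise block", None, None,
         priority="Maximize-Throughput"),
]
```

With the Default Outbound Policy left at allow, telnet from 192.168.1.15 is blocked and logged, telnet from an address outside the range falls through to the default and is allowed, and ftp is allowed only while its schedule is active.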
2009 © Copyright NETGEAR®