
Netgear Dm111pspv2 Adsl2 Plus Ethernet Modem User Manual


    							Security Settings
    31  Broadband ADSL2+ Modem DM111PSPv2
    (such as FTP and IRC servers) send replies back to multiple port numbers. By using the 
    inbound rule function of your router, you can tell the router to open additional incoming ports 
    when a particular outgoing port originates a session.
    An example is Internet Relay Chat (IRC). Your computer connects to an IRC server at 
    destination port 6667. The IRC server not only responds to your originating source port, but 
    also sends an identify message to your computer on port 113. With inbound rules, you can 
    tell the router, “When you initiate a session with destination port 6667, you have to also allow 
    incoming traffic on port 113 to reach the originating computer.” Using steps similar to the 
    preceding example, the following sequence shows the effects of the inbound rule you have 
    defined:
    1. You open an IRC client program to start a chat session on your computer. 
    2. Your IRC client composes a request message to an IRC server using a destination port 
    number of 6667, the standard port number for an IRC server process. Your computer then 
    sends this request message to your router.
    3. Your router creates an entry in its internal session table describing this communication 
    session between your computer and the IRC server. Your router stores the original 
    information, performs Network Address Translation (NAT) on the source address and port, 
    and sends this request message through the Internet to the IRC server. 
    4. Noting your inbound rule and having observed the destination port number of 6667, your 
    router creates an additional session entry to send any incoming port 113 traffic to your 
    computer.
    5. The IRC server sends a return message to your router using the NAT-assigned source port 
    (for example, port 33333) as the destination port. The IRC server also sends an identify 
    message to your router with destination port 113.
    6. Upon receiving the incoming message to destination port 33333, your router checks its 
    session table to determine whether there is an active session for port number 33333. 
    Finding an active session, the router restores the original address information replaced by 
    NAT and sends this reply message to your computer.
    7. Upon receiving the incoming message to destination port 113, your router checks its session 
    table and learns that there is an active session for port 113, associated with your computer. 
    The router replaces the message’s destination IP address with your computer’s IP address 
    and forwards the message to your computer.
    8. When you finish your chat session, your router eventually senses a period of inactivity in the 
    communications. The router then removes the session information from its session table, 
    and incoming traffic is no longer accepted on port numbers 33333 or 113.
    To configure inbound rules, you need to know which inbound ports the application needs. 
    Also, you need to know the number of the outbound port that will trigger the opening of the 
    inbound ports. You can usually determine this information by contacting the publisher of the 
    application, or the relevant user groups or newsgroups.
    Note:  Only one computer at a time can use the triggered application. 
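The IRC sequence above can be replayed against a small model of the router's session table. This is an added example, not NETGEAR code: the 300-second idle timeout, the LAN host addresses, the local source ports and the rule that a triggered port stays with the first computer that opened it are assumptions made for illustration.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 300  # seconds; assumed, the manual only says "a period of inactivity"

@dataclass
class TriggerRule:
    trigger_port: int      # outbound destination port that arms the rule (6667)
    inbound_ports: tuple   # inbound ports opened toward the originating host (113)

@dataclass
class Router:
    rules: list
    next_port: int = 33333                         # first NAT-assigned source port
    sessions: dict = field(default_factory=dict)   # WAN port -> [lan_ip, lan_port, last_seen]

    def expire(self, now):
        """Step 8: remove entries that have been idle longer than IDLE_TIMEOUT."""
        for port in [p for p, e in self.sessions.items() if now - e[2] > IDLE_TIMEOUT]:
            del self.sessions[port]

    def outbound(self, lan_ip, lan_port, dst_port, now):
        """Steps 2-4: record the NAT mapping, then open any triggered inbound ports."""
        self.expire(now)
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[nat_port] = [lan_ip, lan_port, now]
        for rule in self.rules:
            if rule.trigger_port != dst_port:
                continue
            for port in rule.inbound_ports:
                # Assumed behaviour for "only one computer at a time": a port that is
                # already triggered stays bound to the host that triggered it first.
                entry = self.sessions.setdefault(port, [lan_ip, port, now])
                if entry[0] == lan_ip:
                    entry[2] = now
        return nat_port

    def inbound(self, dst_port, now):
        """Steps 6-7: forward only when the session table holds a live entry."""
        self.expire(now)
        entry = self.sessions.get(dst_port)
        if entry is None:
            return None            # no session: unsolicited traffic is not accepted
        entry[2] = now             # in this model, traffic keeps the open port alive
        return entry[0], entry[1]

def walkthrough():
    """Replay the IRC sequence with constructed LAN hosts and timestamps (seconds)."""
    r = Router(rules=[TriggerRule(6667, (113,))])
    seen = {"113 before trigger": r.inbound(113, now=0)}
    seen["nat port"] = r.outbound("192.168.0.2", 50000, 6667, now=0)
    seen["reply"] = r.inbound(33333, now=10)
    seen["ident"] = r.inbound(113, now=10)
    r.outbound("192.168.0.3", 50001, 6667, now=20)      # second host, same application
    seen["ident with two hosts"] = r.inbound(113, now=30)
    seen["113 after idle"] = r.inbound(113, now=30 + IDLE_TIMEOUT + 1)
    return seen
```

The lookup for port 113 is keyed on the destination port alone, so while the entry is live the model forwards port 113 traffic from any Internet source, not only from the IRC server.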
    						
    Inbound Rules to Permit External Host Communications
    In both of the preceding examples, your computer initiates an application session with a 
    server computer on the Internet. However, you might need to allow a client computer on the 
    Internet to initiate a connection to a server computer on your network. Normally, your router 
    ignores any inbound traffic that is not a response to your own outbound traffic. You can 
    configure exceptions to this default rule by using the inbound rules feature. 
    A typical application of inbound rules can be shown by reversing the client-server relationship 
    from the previous web server example. In this case, a remote computer’s browser needs to 
    access a web server running on a computer in your local network. By using inbound rules, 
    you can tell the router, “When you receive incoming traffic on port 80 (the standard port 
    number for a web server process), forward it to the local computer at 192.168.1.123.” The 
    following sequence shows the effects of the inbound rule you have defined:
    1. The user of a remote computer opens a browser and requests a web page from 
    www.example.com, which resolves to the public IP address of your router. The remote 
    computer composes a web page request message with the following destination 
    information:
    Destination address. The IP address of www.example.com, which is the address of your 
    router.
    Destination port number. 80, which is the standard port number for a web server 
    process.
    The remote computer sends this request message through the Internet to your router.
    2. Your router receives the request message and looks in its rules table for any rules covering 
    the disposition of incoming port 80 traffic. Your inbound rule specifies that incoming port 80 
    traffic should be forwarded to local IP address 192.168.1.123. Therefore, your router 
    modifies the destination information in the request message:
    The destination address is replaced with 192.168.1.123.
    Your router then sends this request message to your local network.
    3. Your web server at 192.168.1.123 receives the request and composes a return message 
    with the requested web page data. Your web server then sends this reply message to your 
    router.
    4. Your router performs Network Address Translation (NAT) on the source IP address, and 
    sends this reply message through the Internet to the remote computer, which displays the 
    web page from www.example.com.
    To configure inbound rules, you need to know which inbound ports the application needs. You 
    usually can determine this information by contacting the publisher of the application or the 
    relevant user groups or newsgroups. 
    						
    How Inbound Rules Differ from Outbound Rules
    The following points summarize the differences between inbound rules and outbound rules:
    •     Outbound rules can be used by any computer on your network, although only one
    computer can use them at a time.
    •     Inbound rules are configured for a single computer on your network.
    •     Outbound rules do not require that you know the computer’s IP address in advance. The
    IP address is captured automatically.
    •     Inbound rules require that you specify the computer’s IP address during configuration,
    and the IP address can never change.
    •     Outbound rules require specific outbound traffic to open the inbound ports, and the
    outbound ports are closed after a period of no activity.
    •     Inbound rules are always active and do not need to be made active.
    Configure Firewall Rules
    The Firewall Rules screen lets you configure custom rules to make exceptions to the default
    rules. Exceptions can be based on the service or application, source or destination IP
    addresses, and time of day. You can log traffic that matches or does not match the rule and
    change the order of rule precedence. See Configure Services on page 38 for information
    about services.
    All traffic attempting to pass through the firewall is subjected to the rules in the order shown in
    the Rules table from the top (highest precedence) to the default rules at the bottom. In some
    cases, the order of precedence is important to determine which communications are allowed
    into or out of the network.
    To configure firewall rules:
    1. Select Security > Firewall Rules to display the following screen:
    2. To add an inbound or outbound rule:
    •     For an outbound rule, click Add under Outbound Services.
    •     For an inbound rule, click Add under Inbound Services.
    3. To edit or delete a rule, select its button on the left side, and click Edit or Delete.
    4. To change the order of precedence:
    a. Select its button on the left side of the table, and click Move.
    b. At the prompt, enter the number of the new position, and click OK.
    5. To open or close instant messaging, select a radio button, and click Apply.
    •     Close IM Ports. Disables instant messaging traffic.
    •     Open IM Ports. Enables instant messaging traffic. IM ports are open by default.
    6. Click Apply to save your settings.
    Inbound Rules (Port Forwarding)
    Because the modem uses Network Address Translation (NAT), your network presents only 
    one IP address to the Internet, and outside users cannot directly address any of your local 
    computers. However, by defining an inbound rule you can make a local server (for example, a 
    web server or game server) visible and available to the Internet. 
    The rule tells the modem to direct inbound traffic for a particular service to one local server 
    based on the destination port number. This is also known as port forwarding. Allowing 
    inbound services opens holes in your firewall. Enable only those ports that are necessary for 
    your network. The following are two examples of inbound rules.
    Note:  Some residential broadband ISP accounts do not let you run server 
    processes (such as a web or FTP server) from your location. Your 
    ISP might periodically check for servers and suspend your account if 
    it discovers any active services at your location. If you are unsure, 
    refer to the acceptable use policy of your ISP. 
    						
    Inbound Rule Example: A Local Public Web Server
    If you host a public web server on your local network, you can define a rule to allow inbound
    web (HTTP) requests from any outside IP address to the IP address of your web server at
    any time of day, as shown here and described following the figure:
    Figure 7. Allow inbound web requests
    Service. From this list, select the application or service you want to allow or block. The list
    already displays many common services, but you are not limited to these choices. Use the
    Services screen to add any additional services or applications that do not already appear.
    See Configure Services on page 38.
    Action. Choose how you want to handle this type of traffic. You can block or allow always, or
    you can block or allow according to the schedule you have defined in the Schedule screen,
    described in Schedule Firewall Services on page 40.
    Send to LAN Server. Enter the IP address of the computer or server on your LAN that
    receives the inbound traffic covered by this rule.
    WAN Users. These settings determine which packets are covered by the rule, based on their
    source (WAN) IP address:
    Any. All IP addresses are covered by this rule.
    Address range. When this option is selected, the Start and Finish fields are required.
    Single address. Enter the required address in the Start field.
    Log. You can select whether to log the traffic:
    Never. No log entries are made for this service.
    Always. Any traffic for this service type is logged.
    Match. Traffic of this type that matches the settings and action is logged.
    Not match. Traffic of this type that does not match the settings and action is logged.
    						
    Inbound Rule Example: Allowing Video Conferencing
    Create an inbound rule to allow incoming video conferencing to be initiated from a restricted
    range of outside IP addresses, such as from a branch office. In the following figure,
    CU-SeeMe connections are allowed from a specified range of external IP addresses only. In
    this case, logging of any incoming CU-SeeMe requests that do not match the allowed
    settings is always allowed.
    Figure 8. Allow inbound video conferencing
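The rule fields and the top-down precedence described under Configure Firewall Rules can be checked with a small evaluator. This is an added example, not the modem's firmware logic: it assumes that a rule whose WAN Users setting does not cover the source is skipped and the next rule is tried, and the CU-SeeMe port range and the 203.0.113.x and 198.51.100.x addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class InboundRule:
    service: str
    ports: range            # Start Port..End Port of the service definition
    action: str             # "ALLOW" or "BLOCK" (schedule-based actions omitted)
    lan_server: str         # Send to LAN Server
    wan_start: str = None   # None models WAN Users = Any
    wan_finish: str = None  # None with wan_start set models Single address
    log: str = "Never"      # Never | Always | Match | Not match

    def covers(self, src):
        if self.wan_start is None:
            return True
        lo = ipaddress.ip_address(self.wan_start)
        hi = ipaddress.ip_address(self.wan_finish or self.wan_start)
        return lo <= ipaddress.ip_address(src) <= hi

def evaluate(rules, src, dst_port, log):
    """Walk the table top-down; the first rule whose settings match decides."""
    for rule in rules:
        if dst_port not in rule.ports:
            continue                      # other service: rule neither applies nor logs
        hit = rule.covers(src)
        if rule.log == "Always" or rule.log == ("Match" if hit else "Not match"):
            log.append((rule.service, src, "match" if hit else "not match"))
        if hit:
            return ("forward", rule.lan_server) if rule.action == "ALLOW" else ("drop", None)
    return ("drop", None)                 # default rule: unsolicited inbound is ignored

# Constructed tables. The CU-SeeMe port range and the 203.0.113.x addresses are sample
# values; 192.168.1.123 and 192.168.0.11 are the LAN servers named on the page.
WEB = InboundRule("HTTP", range(80, 81), "ALLOW", "192.168.1.123")
VIDEO = InboundRule("CU-SeeMe", range(7648, 7653), "ALLOW", "192.168.0.11",
                    wan_start="203.0.113.10", wan_finish="203.0.113.20", log="Not match")
DENY_ONE = InboundRule("HTTP", range(80, 81), "BLOCK", "192.168.1.123",
                       wan_start="203.0.113.99")

def demo():
    log = []
    return {
        "branch office video": evaluate([WEB, VIDEO], "203.0.113.15", 7648, log),
        "other source video": evaluate([WEB, VIDEO], "198.51.100.7", 7648, log),
        "block below allow": evaluate([WEB, DENY_ONE], "203.0.113.99", 80, log),
        "block above allow": evaluate([DENY_ONE, WEB], "203.0.113.99", 80, log),
        "log": log,
    }
```

A single-address block rule placed below an allow-any rule for the same service never takes effect, which is why the position set with Move matters.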
    Considerations for Inbound Rules
    •     If your external IP address is assigned dynamically by your ISP, the IP address might
    change periodically as the DHCP lease expires. Consider using the Dynamic DNS screen
    described in Dynamic DNS on page 56 so that external users can always find your
    network.
    •     If the IP address of the local server computer is assigned by DHCP, it might change when
    the computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN
    Setup screen to keep the computer’s IP address constant.
    •     Local computers are required to access the local server using the computer’s local LAN
    address (192.168.0.11 in the example shown in Figure 8, Allow inbound video
    conferencing). Attempts by local computers to access the server using the external WAN
    IP address fail.
    Outbound Rules (Service Blocking)
    The modem lets you block computers on your local network from using certain Internet
    services. This is called service blocking or port filtering. You can define an outbound rule to
    block Internet access from a local computer based on local computer, Internet site being
    contacted, time of day, and type of service being requested.
    						
    To set up service blocking:
    1. Select Security > Firewall Rules to display the following screen:
    2. Under Outbound Services, click Add.
    3. Fill in the settings as follows, and click Apply to save your settings.
    Service. From this list, select the application or service to be allowed or blocked. The list
    already displays many common services, but you are not limited to these choices. Use
    the Add Custom Service button in the Services screen described in Configure Services
    on page 38 to add any additional services or applications that do not already appear.
    Action. Choose how to handle this type of traffic. You can block or allow always, or you
    can block or allow according to the schedule you defined, as described in Schedule
    Firewall Services on page 40.
    LAN Users. These settings determine which packets are covered by the rule, based on
    their source LAN IP address. Select the option that you want:
    Any. All IP addresses are covered by this rule.
    Address range. If this option is selected, fill in the Start and Finish fields.
    Single address. Enter the required address in the Start field.
    WAN Users. These settings determine which packets are covered by the rule, based on
    their destination WAN IP address. Select the option that you want:
    Any. All IP addresses are covered by this rule.
    Address range. If this option is selected, fill in the Start and Finish fields.
    Single address. Enter the required address in the Start field.
    Log. You can select to log the traffic:
    Never. No log entries are made for this service.
    Always. Any traffic for this service type is logged.
    Match. Traffic of this type that matches the settings and action is logged.
    Not match. Traffic that does not match the settings and action is logged.
    						
    Configure Services
    Services are functions performed by server computers at the request of client computers. For
    example, web servers serve web pages, time servers serve time and date information, and
    game hosts serve data about other players’ moves. When a computer on the Internet sends a
    request for service to a server computer, the requested service is identified by a service or
    port number. This number appears as the destination port number in the transmitted IP
    packets. For example, a packet that is sent with destination port number 80 is an HTTP (web
    server) request.
    The service numbers for many common protocols are defined by the Internet Engineering
    Task Force (IETF at http://www.ietf.org/) and published in RFC1700, “Assigned Numbers.”
    Service numbers for other applications are typically chosen from the range 1024 to 65535 by
    the authors of the application. Although the broadband ADSL2+ modem already holds a list
    of many service port numbers, you are not limited to these choices.
    To create your own service definitions:
    1. Select Security > Services to display the following screen:
    •     To create a new service, click the Add Custom Service button to display the Add
    Services screen.
    •     To edit a service, select its button on the left side of the table, and click Edit Service.
    •     To delete a service, select its button on the left side of the table, and click Delete
    Service.
    2. Use the following screen to define or edit a service.
    •     Name. Enter a meaningful name for the service.
    •     Type. Select the correct type for this service. If in doubt, select TCP/UDP. The options
    are TCP, UDP, TCP/UDP.
    •     Start Port and End Port. If a port range is required, enter the range here. If a single
    port is required, enter the same value in both fields.
    3. Click Apply to save your changes.
    Set the Time Zone
    The modem uses the Network Time Protocol (NTP) to obtain the current time and date from
    one of several network time servers on the Internet. You can check and set (if needed) the
    time zone to ensure that time stamps match your local time.
    To set the time zone:
    1. Select Security > Schedule to display the following screen:
    2. Select your time zone. This setting determines the blocking schedule and time-stamping of
    log entries.
    3. If your time zone is in daylight savings time, select the Adjust for Daylight Savings Time
    check box to add one hour to standard time.
    Note:  If your region uses daylight savings time, select Adjust for Daylight
    Savings Time on the first day and clear it after the last day.
    4. The modem has a list of NETGEAR NTP servers. If you would prefer to use a particular
    NTP server as the primary server, select the Use this NTP Server check box, and enter its
    IP address.
    5. Click Apply to save your settings.
    Schedule Firewall Services
    If you enabled services blocking in the Block Services screen or port forwarding in the Ports
    screen, you can set up a schedule for when blocking occurs or when access is not restricted.
    To schedule firewall services:
    1. Select Security > Schedule to display the following screen:
    2. To block Internet services based on a schedule, select Every Day, or select one or more
    days. If you want to limit access completely for the selected days, select All Day. Otherwise,
    to limit access during certain times for the selected days, enter times in the Start Time and
    End Time fields.
    Note:  Enter the values in 24-hour time format. For example, 10:30 a.m. would
    be 10 hours and 30 minutes, and 10:30 p.m. would be 22 hours and 30
    minutes. If you set the start time after the end time, the schedule is effective
    through midnight the next day.
    3. Click Apply to save your settings.
    						