Netgear Netgar VPN FIrewall FVS336Gv2 Reference Manual

							Customize Firewall Protection 
210 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 
Overview of Rules to Block or Allow Specific Kinds of 
Traffic
The following sections provide overviews of rules to block and allow specific kinds of traffic:
•Firewall Rules
•Outbound Rules — Service Blocking
•Settings for Outbound Rules
•Inbound Rules — Port Forwarding
•Settings for Inbound Rules
Firewall Rules
The following sections provide information about firewall rule concepts:
•Firewall Rules Overview
•Default LAN WAN Rules
•Default DMZ WAN Rules
•Default LAN DMZ Rules
•Number of Rules Supported
•Categories of Service
•Order of Precedence
Firewall Rules Overview
Firewall rules (also referred to as service rules) are used to block or allow specific traffic 
passing through from one side to the other. You can apply the firewall rules for blocking and 
allowing traffic on the VPN firewall to LAN WAN traffic, DMZ WAN traffic, and LAN DMZ 
traffic.
Inbound rules (WAN to LAN or DMZ) restrict access by outsiders to private resources, 
selectively allowing only specific outside users to access specific resources. Outbound rules 
(LAN or DMZ to WAN) determine what outside resources local users can have access to.
Default LAN WAN Rules
The VPN firewall has two default LAN WAN rules, one for inbound traffic and one for 
outbound traffic:
•Inbound. Block all access from the Internet (the WAN) except responses to requests 
from the LAN.
•Outbound. Allow all access from the LAN to the Internet.
For information about changing the default LAN WAN outbound rule, see Change the 
Default Outbound Policy for LAN WAN Traffic on page 220. 
						

							Customize Firewall Protection 
211  ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2
Default DMZ WAN Rules
For DMZ WAN traffic, the default policy is to block all traffic from and to the Internet. 
You can change the default policy by adding DMZ WAN firewall rules that allow specific types 
of traffic to go out from the DMZ to the Internet (outbound) or to come in from the Internet to 
the DMZ (inbound). Alternately, for outbound traffic, you can allow all outbound traffic and 
then block only specific services from passing through the VPN firewall. (Do not use this 
approach for inbound traffic.)
Default LAN DMZ Rules
For LAN DMZ traffic, the default policy is to block all traffic between the LAN and the DMZ. 
You can change the default policy by adding LAN DMZ firewall rules that allow specific types 
of traffic to go out from the LAN to the DMZ (outbound) or to come in from the DMZ to the 
LAN (inbound). Alternately, for outbound traffic, you can allow all outbound traffic and then 
block only specific services from passing through the VPN firewall. (Do not use this approach 
for inbound traffic.)
Number of Rules Supported
You can configure up to 600 firewall rules on the VPN firewall.
Categories of Service
The rules to block or allow traffic are based on the traffic’s category of service:
•Outbound rules (service blocking). Outbound traffic is allowed unless you configure 
the firewall to block specific or all outbound traffic.
•Inbound rules (port forwarding). Inbound traffic is blocked unless the traffic is in 
response to a request from the LAN side. You can configure the firewall to allow specific 
or all inbound traffic.
•Customized services. You can add additional services to the list of services in the 
factory defaults list. You can then define rules for these added services to either allow or 
block that traffic (see Manage Customized Services on page
 280).
•Quality of Service (QoS) priorities. Each service has its own native priority that impacts 
its quality of performance and tolerance for jitter or delays. You can change the QoS 
priority, which changes the traffic mix through the system (see 
Manage Quality of Service 
Table 4.  Number of supported firewall rule configurations 
Traffic RuleMaximum Number of 
Outbound RulesMaximum Number of 
Inbound RulesMaximum Number of 
Combined Supported Rules
LAN WAN 300 300 600
DMZ WAN 50 50 100
LAN DMZ 50 50 100
Total Rules 400 400 800 
						

							Customize Firewall Protection 
212 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 
Profiles for IPv4 Firewall Rules on page 293 and Default Quality of Service Priorities for 
IPv6 Firewall Rules on page 298).
•Bandwidth profiles. After you configure a bandwidth profile (see Manage Bandwidth 
Profiles for IPv4 Traffic on page 299), you can assign it to a rule. 
Order of Precedence
When you define a new rule, the rule is added to the VPN firewall’s configuration and 
displayed in a table. For any traffic that attempts to pass through the VPN firewall, the packet 
information is subjected to the rules in the order that they are displayed in the table, 
beginning at the top of the table and proceeding to the bottom of the table. In some cases, 
the order of precedence of two or more rules might be important in determining the 
disposition of a packet. For example, you must place the most strict rules (those with the 
most specific services or addresses) at the top of the table. For information about how 
change the order of precedence of rules, see 
Manage Existing Firewall Rules on page 250.
Note:Inbound LAN WAN rules take precedence over inbound DMZ WAN rules. 
When an inbound packet matches an inbound LAN WAN rule, the VPN 
firewall does not match the packet against inbound DMZ WAN rules.
Outbound Rules — Service Blocking
The VPN firewall allows you to block the use of certain Internet services by computers on 
your network. This is called service blocking or port filtering.
The VPN firewall has a default outbound LAN WAN rule, which allow all access from the LAN 
side to the outside, that is, outbound traffic is allowed. For information about changing the 
default outbound rule, see Change the Default Outbound Policy for LAN WAN Traffic on 
page  220.
For more conceptual information about firewall protection, see Firewall Protection on 
page 209.
Tip:For information about yet another way to block outbound traffic from 
selected computers that would otherwise be allowed by the firewall, 
see 
Enable Source MAC Filtering on page 312.
Settings for Outbound Rules
The following table describes the components that let you configure rules for outbound traffic. 
For information about the actual procedures to configure outbound rules, see the following 
sections:
•Add LAN WAN Outbound Service Rules on page
 223
•Add DMZ WAN Outbound Service Rules on page
 233
•Add LAN DMZ Outbound Service Rules on page 242 
						

							Customize Firewall Protection 
213  ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2
Table 5.  Outbound rules overview 
SettingDescriptionOutbound Rules
Service The service or application to be covered by this rule. If the service 
or application does not display in the list, you must define it (see 
Manage Customized Services on page
 280). All rules
Action The action for outgoing connections covered by this rule. The 
options are as follows: 
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block
Note:Any outbound traffic that is not blocked by rules you create 
is allowed by the default rule.
Note:ALLOW rules are useful only if the traffic is already covered 
by a BLOCK rule. That is, you wish to allow a subset of traffic that 
is blocked by another rule. All rules
Select Schedule  The time schedule (that is, Schedule1, Schedule2, or Schedule3) 
that is used by this rule. 
This menu is activated only when you select BLOCK by 
schedule, otherwise allow or ALLOW by schedule, otherwise 
block as the action. 
For information about how to configure time schedules, see Define 
a Schedule on page
 292.All rules when BLOCK 
by schedule, otherwise 
allow or ALLOW by 
schedule, otherwise 
block is selected as the 
action
LAN Users The settings that determine which computers on your network are 
affected by this rule. The options are as follows:
• Any. All computers and devices on your LAN are covered by 
this rule. 
• Single address. Enter the required address in the Start field 
to apply the rule to a single device on your LAN.
• Address range. Enter the required addresses in the Start and 
Finish fields to apply the rule to a range of devices.
• Group. Select the LAN group to which the rule applies. For 
information about assigning devices to groups, see 
Manage 
the Network Database on page 133. Groups apply only to IPv4 
rules.
• IP Group. Select the IP group to which the rule applies. For 
information about assigning IP addresses to groups, see 
Manage IP Address Groups on page 288.
LAN WAN rules
LAN DMZ rules 
						

							Customize Firewall Protection 
214 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 
WAN Users The settings that determine which Internet locations are covered 
by the rule, based on their IP address. The options are as follows: 
• Any. All  Internet  IP  addresses  are  covered  by  this  rule. 
• Single address. Enter the required address in the Start field. 
• Address range. Enter the required addresses the Start and 
Finish fields.
• IP Group. Select the IP group to which the rule applies. For 
information about assigning IP addresses to groups, see 
Manage IP Address Groups on page 288.
LAN WAN rules
DMZ WAN rules
DMZ Users The settings that determine which DMZ computers on the DMZ 
network are covered by this rule. The options are as follows:
• Any. All computers and devices on your DMZ network are 
covered by this rule. 
• Single address. Enter the required address in the Start field 
to apply the rule to a single computer on the DMZ network. 
• Address range. Enter the required addresses in the Start and 
Finish fields to apply the rule to a range of DMZ computers. 
DMZ WAN rules
LAN DMZ rules
QoS Profile 
or 
QoS PriorityThe priority assigned to IP packets of this service. The priorities 
are defined by Type of Service in the Internet Protocol Suite 
standards, RFC 1349. The QoS profile determines the priority of a 
service, which, in turn, determines the quality of that service for the 
traffic passing through the firewall.
The VPN firewall marks the Type of Service (ToS) field as defined 
in the QoS profiles that you create. For more information, see 
Manage Quality of Service Profiles for IPv4 Firewall Rules on 
page  293 and Default Quality of Service Priorities for IPv6 Firewall 
Rules on page
 298.
Note:For IPv4 traffic, the VPN firewall does not provide default 
QoS profiles. That is, if you want to use QoS for IPv4 traffic, you 
must create QoS profiles. For IPv6 traffic, the VPN firewall does 
provide QoS profiles but you cannot change them. A QoS profile 
becomes active only when you apply it to a nonblocking inbound or 
outbound firewall rule.
Note:When you apply a QoS profile to a firewall rule for the first 
time, the performance of the VPN firewall might be affected slightly.
Note:QoS profiles and QoS priorities do not apply to LAN DMZ 
rules.QoS Profile:
• IPv4 LAN WAN 
rules
• IPv4 DMZ WAN 
rules
Qos Priority:
• IPv6 LAN WAN 
rules
• IPv6 DMZ WAN 
rules
Table 5.  Outbound rules overview (continued)
SettingDescriptionOutbound Rules 
						

							Customize Firewall Protection 
215  ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2
Inbound Rules — Port Forwarding 
The VPN firewall has a default inbound LAN WAN rule, which blocks all access from outside 
except responses to requests from the LAN side. 
If you have enabled Network Address Translation (NAT), your network presents one IP 
address only to the Internet, and outside users cannot directly access any of your local 
computers (LAN users). For information about configuring NAT, see 
Network Address 
Translation Overview on page 30. However, by defining an inbound rule you can make a 
local server (for example, a web server or game server) visible and available to the Internet. 
Bandwidth Profile Bandwidth limiting determines how the data is sent to and from 
your host. The purpose of bandwidth limiting is to provide a 
solution for limiting the outgoing and incoming traffic, thus 
preventing the LAN users from consuming all the bandwidth of the 
Internet link. For more information, see Manage Bandwidth 
Profiles for IPv4 Traffic on page  299. For outbound traffic, you can 
configure bandwidth limiting only on the WAN interface for a LAN 
WAN rule.
Note:When you enable a bandwidth profile, the performance of 
the VPN firewall might be affected slightly.
Note:Bandwidth limiting does not apply to the DMZ interface.IPv4 LAN WAN rules
Log The setting that determines whether packets covered by this rule 
are logged. The options are as follows:
• Always. Always log traffic that matches this rule. This is useful 
when you are debugging your rules.
• Never. Never log traffic that matches this rule.
All rules
NAT IP The setting that specifies whether the source address of the 
outgoing packets on the WAN is autodetected, is assigned the 
address of the WAN interface, or is a different IP address. You can 
specify these settings only for outbound traffic of the WAN 
interface. The options are as follows:
• Auto. The source address of the outgoing packets is 
autodetected through the configured routing and load 
balancing rules.
• WAN Interface Address. All the outgoing packets on the 
WAN are assigned to the address of the specified WAN 
interface.
• Single Address. All the outgoing packets on the WAN are 
assigned to the specified IP address, for example, a 
secondary WAN address that you have configured.
Note:The NAT IP menu is available only when the WAN mode is 
NAT. 
Note:If you select Single Address from the NAT IP menu, the IP 
address specified must fall under the WAN subnet.IPv4 LAN WAN rules
IPv4 DMZ WAN rules
Table 5.  Outbound rules overview (continued)
SettingDescriptionOutbound Rules 
						

							Customize Firewall Protection 
216 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 
The rule informs the firewall to direct inbound traffic for a particular service to one local server 
based on the destination port number. This process is known as port forwarding.
WARNING:
Allowing inbound services opens security holes in your network. 
Enable only those ports that are necessary for your network.
The VPN firewall always blocks denial of service (DoS) attacks. A DoS attack does not 
attempt to steal data or damage your computers but overloads your Internet connection so 
that you cannot use it (that is, the service becomes unavailable). By default, multiple 
concurrent connections of the same application from one host or IP address (such as multiple 
DNS queries from one computer) trigger the VPN firewall’s DoS protection. For information 
about changing this default behavior, see 
Manage Protection Against Common Network 
Attacks on page 266.
Whether or not DHCP is enabled, how the computer accesses the server’s LAN address 
impacts the inbound rules. For example:
•If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP 
address might change periodically as the DHCP lease expires. Consider using Dynamic 
DNS so that external users can always find your network (see 
Manage Dynamic DNS 
Connections on page 63).
•If the IP address of the local server computer is assigned by DHCP, it might change when 
the computer is rebooted. To avoid this situation, configure a reserved IP address that is 
bound to the MAC address of the server (see 
DHCP Address Reservation on page 133).
•Local computers must access the local server by using the computers’ local LAN 
addresses. Attempts by local computers to access the server using the external WAN IP 
address fail.
For more conceptual information about firewall protection, see Firewall Protection on 
page 209.
Tip:For information about yet another way to allow certain types of 
inbound traffic that would otherwise be blocked by the firewall, see 
Manage Port Triggering on page 325. 
Note:Some residential broadband ISP accounts do not allow you to run any 
server processes (such as a web or FTP server) from your location. 
Your ISP might periodically check for servers and might suspend your 
account if it discovers any active servers at your location. If you are 
unsure, see the acceptable use policy of your ISP. 
						

							Customize Firewall Protection 
217  ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2
Settings for Inbound Rules
The following table describes the components that let you configure rules for inbound traffic. 
For information about the actual procedures to configure inbound rules, see the following 
sections:
•Add LAN WAN Inbound Service Rules on page
 228
•Add DMZ WAN Inbound Service Rules on page
 237
•Add LAN DMZ Inbound Service Rules on page 246
Table 6.  Inbound rules overview  
SettingDescriptionInbound Rules
Service The service or application to be covered by this rule. If the 
service or application does not display in the list, you must define 
it (see Manage Customized Services on page
 280). All rules
Action The action for outgoing connections covered by this rule. The 
options are as follows: 
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block
Note:Any inbound traffic that is not blocked by rules you create 
is allowed by the default rule.All rules
Select Schedule  The time schedule (that is, Schedule1, Schedule2, or 
Schedule3) that is used by this rule. 
This menu is activated only when you select BLOCK by 
schedule, otherwise allow or ALLOW by schedule, 
otherwise block as the action. 
For information about how to configure time schedules, see 
Define a Schedule on page
 292.All rules when BLOCK 
by schedule, 
otherwise allow or 
ALLOW by schedule, 
otherwise block is 
selected as the action
Send to LAN Server The LAN server address determines which computer on your 
network is hosting this service rule. (You can also translate this 
address to a port number.) The options are as follows:
• Single address. Enter the required address in the Start field 
to apply the rule to a single device on your LAN.
• Address range. Enter the required addresses in the Start 
and Finish fields to apply the rule to a range of devices.
IPv4 LAN WAN rules
Send to DMZ Server The DMZ server address determines which computer on your 
network is hosting this service rule. (You can also translate this 
address to a port number.)IPv4 DMZ WAN rules
Translate to Port 
NumberIf the LAN server or DMZ server that is hosting the service is 
using a port other than the default port for the service, you can 
select this setting and specify a port number. If the service is 
using the default port, you do not need to select this setting.IPv4 LAN WAN rules
IPv4 DMZ WAN rules 
						

							Customize Firewall Protection 
218 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 
WAN Destination IP 
AddressThe setting that determines the destination IP address applicable 
to incoming traffic. This is the public IP address that maps to the 
internal LAN server.
This can be either the address of the WAN interface or another 
public IP address.
You can also enter an address range. Enter the required 
addresses in the Start and Finish fields to apply the rule to a 
range of devices.IPv4 LAN WAN rules
IPv4 DMZ WAN rules
LAN Users These settings apply to a LAN WAN inbound rule when the WAN 
mode is classical routing and determine which computers on 
your network are covered by this rule. The options are as 
follows:
• Any. All computers and devices on your LAN are covered by 
this rule. 
• Single address. Enter the required address in the Start field 
to apply the rule to a single device on your LAN.
• Address range. Enter the required addresses in the Start 
and Finish fields to apply the rule to a range of devices.
• Group. Select the LAN group to which the rule applies. For 
information about assigning devices to groups, see 
Manage 
the Network Database on page 133. Groups apply only to 
IPv4 rules.
• IP Group. Select the IP group to which the rule applies. For 
information about assigning IP addresses to groups, see 
Manage IP Address Groups on page 288.
Note:For IPv4 LAN WAN inbound rules, this field does not apply 
when the WAN mode is NAT because your network presents only 
one IP address to the Internet.LAN WAN rules
LAN DMZ rules
WAN Users The settings that determine which Internet locations are covered 
by the rule, based on their IP address. The options are as 
follows: 
• Any. All Internet IP addresses are covered by this rule. 
• Single address. Enter the required address in the Start 
field. 
• Address range. Enter the required addresses in the Start 
and Finish fields.
• IP Group. Select the IP group to which the rule applies. For 
information about assigning IP addresses to groups, see 
Manage IP Address Groups on page 288.
LAN WAN rules
DMZ WAN rules
Table 6.  Inbound rules overview (continued) 
SettingDescriptionInbound Rules 
						

							Customize Firewall Protection 
219  ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2
DMZ Users The settings that determine which DMZ computers on the DMZ 
network are covered by this rule. The options are as follows:
• Any. All  computers  and  devices  on  your  DMZ  network  are 
covered by this rule. 
• Single address. Enter the required address in the Start field 
to apply the rule to a single computer on the DMZ network. 
• Address range. Enter the required addresses in the Start 
and Finish fields to apply the rule to a range of DMZ 
computers. 
Note:For IPv4 DMZ WAN inbound rules, this field does not 
apply when the WAN mode is NAT because your network 
presents only one IP address to the Internet.DMZ WAN rules
LAN DMZ rules
QoS Profile The priority assigned to IP packets of this service. The priorities 
are defined by Type of Service in the Internet Protocol Suite 
standards, RFC 1349. The QoS profile determines the priority of 
a service, which, in turn, determines the quality of that service for 
the traffic passing through the firewall.
The VPN firewall marks the Type of Service (ToS) field as 
defined in the QoS profiles that you create. For more information, 
see Manage Quality of Service Profiles for IPv4 Firewall Rules 
on page  293.
Note:For IPv4 traffic, the VPN firewall does not provide default 
QoS profiles. That is, if you want to use QoS for IPv4 traffic, you 
must create QoS profiles. For IPv6 traffic, the VPN firewall does 
provide QoS profiles but you cannot change them. A QoS profile 
becomes active only when you apply it to a nonblocking inbound 
or outbound firewall rule.
Note:When you apply a QoS profile to a firewall rule for the first 
time, the performance of the VPN firewall might be affected 
slightly.
Note:QoS profiles do not apply to LAN DMZ rules.IPv4 LAN WAN rules
IPv4 DMZ WAN rules
Table 6.  Inbound rules overview (continued) 
SettingDescriptionInbound Rules