
Firewall Rules
Firewall rules block or allow specific traffic passing through from one side of the router to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the modem router are:
You can define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined.
You can change the order of precedence of rules so that the rule that applies most often takes effect first. See Order of Precedence for Rules for more details.
To access the rules configuration of the modem router, select Firewall Rules on the main menu. The Firewall Rules screen displays.
 
Figure 3-4 
To configure firewall rules:
To move an existing rule to a different position in the table, select its button on the left side of the table, and click Move. At the prompt, enter the number of the desired new position and click OK.
Inbound Rules (Port Forwarding)
Because the modem router uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the modem router to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding.
 
Note:
Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active services at your location. If you are unsure, refer to the acceptable use policy of your ISP.
 
Remember that allowing inbound services opens holes in your firewall. Enable only those ports that are necessary for your network. Following are two application examples of inbound rules.
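As an added check (example code, not part of this manual and not a NETGEAR tool), the script below compares the ports that actually answer on your WAN address with the ones your inbound rules are meant to expose. It parses the grepable (-oG) output of nmap, a third-party scanner not mentioned on this page; the scan text embedded in the script is a constructed sample, and the WAN address 192.0.2.1 and the "intended" set (only HTTP, as in the Web server example that follows) are assumptions. The real scan must be run from a host outside your network, because the external address cannot be reached from the LAN (see Considerations for Inbound Rules).

```python
"""Added example (not NETGEAR code): check what is actually reachable on the WAN address
against the inbound rules you intended.  Parses nmap's grepable (-oG) output; the scan text
below is a CONSTRUCTED sample, not a real scan.  Run the real scan from a host OUTSIDE your
network (for example `nmap -sS -p- -oG scan.gnmap <WAN IP>`), because from the LAN the
external address is not reachable (see Considerations for Inbound Rules)."""
import re
from typing import Dict, Set, Tuple

# Constructed sample of `nmap -oG` output: 22, 80 and 8080 answer, 443 is closed, the rest filtered.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated Mon Jan  8 12:00:00 2024 as: nmap -sS -p- -oG scan.gnmap 192.0.2.1",
    "Host: 192.0.2.1 ()\tStatus: Up",
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, "
    "8080/open/tcp//http-proxy///\tIgnored State: filtered (65531)",
    "# Nmap done at Mon Jan  8 12:00:30 2024 -- 1 IP address (1 host up) scanned in 30.00 seconds",
])

# Each entry in the "Ports:" field is port/state/protocol/owner/service/rpc/version
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered|open\|filtered)/(tcp|udp)/")

def open_ports(gnmap: str) -> Set[Tuple[str, int]]:
    """Return the {(proto, port)} pairs reported open in grepable nmap output."""
    found = set()
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                                  # comment lines and the Status line
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                found.add((proto, int(port)))
    return found

def audit(observed: Set[Tuple[str, int]], intended: Set[Tuple[str, int]]) -> Dict[str, set]:
    """Diff what answers from outside against what your inbound rules are meant to expose."""
    return {"unexpected": observed - intended, "missing": intended - observed}

# Assumption: the only inbound rule we meant to create is the Web server (HTTP) example.
INTENDED = {("tcp", 80)}

if __name__ == "__main__":
    result = audit(open_ports(SAMPLE_GNMAP), INTENDED)
    print("unexpected (find and remove the rule, or the service):", sorted(result["unexpected"]))
    print("missing (rule not working?):", sorted(result["missing"]))
```

Anything in the "unexpected" set is a hole you did not intend: either an inbound rule you forgot about, or a service on the router itself answering on the WAN side. Anything "missing" means the rule, the LAN server address, or the ISP (see the Note above) is not doing what you expect.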
Inbound Rule Example: A Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. An inbound rule is shown in the Inbound Services screen, which is accessible by clicking on Add under Inbound Services in the Firewall Rules screen.
Figure 3-5 
This screen allows you to configure the following settings:
Service. From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Services screen to add any additional services or applications that do not already appear. See How to Define Services.
Action. Choose how you want this type of traffic to be handled. You can block or allow always, or you can block or allow according to the schedule you have defined in the Schedule screen:
ALLOW always. Traffic for the selected service is always allowed.
ALLOW by schedule, otherwise Block. Traffic for the selected service is allowed during the periods defined in the Schedule screen, and blocked at all other times.
BLOCK always. Traffic for the selected service is always blocked.
BLOCK by schedule, otherwise Allow. Traffic for the selected service is blocked during the periods defined in the Schedule screen, and allowed at all other times.
Send to LAN Server. Enter the IP address of the computer or server on your LAN that will receive the inbound traffic covered by this rule.
WAN Users. These settings determine which packets are covered by the rule, based on their source (WAN) IP address. Select the option that you want:
 
Any. All IP addresses are covered by this rule.
Single address. Enter the required start address in the Start field.
Address range. If this option is selected, you must enter the start and finish addresses in the Start and Finish fields.
 
Log. You can select whether the traffic will be logged. The choices are:
Never. No log entries will be made for this service.
Always. Any traffic for this service type will be logged.
Match. Traffic of this type that matches the settings and action will be logged.
Not match. Traffic of this type that does not match the settings and action will be logged.
Inbound Rule Example: Allowing Video conferencing
If you want to allow incoming video conferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in the following figure, CU-SeeMe connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed settings.
 
Figure 3-6 
Considerations for Inbound Rules
If your external IP address is assigned dynamically by your ISP, the IP address might change periodically as the DHCP lease expires. Consider using the Dynamic DNS screen so that external users can always find your network.
If the IP address of the local server computer is assigned by DHCP, it might change when the computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP Setup screen to keep the computer’s IP address constant.
Local computers must access the local server using the computer’s local LAN address (192.168.0.11 in the example in the previous figure). Attempts by local computers to access the server using the external WAN IP address will fail.
Outbound Rules (Service Blocking)
The modem router allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local computer based on the service or application, the source LAN address, the destination WAN address, and the time of day.
Following is an application example of outbound rules.
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you create in the Schedule screen. You can specify that the modem router logs any attempt to use Instant Messenger during this blocked period. You can also open or close Instant Messenger ports: see the Firewall Rules screen in the “Order of Precedence for Rules” section on page 3‑12.
An outbound rule is shown in the Outbound Services screen, which is accessible by clicking on Add under Outbound Services in the Firewall Rules screen.
 
Figure 3-7 
This screen allows you to configure the following settings:
Service. From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add Custom Service button in the Services screen to add any additional services or applications that do not already appear. See How to Define Services.
Action. Choose how you want this type of traffic to be handled. You can block or allow always, or you can block or allow according to the schedule you have defined in the Schedule screen:
ALLOW always. Traffic for the selected service is always allowed.
ALLOW by schedule, otherwise Block. Traffic for the selected service is allowed during the periods defined in the Schedule screen, and blocked at all other times.
BLOCK always. Traffic for the selected service is always blocked.
BLOCK by schedule, otherwise Allow. Traffic for the selected service is blocked during the periods defined in the Schedule screen, and allowed at all other times.
LAN Users. These settings determine which packets are covered by the rule, based on their source LAN IP address. Select the option that you want:
Any. All IP addresses are covered by this rule.
Single address. Enter the required start address in the Start field.
Address range. If this option is selected, you must enter the start and finish addresses in the Start and Finish fields.
WAN Users. These settings determine which packets are covered by the rule, based on their destination WAN IP address. Select the option that you want:
 
Any. All IP addresses are covered by this rule.
Single address. Enter the required start address in the Start field.
Address range. If this option is selected, you must enter the start and finish addresses in the Start and Finish fields.
 
Log. You can select whether the traffic will be logged. The choices are:
Never. No log entries will be made for this service.
Always. Any traffic for this service type will be logged.
Match. Traffic of this type that matches the settings and action will be logged.
Not match. Traffic of this type that does not match the settings and action will be logged.
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Firewall Rules screen, as shown in the following figure:
Figure 3-8 
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet. The Move button allows you to relocate a defined rule to a new position in the table.
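As an added example (not NETGEAR code, and not how the modem router itself is implemented), the following Python script models the evaluation just described: the table is read top to bottom, the first rule whose service and addresses match decides the packet, and the default rule at the bottom catches everything else. It replays the three rule examples from this chapter (the public Web server, CU-SeeMe allowed only from a branch office range with Not match logging, and Instant Messenger blocked by schedule during working hours) and includes a shadowed() check that finds rules made unreachable by their position in the table. The service port numbers, addresses, time window and the assumed default rules (inbound Block, outbound Allow) are illustrative assumptions; this page does not list the defaults.

```python
"""Added example (not NETGEAR code): a model of the rule evaluation this chapter describes.
Rules are tried top to bottom, the first rule whose service and addresses match decides the
packet, and the default rule at the bottom catches the rest.  ASSUMPTIONS: default rules are
taken as inbound BLOCK / outbound ALLOW (not listed on this page); all data is illustrative."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# WAN Users / LAN Users selector: None = Any, (a, a) = Single address, (start, finish) = Range
AddrSel = Optional[Tuple[IPv4Address, IPv4Address]]
def in_sel(addr: IPv4Address, sel: AddrSel) -> bool:
    return sel is None or sel[0] <= addr <= sel[1]
def sel_covers(outer: AddrSel, inner: AddrSel) -> bool:   # every address of inner is in outer
    return outer is None or (inner is not None and outer[0] <= inner[0] and inner[1] <= outer[1])

@dataclass(frozen=True)
class Service:                 # an entry from the Services screen
    name: str
    proto: str
    first_port: int
    last_port: int
    def matches(self, proto: str, port: int) -> bool:
        return self.proto == proto and self.first_port <= port <= self.last_port

@dataclass(frozen=True)
class Schedule:                # a time window from the Schedule screen
    days: frozenset            # datetime.weekday() values: 0 = Monday ... 6 = Sunday
    start: time
    end: time
    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end

@dataclass
class Rule:
    service: Service
    action: str                            # one of the four Action choices on the screen
    lan_users: AddrSel = None              # outbound rules: source LAN address
    wan_users: AddrSel = None              # inbound: source WAN address; outbound: destination
    send_to: Optional[IPv4Address] = None  # inbound rules: the LAN server
    log: str = "Never"                     # Never | Always | Match | Not match
    schedule: Optional[Schedule] = None

def resolve_action(rule: Rule, when: datetime) -> str:
    on = rule.schedule is not None and rule.schedule.active(when)
    return {"ALLOW always": "ALLOW", "BLOCK always": "BLOCK",
            "ALLOW by schedule, otherwise Block": "ALLOW" if on else "BLOCK",
            "BLOCK by schedule, otherwise Allow": "BLOCK" if on else "ALLOW"}[rule.action]

def evaluate(table: List[Rule], default: str, inbound: bool, proto: str,
             src: IPv4Address, dst: IPv4Address, dport: int, when: datetime) -> dict:
    """First rule whose service AND addresses match wins; returns action, 1-based rule
    position (None = default rule), LAN server, and the log lines the rules produced."""
    logs: List[str] = []
    for idx, rule in enumerate(table, 1):
        if not rule.service.matches(proto, dport):
            continue                                   # rule is for another service type
        if inbound:
            addr_ok = in_sel(src, rule.wan_users)
        else:
            addr_ok = in_sel(src, rule.lan_users) and in_sel(dst, rule.wan_users)
        # 'Not match' is modelled (assumption) as logging traffic of this service type whose
        # addresses fall outside the rule; such traffic goes on to the next rule / the default.
        if rule.log == "Always" or (rule.log == "Match" and addr_ok) or (rule.log == "Not match" and not addr_ok):
            logs.append(f"rule {idx} {rule.service.name} {'match' if addr_ok else 'no match'}: {proto} {src} -> {dst}:{dport}")
        if addr_ok:
            return {"action": resolve_action(rule, when), "rule": idx,
                    "send_to": rule.send_to if inbound else None, "logs": logs}
    return {"action": default, "rule": None, "send_to": None, "logs": logs}   # default rule

def shadowed(table: List[Rule], inbound: bool) -> List[int]:
    """1-based positions of rules that can never fire: an earlier rule has the same service
    and covers every address the later rule would match, so the earlier rule always wins."""
    hits = []
    for j, later in enumerate(table):
        for earlier in table[:j]:
            covered = earlier.service == later.service and sel_covers(earlier.wan_users, later.wan_users)
            if covered and (inbound or sel_covers(earlier.lan_users, later.lan_users)):
                hits.append(j + 1)
                break
    return hits

A = IPv4Address
HTTP = Service("HTTP", "tcp", 80, 80)
CUSEEME = Service("CU-SeeMe", "udp", 7648, 7648)        # port number illustrative
AIM = Service("AIM", "tcp", 5190, 5190)                  # port number illustrative
WORK_HOURS = Schedule(frozenset(range(5)), time(9, 0), time(17, 0))   # Mon-Fri 09:00-17:00
BRANCH = (A("203.0.113.10"), A("203.0.113.20"))          # the branch office address range
WAN_IP = A("192.0.2.1")
# The chapter's inbound examples: a public Web server, and video conferencing allowed only
# from the branch office, logging any CU-SeeMe request that does not match.
INBOUND = [Rule(HTTP, "ALLOW always", send_to=A("192.168.0.11")),
           Rule(CUSEEME, "ALLOW always", wan_users=BRANCH, send_to=A("192.168.0.12"), log="Not match")]
# The chapter's outbound example: block Instant Messenger during working hours and log attempts.
OUTBOUND = [Rule(AIM, "BLOCK by schedule, otherwise Allow", log="Match", schedule=WORK_HOURS)]
# Precedence: "allow HTTP from Any" placed above "block HTTP from BRANCH" makes the block unreachable.
BAD_ORDER = [Rule(HTTP, "ALLOW always", send_to=A("192.168.0.11")), Rule(HTTP, "BLOCK always", wan_users=BRANCH)]
GOOD_ORDER = BAD_ORDER[::-1]                             # what the Move button is for

def demo() -> dict:
    noon, night = datetime(2024, 1, 8, 12, 0), datetime(2024, 1, 8, 21, 0)   # a Monday
    im = ("tcp", A("192.168.0.20"), A("198.51.100.7"), 5190)
    return {"web": evaluate(INBOUND, "BLOCK", True, "tcp", A("198.51.100.5"), WAN_IP, 80, noon),
            "conf_branch": evaluate(INBOUND, "BLOCK", True, "udp", A("203.0.113.15"), WAN_IP, 7648, noon),
            "conf_stranger": evaluate(INBOUND, "BLOCK", True, "udp", A("198.51.100.5"), WAN_IP, 7648, noon),
            "im_working": evaluate(OUTBOUND, "ALLOW", False, *im, noon),
            "im_evening": evaluate(OUTBOUND, "ALLOW", False, *im, night)}
```

The precedence point shows up in BAD_ORDER: with ALLOW HTTP from Any at position 1, the BLOCK HTTP rule for the branch range at position 2 can never match, and shadowed() reports position 2. Moving the narrower block rule above the broader allow rule (GOOD_ORDER) is what the Move button is for; a rule that is never reached is the usual reason a block "does not work".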
The Firewall Rules screen also lets you easily open or close AOL or MSN Instant Messenger ports:
1. Select one of the following:
Close IM Ports. Specifies to disable instant messaging traffic.
Open IM Ports. Specifies to enable instant messaging traffic. IM ports are open by default.
2. Click Apply to save your changes.

NETGEAR, Inc.
http://www.netgear.com