Chapter 19 Firewall
Firewall and VPN Traffic
After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone for example), you can configure a new LAN to LAN firewall rule or use
Finding Out More
• See Section 5.4.12 on page 117 for related information on the Firewall screens.
• See Section 6.5.6 on page 153 for an example of creating firewall rules as part of configuring
• See Section 6.8.3 on page 161 for an example of creating a firewall rule to allow H.323 traffic from the WAN to LAN1.
19.1.3 Firewall Rule Example Applications

Suppose that your company decides to block all of the LAN users from using IRC (Internet Relay Chat) through the Internet. To do this, you would configure a LAN1 to WAN firewall rule that blocks IRC traffic from any source IP address to any destination address. You do not need to specify a schedule, since the firewall rule must always be in effect. The following figure shows the results of this rule.
Figure 238 Blocking All LAN to WAN IRC Traffic Example
Your firewall would have the following configuration.
Table 110 Blocking All LAN1 to WAN IRC Traffic Example

# | USER | SOURCE | DESTINATION | SCHEDULE | SERVICE | ACTION
1 | Any | Any | Any | Any | IRC | Deny
Default | Any | Any | Any | Any | Any | Allow
• The first row blocks LAN1 access to the IRC service on the WAN. Any LAN1 to WAN traffic that does not match the IRC service falls through to the default row and is allowed.
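The rule table above is evaluated top to bottom, first match wins, and the "Default" row catches everything else. The following added example (not ZyWALL code, and not from this guide) models that evaluation for the LAN1 to WAN IRC rule so you can check which packets it actually catches. The zone subnets (LAN1 = 192.168.1.0/24, WAN = everything else), the service port numbers (IRC assumed to be TCP 6667), and the sample packets are all constructed assumptions for illustration; the guide does not define them on this page. The example also goes slightly beyond the page by showing a scheduled rule, since the text mentions that a schedule is optional.

```python
"""Zone-based, first-match firewall rule evaluation (added example).

Models the ZyWALL-style rule table: from-zone, to-zone, source, destination,
service, schedule, action, with a default action when no rule matches.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Service objects: name -> (protocol, destination port).
# Port values are assumptions for the example, not from the guide.
SERVICES = {"IRC": ("tcp", 6667), "HTTP": ("tcp", 80), "DNS": ("udp", 53)}

# Assumed zone layout: LAN1 is one private subnet, WAN is everything else.
ZONES = {"LAN1": ip_network("192.168.1.0/24"), "WAN": ip_network("0.0.0.0/0")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    from_zone: str          # "Any" or a zone name
    to_zone: str
    source: str             # "Any" or a CIDR
    destination: str
    service: str            # "Any" or a key of SERVICES
    action: str             # "Allow" or "Deny"
    schedule: Optional[Tuple[int, int]] = None  # (start_hour, end_hour); None = Any


def zone_of(addr: str) -> Optional[str]:
    """Most specific zone whose subnet contains addr (LAN1 wins over WAN)."""
    ip = ip_address(addr)
    hits = [(net.prefixlen, name) for name, net in ZONES.items() if ip in net]
    return max(hits)[1] if hits else None


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "Any" or ip_address(addr) in ip_network(spec, strict=False)


def _service_match(spec: str, pkt: Packet) -> bool:
    # Service objects match on protocol and destination port only, so IRC on a
    # non-standard port is NOT caught by an "IRC" rule (see the usage note).
    if spec == "Any":
        return True
    proto, port = SERVICES[spec]
    return pkt.proto == proto and pkt.dport == port


def _schedule_active(sched: Optional[Tuple[int, int]], now: datetime) -> bool:
    if sched is None:
        return True
    start, end = sched
    return start <= now.hour < end


def rule_matches(rule: Rule, pkt: Packet, now: datetime) -> bool:
    return (
        rule.from_zone in ("Any", zone_of(pkt.src))
        and rule.to_zone in ("Any", zone_of(pkt.dst))
        and _addr_match(rule.source, pkt.src)
        and _addr_match(rule.destination, pkt.dst)
        and _service_match(rule.service, pkt)
        and _schedule_active(rule.schedule, now)
    )


def evaluate(rules: List[Rule], pkt: Packet, now: Optional[datetime] = None,
             default: str = "Allow") -> Tuple[Optional[int], str]:
    """Return (matching rule number, action); (None, default) if nothing matched."""
    now = now or datetime.now()
    for idx, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt, now):
            return idx, rule.action
    return None, default


# Table 110: rule 1 denies IRC from LAN1 to WAN, default allows everything else.
BLOCK_IRC = [Rule("LAN1", "WAN", "Any", "Any", "IRC", "Deny")]

if __name__ == "__main__":
    # Constructed sample packets (203.0.113.0/24 is documentation address space).
    for pkt in (Packet("192.168.1.10", "203.0.113.5", "tcp", 6667),   # LAN1 -> WAN IRC
                Packet("192.168.1.10", "203.0.113.5", "tcp", 80),     # LAN1 -> WAN HTTP
                Packet("203.0.113.5", "192.168.1.10", "tcp", 6667),   # WAN -> LAN1 IRC
                Packet("192.168.1.10", "203.0.113.5", "tcp", 6697)):  # IRC, odd port
        print(pkt, "->", evaluate(BLOCK_IRC, pkt))
```

Two things the run makes visible that the table alone does not: the rule is direction-specific, so IRC traffic arriving from the WAN zone is not matched by a LAN1 to WAN rule and falls through to whatever the default for that zone pair is (the example's default is the table's "Allow"); and a service object matches on port, so an IRC client configured for a non-standard port is not blocked by a rule that references the "IRC" service.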
ZyWALL USG 100/200 Series User’s Guide (page 338)