Chapter 11 Firewall

Table 48 SECURITY > FIREWALL > Default Rule (Router Mode) (continued)

LABEL

DESCRIPTION

From, To

The firewall rules are grouped by the direction of packet travel. This displays the

 

number of rules for each packet direction. Click the edit icon to go to a summary

 

screen of the rules for that packet direction.

 

Here are some example descriptions of the directions of travel.

 

From LAN To LAN means packets traveling from a computer on one LAN subnet to

 

a computer on another LAN subnet on the LAN interface of the ZyWALL or the

 

ZyWALL itself. The ZyWALL does not apply the firewall to packets traveling from a

 

LAN computer to another LAN computer on the same subnet.

 

From VPN means traffic that came into the ZyWALL through a VPN tunnel and is

 

going to the selected “to” interface. For example, From VPN To LAN specifies the

 

VPN traffic that is going to the LAN. The ZyWALL applies the firewall to the traffic

 

after decrypting it.

 

To VPN is traffic that comes in through the selected “from” interface and goes out

 

through any VPN tunnel. For example, From LAN To VPN specifies the traffic that

 

is coming from the LAN and going out through a VPN tunnel. The ZyWALL applies

 

the firewall to the traffic before encrypting it.

 

From VPN To VPN means traffic that comes in through a VPN tunnel and goes out

 

through (another) VPN tunnel or terminates at the ZyWALL. This is the case when

 

the ZyWALL is the hub in a hub-and-spoke VPN. This is also the case if you allow

 

someone to use a service (like Telnet or HTTP) through a VPN tunnel to manage

 

the ZyWALL. The ZyWALL applies the firewall to the traffic after decrypting it.

 

Note: The VPN connection directions apply to the traffic going to or

 

from the ZyWALL’s VPN tunnels. They do not apply to other

 

VPN traffic for which the ZyWALL is not one of the gateways

 

(VPN pass-through traffic).

 

Use the drop-down list box to set the firewall’s default actions based on the direction

 

of travel of packets.

 

Select Drop to silently discard the packets without sending a TCP reset packet or

 

an ICMP destination-unreachable message to the sender.

 

Select Reject to deny the packets and send a TCP reset packet (for a TCP packet)

 

or an ICMP destination-unreachable message (for a UDP packet) to the sender.

 

Select Permit to allow the passage of the packets.

 

The firewall rules for the WAN port with a higher route priority also apply to the dial

 

backup connection.

 

 

Log

Select the check box next to a direction of packet travel to create a log when the

 

above action is taken for packets that are traveling in that direction and do not match

 

any of your customized rules.

 

 

Apply

Click Apply to save your changes back to the ZyWALL.

 

 

Reset

Click Reset to begin configuring this screen afresh.

11.8 Firewall Default Rule (Bridge Mode)

Click SECURITY > FIREWALL to open the Default Rule screen.

Use this screen to configure general firewall settings when the ZyWALL is set to bridge mode. See Section 11.1 on page 191 for more information about the firewall.

204

 

ZyWALL 2 Plus User’s Guide