Chapter 22 Firewall

Firewall and VPN Traffic

After you create a VPN tunnel and add it to a zone, you can set the firewall rules that apply to VPN traffic. If you add the VPN tunnel to an existing zone (the LAN1 zone, for example), you can configure a new LAN1 to LAN1 firewall rule or use intra-zone traffic blocking to allow or block VPN traffic between the VPN tunnel and the other interfaces in the LAN1 zone. If you add the VPN tunnel to a new zone (the VPN zone, for example), you can configure rules for VPN traffic between the VPN zone and other zones, or From VPN To ZyWALL rules for VPN traffic destined for the ZyWALL itself.
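The following is an added example, not configuration or code from the ZyWALL User's Guide or from ZyXEL. It models the zone-based evaluation described above in plain Python so the two choices can be compared side by side: a tunnel placed in the existing LAN1 zone, where intra-zone traffic blocking decides, and a tunnel placed in its own VPN zone, where VPN to LAN1 and From VPN To ZyWALL rules decide. The rule table also carries the LAN1 to WAN IRC deny used later in this chapter. Assumptions: rules are checked top-down with first match winning, intra-zone blocking is consulted only when no rule matches, the pseudo-zone name "ZyWALL" stands for traffic addressed to the device, IRC is taken to be TCP port 6667, and all addresses are constructed sample data.

```python
"""Simplified zone-based firewall model (added example, not ZyWALL code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = "any"
DEVICE = "ZyWALL"  # assumed pseudo-zone for traffic destined for the device itself


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    action: str                                # "allow" or "deny"
    src: str = ANY                             # CIDR or ANY
    dst: str = ANY                             # CIDR or ANY
    service: Optional[Tuple[str, int]] = None  # (proto, dport); None means any service

    def matches(self, pkt: Packet) -> bool:
        return (self.from_zone in (ANY, pkt.from_zone)
                and self.to_zone in (ANY, pkt.to_zone)
                and (self.src == ANY or ip_address(pkt.src) in ip_network(self.src))
                and (self.dst == ANY or ip_address(pkt.dst) in ip_network(self.dst))
                and (self.service is None or self.service == (pkt.proto, pkt.dport)))


class ZoneFirewall:
    def __init__(self, rules, block_intra_zone=(), default_action="deny"):
        self.rules = list(rules)                       # checked top-down, first match wins
        self.block_intra_zone = set(block_intra_zone)  # zones with intra-zone blocking enabled
        self.default_action = default_action           # applied to unmatched inter-zone traffic

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        # No explicit rule: traffic staying inside one zone is allowed unless
        # intra-zone blocking is switched on for that zone.
        if pkt.from_zone == pkt.to_zone:
            return "deny" if pkt.from_zone in self.block_intra_zone else "allow"
        return self.default_action


RULES = [
    # LAN1 to WAN: block IRC (TCP 6667 assumed) from any source to any destination
    Rule("LAN1", "WAN", "deny", service=("tcp", 6667)),
    Rule("LAN1", "WAN", "allow"),
    # Tunnel in its own VPN zone: remote peers (constructed 10.20.0.0/24) may reach LAN1
    Rule("VPN", "LAN1", "allow", src="10.20.0.0/24"),
    # From VPN To ZyWALL: only HTTPS management is accepted from the tunnel
    Rule("VPN", DEVICE, "allow", service=("tcp", 443)),
]
FW = ZoneFirewall(RULES, block_intra_zone={"LAN1"})


def decisions() -> dict:
    """Run constructed sample flows through the model and return the verdicts."""
    cases = {
        "lan_irc": Packet("LAN1", "WAN", "192.168.1.10", "203.0.113.5", "tcp", 6667),
        "lan_web": Packet("LAN1", "WAN", "192.168.1.10", "203.0.113.5", "tcp", 443),
        "vpn_to_lan": Packet("VPN", "LAN1", "10.20.0.7", "192.168.1.20", "tcp", 445),
        "vpn_to_device_ssh": Packet("VPN", DEVICE, "10.20.0.7", "192.168.1.1", "tcp", 22),
        "vpn_to_device_https": Packet("VPN", DEVICE, "10.20.0.7", "192.168.1.1", "tcp", 443),
        # Same tunnel added to LAN1 instead: no rule matches, intra-zone blocking applies
        "tunnel_in_lan1": Packet("LAN1", "LAN1", "10.20.0.7", "192.168.1.20", "tcp", 445),
    }
    return {name: FW.decide(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:22s} {verdict}")
```

The last case is the practical point of the paragraph: with the tunnel inside LAN1 there is no rule to write, so whether remote peers can reach LAN1 hosts depends entirely on the zone's intra-zone blocking setting. Putting the tunnel in a separate zone makes that access an explicit, auditable rule instead.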

Session Limits

Accessing the ZyWALL, or network resources through the ZyWALL, requires a NAT session and a corresponding firewall session. Peer-to-peer applications, such as file sharing applications, may use a large number of NAT sessions. A single client could use all of the available NAT sessions and prevent others from connecting to or through the ZyWALL. The ZyWALL lets you limit the number of concurrent NAT/firewall sessions a client can use.
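The following is an added example, not code from the ZyWALL User's Guide or from ZyXEL. It models a per-client session cap in Python to show why the limit protects other clients: a peer-to-peer host that fans out to many peers is held at its quota while a second host still gets its session, and the quota frees up again as the first host's flows close. Assumptions: sessions are identified by a 5-tuple, a single default limit applies to every client with optional per-client overrides, and all addresses, ports and flow counts are constructed sample data.

```python
"""Per-client concurrent session limit (added example, not ZyWALL code)."""
from collections import defaultdict


class SessionTable:
    def __init__(self, default_limit, per_client_limits=None):
        self.default_limit = default_limit
        self.per_client_limits = dict(per_client_limits or {})  # client IP -> limit
        self.sessions = set()               # open flows: (src, sport, dst, dport, proto)
        self.count = defaultdict(int)       # client IP -> number of open sessions
        self.rejected = defaultdict(int)    # client IP -> sessions refused by the limit

    def limit_for(self, client):
        return self.per_client_limits.get(client, self.default_limit)

    def open(self, src, sport, dst, dport, proto="tcp"):
        """Admit a new flow unless the client is already at its session limit."""
        key = (src, sport, dst, dport, proto)
        if key in self.sessions:
            return True                     # existing flow, no new session consumed
        if self.count[src] >= self.limit_for(src):
            self.rejected[src] += 1
            return False
        self.sessions.add(key)
        self.count[src] += 1
        return True

    def close(self, src, sport, dst, dport, proto="tcp"):
        """Release a flow so the client's quota is available again."""
        key = (src, sport, dst, dport, proto)
        if key in self.sessions:
            self.sessions.discard(key)
            self.count[src] -= 1


def simulate(limit=100, p2p_attempts=150):
    """Constructed scenario: one P2P client tries to exceed the limit."""
    table = SessionTable(default_limit=limit)
    p2p = "192.168.1.50"
    # The P2P client opens one flow to each of 150 distinct peers (constructed addresses)
    for i in range(p2p_attempts):
        table.open(p2p, 40000 + i, f"198.51.100.{i + 1}", 6881)
    # A second LAN client still obtains a session for ordinary web traffic
    other_ok = table.open("192.168.1.60", 51000, "203.0.113.10", 443)
    # When the P2P client closes one flow it may open exactly one more
    table.close(p2p, 40000, "198.51.100.1", 6881)
    after_close = table.open(p2p, 45000, "198.51.100.200", 6881)
    return {
        "p2p_open": table.count[p2p],
        "p2p_rejected": table.rejected[p2p],
        "other_ok": other_ok,
        "after_close": after_close,
    }


if __name__ == "__main__":
    print(simulate())
```

Without the cap, the first client's 150 flows would all be admitted and, on a device whose session table fills, later clients would be the ones refused. The limit converts that shared-resource exhaustion into a per-client failure that only the offending host notices.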

Finding Out More

See Section 6.5.14 on page 101 for related information on the Firewall screens.

See Section 7.8 on page 136 for an example of creating firewall rules as part of configuring user-aware access control (Section 7.5 on page 122).

See Section 7.9.3 on page 142 for an example of creating a firewall rule to allow H.323 traffic from the WAN to the LAN.

See Section 7.10.3 on page 145 for an example of creating a firewall rule to allow web traffic from the WAN to a server on the DMZ.

See Section 7.11.4 on page 150 for an example of creating firewall rules to allow SIP traffic for an IPPBX or SIP server on the DMZ.

22.1.3 Firewall Rule Example Applications

Suppose that your company decides to block all of the LAN users from using IRC (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need


ZyWALL USG 50 User’s Guide