Chapter 19 Firewall
The following table explains the default firewall rules for traffic going through the ZyWALL. See Section 19.2.1.2 on page 279 for details on the firewall rules for traffic going to the ZyWALL itself.
Table 84 Default Firewall Rules
| FROM ZONE TO ZONE | STATEFUL PACKET INSPECTION |
|---|---|
| From LAN to LAN | Traffic between interfaces in the LAN is allowed. |
| From LAN to WAN | Traffic from the LAN to the WAN is allowed. |
| From LAN to DMZ | Traffic from the LAN to the DMZ is allowed. |
| From WAN to LAN | Traffic from the WAN to the LAN is dropped. |
| From WAN to WAN | Traffic between interfaces in the WAN is dropped. |
| From WAN to DMZ | Traffic from the WAN to the DMZ is allowed. |
| From WAN to ZyWALL | Traffic from the WAN to the ZyWALL itself is dropped except for the traffic types described in Section 19.2.1.2 on page 279. |
| From DMZ to LAN | Traffic from the DMZ to the LAN is dropped. |
| From DMZ to WAN | Traffic from the DMZ to the WAN is dropped. |
| From DMZ to DMZ | Traffic between interfaces in the DMZ is dropped. |
If you enable
You also need to configure virtual servers (NAT port forwarding) to allow computers on the WAN to access devices on the LAN. See Chapter 16 on page 255 for more information.
19.2.1.1 Global Firewall Rules
If an interface or VPN tunnel is not included in a zone, only the global firewall rules (with from any to any direction) apply to traffic going to and from that interface.
19.2.1.2
Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default, the firewall allows any computer from the LAN zone to access or manage the ZyWALL. By default, the ZyWALL drops most packets from the WAN or DMZ zone to the ZyWALL itself, except for VRRP traffic for Device HA and ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a log.
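The following Python model ties together Table 84, the global-rule behaviour of Section 19.2.1.1 and the to-ZyWALL exceptions of Section 19.2.1.2 so the decision process can be exercised on sample traffic. It is an added illustration, not ZyWALL firmware, CLI syntax or a packet parser. The zone names, default allow/drop actions and the VRRP/ESP/AH/IKE/NATT/HTTPS exceptions come from the text above; the `Rule` and `Firewall` classes, the interface and service names, the first-match evaluation order of user rules before the defaults, and the drop-and-log result for an interface in no zone that matches no global rule are assumptions made for the example.

```python
"""Model of the ZyWALL default zone-to-zone firewall policy.

Added illustration only; not ZyWALL firmware, CLI syntax or a packet
parser.  Zone names, default actions and the to-ZyWALL exceptions come
from Table 84 and Section 19.2.1.2.  Assumptions: user rules are checked
in list order before the defaults; an interface in no zone with no
matching global rule is dropped and logged; Rule/Firewall, the service
names and the interface names are made up for the example.
"""
from dataclasses import dataclass, field

DEVICE = "ZyWALL"   # pseudo-zone: traffic addressed to the firewall itself

# Table 84: default zone-to-zone policy (True = allow, False = drop).
DEFAULT_POLICY = {
    ("LAN", "LAN"): True,  ("LAN", "WAN"): True,  ("LAN", "DMZ"): True,
    ("WAN", "LAN"): False, ("WAN", "WAN"): False, ("WAN", "DMZ"): True,
    ("DMZ", "LAN"): False, ("DMZ", "WAN"): False, ("DMZ", "DMZ"): False,
}

# Section 19.2.1.2: services the ZyWALL itself accepts from WAN/DMZ by default.
DEVICE_EXCEPTIONS = {"VRRP", "ESP", "AH", "IKE", "NATT", "HTTPS"}


@dataclass
class Rule:
    src_zone: str      # zone name, or "any" (a global rule is from any to any)
    dst_zone: str
    service: str       # service name, or "any"
    allow: bool


@dataclass
class Firewall:
    iface_zone: dict                                    # interface -> zone
    rules: list = field(default_factory=list)
    virtual_servers: set = field(default_factory=set)   # WAN ports forwarded

    def decide(self, in_iface, dst, service):
        """Return (allow, log, reason) for traffic from in_iface to dst.

        dst is an egress interface name, or DEVICE for traffic to the ZyWALL.
        An interface missing from iface_zone is in no zone (zone None).
        """
        src_zone = self.iface_zone.get(in_iface)
        dst_zone = DEVICE if dst == DEVICE else self.iface_zone.get(dst)

        # 1. User rules, first match wins.  A zone of None only ever matches
        #    "any", so an interface outside every zone sees global rules only
        #    (Section 19.2.1.1).
        for r in self.rules:
            if r.src_zone not in ("any", src_zone):
                continue
            if r.dst_zone not in ("any", dst_zone):
                continue
            if r.service not in ("any", service):
                continue
            return r.allow, not r.allow, f"user rule {r}"

        # 2. No user rule matched: fall back to the built-in defaults.
        if dst_zone == DEVICE:
            if src_zone == "LAN":
                return True, False, "default: LAN may access/manage the ZyWALL"
            if service in DEVICE_EXCEPTIONS:
                return True, False, f"default: {service} to ZyWALL permitted"
            return False, True, "default: drop and log traffic to ZyWALL"

        if src_zone is None or dst_zone is None:
            # Assumption for this example: the page does not state this case.
            return False, True, "assumed: no zone and no global rule matched"

        allow = DEFAULT_POLICY[(src_zone, dst_zone)]
        return allow, not allow, f"default {src_zone}->{dst_zone}"

    def wan_reaches_lan(self, in_iface, lan_iface, service, wan_port):
        """A WAN host reaches a LAN device only if a firewall rule permits
        WAN->LAN *and* a virtual server (NAT port forward, Chapter 16) exists
        for the port.  The page requires both; checking the firewall first
        is an assumption of this example."""
        allow, _, _ = self.decide(in_iface, lan_iface, service)
        return allow and wan_port in self.virtual_servers


def demo():
    # Constructed configuration: two WAN interfaces, one LAN, one DMZ,
    # and a VPN tunnel "vpn0" that has not been placed in any zone.
    fw = Firewall(
        iface_zone={"wan1": "WAN", "wan2": "WAN", "lan1": "LAN", "dmz": "DMZ"},
        rules=[
            Rule("WAN", "LAN", "HTTP", True),    # permit web to a LAN server
            Rule("any", "any", "SSH", False),    # global rule: no SSH anywhere
        ],
        virtual_servers={80},
    )
    return {
        "wan->lan default": fw.decide("wan1", "lan1", "SMTP")[0],
        "wan->dmz default": fw.decide("wan1", "dmz", "SMTP")[0],
        "wan->wan default": fw.decide("wan1", "wan2", "SMTP")[0],
        "dmz->lan default": fw.decide("dmz", "lan1", "HTTP")[0],
        "wan->device http": fw.decide("wan1", DEVICE, "HTTP")[:2],
        "wan->device ike":  fw.decide("wan1", DEVICE, "IKE")[0],
        "lan->device http": fw.decide("lan1", DEVICE, "HTTP")[0],
        "vpn0 global ssh":  fw.decide("vpn0", "lan1", "SSH")[0],
        "vpn0 no rule":     fw.decide("vpn0", "lan1", "HTTP")[0],
        "wan http w/ fwd":  fw.wan_reaches_lan("wan1", "lan1", "HTTP", 80),
        "wan http no fwd":  fw.wan_reaches_lan("wan1", "lan1", "HTTP", 8080),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

Two points worth checking against your own configuration when walking through the output: the WAN-to-DMZ default is allow, so a host is reachable from the WAN as soon as it is placed in the DMZ zone, and a VPN tunnel left outside every zone is governed only by the global any-to-any rules, so a zone-specific rule written for LAN or WAN will never match it.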
When you configure a
ZyWALL USG 1000 User's Guide, page 279