Chapter 19 Firewall

Table 88 Firewall (continued)

| LABEL | DESCRIPTION |
|---|---|
| Allow Asymmetrical Route | If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL's LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or "triangle" route. It causes the ZyWALL to reset the connection, because from the ZyWALL's point of view the connection was never acknowledged. Select this check box to have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection). Note: Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. See Section 19.5 on page 283 for an example. |
| Maximum session per host | Use this field to set the highest number of sessions that the ZyWALL will permit a single computer (one IP address) to have open at one time. Computers running peer-to-peer applications, such as file-sharing applications, may use a large number of NAT sessions. If you do not limit the number of NAT sessions a single client can establish, one client can use up all of the available NAT sessions; no additional NAT sessions can then be established, and other users may be unable to access the Internet. Each NAT session establishes a corresponding firewall session, so this field limits the number of NAT/firewall sessions each client computer can establish through the ZyWALL. If your network has a small number of clients using peer-to-peer applications, you can raise this number so that their performance is not degraded by the limit on the NAT sessions they can establish. If your network has a large number of users running peer-to-peer applications, you can lower this number so that no single client uses too many of the available NAT sessions. |
| From Zone / To Zone | This is the direction of travel of packets. Select from which zone the packets come and to which zone the packets go. Firewall rules are grouped by the direction of travel of the packets to which they apply. For example, from LAN to LAN means packets traveling from a computer or subnet on the LAN to another computer or subnet on the LAN. From any displays all the firewall rules for traffic going to a particular zone. To any displays all the firewall rules for traffic coming from a particular zone. From any to any displays all of the firewall rules. To ZyWALL rules are for traffic that is destined for the ZyWALL itself and control which computers can manage the ZyWALL. |
| | The following [...] selected packet direction. |
| # | This is the index number of your firewall rule. It is not associated with a specific rule. |
| Priority | This is the position of your firewall rule in the global rule list (including all through-ZyWALL and [...] applied in sequence. |
| Schedule | This field shows the schedule object that the rule uses. none means the rule is active at all times if enabled. |
| User | This is the user name or user group name to which this firewall rule applies. |
| Source | This displays the source address object to which this firewall rule applies. |
| Destination | This displays the destination address object to which this firewall rule applies. |
| Service | This displays the service object to which this firewall rule applies. |
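The session-exhaustion scenario described under Maximum session per host, as an added Python model (not ZyWALL code). The table size of 100 sessions, the per-host cap of 20, the 500-session peer-to-peer host and the 192.0.2.x addresses are constructed assumptions.

```python
"""Model of a NAT/firewall session table with an optional per-host cap.

Illustration only: a simplified model of the "Maximum session per host"
behaviour, not ZyWALL code. All sizes and addresses are constructed.
"""
from collections import Counter


class SessionTable:
    def __init__(self, capacity, max_per_host=None):
        self.capacity = capacity          # total NAT/firewall sessions the device holds
        self.max_per_host = max_per_host  # None = no per-host limit configured
        self.per_host = Counter()         # active sessions keyed by source IP

    def active(self):
        return sum(self.per_host.values())

    def open_session(self, src_ip):
        """Try to create a session for src_ip; return True if it was admitted."""
        if self.max_per_host is not None and self.per_host[src_ip] >= self.max_per_host:
            return False                  # this host hit its own cap; others unaffected
        if self.active() >= self.capacity:
            return False                  # global table exhausted: nobody gets a session
        self.per_host[src_ip] += 1
        return True


def simulate(max_per_host):
    """One greedy peer-to-peer host tries to open 500 sessions, then five
    ordinary hosts try to open 3 sessions each.
    Returns (sessions the P2P host got, sessions the ordinary hosts got)."""
    table = SessionTable(capacity=100, max_per_host=max_per_host)
    p2p = sum(table.open_session("192.0.2.10") for _ in range(500))
    others = sum(table.open_session(f"192.0.2.{i}")
                 for i in range(20, 25) for _ in range(3))
    return p2p, others


if __name__ == "__main__":
    # Without a cap the P2P host fills the table and locks everyone else out;
    # with a cap of 20 it is throttled and all ordinary hosts still get through.
    print("no per-host limit:", simulate(None))  # (100, 0)
    print("limit 20 per host:", simulate(20))    # (20, 15)
```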
|
|
|
285
ZyWALL USG 300 User's Guide
|
|