Avaya 3.7 Network Router User Manual


 
Issue 4 May 2005 297
Appendix B: Firewall rules template
General
The security gateway contains a powerful multi-layer inspection engine to provide extensive
filtering capabilities, essential for a full-time connection to the Internet. You can configure your
own rules, but, as a convenience in setting up the Firewall on the security gateway, predefined
general firewall rules (templates) can be selected to protect the public, private, semi-private,
DMZ, and maintenance zones.
These predefined firewall rules are grouped into security levels of high, medium, and low. One
firewall security level is applied to the security gateway, and the rules for each zone are
enforced according to the type of zone being protected. How the template rules are applied to each
zone is described in this appendix.
The Firewall engine uses a rule-based method of packet filtering, where the priority of the rule is
determined by its position in the list (first is highest priority).
Note: The common services referred to in this appendix include all of the following:
Ping
FTP control, Passive Data FTP
SSH, TELNET
HTTP, HTTPS
POP3, IMAP, SMTP, and NNTP
High Security - Selecting high security enforces a set of rules intended to protect the security
gateway itself and the internal network zones. For high security the following policy is defined:
Private networks and management networks are considered internal networks, and can
initiate connections to access common services on the Internet.
Except for access to the DMZ zone, traffic initiated from the Internet is denied.
VPN outgoing and incoming traffic is allowed.
DMZ common services can be accessed from all interfaces. The DMZ network cannot
initiate any traffic.
The semi-private zone is not considered completely trusted. Access from semi-private to
private zones is allowed only if it is VPN traffic. All other incoming traffic is blocked.
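The following is an added example, not code from the Avaya manual or the gateway itself. It models the first-match, position-is-priority evaluation described earlier in this appendix and expresses the high-security policy above as an ordered rule list. The zone names (private, management, semi-private, dmz, public), the vpn flag on a packet, and the exact rule order are assumptions made here for illustration; the second rule list shows what happens when the VPN rule is moved below the catch-all deny.

```python
"""Toy first-match rule evaluator for the "high security" template.

Constructed illustration, not the gateway's own rule table or code.
Zone names, the VPN flag on a packet, and the exact rule order are
assumptions chosen to reflect the policy described in the appendix.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple, Union

ANY = "*"  # wildcard for any field

# Common services named in the appendix (FTP control/data collapsed to "ftp").
COMMON_SERVICES = frozenset(
    {"ping", "ftp", "ssh", "telnet", "http", "https", "pop3", "imap", "smtp", "nntp"}
)
INTERNAL_ZONES = frozenset({"private", "management"})  # assumed zone names

Pattern = Union[str, bool, FrozenSet[str]]


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    service: str
    vpn: bool = False  # assumption: the gateway marks tunnel traffic for matching


@dataclass(frozen=True)
class Rule:
    src: Pattern
    dst: Pattern
    service: Pattern
    vpn: Pattern  # True, False, or ANY
    action: str   # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (
            _match(self.src, p.src_zone)
            and _match(self.dst, p.dst_zone)
            and _match(self.service, p.service)
            and _match(self.vpn, p.vpn)
        )


def _match(pattern: Pattern, value) -> bool:
    """Wildcard, set membership, or exact comparison."""
    if pattern == ANY:
        return True
    if isinstance(pattern, frozenset):
        return value in pattern
    return pattern == value


def evaluate(rules, packet: Packet) -> Tuple[str, int]:
    """Return (action, index) of the first matching rule; earlier = higher priority.
    With no explicit match the template's implicit default is deny (index -1)."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, i
    return "deny", -1


# Rules in the order the high-security policy text implies.
HIGH_SECURITY_RULES = (
    Rule(ANY, ANY, ANY, True, "allow"),                             # 0: VPN traffic, both directions
    Rule("dmz", ANY, ANY, ANY, "deny"),                             # 1: DMZ may not initiate anything
    Rule(ANY, "dmz", COMMON_SERVICES, ANY, "allow"),                # 2: DMZ common services from all zones
    Rule(INTERNAL_ZONES, "public", COMMON_SERVICES, ANY, "allow"),  # 3: internal zones out to the Internet
    Rule(ANY, ANY, ANY, ANY, "deny"),                               # 4: everything else, incl. Internet -> private
)

# Same rules with the VPN allow moved to the end: the catch-all deny now shadows it.
MISORDERED_RULES = HIGH_SECURITY_RULES[1:] + HIGH_SECURITY_RULES[:1]


if __name__ == "__main__":
    # Constructed sample flows covering each clause of the policy.
    samples = [
        Packet("private", "public", "http"),
        Packet("public", "private", "ssh"),
        Packet("public", "dmz", "https"),
        Packet("dmz", "private", "http"),
        Packet("semi-private", "private", "smtp"),
        Packet("semi-private", "private", "smtp", vpn=True),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(HIGH_SECURITY_RULES, pkt))
    print("misordered VPN:", evaluate(MISORDERED_RULES, samples[-1]))
```

The index returned alongside the action shows which rule decided the packet, which is the check to make when auditing a rule list: a flow that should be allowed by a rule near the bottom may in fact be matched, and denied, by a broader rule above it.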