ZyXEL Communications ZyWALL 1000 Network Router User Manual


 
Chapter 19 Firewall
ZyWALL USG 1000 User’s Guide
279
The following table explains the default firewall rules for traffic going through the ZyWALL.
See Section 19.2.1.2 on page 279 for details on the firewall rules for traffic going to the
ZyWALL itself.
• If you enable intra-zone traffic blocking (see the chapter about zones), the
firewall automatically creates (implicit) rules to deny packet passage between
the interfaces in the specified zone.
• You also need to configure virtual servers (NAT port forwarding) to allow
computers on the WAN to access devices on the LAN. See Chapter 16 on
page 255 for more information.
19.2.1.1 Global Firewall Rules
If an interface or VPN tunnel is not included in a zone, only the global firewall rules (with
from any to any direction) apply to traffic going to and from that interface.
19.2.1.2 To-ZyWALL Rules
Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default,
the firewall allows any computer from the LAN zone to access or manage the ZyWALL. By
default, the ZyWALL drops most packets from the WAN or DMZ zone to the ZyWALL itself,
except for VRRP traffic for Device HA and ESP/AH/IKE/NATT/HTTPS services for VPN
tunnels, and generates a log.
When you configure a to-ZyWALL rule for packets destined for the ZyWALL itself, make
sure it does not conflict with your service control rule. See Chapter 43 on page 575 for more
information about service control (remote management).
Table 84 Default Firewall Rules
FROM ZONE   TO ZONE   STATEFUL PACKET INSPECTION
LAN         LAN       Traffic between interfaces in the LAN is allowed.
LAN         WAN       Traffic from the LAN to the WAN is allowed.
LAN         DMZ       Traffic from the LAN to the DMZ is allowed.
WAN         LAN       Traffic from the WAN to the LAN is dropped.
WAN         WAN       Traffic between interfaces in the WAN is dropped.
WAN         DMZ       Traffic from the WAN to the DMZ is allowed.
WAN         ZyWALL    Traffic from the WAN to the ZyWALL itself is dropped except for
                      the traffic types described in Section 19.2.1.2 on page 279.
DMZ         LAN       Traffic from the DMZ to the LAN is dropped.
DMZ         WAN       Traffic from the DMZ to the WAN is dropped.
DMZ         DMZ       Traffic between interfaces in the DMZ is dropped.
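The following is an added example, not ZyXEL code or anything from this guide: a small Python model of the zone-based decision process this chapter describes (the Table 84 defaults, the implicit deny created by intra-zone blocking, the global any-to-any rules that alone govern unzoned interfaces and VPN tunnels, and the to-ZyWALL exceptions for VRRP/ESP/AH/IKE/NATT/HTTPS). It is useful for checking what a planned rule set will do before it is applied. The interface names, the "first matching rule wins" ordering, and the fall-through deny when no rule matches are assumptions; the guide does not state them.

```python
# Zone-based firewall policy evaluator modelled on Chapter 19 (added example,
# not ZyXEL's implementation). Interface names and fall-through behaviour are
# constructed assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ANY = "any"
DEVICE = "ZyWALL"  # pseudo-zone: traffic addressed to the device itself
# Services the guide says are still admitted from WAN/DMZ to the ZyWALL itself.
VPN_SERVICES: FrozenSet[str] = frozenset({"VRRP", "ESP", "AH", "IKE", "NATT", "HTTPS"})


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    action: str                            # "allow" or "deny"
    services: FrozenSet[str] = frozenset() # empty set means any service
    log: bool = False

    def matches(self, src_zone: Optional[str], dst_zone: Optional[str], service: str) -> bool:
        return (self.from_zone in (ANY, src_zone)
                and self.to_zone in (ANY, dst_zone)
                and (not self.services or service in self.services))


# Default rules transcribed from Table 84 and Section 19.2.1.2 (constructed list).
DEFAULT_RULES: List[Rule] = [
    Rule("LAN", "LAN", "allow"),
    Rule("LAN", "WAN", "allow"),
    Rule("LAN", "DMZ", "allow"),
    Rule("LAN", DEVICE, "allow"),                # LAN may manage the ZyWALL
    Rule("WAN", "LAN", "deny"),
    Rule("WAN", "WAN", "deny"),
    Rule("WAN", "DMZ", "allow"),
    Rule("WAN", DEVICE, "allow", VPN_SERVICES),  # Device HA / VPN exceptions
    Rule("WAN", DEVICE, "deny", log=True),       # everything else is dropped and logged
    Rule("DMZ", "LAN", "deny"),
    Rule("DMZ", "WAN", "deny"),
    Rule("DMZ", "DMZ", "deny"),
    Rule("DMZ", DEVICE, "allow", VPN_SERVICES),
    Rule("DMZ", DEVICE, "deny", log=True),
]


@dataclass
class Policy:
    zone_of: Dict[str, str]      # interface or tunnel name -> zone (unzoned = absent)
    rules: List[Rule]            # evaluated top to bottom, first match wins (assumed)
    block_intra_zone: Set[str]   # zones with intra-zone traffic blocking enabled

    def evaluate(self, src_iface: str, dst_iface: str, service: str) -> Tuple[str, str]:
        """Return (action, reason) for a packet. Use DEVICE as dst_iface for
        traffic destined for the ZyWALL itself (a to-ZyWALL rule lookup)."""
        src_zone = self.zone_of.get(src_iface)
        dst_zone = DEVICE if dst_iface == DEVICE else self.zone_of.get(dst_iface)

        # Implicit deny that intra-zone blocking creates between interfaces of one zone.
        if (src_zone is not None and src_zone == dst_zone
                and src_iface != dst_iface and src_zone in self.block_intra_zone):
            return "deny", f"implicit intra-zone block in {src_zone}"

        # Section 19.2.1.1: an interface or tunnel outside every zone is governed
        # only by the global (from any to any) rules.
        candidates = self.rules
        if src_zone is None or dst_zone is None:
            candidates = [r for r in self.rules if r.from_zone == ANY and r.to_zone == ANY]

        for rule in candidates:
            if rule.matches(src_zone, dst_zone, service):
                note = " (logged)" if rule.log else ""
                return rule.action, f"rule {rule.from_zone}->{rule.to_zone}{note}"
        # Fall-through when nothing matches: assumed deny (not stated in the guide).
        return "deny", "no matching rule (assumed default deny)"


def example_policy(block_lan: bool = False) -> Policy:
    """Constructed sample: two LAN ports, two WAN ports, a DMZ port and an
    unzoned VPN tunnel 'vpn_hq'. One global rule admits HTTPS from any to any."""
    zones = {"lan1": "LAN", "lan2": "LAN", "wan1": "WAN", "wan2": "WAN", "dmz": "DMZ"}
    rules = DEFAULT_RULES + [Rule(ANY, ANY, "allow", frozenset({"HTTPS"}))]
    return Policy(zones, rules, {"LAN"} if block_lan else set())


if __name__ == "__main__":
    policy = example_policy()
    for src, dst, svc in [("lan1", "wan1", "HTTP"), ("wan1", "lan1", "HTTP"),
                          ("wan1", DEVICE, "HTTPS"), ("wan1", DEVICE, "SSH"),
                          ("vpn_hq", "lan1", "HTTPS"), ("vpn_hq", "lan1", "SSH")]:
        print(f"{src:>7} -> {dst:<7} {svc:<6} {policy.evaluate(src, dst, svc)}")
```

Note how the unzoned tunnel never reaches the Table 84 rows: only the global HTTPS rule can match it, which is why the guide advises putting tunnels into a zone if you want zone rules to govern them. Enabling intra-zone blocking on LAN turns the LAN-to-LAN "allowed" row into an implicit deny between lan1 and lan2, while traffic staying on one interface is unaffected.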