ZyXEL Communications ZyWALL 300 Network Router User Manual
Chapter 19 Firewall
ZyWALL USG 300 User’s Guide
279
The following table explains the default firewall rules for traffic going through the ZyWALL. See Section 19.2.1.2 on page 280 for details on the firewall rules for traffic going to the ZyWALL itself.

• If you enable intra-zone traffic blocking (see the chapter about zones), the firewall automatically creates (implicit) rules to deny packet passage between the interfaces in the specified zone.

• You also need to configure virtual servers (NAT port forwarding) to allow computers on the WAN to access devices on the LAN. See Chapter 16 on page 255 for more information.
19.2.1.1 Global Firewall Rules
If an interface or VPN tunnel is not included in a zone, only the global firewall rules (those whose direction is from any to any) apply to traffic going to and from that interface.
Table 84 Default Firewall Rules

| FROM ZONE | TO ZONE | STATEFUL PACKET INSPECTION |
|-----------|---------|----------------------------|
| LAN | LAN | Traffic between interfaces in the LAN is allowed. |
| LAN | WAN | Traffic from the LAN to the WAN is allowed. |
| LAN | DMZ | Traffic from the LAN to the DMZ is allowed. |
| LAN | WLAN | Traffic from the LAN to the WLAN is allowed. |
| WAN | LAN | Traffic from the WAN to the LAN is dropped. |
| WAN | WAN | Traffic between interfaces in the WAN is dropped. |
| WAN | DMZ | Traffic from the WAN to the DMZ is allowed. |
| WAN | ZyWALL | Traffic from the WAN to the ZyWALL itself is dropped except for the traffic types described in Section 19.2.1.2 on page 280. |
| WAN | WLAN | Traffic from the WAN to the WLAN is allowed. |
| DMZ | LAN | Traffic from the DMZ to the LAN is dropped. |
| DMZ | WAN | Traffic from the DMZ to the WAN is dropped. |
| DMZ | DMZ | Traffic between interfaces in the DMZ is dropped. |
| WLAN | LAN | Traffic from the WLAN to the LAN is rejected unless it is from an authenticated wireless LAN user. |
| WLAN | DMZ | Traffic from the WLAN to the DMZ is rejected unless it is from an authenticated wireless LAN user. |
| WLAN | WAN | Traffic from the WLAN to the WAN is rejected unless it is DNS UDP traffic or from an authenticated wireless LAN user or a guest. |
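The following Python model is an added example, not code from the ZyWALL or this guide. It transcribes the zone-to-zone defaults of Table 84 into an ordered, first-match rule list and shows the two behaviours the text describes around the table: an interface that belongs to no zone is reached only by the global (from any to any) rules, and enabling intra-zone blocking inserts an implicit deny ahead of everything else. The interface names, the interface-to-zone map, and the final any-to-any drop rule are constructed assumptions; traffic addressed to the ZyWALL itself (Section 19.2.1.2) is not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    in_iface: str                  # interface the packet arrives on
    out_iface: str                 # interface it would leave on after routing
    proto: str = "tcp"
    dport: Optional[int] = None
    authenticated: bool = False    # wireless user has passed user authentication
    guest: bool = False            # wireless user is logged in as a guest


Predicate = Callable[[Packet], bool]


@dataclass
class Rule:
    src: str                            # zone name, or "any" for a global rule
    dst: str
    action: str                         # "allow", "drop" or "reject"
    when: Optional[Predicate] = None    # extra condition; None means always matches


# Constructed interface-to-zone map (names are assumptions, not the device's).
# "ge5" is deliberately left out of every zone.
INTERFACE_ZONE: Dict[str, str] = {
    "lan1": "LAN", "lan2": "LAN",
    "wan1": "WAN", "wan2": "WAN",
    "dmz": "DMZ",
    "wlan-1-1": "WLAN",
}


def _authenticated(p: Packet) -> bool:
    return p.authenticated


def _dns_udp(p: Packet) -> bool:
    return p.proto == "udp" and p.dport == 53


# Table 84, in evaluation order: the conditional allow rows sit above the
# unconditional reject rows for the same zone pair, because first match wins.
DEFAULT_RULES: List[Rule] = [
    Rule("LAN", "LAN", "allow"), Rule("LAN", "WAN", "allow"),
    Rule("LAN", "DMZ", "allow"), Rule("LAN", "WLAN", "allow"),
    Rule("WAN", "LAN", "drop"), Rule("WAN", "WAN", "drop"),
    Rule("WAN", "DMZ", "allow"), Rule("WAN", "WLAN", "allow"),
    Rule("DMZ", "LAN", "drop"), Rule("DMZ", "WAN", "drop"), Rule("DMZ", "DMZ", "drop"),
    Rule("WLAN", "LAN", "allow", _authenticated), Rule("WLAN", "LAN", "reject"),
    Rule("WLAN", "DMZ", "allow", _authenticated), Rule("WLAN", "DMZ", "reject"),
    Rule("WLAN", "WAN", "allow", lambda p: _dns_udp(p) or p.authenticated or p.guest),
    Rule("WLAN", "WAN", "reject"),
    # Global rule (from any to any). A default-deny backstop is an assumption here.
    Rule("any", "any", "drop"),
]


def evaluate(p: Packet,
             rules: List[Rule] = DEFAULT_RULES,
             zones: Dict[str, str] = INTERFACE_ZONE,
             intrazone_block: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Return (action, reason) for a packet passing through the firewall."""
    src_zone = zones.get(p.in_iface)
    dst_zone = zones.get(p.out_iface)

    # Implicit rule the firewall adds when intra-zone blocking is on for that zone.
    if src_zone is not None and src_zone == dst_zone and src_zone in intrazone_block:
        return "drop", "implicit intra-zone block"

    # If either interface is outside every zone, only global rules are considered.
    unzoned = src_zone is None or dst_zone is None
    for r in rules:
        is_global = r.src == "any" and r.dst == "any"
        if unzoned and not is_global:
            continue
        src_ok = r.src == "any" or r.src == src_zone
        dst_ok = r.dst == "any" or r.dst == dst_zone
        if src_ok and dst_ok and (r.when is None or r.when(p)):
            where = "global rule any to any" if is_global else f"rule {r.src} to {r.dst}"
            return r.action, where
    return "drop", "no matching rule"   # fail closed


if __name__ == "__main__":
    for pkt in (Packet("lan1", "wan1"), Packet("wlan-1-1", "wan1", "udp", 53),
                Packet("wlan-1-1", "wan1", "tcp", 80), Packet("ge5", "lan1")):
        print(pkt.in_iface, "->", pkt.out_iface, evaluate(pkt))
```

The ordering of the WLAN rows is the part worth checking when you reproduce a policy like this: the "rejected unless" wording in the table is really a conditional allow followed by an unconditional reject, and swapping those two rules silently turns every authenticated wireless user away.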