Chapter 9 Firewalls
P-660HN-FxZ Series User’s Guide
157
The following table describes the labels in this screen.
9.3
The Firewall Rule Screen
"
The ordering of your rules is very important as rules are applied in turn.
Refer to
Section 9.5 on page 166
for more information.
Table 52
Security > Firewall > General
LABEL
DESCRIPTION
Active Firewall
Select this check box to activate the firewall. The ZyXEL Device performs access
control and protects against Denial of Service (DoS) attacks when the firewall is
activated.
Bypass Triangle
Route
If an alternate gateway on the LAN has an IP address in the same subnet as the
ZyXEL Device’s LAN IP address, return traffic may not go through the ZyXEL
Device. This is called an asymmetrical or “triangle” route. This causes the ZyXEL
Device to reset the connection, as the connection has not been acknowledged.
Select this check box to have the ZyXEL Device permit the use of asymmetrical
route topology on the network (not reset the connection).
Note: Allowing asymmetrical routes may let traffic from the WAN go
directly to the LAN without passing through the ZyXEL
Device. A better solution is to use IP alias to put the ZyXEL
Device and the backup gateway on separate subnets. See
Section 9.5.4.1 on page 169
for an example.
Packet Direction
This is the direction of travel of packets (
LAN to LAN / Router
,
LAN to WAN
,
WAN to WAN / Router
,
WAN to LAN)
.
Firewall rules are grouped based on the direction of travel of packets to which they
apply. For example,
LAN to LAN / Router
means packets traveling from a
computer/subnet on the LAN to either another computer/subnet on the LAN
interface of the ZyXEL Device or the ZyXEL Device itself.
Default Action
Use the drop-down list boxes to select the default action that the firewall is to take
on packets that are traveling in the selected direction and do not match any of the
firewall rules.
Select
Drop
to silently discard the packets without sending a TCP reset packet or
an ICMP destination-unreachable message to the sender.
Select
Reject
to deny the packets and send a TCP reset packet (for a TCP
packet) or an ICMP destination-unreachable message (for a UDP packet) to the
sender.
Select
Permit
to allow the passage of the packets.
Log
Select the check box to create a log (when the above action is taken) for packets
that are traveling in the selected direction and do not match any of your
customized rules.
Expand...
Click this to display more information.
Basic...
Click this to display less information.
Apply
Click this to save your changes.
Cancel
Click this to restore your previously saved settings.