ZyWALL USG 50 User’s Guide
Chapter 22 Firewall

22.1 Overview
Use the firewall to block or allow services that use static port numbers. Use application patrol (see Chapter 28 on page 437) to control services using flexible/dynamic port numbers. The firewall can also limit the number of user sessions.
This figure shows the ZyWALL’s default firewall rules in action and demonstrates how stateful inspection works. User 1 can initiate a Telnet session from within the LAN1 zone and responses to this request are allowed. However, other Telnet traffic initiated from the WAN or DMZ zone and destined for the LAN1 zone is blocked. Communications between the WAN and the DMZ zones are allowed. The firewall allows VPN traffic between any of the networks.

Figure 214 Default Firewall Action
22.1.1 What You Can Do in this Chapter

Use the Firewall screens (Section 22.2 on page 365) to enable or disable the firewall and asymmetrical routes, and manage and configure firewall rules.

Use the Session Limit screens (see Section 22.3 on page 370) to limit the number of concurrent NAT/firewall sessions a client can use.
22.1.2 What You Need to Know
Stateful Inspection

The ZyWALL has a stateful inspection firewall. The ZyWALL restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first.
Zones

A zone is a group of interfaces or VPN tunnels. Group the ZyWALL’s interfaces into different zones based on your needs. You can configure firewall rules for data passing between zones or even between interfaces and/or VPN tunnels in a zone.
Default Firewall Behavior

Firewall rules are grouped based on the direction of travel of the packets to which they apply. Here is the default firewall behavior for traffic going through the ZyWALL in various directions.
To-ZyWALL Rules

Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default:

The firewall allows only LAN or WAN computers to access or manage the ZyWALL.
Table 103 Default Firewall Behavior

FROM ZONE TO ZONE                         BEHAVIOR
From WAN to ZyWALL                        Traffic from the WAN to the ZyWALL itself is allowed for certain default services described in To-ZyWALL Rules on page 358. All other WAN to ZyWALL traffic is dropped.
From WAN to any (other than the ZyWALL)   Traffic from the WAN to any of the networks behind the ZyWALL is dropped.
From DMZ to ZyWALL                        Traffic from the DMZ to the ZyWALL itself is allowed for certain default services described in To-ZyWALL Rules on page 358. All other DMZ to ZyWALL traffic is dropped.
From DMZ to any (other than the ZyWALL)   Traffic from the DMZ to any of the networks behind the ZyWALL is dropped.
From ANY to ANY                           Traffic that does not match any firewall rule is allowed. So, for example, LAN to WAN and LAN to DMZ traffic is allowed. This also includes traffic to or from interfaces or VPN tunnels that are not assigned to a zone (extra-zone traffic).
The ZyWALL drops most packets from the WAN zone to the ZyWALL itself, except for ESP/AH/IKE/NATT/HTTPS services for VPN tunnels, and generates a log.

The ZyWALL drops most packets from the DMZ zone to the ZyWALL itself, except for DNS and NetBIOS traffic, and generates a log.

When you configure a firewall rule for packets destined for the ZyWALL itself, make sure it does not conflict with your service control rule. See Chapter 45 on page 675 for more information about service control (remote management). The ZyWALL checks the firewall rules before the service control rules for traffic destined for the ZyWALL.

You can configure a To-ZyWALL firewall rule (with From Any To ZyWALL direction) for traffic from an interface which is not in a zone.
Global Firewall Rules

Firewall rules with from any and/or to any as the packet direction are called global firewall rules. The global firewall rules are the only firewall rules that apply to an interface or VPN tunnel that is not included in a zone. The from any rules apply to traffic coming from the interface and the to any rules apply to traffic going to the interface.
Firewall Rule Criteria

The ZyWALL checks the schedule, user name (the user’s login name on the ZyWALL), source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.
User Specific Firewall Rules

You can specify users or user groups in firewall rules. For example, to allow a specific user from any computer to access a zone by logging in to the ZyWALL, you can set up a rule based on the user name only. If you also apply a schedule to the firewall rule, the user can only access the network at the scheduled time. A user-aware firewall rule is activated whenever the user logs in to the ZyWALL and is disabled after the user logs out of the ZyWALL.
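The evaluation order this chapter describes (rules checked in list order on zone, schedule, user, addresses and service; first match wins; Table 103 as the fallback; only "any" rules reaching an interface that belongs to no zone) can be modelled in a few lines. This is an added illustration, not ZyWALL firmware or vendor code: the rule set, the user name alice, the addresses and the plain service-name matching are constructed assumptions, and the rule set follows the IRC-blocking scenario of Section 22.1.3.

```python
from ipaddress import ip_address, ip_network

# Services the chapter lists as still reaching the ZyWALL itself by default.
DEFAULT_TO_ZYWALL = {"WAN": {"ESP", "AH", "IKE", "NATT", "HTTPS"},
                     "DMZ": {"DNS", "NetBIOS"}}

def default_action(pkt):
    """Table 103 fallback for traffic that matches no configured rule."""
    src, dst = pkt["from_zone"], pkt["to_zone"]
    if src in DEFAULT_TO_ZYWALL:                       # WAN or DMZ origin
        if dst == "ZyWALL":
            return "allow" if pkt["service"] in DEFAULT_TO_ZYWALL[src] else "drop"
        return "drop"                                  # WAN/DMZ to any network
    return "allow"                                     # any-to-any, incl. extra-zone

def matches(rule, pkt):
    """Every criterion a rule sets must agree with the packet. A zone of 'any'
    also covers an interface in no zone (from_zone/to_zone is None)."""
    if rule["from"] != "any" and rule["from"] != pkt["from_zone"]:
        return False
    if rule["to"] != "any" and rule["to"] != pkt["to_zone"]:
        return False
    if not rule.get("schedule_active", True):          # outside its schedule
        return False
    if rule.get("user") and rule["user"] != pkt.get("user"):  # user-aware rule
        return False
    for key in ("src", "dst"):                         # optional address ranges
        if rule.get(key) and ip_address(pkt[key]) not in ip_network(rule[key]):
            return False
    return not rule.get("service") or rule["service"] == pkt["service"]

def evaluate(rules, pkt):
    """First matching rule in list order wins; otherwise the default applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return default_action(pkt)

def packet(from_zone, to_zone, service, user=None,
           src="192.0.2.10", dst="198.51.100.5"):
    # Constructed packet summary; addresses are documentation ranges.
    return {"from_zone": from_zone, "to_zone": to_zone, "service": service,
            "user": user, "src": src, "dst": dst}

# Constructed rule set: block IRC from LAN1 to the WAN but let the logged-in
# user "alice" through. Order matters: the user-aware allow precedes the drop.
RULES = [
    {"from": "LAN1", "to": "WAN", "user": "alice", "service": "IRC", "action": "allow"},
    {"from": "LAN1", "to": "WAN", "service": "IRC", "action": "drop"},
]
```

Reversing RULES makes the broad drop match first and alice loses her exception, which is the ordering pitfall the "in the order you list them" sentence warns about.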
Firewall and Application Patrol

To use a service, make sure both the firewall and application patrol allow the service’s packets to go through the ZyWALL. The ZyWALL checks the firewall rules before the application patrol rules for traffic going through the ZyWALL.
Firewall and VPN Traffic

After you create a VPN tunnel and add it to a zone, you can set the firewall rules applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone for example), you can configure a new LAN1 to LAN1 firewall rule or use intra-zone traffic blocking to allow or block VPN traffic transmitting between the VPN tunnel and other interfaces in the LAN zone. If you add the VPN tunnel to a new zone (the VPN zone for example), you can configure rules for VPN traffic between the VPN zone and other zones or From VPN To-ZyWALL rules for VPN traffic destined for the ZyWALL.
Session Limits

Accessing the ZyWALL or network resources through the ZyWALL requires a NAT session and a corresponding firewall session. Peer to peer applications, such as file sharing applications, may use a large number of NAT sessions. A single client could use all of the available NAT sessions and prevent others from connecting to or through the ZyWALL. The ZyWALL lets you limit the number of concurrent NAT/firewall sessions a client can use.
Finding Out More

See Section 6.5.14 on page 101 for related information on the Firewall screens.

See Section 7.8 on page 136 for an example of creating firewall rules as part of configuring user-aware access control (Section 7.5 on page 122).

See Section 7.9.3 on page 142 for an example of creating a firewall rule to allow H.323 traffic from the WAN to the LAN.

See Section 7.10.3 on page 145 for an example of creating a firewall rule to allow web traffic from the WAN to a server on the DMZ.

See Section 7.11.4 on page 150 for an example of creating firewall rules to allow SIP traffic for an IPPBX or SIP server on the DMZ.
22.1.3 Firewall Rule Example Applications

Suppose that your company decides to block all of the LAN users from using IRC (Internet Relay Chat) through the Internet. To do this, you would configure a LAN to WAN firewall rule that blocks IRC traffic from any source IP address from going to any destination address. You do not need to specify a schedule since you need