Page 361 / 944
Chapter 22 Firewall
ZyWALL USG 50 User’s Guide
the firewall rule to always be in effect. The following figure shows the results of this rule.
Figure 215 Blocking All LAN to WAN IRC Traffic Example
Your firewall would have the following rules.
• The first row blocks LAN access to the IRC service on the WAN.
• The second row is the firewall’s default policy that allows all LAN1 to WAN traffic.
The ZyWALL applies the firewall rules in order. So for this example, when the ZyWALL receives traffic from the LAN, it checks it against the first rule. If the traffic matches (if it is IRC traffic) the firewall takes the action in the rule (drop) and stops checking the firewall rules. Any traffic that does not match the first firewall rule will match the second rule and the ZyWALL forwards it.
Now suppose that your company wants to let the CEO use IRC. You can configure a LAN1 to WAN firewall rule that allows IRC traffic from the IP address of the CEO’s computer. You can also configure a LAN to WAN rule that allows IRC traffic from any computer through which the CEO logs into the ZyWALL with his/her user name. In order to make sure that the CEO’s computer always uses the same IP address, make sure it either:
• Has a static IP address, or
• You configure a static DHCP entry for it so the ZyWALL always assigns it the same IP address (see DHCP Settings on page 268 for information on DHCP).
Table 104 Blocking All LAN to WAN IRC Traffic Example
#  USER  SOURCE  DESTINATION  SCHEDULE  SERVICE  ACTION
1  Any   Any     Any          Any       IRC      Deny
2  Any   Any     Any          Any       Any      Allow
Now you configure a LAN1 to WAN firewall rule that allows IRC traffic from the IP address of the CEO’s computer (192.168.1.7 for example) to go to any destination address. You do not need to specify a schedule since you want the firewall rule to always be in effect. The following figure shows the results of your two custom rules.
Figure 216 Limited LAN to WAN IRC Traffic Example
Your firewall would have the following configuration.
• The first row allows the LAN1 computer at IP address 192.168.1.7 to access the IRC service on the WAN.
• The second row blocks LAN1 access to the IRC service on the WAN.
• The third row is the firewall’s default policy of allowing all traffic from the LAN1 to go to the WAN.
Alternatively, you can configure a LAN1 to WAN rule with the CEO’s user name (say CEO) to allow IRC traffic from any source IP address to go to any destination address.
Your firewall would have the following configuration.
Table 105 Limited LAN1 to WAN IRC Traffic Example 1
#  USER  SOURCE       DESTINATION  SCHEDULE  SERVICE  ACTION
1  Any   192.168.1.7  Any          Any       IRC      Allow
2  Any   Any          Any          Any       IRC      Deny
3  Any   Any          Any          Any       Any      Allow
Table 106 Limited LAN1 to WAN IRC Traffic Example 2
#  USER  SOURCE  DESTINATION  SCHEDULE  SERVICE  ACTION
1  CEO   Any     Any          Any       IRC      Allow
2  Any   Any     Any          Any       IRC      Deny
3  Any   Any     Any          Any       Any      Allow
• The first row allows any LAN1 computer to access the IRC service on the WAN by logging into the ZyWALL with the CEO’s user name.
• The second row blocks LAN1 access to the IRC service on the WAN.
• The third row is the firewall’s default policy of allowing all traffic from the LAN1 to go to the WAN.
The rule for the CEO must come before the rule that blocks all LAN1 to WAN IRC traffic. If the rule that blocks all LAN1 to WAN IRC traffic came first, the CEO’s IRC traffic would match that rule and the ZyWALL would drop it and not check any other firewall rules.
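The first-match behaviour described above can be checked offline. The following is an added example, not code from the ZyWALL guide or from ZyXEL: it models the rule walk with the rows of Tables 105 and 106, then reverses the first two rows of Table 106 to show why the CEO exception must precede the deny rule. Field names, the Packet type, the sample traffic and the fall-through result are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ANY = "Any"

@dataclass(frozen=True)
class Rule:
    user: str         # user name the sender logged in with, or ANY
    source: str       # source IP address, or ANY
    destination: str  # destination IP address, or ANY
    service: str      # service object name such as "IRC", or ANY
    action: str       # "Allow" or "Deny"

@dataclass(frozen=True)
class Packet:
    user: Optional[str]  # None when the sender is not logged into the ZyWALL
    source: str
    destination: str
    service: str

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field is ANY or equals the packet's field."""
    return all(r == ANY or r == p for r, p in (
        (rule.user, pkt.user), (rule.source, pkt.source),
        (rule.destination, pkt.destination), (rule.service, pkt.service)))

def evaluate(rules: list, pkt: Packet) -> tuple:
    """Check rules in order; the first match decides and checking stops.
    Returns (action, 1-based rule number); ("Deny", None) on no match is
    this example's assumption, not a statement about the ZyWALL."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return "Deny", None

# Table 105: allow IRC from the CEO's host, deny other IRC, allow the rest.
TABLE_105 = [
    Rule(ANY, "192.168.1.7", ANY, "IRC", "Allow"),
    Rule(ANY, ANY, ANY, "IRC", "Deny"),
    Rule(ANY, ANY, ANY, ANY, "Allow"),
]
# Table 106: the same policy keyed on the CEO's user name instead of an IP.
TABLE_106 = [
    Rule("CEO", ANY, ANY, "IRC", "Allow"),
    Rule(ANY, ANY, ANY, "IRC", "Deny"),
    Rule(ANY, ANY, ANY, ANY, "Allow"),
]
# Mis-ordered variant: the deny-all-IRC row placed before the CEO exception.
TABLE_106_MISORDERED = [TABLE_106[1], TABLE_106[0], TABLE_106[2]]
# Constructed sample traffic; 203.0.113.5 is a documentation-range WAN address.
CEO_IRC = Packet("CEO", "192.168.1.7", "203.0.113.5", "IRC")
STAFF_IRC = Packet(None, "192.168.1.20", "203.0.113.5", "IRC")
STAFF_WEB = Packet(None, "192.168.1.20", "203.0.113.5", "HTTP")
```

With the mis-ordered table, evaluate() returns ("Deny", 1) for the CEO's IRC traffic: the deny row matches first and the exception row is never consulted.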
22.1.4 Firewall Rule Configuration Example
The following Internet firewall rule example allows Doom players from the WAN to IP addresses 192.168.1.10 through 192.168.1.15 (Dest_1) on the LAN1.
1 Click Configuration > Firewall. In the summary of firewall rules click Add in the heading row to configure a new first entry. Remember the sequence (priority) of the rules is important since they are applied in order.
Figure 217 Firewall Example: Firewall Screen
2 At the top of the screen, click Create new Object > Address.
3 The screen for configuring an address object opens. Configure it as follows and click OK.
Figure 218 Firewall Example: Create an Address Object
4 Click Create new Object > Service.
5 The screen for configuring a service object opens. Configure it as follows and click OK.
Figure 219 Firewall Example: Create a Service Object
6 Select From WAN and To LAN1.
7 Enter the name of the firewall rule.
8 Select Dest_1 as the Destination and Doom as the Service. Enter a description and configure the rest of the screen as follows. Click OK when you are done.
Figure 220 Firewall Example: Edit a Firewall Rule
9 The firewall rule appears in the firewall rule summary.
Figure 221 Firewall Example: Doom Rule in Summary
22.2 The Firewall Screen
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the ZyWALL’s LAN IP address, return traffic may not go through the ZyWALL. This is called an asymmetrical or “triangle” route. This causes the ZyWALL to reset the connection, as the connection has not been acknowledged.
You can have the ZyWALL permit the use of asymmetrical route topology on the network (not reset the connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyWALL. A better solution is to use virtual interfaces to put the ZyWALL and the backup gateway on separate subnets. Virtual interfaces allow you to partition your network into logical sections over the same interface. See the chapter about interfaces for more information.
By putting LAN 1 and the alternate gateway (A in the figure) in different subnets, all returning network traffic must pass through the ZyWALL to the LAN. The following steps and figure describe such a scenario.
1 A computer on the LAN1 initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The ZyWALL reroutes the packet to gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the ZyWALL.