DMZ Zone Firewall Templates - Avaya 3.7 Configuration Manual

Release 3.7

Table 40: Semi-private VPN-only security firewall rules (continued, 2 of 2)

| Rule Name | Action | Source | Destination | Service | Direction | Zone | Keep State |
|---|---|---|---|---|---|---|---|
| InBoundSemiPrivateAccessICMP | Permit | Any | Semi-Private-IP | ICMPDESTUNREACHABLE, ICMPTIMEEXCEEDED | In | Semi-Private | No |
| OutBoundSemiPrivateAccessICMP | Permit | Semi-Private-IP | Any | ICMPDESTUNREACHABLE | Out | Semi-Private | No |
| InBoundSemiPrivateBlockAll | Block | Any | Any | Any | In | Semi-Private | No |
| OutBoundSemiPrivateBlockAll | Block | Any | Any | Any | Out | Semi-Private | No |

DMZ zone firewall templates

The Demilitarized Zone (DMZ) network interface is typically used to give Internet users access to some corporate services without compromising the private network where sensitive information is stored. For all services set up in the DMZ, access is allowed from any network, including Public, Private, Management, and Semi-private. Because the DMZ is not a trusted network, all outgoing traffic is blocked.

The same security rules are enforced for high security, medium security, and low security. The DMZ high security rules are enforced for both incoming and outgoing packets as follows:

- Incoming traffic from the DMZ zone is denied.
- Outgoing traffic to the DMZ zone that is allowed includes packets from the following networks: private, management, and semi-private, where the destination is the servers with the common services.

Table 41: DMZ high and medium security firewall rules (1 of 2)

| Rule Name | Action | Source | Destination | Service | Direction | Zone | Keep State | Description |
|---|---|---|---|---|---|---|---|---|
| InBoundDMZActiveFTPAccess | Permit | DMZNet | Any | ActiveFTP | In | DMZ | Yes | Permit active FTP data connection from FTP server on DMZNet to any FTP client on the Internet (this works for both NAT and non-NAT setups) |
| InBoundDMZBlockAll | Deny | Any | Any | Any | In | DMZ | No | Deny the rest of traffic |
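
The two Table 41 rows on this page, modelled as a first-match rule list with kept state. This is an added example, not code from the Avaya manual or product. The DMZNet range, the sample addresses, first-match ordering, and the meaning given to the ActiveFTP service (TCP sent from source port 20) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("192.0.2.0/24")  # constructed stand-in for DMZNet

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

def active_ftp(p):
    # Assumption: the ActiveFTP service means TCP sent from ftp-data port 20.
    return p.proto == "tcp" and p.sport == 20

# The two Table 41 rows shown on this page (Direction In, Zone DMZ), in order:
# (rule name, action, match predicate, keep state)
RULES = [
    ("InBoundDMZActiveFTPAccess", "Permit",
     lambda p: ip_address(p.src) in DMZ_NET and active_ftp(p), True),
    ("InBoundDMZBlockAll", "Deny", lambda p: True, False),
]

class DmzInbound:
    """First-match evaluation of connections opened by hosts in the DMZ."""

    def __init__(self):
        self.states = set()  # flows recorded by rules with Keep State = Yes

    def new_connection(self, p):
        for name, action, match, keep_state in RULES:
            if match(p):
                if action == "Permit" and keep_state:
                    self.states.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return action, name
        return "Deny", "no rule matched"

    def reply_allowed(self, p):
        # A packet toward the DMZ passes only as the reverse of a kept flow.
        return (p.dst, p.dport, p.src, p.sport, p.proto) in self.states

def demo():
    fw = DmzInbound()
    data = Packet("192.0.2.10", 20, "203.0.113.5", 50000)  # FTP server -> client
    other = Packet("192.0.2.10", 44321, "10.0.0.5", 445)   # any other DMZ-initiated flow
    ack = Packet("203.0.113.5", 50000, "192.0.2.10", 20)   # client reply on data flow
    return fw.new_connection(data), fw.new_connection(other), fw.reply_allowed(ack)

if __name__ == "__main__":
    print(demo())
```

Because the table gives Destination as Any, the permit in this model keys only on the source network and the service. How narrowly it matches on a real gateway depends on how the ActiveFTP service object is defined, which this page does not show.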
Issue 4 May 2005