Firewall Rule Example Applications - ZyXEL Communications ZyWALL USG 200 Series User Manual

Unified security gateway
Chapter 24 Firewall
Firewall and Application Patrol
To use a service, make sure both the firewall and application patrol allow the
service's packets to go through the ZyWALL. For traffic going through the
ZyWALL, the firewall rules are checked before the application patrol rules, so a
packet that a firewall rule drops is never seen by application patrol.
Firewall and VPN Traffic
After you create a VPN tunnel and add it to a zone, you can set the firewall rules
applied to VPN traffic. If you add a VPN tunnel to an existing zone (the LAN1 zone,
for example), you can configure a new LAN1 to LAN1 firewall rule or use intra-zone
traffic blocking to allow or block VPN traffic passing between the VPN tunnel and
the other interfaces in the LAN1 zone. If you add the VPN tunnel to a new zone
(the VPN zone, for example), you can configure rules for VPN traffic between the
VPN zone and other zones, or From VPN To ZyWALL rules for VPN traffic destined
for the ZyWALL itself.
Session Limits
Accessing the ZyWALL, or network resources through the ZyWALL, requires a NAT
session and a corresponding firewall session. Peer-to-peer applications, such as
file-sharing applications, may use a large number of NAT sessions. A single client
could use all of the available NAT sessions and prevent others from connecting to
or through the ZyWALL. The ZyWALL lets you limit the number of concurrent NAT/
firewall sessions a client can use.
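The exhaustion scenario above, as an added illustration (not ZyXEL code, and not how the ZyWALL implements its session table): a fixed-size table standing in for the paired NAT/firewall entries, first with no per-client limit and then with one. The table size, the limit values, the addresses and the workload (a file-sharing host contacting 150 peers, then an ordinary host opening one HTTPS session) are all constructed.

```python
# Added illustration of the session-exhaustion scenario described above; not
# ZyXEL code. Table size, limits and addresses are constructed values.
from collections import Counter


class SessionTable:
    """One table standing in for the paired NAT/firewall session entries the
    ZyWALL creates per connection (simplification)."""

    def __init__(self, capacity, per_client_limit=None):
        self.capacity = capacity                  # total entries the device can hold
        self.per_client_limit = per_client_limit  # None = no limit configured
        self.sessions = set()                     # (client_ip, dst_ip, dst_port, proto)
        self.per_client = Counter()

    def open(self, client_ip, dst_ip, dst_port, proto="tcp"):
        """Return True if a new session is admitted, False if it is refused."""
        key = (client_ip, dst_ip, dst_port, proto)
        if key in self.sessions:
            return True   # already tracked, no new entry needed
        if (self.per_client_limit is not None
                and self.per_client[client_ip] >= self.per_client_limit):
            return False  # this client is at its cap; the table keeps room for others
        if len(self.sessions) >= self.capacity:
            return False  # whole table exhausted: nobody can open anything
        self.sessions.add(key)
        self.per_client[client_ip] += 1
        return True

    def close(self, client_ip, dst_ip, dst_port, proto="tcp"):
        """Release a session so the client's count and the table shrink again."""
        key = (client_ip, dst_ip, dst_port, proto)
        if key in self.sessions:
            self.sessions.discard(key)
            self.per_client[client_ip] -= 1


def simulate(per_client_limit, capacity=100, peers=150):
    """Constructed workload: a file-sharing host on LAN1 contacts `peers`
    peers, then an ordinary host tries a single HTTPS session. Returns
    (sessions the P2P host obtained, whether the second host succeeded)."""
    table = SessionTable(capacity, per_client_limit)
    p2p_host, web_host = "192.168.1.10", "192.168.1.20"
    got = sum(table.open(p2p_host, f"10.0.{i // 256}.{i % 256}", 6881)
              for i in range(peers))
    web_ok = table.open(web_host, "203.0.113.5", 443)
    return got, web_ok


if __name__ == "__main__":
    print("no limit:", simulate(None))   # P2P host fills the table, web host refused
    print("limit 40:", simulate(40))     # P2P host capped, web host gets through
```

A per-client limit only helps when it is smaller than the table: a cap of 200 on a 100-entry table changes nothing, which is the same check worth making on the real device (the configured limit against the session capacity of the model).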
Finding Out More
• See Section 6.5.14 on page 106 for related information on the Firewall
screens.
• See Section 7.7.6 on page 154 for an example of creating firewall rules as part
of configuring user-aware access control (Section 7.7 on page 146).
• See Section 7.11.3 on page 166 for an example of creating a firewall rule to
allow H.323 traffic from the WAN to the LAN.
• See Section 7.12.3 on page 169 for an example of creating a firewall rule to
allow web traffic from the WAN to a server on the DMZ.
• See Section 7.13.4 on page 174 for an example of creating firewall rules to
allow SIP traffic for an IPPBX or SIP server on the DMZ.

24.1.3 Firewall Rule Example Applications

Suppose that your company decides to block all of the LAN users from using IRC
(Internet Relay Chat) through the Internet. To do this, you would configure a LAN
to WAN firewall rule that blocks IRC traffic from any source IP address from going
to any destination address. You do not need to specify a schedule since you need

ZyWALL USG 100/200 Series User's Guide 456
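The IRC example of Section 24.1.3 and the "firewall before application patrol" order of Section 24.1, worked as an added model (not ZyXEL code, and not the ZyWALL's real rule engine): zone-pair rules matched first-hit in list order, then an application patrol stage that only sees what the firewall allowed, so the verdict names the stage that dropped the packet. The rule fields, the default deny for unmatched traffic, the service definitions (IRC on TCP 6667/6697), the application names and the sample packets are assumptions of this model.

```python
# Added illustration of the checking order described in this chapter; not
# ZyXEL code. Rule fields, defaults and services are assumptions.
from dataclasses import dataclass

# Assumed service definitions: service name -> set of (protocol, destination
# port), or None for the wildcard service that matches everything.
SERVICES = {
    "IRC": {("tcp", 6667), ("tcp", 6697)},
    "HTTP": {("tcp", 80)},
    "ANY": None,
}


@dataclass(frozen=True)
class Packet:
    src_zone: str   # zone of the interface the packet arrived on
    dst_zone: str   # zone of the outgoing interface, or "ZyWALL" for traffic to the device
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    app: str = ""   # application name as application patrol would classify it


@dataclass(frozen=True)
class FirewallRule:
    from_zone: str  # "any" matches every zone
    to_zone: str
    src: str        # "any" or an exact address (simplification of address objects)
    dst: str
    service: str    # key of SERVICES
    action: str     # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        ports = SERVICES[self.service]
        return (self.from_zone in ("any", pkt.src_zone)
                and self.to_zone in ("any", pkt.dst_zone)
                and self.src in ("any", pkt.src_ip)
                and self.dst in ("any", pkt.dst_ip)
                and (ports is None or (pkt.proto, pkt.dport) in ports))


def firewall_decision(rules, pkt, default="deny"):
    """First matching rule wins, in the order the rules are listed. Denying
    traffic that matches no rule is an assumption of this model."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def app_patrol_decision(policies, pkt):
    """policies: application name -> "forward" or "drop". Applications with
    no policy are forwarded (assumed)."""
    return policies.get(pkt.app, "forward")


def gateway_decision(rules, policies, pkt):
    """Firewall first, application patrol second: a packet the firewall denies
    never reaches application patrol, so the verdict names the dropping stage."""
    if firewall_decision(rules, pkt) == "deny":
        return ("deny", "firewall")
    if app_patrol_decision(policies, pkt) == "drop":
        return ("deny", "application patrol")
    return ("allow", None)


# Constructed rule set: the Section 24.1.3 IRC block, an allow rule so LAN1
# users otherwise reach the Internet, and a From VPN To ZyWALL rule.
RULES = [
    FirewallRule("LAN1", "WAN", "any", "any", "IRC", "deny"),
    FirewallRule("LAN1", "WAN", "any", "any", "ANY", "allow"),
    FirewallRule("VPN", "ZyWALL", "any", "any", "ANY", "allow"),
]
# Constructed application patrol policy.
POLICIES = {"bittorrent": "drop"}

if __name__ == "__main__":
    src, dst = "192.168.1.33", "198.51.100.7"
    for pkt in (Packet("LAN1", "WAN", src, dst, "tcp", 6667, "irc"),
                Packet("LAN1", "WAN", src, dst, "tcp", 80, "http"),
                Packet("LAN1", "WAN", src, dst, "tcp", 80, "bittorrent"),
                Packet("WAN", "LAN1", dst, src, "tcp", 80, "http")):
        print(pkt.src_zone, "->", pkt.dst_zone, pkt.app, gateway_decision(RULES, POLICIES, pkt))
```

Because the IRC deny rule is listed before the LAN1 to WAN allow rule, IRC is blocked even though the allow rule would also match it; moving the deny below the allow would silently defeat it, which is the ordering check to make on the real Firewall screen.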
