ZyXEL Communications NXC2500 User Manual page 186

NXC Series Wireless LAN Controller

Chapter 16 Firewall
To-NXC Rules
Rules with EnterpriseWLAN as the To Zone apply to traffic going to the NXC itself. By default:
• The firewall allows any computer to access or manage the NXC.
When you configure a firewall rule for packets destined for the NXC itself, make sure it does not
conflict with your service control rule. The NXC checks the firewall rules before the service control
rules for traffic destined for the NXC.
You can configure a To-NXC firewall rule (with From Any To EnterpriseWLAN direction) for traffic
from an interface which is not in a zone.
Global Firewall Rules
Firewall rules with from any and/or to any as the packet direction are called global firewall rules.
The global firewall rules are the only firewall rules that apply to an interface that is not included in a
zone. The from any rules apply to traffic coming from the interface and the to any rules apply to
traffic going to the interface.
Firewall Rule Criteria
The NXC checks the schedule, user name (user's login name on the NXC), source IP address,
destination IP address and IP protocol type of network traffic against the firewall rules (in the order
you list them). When the traffic matches a rule, the NXC takes the action specified in the rule.
User Specific Firewall Rules
You can specify users or user groups in firewall rules. For example, to allow a specific user from any
computer to access a zone by logging in to the NXC, you can set up a rule based on the user name
only. If you also apply a schedule to the firewall rule, the user can only access the network at the
scheduled time. A user-aware firewall rule is activated whenever the user logs in to the NXC and
will be disabled after the user logs out of the NXC.
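The matching order described under Firewall Rule Criteria and User Specific Firewall Rules, modeled as an added Python example (not ZyXEL code and not NXC configuration syntax). The class and field names, the sample rules and addresses, and the no-match default passed to evaluate() are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = "any"

@dataclass
class Rule:                          # field names are this sketch's own
    name: str
    action: str                      # "allow" or "deny"
    from_zone: str = ANY
    to_zone: str = ANY
    user: str = ANY                  # NXC login name, or ANY
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    protocol: str = ANY
    schedule: Optional[Tuple[time, time]] = None   # None: always active

@dataclass
class Packet:
    from_zone: Optional[str]         # None: not in any zone, only "any" rules match
    to_zone: Optional[str]
    src: str
    dst: str
    protocol: str
    user: Optional[str] = None       # set only while that user is logged in
    at: time = time(12, 0)           # time of day the packet arrives

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.from_zone in (ANY, pkt.from_zone)
            and rule.to_zone in (ANY, pkt.to_zone)
            and rule.user in (ANY, pkt.user)   # user-aware rule needs that login
            and rule.protocol in (ANY, pkt.protocol)
            and (rule.schedule is None or rule.schedule[0] <= pkt.at <= rule.schedule[1])
            and ip_address(pkt.src) in ip_network(rule.source)
            and ip_address(pkt.dst) in ip_network(rule.destination))

def evaluate(rules, pkt: Packet, default: str):
    for rule in rules:               # rules are checked in the order listed
        if matches(rule, pkt):
            return rule.name, rule.action   # first match decides
    return None, default             # no-match action is the caller's assumption

RULES = [  # constructed sample: alice may manage the NXC in work hours, others may not
    Rule("alice-mgmt", "allow", to_zone="EnterpriseWLAN", user="alice",
         schedule=(time(8, 0), time(18, 0))),
    Rule("block-mgmt", "deny", to_zone="EnterpriseWLAN"),
]
```

Reversing the two sample rules makes block-mgmt match first, so alice is denied even while logged in during the scheduled hours.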
Session Limits
Accessing the NXC or network resources through the NXC requires a NAT session and corresponding
firewall session. Peer to peer applications, such as file sharing applications, may use a large number
of NAT sessions. A single client could use all of the available NAT sessions and prevent others from
connecting to or through the NXC. The NXC lets you limit the number of concurrent NAT/firewall
sessions a client can use.
Asymmetrical Routes
If an alternate gateway on the LAN has an IP address in the same subnet as the NXC's LAN IP
address, return traffic may not go through the NXC. This is called an asymmetrical or "triangle"
route. This causes the NXC to reset the connection, as the connection has not been acknowledged.
You can have the NXC permit the use of asymmetrical route topology on the network (not reset the
connection). However, allowing asymmetrical routes may let traffic from the WAN go directly to the
LAN without passing through the NXC.
NXC Series User's Guide

This manual is also suitable for: NXC5500
