Brocade Communications Systems 5600 vRouter Configuration Manual page 18

FIGURE 2 Zone-based firewall overview
By default, all traffic coming into the router and originating from the router is allowed.
Note the following additional points about zone-based firewalls:
- An interface can be associated with only one zone.
- An interface that belongs to a zone cannot have a per-interface firewall rule set applied to it, and conversely.
- Traffic between interfaces that do not belong to any zone flows unfiltered, and per-interface firewall rule sets can be applied to those interfaces.
- By default, all traffic to a zone is dropped unless explicitly allowed by a filtering policy for a source zone (from_zone).
- Filtering policies are unidirectional; they are defined as a "zone pair" that identifies the zone from which traffic is sourced (from_zone) and the zone to which traffic is destined (to_zone). In the preceding figure, these unidirectional policies can be seen as follows:
  - From private to DMZ
  - From public to DMZ
  - From private to public
  - From DMZ to public
  - From public to private
  - From DMZ to private
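
The rules in the list above can be checked mechanically when reviewing a planned zone layout. The following Python model is an added example, not taken from the Brocade guide or the vRouter software; the interface names, policy names, and function names are constructed for illustration. Cases this page does not describe (traffic within one zone, or from a zone to an unzoned interface) are reported as such rather than guessed.

```python
# Added example: a model of the zone rules listed above, not vRouter code.
# Zone names follow the figure; interface and policy names are constructed.

ZONES = {"private": ["if0"], "dmz": ["if1"], "public": ["if2"]}
# Zone pairs are keyed (from_zone, to_zone); each pair is one direction only.
POLICIES = {("private", "dmz"): "private_to_dmz",
            ("public", "dmz"): "public_to_dmz"}


def validate(zones, per_if_rulesets):
    """Return violations of the zone membership rules.

    zones: {zone_name: [interface, ...]}
    per_if_rulesets: interfaces that carry a per-interface rule set.
    """
    problems, owner = [], {}
    for zone, ifaces in zones.items():
        for ifc in ifaces:
            # Rule: an interface can be associated with only one zone.
            if ifc in owner and owner[ifc] != zone:
                problems.append(f"{ifc}: in zone {owner[ifc]} and zone {zone}")
            owner.setdefault(ifc, zone)
    for ifc in per_if_rulesets:
        # Rule: a zone member cannot also have a per-interface rule set.
        if ifc in owner:
            problems.append(f"{ifc}: zone member with per-interface rule set")
    return problems


def default_action(zones, policies, in_if, out_if):
    """Classify forwarded traffic from in_if to out_if under the listed rules."""
    owner = {ifc: z for z, ifaces in zones.items() for ifc in ifaces}
    src, dst = owner.get(in_if), owner.get(out_if)
    if src is None and dst is None:
        return "unfiltered"              # neither interface is in a zone
    if dst is None or src == dst:
        return "not covered on this page"
    if src is not None and (src, dst) in policies:
        return "filtered by policy " + policies[(src, dst)]
    return "drop"                        # traffic to a zone with no zone pair


if __name__ == "__main__":
    print(validate({"private": ["if0"], "dmz": ["if0"]}, ["if0"]))
    for pair in [("if0", "if1"), ("if1", "if0"), ("if3", "if1"), ("if3", "if4")]:
        print(pair, "->", default_action(ZONES, POLICIES, *pair))
```

Because policies are keyed by direction, the DMZ-to-private result is a drop even though private-to-DMZ has a policy; return traffic needs its own zone pair in this model.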
Firewall Overview
Brocade 5600 vRouter Firewall Configuration Guide
53-1004253-01
