ZyXEL Communications NXC5200 User Manual page 251

Chapter 18 Firewall
• The NXC drops most packets from the DMZ zone to the NXC itself, except for
DNS and NetBIOS traffic, and generates a log.
When you configure a firewall rule for packets destined for the NXC itself, make
sure it does not conflict with your service control rule. The NXC checks the firewall
rules before the service control rules for traffic destined for the NXC.
You can configure a To-NXC firewall rule (with From Any To NXC direction) for
traffic from an interface which is not in a zone.
Global Firewall Rules
Firewall rules with from any and/or to any as the packet direction are called
global firewall rules. The global firewall rules are the only firewall rules that apply
to an interface that is not included in a zone. The from any rules apply to traffic
coming from the interface and the to any rules apply to traffic going to the
interface.
Firewall Rule Criteria
The NXC checks the schedule, user name (user's login name on the NXC), source
IP address, destination IP address and IP protocol type of network traffic against
the firewall rules (in the order you list them). When the traffic matches a rule, the
NXC takes the action specified in the rule.
User Specific Firewall Rules
You can specify users or user groups in firewall rules. For example, to allow a
specific user from any computer to access a zone by logging in to the NXC, you
can set up a rule based on the user name only. If you also apply a schedule to the
firewall rule, the user can only access the network at the scheduled time. A user-
aware firewall rule is activated whenever the user logs in to the NXC and will be
disabled after the user logs out of the NXC.
Firewall and Application Patrol
To use a service, make sure both the firewall and application patrol allow the
service's packets to go through the NXC. The NXC checks the firewall rules before
the application patrol rules for traffic going through the NXC.
251
NXC5200 User's Guide