What You Need To Know - ZyXEL Communications ISG50-ISDN User Manual

Integrated service gateway
Chapter 23 Firewall

23.1.2 What You Need to Know

Stateful Inspection
The ISG50 has a stateful inspection firewall. The ISG50 restricts access by screening data packets
against defined access rules. It also inspects sessions. For example, traffic from one zone is not
allowed unless it is initiated by a computer in another zone first.
Zones
A zone is a group of interfaces or VPN tunnels. Group the ISG50's interfaces into different zones
based on your needs. You can configure firewall rules for data passing between zones or even
between interfaces and/or VPN tunnels in a zone.
Default Firewall Behavior
Firewall rules are grouped based on the direction of travel of packets to which they apply. Here is
the default firewall behavior for traffic going through the ISG50 in various directions.
Table 113 Default Firewall Behavior

FROM ZONE TO ZONE                   BEHAVIOR
From WAN to Device                  Traffic from the WAN to the ISG50 itself is allowed for certain default
                                    services described in To-Device Rules on page 354. All other WAN to
                                    ISG50 traffic is dropped.
From WAN to any (other              Traffic from the WAN to any of the networks behind the ISG50 is
than the ISG50)                     dropped.
From DMZ to Device                  Traffic from the DMZ to the ISG50 itself is allowed for certain default
                                    services described in To-Device Rules on page 354. All other DMZ to
                                    ISG50 traffic is dropped.
From DMZ to any (other              Traffic from the DMZ to any of the networks behind the ISG50 is
than the ISG50)                     dropped.
From ANY to ANY                     Traffic that does not match any firewall rule is allowed. So for example,
                                    LAN to WAN, LAN to DMZ traffic is allowed. This also includes traffic to
                                    or from interfaces or VPN tunnels that are not assigned to a zone
                                    (extra-zone traffic).

To-Device Rules
Rules with Device as the To Zone apply to traffic going to the ISG50 itself. By default:
• The firewall allows only LAN or WAN computers to access or manage the ISG50.
• The ISG50 drops most packets from the WAN zone to the ISG50 itself, except for ESP/AH/IKE/
NATT/HTTPS services for VPN tunnels, and generates a log.
• The ISG50 drops most packets from the DMZ zone to the ISG50 itself, except for DNS and
NetBIOS traffic, and generates a log.
When you configure a firewall rule for packets destined for the ISG50 itself, make sure it does not
conflict with your service control rule. See Chapter 52 on page 665 for more information about
service control (remote management). The ISG50 checks the firewall rules before the service
control rules for traffic destined for the ISG50.

354                                                                      ISG50 User's Guide
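The following is an added illustration, not ZyXEL code or the ISG50's actual rule engine: it encodes Table 113 and the To-Device defaults above as data and adds a minimal session table, so you can see why a LAN-initiated connection's replies pass from the WAN while an unsolicited WAN packet to the same LAN host is dropped. The zone names, the Device pseudo-zone and the listed service names come from the manual; the data structures, function names, the treatment of zoneless interfaces as "not LAN/WAN/DMZ", and the sample IP addresses are assumptions made for the example.

```python
"""Toy model of the ISG50 default zone-based, stateful firewall policy (added example)."""
from dataclasses import dataclass, field

DEVICE = "Device"   # To Zone for traffic addressed to the ISG50 itself
ANY = "ANY"

# To-Device defaults from the manual: services each zone may send to the ISG50
# itself. None means any service (LAN computers may manage the device).
# Zones not listed (e.g. an interface in no zone) are dropped here (assumption).
TO_DEVICE_ALLOWED = {
    "LAN": None,
    "WAN": {"ESP", "AH", "IKE", "NATT", "HTTPS"},   # VPN tunnel services only
    "DMZ": {"DNS", "NetBIOS"},
}

# Table 113: zones whose traffic to "any" other destination is dropped by
# default. Every other from/to pair falls under the ANY-to-ANY "allow" row.
DEFAULT_DROP_FROM = {"WAN", "DMZ"}


@dataclass(frozen=True)
class Packet:
    src: str        # source IP (sample values below are constructed)
    dst: str
    service: str    # e.g. "HTTP", "IKE", "DNS"
    from_zone: str
    to_zone: str    # DEVICE when the ISG50 itself is the destination


@dataclass
class Firewall:
    # explicit rules as (from_zone, to_zone, service, action); first match wins
    rules: list = field(default_factory=list)
    sessions: set = field(default_factory=set)   # (src, dst, service) tuples
    log: list = field(default_factory=list)

    def decide(self, p: Packet) -> str:
        """Return "allow" or "drop" for packet p."""
        # 1. Stateful inspection: a reply belonging to a session that was
        #    allowed in the other direction passes without consulting rules.
        if (p.dst, p.src, p.service) in self.sessions:
            return "allow"
        # 2. Explicit firewall rules are checked before any defaults (and, for
        #    to-device traffic, before service control rules).
        for fz, tz, svc, action in self.rules:
            if (fz in (p.from_zone, ANY) and tz in (p.to_zone, ANY)
                    and svc in (p.service, ANY)):
                return self._apply(p, action)
        # 3. To-Device defaults: only the listed services reach the ISG50.
        if p.to_zone == DEVICE:
            allowed = TO_DEVICE_ALLOWED.get(p.from_zone, set())
            permitted = allowed is None or p.service in allowed
            return self._apply(p, "allow" if permitted else "drop", log_drop=True)
        # 4. Table 113 zone defaults; anything else is the ANY-to-ANY "allow".
        action = "drop" if p.from_zone in DEFAULT_DROP_FROM else "allow"
        return self._apply(p, action)

    def _apply(self, p: Packet, action: str, log_drop: bool = False) -> str:
        if action == "allow":
            self.sessions.add((p.src, p.dst, p.service))   # remember for replies
        elif log_drop:   # the manual says dropped to-device packets are logged
            self.log.append(f"drop {p.from_zone}->{DEVICE} {p.service} from {p.src}")
        return action


if __name__ == "__main__":
    fw = Firewall()
    # Constructed sample traffic: LAN host 192.0.2.10 browses to WAN host 198.51.100.5
    out = Packet("192.0.2.10", "198.51.100.5", "HTTP", "LAN", "WAN")
    reply = Packet("198.51.100.5", "192.0.2.10", "HTTP", "WAN", "LAN")
    probe = Packet("198.51.100.9", "192.0.2.10", "HTTP", "WAN", "LAN")
    ssh = Packet("198.51.100.9", "203.0.113.1", "SSH", "WAN", DEVICE)
    for pkt in (out, reply, probe, ssh):
        print(f"{pkt.from_zone}->{pkt.to_zone} {pkt.service}: {fw.decide(pkt)}")
    print("log:", fw.log)
```

The order of checks in `decide` mirrors the manual's description: session state first, then explicit rules, then the To-Device defaults, then the zone defaults, with the ANY-to-ANY "allow" as the fall-through. Adding a rule such as `("WAN", "DMZ", "HTTP", "allow")` to `rules` is how the default WAN-to-DMZ drop is overridden for a published service.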