Chapter 19 Firewall
Note: At the time of writing the ZyWALL's VPN and GRE tunnels support IPv4 traffic so
IPv6 firewall rules do not apply to IPSec, SSL VPN, and GRE tunnel traffic.
Table 97 Example Firewall Behavior

FROM ZONE TO ZONE                                BEHAVIOR
From any to ZyWALL                               DHCP traffic from any interface to the ZyWALL is allowed.
                                                 DHCPv6 and Default_Allow_ICMPv6_Group traffic from any
                                                 interface to the ZyWALL is allowed.
From LAN to any (other than the ZyWALL)          Traffic from the LAN to any of the networks connected to the
                                                 ZyWALL is allowed.
From DMZ to WAN                                  Traffic from the DMZ to the WAN is allowed.
From IPSec VPN to any (other than the ZyWALL)    Traffic from the IPSec VPN zone to any of the networks
                                                 connected to the ZyWALL is allowed.
From SSL VPN to any (other than the ZyWALL)      Traffic from the SSL VPN zone to any of the networks
                                                 connected to the ZyWALL is allowed.
From TUNNEL to any (other than the ZyWALL)       Traffic from the TUNNEL zone to any of the networks
                                                 connected to the ZyWALL is allowed.
From LAN to ZyWALL                               Traffic from the LAN to the ZyWALL itself is allowed.
From DMZ to ZyWALL                               DNS and NetBIOS traffic from the DMZ to the ZyWALL itself
                                                 is allowed.
From WAN to ZyWALL                               The default services listed in To-ZyWALL Rules on page 266
                                                 are allowed from the WAN to the ZyWALL itself. All other
                                                 WAN to ZyWALL traffic is dropped.
From IPSec VPN to ZyWALL                         Traffic from the IPSec VPN zone to the ZyWALL itself is
                                                 allowed.
From SSL VPN to ZyWALL                           Traffic from the SSL VPN zone to the ZyWALL itself is
                                                 allowed.
From TUNNEL to ZyWALL                            Traffic from the TUNNEL zone to the ZyWALL itself is
                                                 allowed.
From any to any                                  Traffic that does not match any firewall rule is dropped.
                                                 This includes traffic from the DMZ or WAN to any of the
                                                 networks behind the ZyWALL and traffic other than DNS and
                                                 NetBIOS from the DMZ to the ZyWALL.
                                                 This also includes traffic to or from interfaces or VPN
                                                 tunnels that are not assigned to a zone (extra-zone
                                                 traffic).

To-ZyWALL Rules
Rules with ZyWALL as the To Zone apply to traffic going to the ZyWALL itself. By default:
• The firewall allows only LAN, WLAN, or WAN computers to access or manage the ZyWALL.
• The ZyWALL allows DHCP traffic from any interface to the ZyWALL.
• The ZyWALL allows DHCPv6 and Default_Allow_ICMPv6_Group traffic from any interface to the
ZyWALL.
• The ZyWALL drops most packets from the DMZ zone to the ZyWALL itself and generates a log,
except for DNS and NetBIOS traffic.
• The ZyWALL drops most packets from the WLAN zone to the ZyWALL itself and generates a log,
except for BOOTP_SERVER, HTTP, HTTPS, and DNS traffic.
• The ZyWALL drops most packets from the WAN zone to the ZyWALL itself and generates a log,
except for AH, ESP, GRE, HTTPS, IKE, NATT (NATT applies to IPv4 only), and VRRP traffic.
When you configure a firewall rule for packets destined for the ZyWALL itself, make sure it does not
conflict with your service control rule. See Chapter 37 on page 443 for more information about
service control (remote management). The ZyWALL checks the firewall rules before the service
control rules for traffic destined for the ZyWALL.

266                                              ZyWALL 110/310/1100 Series User's Guide
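The default policy in Table 97 and the To-ZyWALL bullets, modeled as a first-match rule list so that a given flow can be checked against it, with the firewall-before-service-control ordering made explicit. This is an added example in Python, not ZyXEL code: the interface names, the IPSec_VPN/SSL_VPN/TUNNEL zone spellings, the placement of the drop-and-log rows, and the SERVICE_CONTROL table are assumptions made for illustration, and the real device's rule set is richer than this.

```python
"""Toy evaluator for the ZyWALL default zone-to-zone policy in Table 97.

Added example, not ZyXEL code. Rule order, interface names, the
firewall/service-control split and the service-control table are assumptions
made to illustrate the text; the device's real rule set is richer.
"""
from dataclasses import dataclass
from typing import Optional

ZYWALL = "ZyWALL"   # pseudo-zone for traffic addressed to the device itself
ANY = "any"         # as a destination it means "any zone other than the ZyWALL"

# Constructed interface-to-zone bindings. "ge5" is deliberately unbound, so
# anything it sends or receives is extra-zone traffic.
INTERFACES = {"lan1": "LAN", "dmz": "DMZ", "wan1": "WAN",
              "wlan-1-1": "WLAN", "ge5": None}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    services: Optional[frozenset] = None   # None means any service
    allow: bool = True
    log: bool = False


# Default rules from Table 97 and the To-ZyWALL bullets, first match wins.
# The explicit drop-and-log rows come last so the per-zone exceptions above
# them get a chance to match first (assumed ordering).
DEFAULT_RULES = [
    Rule(ANY, ZYWALL, frozenset({"DHCP", "DHCPv6", "Default_Allow_ICMPv6_Group"})),
    Rule("LAN", ANY),
    Rule("DMZ", "WAN"),
    Rule("IPSec_VPN", ANY),
    Rule("SSL_VPN", ANY),
    Rule("TUNNEL", ANY),
    Rule("LAN", ZYWALL),
    Rule("WLAN", ZYWALL, frozenset({"BOOTP_SERVER", "HTTP", "HTTPS", "DNS"})),
    Rule("DMZ", ZYWALL, frozenset({"DNS", "NetBIOS"})),
    Rule("WAN", ZYWALL, frozenset({"AH", "ESP", "GRE", "HTTPS", "IKE", "NATT", "VRRP"})),
    Rule("IPSec_VPN", ZYWALL),
    Rule("SSL_VPN", ZYWALL),
    Rule("TUNNEL", ZYWALL),
    Rule("DMZ", ZYWALL, allow=False, log=True),
    Rule("WLAN", ZYWALL, allow=False, log=True),
    Rule("WAN", ZYWALL, allow=False, log=True),
]

# Constructed service-control (remote management) table: which zones may reach
# each management service once the firewall has already let the packet through.
SERVICE_CONTROL = {"HTTPS": {"LAN", "WAN"}, "HTTP": {"LAN"}, "SSH": {"LAN"}}


@dataclass(frozen=True)
class Verdict:
    action: str              # "allow" or "drop"
    stage: str               # "firewall", "service-control" or "default"
    rule: Optional[Rule]
    logged: bool


def zone_of(iface: str) -> Optional[str]:
    return INTERFACES.get(iface)


def firewall_verdict(src_iface: str, dst: str, service: str) -> Verdict:
    """dst is an interface name or ZYWALL. Returns the first matching rule's
    verdict; traffic that matches nothing, including extra-zone traffic, is
    dropped silently by the implicit any-to-any default."""
    src_zone = zone_of(src_iface)
    dst_zone = ZYWALL if dst == ZYWALL else zone_of(dst)
    if src_zone is None or dst_zone is None:
        return Verdict("drop", "default", None, False)
    for rule in DEFAULT_RULES:
        if rule.src not in (ANY, src_zone):
            continue
        if rule.dst == ANY:
            if dst_zone == ZYWALL:      # "any (other than the ZyWALL)"
                continue
        elif rule.dst != dst_zone:
            continue
        if rule.services is not None and service not in rule.services:
            continue
        return Verdict("allow" if rule.allow else "drop", "firewall", rule, rule.log)
    return Verdict("drop", "default", None, False)


def to_zywall_verdict(src_iface: str, service: str) -> Verdict:
    """Firewall first, then service control, in the order the text gives.
    A firewall drop is final; service control only narrows what the firewall
    already allowed, which is why the two must not contradict each other."""
    fw = firewall_verdict(src_iface, ZYWALL, service)
    if fw.action == "drop":
        return fw
    allowed_zones = SERVICE_CONTROL.get(service)
    if allowed_zones is None:          # not a managed service: firewall verdict stands
        return fw
    ok = zone_of(src_iface) in allowed_zones
    return Verdict("allow" if ok else "drop", "service-control", fw.rule, False)


if __name__ == "__main__":
    for src, dst, svc in [("lan1", "dmz", "HTTP"), ("dmz", "lan1", "HTTP"),
                          ("ge5", "lan1", "HTTP"), ("wan1", ZYWALL, "DHCP")]:
        v = firewall_verdict(src, dst, svc)
        print(f"{src:>8} -> {dst:<6} {svc:<5}: {v.action} ({v.stage}, log={v.logged})")
    for src, svc in [("wlan-1-1", "HTTP"), ("wan1", "HTTPS"), ("wan1", "SSH")]:
        v = to_zywall_verdict(src, svc)
        print(f"{src:>8} -> ZyWALL {svc:<5}: {v.action} ({v.stage}, log={v.logged})")
```

The WLAN-to-ZyWALL HTTP case is the conflict the text warns about: the firewall's WLAN exception admits HTTP, but the assumed service-control table only permits HTTP management from the LAN, so the packet is dropped at the second stage without a firewall log. The WAN-to-ZyWALL SSH case shows the opposite order of precedence: the firewall's WAN drop-and-log rule fires first and service control is never consulted.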