ZyXEL Communications HW-D Series User Manual

P-662H/HW-D Series User’s Guide

Chapter 11 Firewall Configuration

183

4 Does a rule that allows Internet users access to resources on the LAN create a security 

vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the 
LAN, Internet users may be able to connect to computers with running FTP servers.

5 Does this rule conflict with any existing rules?

6 Once these questions have been answered, adding rules is simply a matter of plugging the 

information into the correct fields in the web configurator screens.

Should the action be to Drop, Reject or Permit? 

Note: “Drop” means the firewall silently discards the packet. “Reject” means the 

firewall discards packets and sends an ICMP destination-unreachable 
message to the sender.

Select the service from the Service scrolling list box. If the service is not listed, it is necessary 
to first define it. See 

for more information on predefined services.

What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of 
IPs or a subnet?

What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a 
range of IPs or a subnet?

This section describes examples for firewall rules for connections going from LAN to WAN 
and from WAN to LAN. Rules for the DMZ work in a similar fashion.

LAN to LAN/ Router, WAN to WAN/ Router and DMZ to DMZ/Router rules applies to 
packets coming in on the associated interface (LAN, WAN, or DMZ respectively). LAN to 
LAN/ Router means policies for LAN-to-ZyXEL Device (the policies for managing the 
ZyXEL Device through the LAN interface) and policies for LAN-to-LAN (the policies that 
control routing between two subnets on the LAN). Similarly, WAN to WAN/ Router and 
DMZ to DMZ/ Router polices apply in the same way to the WAN and DMZ ports.