ZyXEL Communications ZyWALL 300 User Manual

 Chapter 19 Firewall
ZyWALL USG 300 User’s Guide
279
The following table explains the default firewall rules for traffic going through the ZyWALL. See  for details on the firewall rules for traffic going to the ZyWALL itself.
Note: If you enable intra-zone traffic blocking (see the chapter about zones), the firewall automatically creates (implicit) rules to deny packet passage between the interfaces in the specified zone.
You also need to configure virtual servers (NAT port forwarding) to allow computers on the WAN to access devices on the LAN. See  for more information.
19.2.1.1  Global Firewall Rules
If an interface or VPN tunnel is not included in a zone, only the global firewall rules (with from any to any direction) apply to traffic going to and from that interface.
Table 84   Default Firewall Rules

FROM ZONE TO ZONE   STATEFUL PACKET INSPECTION
From LAN to LAN     Traffic between interfaces in the LAN is allowed.
From LAN to WAN     Traffic from the LAN to the WAN is allowed.
From LAN to DMZ     Traffic from the LAN to the DMZ is allowed.
From LAN to WLAN    Traffic from the LAN to the WLAN is allowed.
From WAN to LAN     Traffic from the WAN to the LAN is dropped.
From WAN to WAN     Traffic between interfaces in the WAN is dropped.
From WAN to DMZ     Traffic from the WAN to the DMZ is allowed.
From WAN to ZyWALL  Traffic from the WAN to the ZyWALL itself is dropped except for the traffic types described in .
From WAN to WLAN    Traffic from the WAN to the WLAN is allowed.
From DMZ to LAN     Traffic from the DMZ to the LAN is dropped.
From DMZ to WAN     Traffic from the DMZ to the WAN is dropped.
From DMZ to DMZ     Traffic between interfaces in the DMZ is dropped.
From WLAN to LAN    Traffic from the WLAN to the LAN is rejected unless it is from an authenticated wireless LAN user.
From WLAN to DMZ    Traffic from the WLAN to the DMZ is rejected unless it is from an authenticated wireless LAN user.
From WLAN to WAN    Traffic from the WLAN to the WAN is rejected unless it is DNS UDP traffic or from an authenticated wireless LAN user or a guest.
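The zone-to-zone defaults in Table 84, the global-rule fallback for interfaces outside any zone, and the intra-zone blocking note above can be modelled as a small policy evaluator for auditing what a flow would hit before you add your own rules. This is an added example, not ZyXEL's code; the interface-to-zone assignment, the Flow fields and the global_rule default are assumptions.

```python
from dataclasses import dataclass

# Zone-to-zone defaults taken from Table 84. "auth" means the traffic is rejected
# unless it comes from an authenticated wireless LAN user (WLAN-to-WAN also
# admits DNS over UDP and guest users, handled below).
DEFAULT_RULES = {
    ("LAN", "LAN"): "allow", ("LAN", "WAN"): "allow",
    ("LAN", "DMZ"): "allow", ("LAN", "WLAN"): "allow",
    ("WAN", "LAN"): "drop", ("WAN", "WAN"): "drop",
    ("WAN", "DMZ"): "allow", ("WAN", "WLAN"): "allow",
    ("DMZ", "LAN"): "drop", ("DMZ", "WAN"): "drop", ("DMZ", "DMZ"): "drop",
    ("WLAN", "LAN"): "auth", ("WLAN", "DMZ"): "auth", ("WLAN", "WAN"): "auth",
}

# Assumed interface-to-zone mapping for this example (not from the manual).
ZONES = {"lan1": "LAN", "lan2": "LAN", "wan1": "WAN", "dmz": "DMZ", "wlan-1": "WLAN"}


@dataclass
class Flow:
    src_if: str
    dst_if: str
    proto: str = "tcp"
    dst_port: int = 0
    authenticated: bool = False   # authenticated wireless LAN user
    guest: bool = False           # guest wireless user


def evaluate(flow, zones=ZONES, rules=DEFAULT_RULES,
             block_intra_zone=False, global_rule="drop"):
    """Return 'allow', 'drop' (silent) or 'reject' for a flow under the defaults.
    global_rule is the any-to-any rule; 'drop' is an assumed conservative value."""
    src_zone, dst_zone = zones.get(flow.src_if), zones.get(flow.dst_if)
    # An interface or tunnel outside every zone sees only the global rule.
    if src_zone is None or dst_zone is None:
        return global_rule
    # Intra-zone blocking adds implicit denies between interfaces of one zone.
    if block_intra_zone and src_zone == dst_zone and flow.src_if != flow.dst_if:
        return "drop"
    action = rules.get((src_zone, dst_zone), "drop")
    if action != "auth":
        return action
    if flow.authenticated:
        return "allow"
    # Only the WLAN-to-WAN row also admits guests and DNS over UDP.
    if dst_zone == "WAN" and (flow.guest or (flow.proto == "udp" and flow.dst_port == 53)):
        return "allow"
    return "reject"
```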