ZyXEL p-660h-61 Guida Utente

Prestige 660H Series User’s Guide 

12-2 

Creating Custom Rules 

1.  Once the logic of the rule has been defined, it is critical to consider the security ramifications 

created by the rule: 

2.  Does this rule stop LAN users from accessing critical resources on the Internet? For example, if 

IRC is blocked, are there users that require this service? 

3.  Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, 

will a rule that blocks just certain users be more effective? 

4.  Does a rule that allows Internet users access to resources on the LAN create a security 

vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, 
Internet users may be able to connect to computers with running FTP servers. 

5.  Does this rule conflict with any existing rules? 

6.  Once these questions have been answered, adding rules is simply a matter of plugging the 

information into the correct fields in the Rules screen in the web configurator. 

Should the action be to Block or Forward? 

“Block” means the firewall silently discards the packet. 

Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first 
define it. See section 12.5 for more information on predefined services. 

What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or 
a subnet? 

What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of 
IPs or a subnet? 

This section talks about configuring firewall rules for connections going from LAN to WAN and 
WAN to LAN in your firewall. 

The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access 
to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users 
from accessing certain services on the WAN. See the following figure.