Nortel 4134 Guia Do Utilizador
Firewall Overview
23
Outside of the internet zone, all other zones on the router are trusted zones.
No traffic is allowed into a trusted zone unless a session is initiated from
within that zone.
No traffic is allowed into a trusted zone unless a session is initiated from
within that zone.
By default, all outbound connections from the trusted zone are allowed and
all inbound connections are denied.
all inbound connections are denied.
There is one default trusted zone, named corp. You can create additional
zones as required to meet the needs of your network. All additional zones
that you create are trusted zones.
zones as required to meet the needs of your network. All additional zones
that you create are trusted zones.
Transit policies on trusted zones only
Transit policies allow traffic to flow through the firewall. In order for traffic
from the untrusted zone to flow back into the trusted zone, the session must
be initiated from within the trusted zone. To configure rules for this traffic,
you must configure transit policies on the trusted zones.
from the untrusted zone to flow back into the trusted zone, the session must
be initiated from within the trusted zone. To configure rules for this traffic,
you must configure transit policies on the trusted zones.
Each trusted zone has a database of incoming and outgoing policies.
Outgoing policies are applied to traffic flowing from the trusted interfaces to
the Internet. Incoming policies are applied to traffic flowing from the Internet
to the trusted interface in the Virtual Firewall.
Outgoing policies are applied to traffic flowing from the trusted interfaces to
the Internet. Incoming policies are applied to traffic flowing from the Internet
to the trusted interface in the Virtual Firewall.
In addition, to allow traffic between trusted zones, you must configure the
trusted zones to allow the transit traffic to pass. If desired, you can globally
disable firewall processing between the trusted zones.
trusted zones to allow the transit traffic to pass. If desired, you can globally
disable firewall processing between the trusted zones.
No transit policies on internet untrusted zone
Policies in the internet zone do not deal with transit traffic.
The primary use for the internet zone is to mark your untrusted interfaces.
The secondary use for the internet zone is to allow connections to the
SR4134 itself from the Internet (for example, to allow for a Telnet connection
to the router from the Internet). Policies in the internet zone deal only
with traffic destined to or sourced from an interface in the internet zone
(or ’internet-self’ traffic). These "self" policies are the only type of policy
supported in the untrusted zone.
SR4134 itself from the Internet (for example, to allow for a Telnet connection
to the router from the Internet). Policies in the internet zone deal only
with traffic destined to or sourced from an interface in the internet zone
(or ’internet-self’ traffic). These "self" policies are the only type of policy
supported in the untrusted zone.
You cannot configure the internet zone with policies for traffic passing
through the router. If you want to allow connections from the internet to
travel into the trusted side, then you must configure an inbound policy in
a trusted zone (like "corp").
through the router. If you want to allow connections from the internet to
travel into the trusted side, then you must configure an inbound policy in
a trusted zone (like "corp").
The internet zone is not involved in governing transit traffic.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.