Dmz zone firewall templates, 1 of 2 – Avaya 3.7 User Manual


DMZ zone firewall templates

Issue 4 May 2005


The Demilitarized Zone (DMZ) network interface is typically used to give Internet users access
to selected corporate services without exposing the private network, where sensitive
information is stored. For every service set up in the DMZ, access is allowed from any network,
including Public, Private, Management and Semi-private. Because the DMZ is not a trusted
network, all traffic originating in the DMZ is blocked.

The same rules are enforced at the high, medium and low security levels. The DMZ high security
rules apply to incoming and outgoing packets as follows.

Incoming traffic from the DMZ zone is denied. The one exception is the active FTP data
connection permitted by the first rule in Table 41 (the FTP server on DMZNet opens it towards
the client), and that rule is stateful so the client's replies are accepted.

Outgoing traffic to the DMZ zone is allowed for packets from the private, management and
semi-private networks whose destination is a server providing one of the common services.

Table 40: Semi-private VPN-only security firewall rules (continued)

Rule Name                      Action  Source           Destination      Service                                Direction  Zone          Keep State
InBoundSemiPrivateAccessICMP   Permit  Any              Semi-Private-IP  ICMPDESTUNREACHABLE, ICMPTIMEEXCEEDED  In         Semi-Private  No
OutBoundSemiPrivateAccessICMP  Permit  Semi-Private-IP  Any              ICMPDESTUNREACHABLE                    Out        Semi-Private  No
InBoundSemiPrivateBlockAll     Block   Any              Any              Any                                    In         Semi-Private  No
OutBoundSemiPrivateBlockAll    Block   Any              Any              Any                                    Out        Semi-Private  No

2 of 2

Table 41: DMZ high and medium security firewall rules

Rule Name                  Action  Source  Destination  Service    Direction  Zone  Keep State  Description
InBoundDMZActiveFTPAccess  Permit  DMZNet  Any          ActiveFTP  In         DMZ   Yes         Permit the active FTP data connection from the FTP server on DMZNet to any FTP client on the Internet (works for both NAT and non-NAT setups)
InBoundDMZBlockAll         Deny    Any     Any          Any        In         DMZ   No          Deny the rest of the traffic

1 of 2
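To show how the policy described above and the rule rows in Tables 40 and 41 behave on real packets, here is a small first-match evaluator that transcribes both tables and runs constructed packets through them. It is an added example written for this page, not Avaya code; the DMZNet and Semi-Private-IP subnets, the definition of ActiveFTP as TCP from source port 20, the top-down first-match order and the meaning of Keep State (replies of a permitted flow pass without a rule lookup) are all assumptions the page does not state.

```python
"""Toy first-match evaluator for the rule tables on this page (added example, not Avaya code).

Assumptions the page does not state, chosen here for illustration:
  - rules are evaluated top-down and the first match wins; an unmatched packet is denied;
  - DMZNet and Semi-Private-IP are modelled as constructed RFC 5737 subnets;
  - ActiveFTP means TCP from source port 20 (the data connection the FTP server opens);
  - Keep State = Yes lets reply packets of a permitted flow pass without a rule lookup.
"""
from dataclasses import dataclass
import ipaddress

NETWORKS = {  # constructed address sets; real values come from the device configuration
    "Any": ipaddress.ip_network("0.0.0.0/0"),
    "DMZNet": ipaddress.ip_network("192.0.2.0/24"),
    "Semi-Private-IP": ipaddress.ip_network("198.51.100.0/24"),
}

SERVICES = {  # service names from the tables, as predicates on a packet (assumed definitions)
    "Any": lambda p: True,
    "ActiveFTP": lambda p: p.proto == "tcp" and p.sport == 20,
    "ICMPDESTUNREACHABLE": lambda p: p.proto == "icmp" and p.icmp_type == 3,
    "ICMPTIMEEXCEEDED": lambda p: p.proto == "icmp" and p.icmp_type == 11,
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    zone: str
    direction: str       # "In" or "Out", as in the tables
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # Permit / Block / Deny, spelled as on the page
    src: str
    dst: str
    services: tuple
    direction: str
    zone: str
    keep_state: bool = False

    def matches(self, p):
        return (self.zone == p.zone and self.direction == p.direction
                and ipaddress.ip_address(p.src) in NETWORKS[self.src]
                and ipaddress.ip_address(p.dst) in NETWORKS[self.dst]
                and any(SERVICES[s](p) for s in self.services))


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # (src, dst, proto, sport, dport) of permitted stateful flows

    def evaluate(self, p):
        """Return (action, reason): the matching rule name, 'state', or 'implicit' deny."""
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.flows:
            return "Permit", "state"  # reply direction of a tracked flow
        for r in self.rules:
            if r.matches(p):
                if r.action == "Permit" and r.keep_state:
                    self.flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return r.action, r.name
        return "Deny", "implicit"


# Table 40 (2 of 2) and Table 41 (1 of 2), transcribed from the page
SEMI_PRIVATE_RULES = [
    Rule("InBoundSemiPrivateAccessICMP", "Permit", "Any", "Semi-Private-IP",
         ("ICMPDESTUNREACHABLE", "ICMPTIMEEXCEEDED"), "In", "Semi-Private"),
    Rule("OutBoundSemiPrivateAccessICMP", "Permit", "Semi-Private-IP", "Any",
         ("ICMPDESTUNREACHABLE",), "Out", "Semi-Private"),
    Rule("InBoundSemiPrivateBlockAll", "Block", "Any", "Any", ("Any",), "In", "Semi-Private"),
    Rule("OutBoundSemiPrivateBlockAll", "Block", "Any", "Any", ("Any",), "Out", "Semi-Private"),
]
DMZ_RULES = [
    Rule("InBoundDMZActiveFTPAccess", "Permit", "DMZNet", "Any", ("ActiveFTP",), "In", "DMZ",
         keep_state=True),
    Rule("InBoundDMZBlockAll", "Deny", "Any", "Any", ("Any",), "In", "DMZ"),
]


def demo():
    """Run constructed packets through both rule sets; returns a list of (label, action, reason)."""
    fw = Firewall(SEMI_PRIVATE_RULES + DMZ_RULES)
    cases = [  # constructed packets; addresses are RFC 5737 documentation ranges
        ("ftp-data from DMZ server", Packet("192.0.2.10", "203.0.113.5", "tcp", "DMZ", "In", sport=20, dport=50000)),
        ("client reply to ftp-data", Packet("203.0.113.5", "192.0.2.10", "tcp", "DMZ", "Out", sport=50000, dport=20)),
        ("http from DMZ host", Packet("192.0.2.10", "203.0.113.5", "tcp", "DMZ", "In", sport=40000, dport=80)),
        ("dest-unreachable to semi-private", Packet("203.0.113.9", "198.51.100.7", "icmp", "Semi-Private", "In", icmp_type=3)),
        ("echo-request to semi-private", Packet("203.0.113.9", "198.51.100.7", "icmp", "Semi-Private", "In", icmp_type=8)),
        ("time-exceeded from semi-private", Packet("198.51.100.7", "203.0.113.9", "icmp", "Semi-Private", "Out", icmp_type=11)),
    ]
    return [(label, *fw.evaluate(p)) for label, p in cases]


if __name__ == "__main__":
    for label, action, reason in demo():
        print(f"{label:36} -> {action:6} ({reason})")
```

Two things the run makes visible that the tables alone do not: the FTP client's reply is accepted only because the first DMZ rule keeps state (a fresh firewall with no tracked flow denies the same packet), and the semi-private ICMP rules are asymmetric, so an outbound ICMP time-exceeded from the semi-private network falls through to OutBoundSemiPrivateBlockAll even though the inbound rule permits it.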
