USG110 - Lack of understanding "ANY to WAN" vs. "ANY to ZyWall"

USG_User
Just experiencing a lot of external DNS queries from Taiwan with abnormal UDP traffic where source port is zero. These packets will be dropped.
But in this connection we checked our policy rules and have a little lack of understanding.

When creating a security rule from "ANY" to "WAN" ... - from our point of view access will be granted for all internal zones (DMZ, LAN1, LAN2) to the internet (WAN).

But when creating a security rule from e.g. "ANY to ZyWall", ANY also contains the WAN zone in this case, doesn't it?

So, the term "ANY" has different meanings depending on the "To" selection. Is this correct? We don't want to grant access for DNS queries from WAN to our internal zones. That's why we are discussing whether "ANY to WAN" is the correct choice. Or should we better create single rules for "LAN1 to WAN", "LAN2 to WAN", "OPT to WAN"?

All Replies

  • Zyxel_Stanley

    Hi @USG_User  

    “any” means all of the zones except the “ZyWALL” zone.

    It includes all of the internal zones and the WAN zone.


    The ZyWALL zone means the firewall itself.

    There are many built-in services: SSH/TELNET/FTP/HTTP/HTTPS/DNS… etc.

    You can allow or deny traffic coming from the “Any” zone to access the built-in services.


    In your case, if you would like to deny DNS queries from the WAN side, you can create this rule to block them:

    From: WAN, To: ZyWALL, Service: DNS, Action: Deny.


  • USG_User
    Hi Stan,
    Thanks for your reply. The above-mentioned rule is clear so far, but doesn't explain what I'm interested in. Furthermore, we don't maintain a "Deny strategy" where all is allowed until we define a Deny rule. With us, all is denied by a default rule until we allow traffic by a separate rule.

    When creating a rule "Any to WAN", does it include "WAN to WAN", too? In our DNS example, does it mean that external DNS queries from the Internet to our public IP will be redirected by the USG back to the Internet again? This would be the conclusion if you say "ANY" always also contains the WAN zone.

    When allowing DNS queries from all internal zones to the Internet, I would like to use "Any to WAN" to save separate single rules for each internal zone to WAN. But in that case "Any to WAN" should exclude "WAN to WAN", since "WAN" is already set as the destination in "ANY to WAN", shouldn't it?

  • Zyxel_Stanley

    Hi @USG_User  

    As for your question: does it mean that external DNS queries from the Internet to our public IP will be redirected by the USG back to the Internet again?

    The answer is no, because the public IP address of the USG belongs to the USG itself.

    So it is in the “ZyWALL” zone, not the WAN zone.
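
The zone semantics Stanley describes in his two replies (“any” covers every zone except ZyWALL, including WAN; a packet addressed to one of the USG's own IPs lands in the ZyWALL zone, so an “Any to WAN” rule never matches it) can be checked with a small policy model. The following is an added illustrative example written for this page, not Zyxel firmware code or the poster's actual configuration; the zone networks, the device addresses (203.0.113.10 as the constructed public IP) and the sample packets are all made up. It also models the first post's observation that UDP packets with source port 0 are dropped before any policy rule is consulted, and it shows the consequence of “any” including WAN: a pure WAN-to-WAN transit packet does match an “Any to WAN” allow rule in this model (whether a real box would forward it also depends on routing, which is outside what the thread covers).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout (assumption for illustration, not the poster's real config).
LOCAL_ZONES = {
    "LAN1": ip_network("192.168.1.0/24"),
    "LAN2": ip_network("192.168.2.0/24"),
    "DMZ":  ip_network("10.10.10.0/24"),
}
# Addresses owned by the USG itself. Traffic *to* these is in the "ZyWALL" zone,
# the firewall's own built-in services (SSH, HTTPS, DNS proxy, ...).
DEVICE_IPS = {
    ip_address("203.0.113.10"),  # constructed public IP on the WAN interface
    ip_address("192.168.1.1"),
    ip_address("192.168.2.1"),
    ip_address("10.10.10.1"),
}
ZYWALL, WAN = "ZyWALL", "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str  # zone name or "any"
    dst_zone: str  # zone name, "ZyWALL" or "any"
    service: str   # "DNS" or "any"
    action: str    # "allow" or "deny"


def zone_of(ip):
    """Classify an address: the USG's own IPs are ZyWALL, local subnets their zone,
    everything else is WAN."""
    if ip in DEVICE_IPS:
        return ZYWALL
    for name, net in LOCAL_ZONES.items():
        if ip in net:
            return name
    return WAN


def zone_matches(selector, zone):
    # "any" is every zone *except* ZyWALL; WAN is included.
    if selector == "any":
        return zone != ZYWALL
    return selector == zone


def service_matches(selector, pkt):
    if selector == "any":
        return True
    if selector == "DNS":
        return pkt.proto in ("udp", "tcp") and pkt.dport == 53
    raise ValueError(f"unknown service {selector}")


def evaluate(rules, pkt, default="deny"):
    """First matching rule wins; the poster's allow-list strategy means the
    default is deny. Returns (action, reason)."""
    if pkt.proto == "udp" and pkt.sport == 0:
        # Malformed, dropped before policy lookup (as observed in the first post).
        return ("deny", "malformed: UDP source port 0")
    src_zone, dst_zone = zone_of(ip_address(pkt.src)), zone_of(ip_address(pkt.dst))
    for n, r in enumerate(rules, 1):
        if (zone_matches(r.src_zone, src_zone)
                and zone_matches(r.dst_zone, dst_zone)
                and service_matches(r.service, pkt)):
            return (r.action, f"rule {n}: {r.src_zone}->{r.dst_zone} {r.service} ({src_zone}->{dst_zone})")
    return (default, f"default {default} ({src_zone}->{dst_zone})")


# Stanley's explicit deny first (redundant under default deny, but harmless),
# then the single "Any to WAN" DNS allow the poster wants instead of one rule per zone.
POLICY = [
    Rule("WAN", "ZyWALL", "DNS", "deny"),
    Rule("any", "WAN", "DNS", "allow"),
]

# Constructed sample traffic.
CASES = {
    "lan1_to_internet_dns":  Packet("192.168.1.50", "8.8.8.8", "udp", 40000, 53),
    "dmz_to_internet_dns":   Packet("10.10.10.5", "8.8.8.8", "udp", 41000, 53),
    "internet_to_public_ip": Packet("198.51.100.7", "203.0.113.10", "udp", 5353, 53),
    "internet_sport_zero":   Packet("198.51.100.7", "203.0.113.10", "udp", 0, 53),
    "wan_to_wan_transit":    Packet("198.51.100.7", "1.1.1.1", "udp", 4444, 53),
    "lan1_ssh_to_firewall":  Packet("192.168.1.50", "192.168.1.1", "tcp", 50000, 22),
}


def run_cases(rules=POLICY):
    return {name: evaluate(rules, pkt) for name, pkt in CASES.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_cases().items():
        print(f"{name:24} {action:5} {reason}")
```

Running it shows the two points of the thread side by side: the internal-zone queries are allowed by the one “any to WAN” rule, while the query from the Internet to the public IP is classified as WAN to ZyWALL and is denied (by Stanley's rule, or by the default deny if that rule is removed, as `run_cases(POLICY[1:])` shows). The “any to WAN” rule also never grants anything to the firewall's own services from the inside.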
