Skip to content

Firewall Zones

Introduction

About this Document

In this document we explain the various AXS Guard network zones, the default firewall behavior which applies to traffic between these zones and special cases where advanced firewall rules are required to bypass the default behavior of the AXS Guard firewall.

About the AXS Guard Firewall

The AXS Guard firewall is based on iptables. Detailed information about iptables is beyond the scope of this document. See the appropriate online references for tutorials and additional information.

Knowlegde of iptables is only required to configure advanced firewall rules on the system. Most rules and policies can be configured via the web-based administrator tool of the AXS Guard appliance. See the AXS Guard firewall manual for instructions.

Network Zones

Introduction

A network zone can be defined as a physical network to which the AXS Guard appliance is connected. There are 3 distinct network zones: the secure zone, the Internet zone and the DMZ. Each zone can consist of multiple networks, e.g. you can have more than 1 secure LAN or DMZ. Each zone is connected to the AXS Guard appliance via a dedicated network (eth) device.

Network Zones

Network Zone Description

Secure Zone (SEC)

The combination of all secure LAN and Virtual Private Network devices, e.g. IPsec, PPTP and OpenVPN devices. Hosts that are connected to the AXS GUARD appliance via a VPN connection are considered part of the secure zone. Devices in the secure zone have private IP addresses as defined in RFC 1918.

Internet Zone (INT)

All network devices that are connected to the Internet. Devices in the Internet zone have public IP addresses in most cases, except in NAT setups where private IPs are used.

Demilitarized Zone (DMZ)

Neutral zone where public and private services meet. This zone is directly accessible from the Internet, but strictly separated from the secure zone . It is typically used to host public services, such as web servers and SMTP servers. Devices in the DMZ can either have public or private IPs.

Default Firewall Behavior

By default, the following zone (network device) combinations are not allowed by the AXS Guard firewall because they are inherently insecure. To bypass this behavior, advanced firewall rules must be used.

  • Internet to secure zone

  • Internet to Internet

  • DMZ to secure zone

From / To

to SEC

to DMZ

to INT

From SEC

allowed

allowed

allowed

From DMZ

advanced firewall rules

allowed

allowed

From INT

advanced firewall rules

allowed (dmzf)

advanced firewall rules

Important

VPN tunnel devices, such as IPsec, PPTP and OpenVPN devices are part of the secure (SEC) zone.

Network Address Translation

While network packets travel from a source address to a destination address, routers such as the AXS Guard appliance which use NAT (Network Address Translation), alter the source and destination headers of the IP packets. In case of UDP and TCP, the source and destination ports can also be altered.

The different NAT types are explained in the AXS Guard system administrator guide.

Default NAT Actions

The AXS Guard applies pre-defined masquerading in the following order by default:

In Interface Out Interface Masquerading applied?

DMZ

Internet

No

Secure LAN

DMZ

Yes

Secure LAN

Internet

Yes

Predefined Masquerading Rules

If none of the above combinations match, the packet is either:

  • not masqueraded

  • blocked by the firewall

From To Action

LAN

LAN

ACCEPT

LAN

DMZ

MASQ

LAN

Internet

MASQ

DMZ

LAN

DROP

DMZ

DMZ

ACCEPT

DMZ

Internet

ACCEPT only if DMZ has public IP

Internet

LAN

DROP

Internet

DMZ

ACCEPT

Internet

Internet

DROP

Important

In some situations, the predefined masquerading rules do not suffice. Traffic towards the Internet originating from hosts with private IP addresses in the DMZ will be discarded if no masquerading is applied, because private IPs are reserved for hosts in private networks and are considered "non-routable".

In such cases, specific masquerade rules must be configured to allow traffic originating from these hosts to be routed over the Internet. See the system administrator manual for instructions.

Firewall Troubleshooting

Firewall Troubleshooting Flow Chart

Important

The IPS may still be blocking traffic allowed by the firewall. Check and update your IPS configuration if necessary.

Back to top