Firewall

Overview

zWAN offers a basic stateful firewall for packet filtering. Packets can be filtered based on multiple conditions such as tuples, applications, time, fully qualified domain names (FQDNs), and web categories.

Functionality

The flow classifier module is used to configure firewall rules, determining whether to ACCEPT, DROP, REJECT, RETURN, or jump to a user-defined chain.

Rules can be configured for two types of traffic:

• SDWAN_INPUT – Rules determine which inbound traffic will be accepted or denied.
• SDWAN_FORWARD – Rules determine which forwarded traffic will be accepted or denied.

Users can also create custom chains and link them to the default chains mentioned above.

Add Chain

Add Rule

Action Types

• ACCEPT – Packets matching the filter are accepted and not checked against subsequent rules.
• DROP – Packets matching the filter are dropped without notifying the sender.
• RETURN – Packets are sent back to the originating chain for further rule processing.
• REJECT – Packets are rejected, and an error message is sent to the sender.
• CHAIN – Packets are forwarded to a custom chain for further rule processing.

Default Policy

If a packet does not match any firewall rules, the system applies the default policy for that chain, which is either ACCEPT or DROP. If a rule does not specify a target, it follows the default chain policy.

firewall_defaultpolicy_types.png” alt=”Default Policy” />

Established / Related Connections

The firewall tracks established connections to optimize processing:

• Established: Packets belong to an existing connection and are automatically allowed.
• Related: Packets are new but associated with an existing connection and are permitted.

Advanced Options

Users can enable or disable global firewall settings, such as:

• Blocking HTTP traffic
• Blocking ICMP ping on WAN interfaces
• Allowing local user interface traffic on WAN interfaces

Usage

The firewall is designed to prevent unauthorized access to or from an external network, ensuring secure communication.

Known Limitations

Some functionalities may be restricted based on the zWAN hardware or software configuration.