Ordinary firewall rule sets are applied on a per-interface basis to act as a packet filter for the interface.

Firewall rule sets are assigned to traffic flowing in one direction between two zones. For example, firewall FW_A_TO_B is applied to traffic from ZONE_A to ZONE_B.

In a zone-based firewall, interfaces are grouped into security "zones", where each interface in a zone has the same security level.

Traffic flowing between interfaces includes within the same zone is not filtered; traffic flows freely because the interfaces share the same security level.

The following figure shows an example of a zone-based firewall implementation. This example has these characteristics:

• Three transit zones exist (that is, points where traffic transits the router): the private zone, the demilitarized zone (DMZ), and the public zone.
• The dp0p1p4 interface lies in the public zone; the dp0p1p1 and dp0p1p2 interfaces lie in the private zone; and the dp0p1p3 interface lies in the DMZ.
• The arrows from one zone to another zone represent traffic-filtering policies that are applied to traffic flowing between zones.
• Traffic flowing between LAN 1 and LAN 2 remains within a single security zone. Thus, traffic from LAN1 to LAN2, and conversely, flows unfiltered.

In addition to the three transit zones in the preceding figure, there is a fourth zone: the local zone. The local zone is the router itself. By default, all traffic coming into the router and originating from the router is allowed.

You can, however, configure traffic-filtering policies that allow traffic to the local zone from specific zones, and likewise from the local zone to only specific zones. As soon as you apply a filtering policy that explicitly allows traffic destined to the local zone from another zone, traffic from all other zones to the local zone is dropped unless explicitly allowed by a filtering policy. Similarly, as soon as you apply a filtering policy that allows traffic originating from the local zone to another zone, traffic to all other zones is dropped unless explicitly allowed by a filtering policy.

Note the following additional points about zone-based firewalls:

• An interface can be associated with only one zone.
• An interface that belongs to a zone cannot have an interface-based firewall rule set applied to it, not the converse.
• Traffic between interfaces that do not belong to any zone flows unfiltered, and interface-based firewall rule sets can be applied to those interfaces.
• Traffic between interfaces that do not belong to any zone is not filtered by a zone-based firewall.
• Traffic between interfaces where only one interface is in a zone is always dropped.
• By default, all traffic to a zone is dropped unless explicitly allowed by a filtering policy for a source zone (from_zone).
• Filtering policies are unidirectional; they are defined as a “zone pair” that identifies the zone from which traffic is sourced (from_zone ) and the zone to which traffic is destined (to_zone ). In the preceding figure, these unidirectional policies can be seen as follows:
  • From private to DMZ
  • From public to DMZ
  • From private to public
  • From DMZ to public
  • From public to private
  • From DMZ to private