LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

In a firewall's typical default ruleset, why does Inside → Outside (Internet) traffic already work without you adding a rule, while DMZ traffic is blocked until you write explicit rules?

This is a zone-based enterprise/lab firewall (here a Palo Alto PA-440 with three security zones: Inside, DMZ, Outside) — not a home/SOHO router, whose consumer firmware works differently. On such a firewall the default config already ships with a rule permitting all Inside → Outside connections, so internal clients can reach the Internet out of the box. The DMZ, by contrast, is "completely walled off" — every connection in or out of the DMZ must be explicitly allowed.

Why the difference — trust levels between zones:

The rule of thumb for a zone-based firewall is that traffic from a higher-trust zone to a lower-trust zone is permitted by default (or by a pre-built rule), while traffic into a higher-trust zone, or in/out of the semi-trusted DMZ, is denied until you author a rule. Inside is the trusted zone, Outside (Internet) is untrusted, and the DMZ is a semi-trusted middle ground that hosts public services — so it is locked down in both directions.

What the default config gives you:

"Für Verbindungen von Inside nach Outside besteht bereits eine Regel, welche standardmässig eingerichtet ist und alle Verbindungen erlaubt. Die DMZ jedoch ist komplett abgeschottet. Jede Verbindung nach innen und aussen muss explizit erlaubt werden."

Flow Default behavior Why
Inside → Outside Allowed by a pre-built rule Internal users normally need outbound Internet; convenient default
Outside → Inside Denied Unsolicited inbound is the classic attack vector
Inside ↔ DMZ Denied DMZ hosts public services and is treated as untrusted
Outside → DMZ Denied Must be explicitly published (e.g. web server on tcp/80)

The important nuance — outbound allow ≠ Internet works:

Even with the Inside→Outside firewall rule, internal clients still can't get replies from the Internet until SNAT is configured — the firewall rule permits the traffic, but without source translation the return packets are addressed to private IPs and dropped. Firewall policy and NAT are two separate gates; a packet must pass both.

Why the DMZ is the strict one:

The DMZ hosts the publicly reachable web server — exactly the box most likely to be compromised. Walling it off by default means a breached web server cannot reach the file server or staff PCs unless a rule explicitly allows it, containing the blast radius.

Tip: When a task says "make the web server reachable from the staff network" or "let the web server reach an external FTP server," that's because DMZ traffic is default-deny in both directions — you must author a rule for each required flow.

Go deeper:

  • doc DMZ (computing) (Wikipedia) — the default-deny DMZ posture that explains why the DMZ is walled off while outbound Inside traffic flows.

From Quiz: INTROL / Firewall Basics Lab (Palo Alto PA-440) | Updated: Jul 14, 2026