This made me shudder a little, but this is a request from a customer whose Firewall appliance I am currently in the middle of pre-configuring.
The customer has a very basic requirement, which does make sense. He'd like visiting contractors to be able to connect to his guest WiFi network and then be able to connect out to the internet without any restrictions at all. In all the years I've worked with Sidewinder (and its predecessors) there hasn't really been a concept of an "any-any" rule that I've been aware of.
The understanding is that these users will be connected to a separate interface on the Firewall and will therefore have no visibility of the internal LAN or any DMZs for that matter. But they may be using all manner of VPN client solutions in order to be able to connect back to their own networks and will therefore require completely unobstructed access to the internet - the only thing we'll need to do is to apply NAT to the rule so that an appropriate public IP address is assigned as the traffic reaches the internet.
I've been looking at the Application list in v8 and there is an Infrastructure Service called <Any> - does this really mean anything? And if I were to create a rule from "Guest" zone to "external" zone using this "<Any>" service, will that then allow unobstructed access to the internet?
If it doesn't mean this, how would you go about achieving this?
What I would recommend in this case is instead of using "<Any>" service, I would create a custom application and select all TCP and UDP ports. Using "<Any>" service might work, but I can see problems if someone tries to pass traffic that is not in the application database.
Matt - thanks for following-up on this.
My only observation is that as the customer's requirement is in part based around allowing these visiting guests free access to use VPN clients, it wouldn't simply be a case of allowing all TCP & UDP ports. Though, I guess, if this custom service were then accompanied by protocol 47 (for GRE) and protocols 50 & 51 (for IPSec), that does pretty much cover most eventualities, doesn't it?
I've just got to explain to someone who has had Sidewinder forced upon them (the outgoing IT director made ordering this Firewall his last piece of business before leaving and the new IT director is much more familiar with Cisco & Juniper Firewalls) that an "any" protocol service doesn't really exist on Sidewinder.
You could make a Service Group with these services:
- a custom service on TCP and UDP ports 1-65535
- IPSec/ESP (proto 50)
- IPSec AH (proto 51)
- GRE (proto 47)
That first service would cover L2TP and PPTP also (1701/tcp/udp and 1723/tcp).
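As an added illustration (not from the original thread or the Sidewinder product), this Python model of the suggested Service Group checks which constructed sample flows it admits; protocol numbers are the IANA values, and the check shows that ICMP (ping, path-MTU messages) is not covered by the group.

```python
from dataclasses import dataclass
from typing import Optional

# IANA IP protocol numbers used by the Service Group described above.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_GRE, PROTO_ESP, PROTO_AH = 47, 50, 51


@dataclass(frozen=True)
class Service:
    name: str
    proto: int
    ports: Optional[range] = None  # None for port-less protocols (GRE/ESP/AH)


# The Service Group from the reply: all TCP/UDP ports plus GRE, ESP and AH.
GUEST_INTERNET_GROUP = [
    Service("all-tcp", PROTO_TCP, range(1, 65536)),
    Service("all-udp", PROTO_UDP, range(1, 65536)),
    Service("gre", PROTO_GRE),
    Service("ipsec-esp", PROTO_ESP),
    Service("ipsec-ah", PROTO_AH),
]


def matching_service(group, proto, dport=None):
    """Return the name of the first service that permits a flow, or None if it is dropped."""
    for svc in group:
        if svc.proto != proto:
            continue
        if svc.ports is None or (dport is not None and dport in svc.ports):
            return svc.name
    return None


def coverage_report(group, flows):
    """Map each (label, proto, dport) sample flow to the permitting service (None = dropped)."""
    return {label: matching_service(group, proto, dport) for label, proto, dport in flows}


# Constructed sample flows a visiting contractor's VPN client might generate (hypothetical).
SAMPLE_FLOWS = [
    ("https", PROTO_TCP, 443),
    ("pptp-control", PROTO_TCP, 1723),
    ("pptp-data-gre", PROTO_GRE, None),
    ("l2tp", PROTO_UDP, 1701),
    ("ike", PROTO_UDP, 500),
    ("ipsec-nat-t", PROTO_UDP, 4500),
    ("ipsec-esp", PROTO_ESP, None),
    ("icmp-echo", PROTO_ICMP, None),  # protocol 1 is not in the group, so it is dropped
]

if __name__ == "__main__":
    for label, svc in coverage_report(GUEST_INTERNET_GROUP, SAMPLE_FLOWS).items():
        print(f"{label:14s} -> {svc or 'NO MATCH (dropped)'}")
```

If the guests need ping or path-MTU discovery to work, an ICMP service would have to be added to the group as well.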
Further update -
I have implemented your suggestion and this does seem to work, based on my tests so far.
Connecting a test machine to the intended "Guest" interface on the Firewall, I have been able to use the following:
- General web access.
- POP3 mail access.
- SMTP mail access.
- Skype (something with a notoriously 'I don't care' attitude to which protocols it tries to use in order to get out).
- TeamViewer Remote Support application (also known to be very port-agile).
- PPTP client VPN connection back to the PPTP service I have running on my Firewall at home.
So, all in all, I'd consider that to be a more than reasonable success.