What I would recommend in this case is, instead of using the "<Any>" service, to create a custom application and select all TCP and UDP ports. Using the "<Any>" service might work, but I can see problems if someone tries to pass traffic that is not in the application database.
Matt - thanks for following-up on this.
My only observation is that, as the customer's requirement is in part based around allowing these visiting guests free access to use VPN clients, it wouldn't simply be a case of allowing all TCP & UDP ports. Though, I guess, if this custom service were then accompanied by protocol 47 (for GRE) and protocols 50 & 51 (for IPSec), that does pretty much cover most eventualities, doesn't it?
I've just got to explain to someone who has had Sidewinder forced upon them (the outgoing IT director made ordering this Firewall his last piece of business before leaving and the new IT director is much more familiar with Cisco & Juniper Firewalls) that an "any" protocol service doesn't really exist on Sidewinder.
You could make a Service Group with these services:
- a custom service on TCP and UDP ports 1-65535
- IPSec/ESP (proto 50)
- IPSec AH (proto 51)
- GRE (proto 47)
That first service would cover L2TP and PPTP also (1701/tcp/udp and 1723/tcp).
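To make the coverage of this service group concrete, here is a small Python model of it. This is an added illustration, not a Sidewinder configuration and not vendor code: it represents each group member as an IP protocol number plus, for TCP/UDP, a port range, and evaluates a set of constructed sample flows (PPTP, L2TP, IKE/NAT-T, ESP, AH and ICMP) against the group. It goes slightly beyond the post by also checking IKE on 500/udp and NAT-T on 4500/udp, and it shows the one gap worth remembering: a group built from TCP, UDP, 47, 50 and 51 still does not cover ICMP, so guests will not be able to ping unless an ICMP service is added.

```python
"""Model of the 'any'-style service group suggested above (added example).

Not a Sidewinder configuration or vendor code. A service-group member is
modelled as an IP protocol number plus, for TCP/UDP, a port range; constructed
sample flows are then checked against the group to show what it permits and
what it still leaves out (ICMP, for instance).
"""
from dataclasses import dataclass
from typing import Optional

# IANA-assigned IP protocol numbers used below.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_GRE, PROTO_ESP, PROTO_AH = 47, 50, 51


@dataclass(frozen=True)
class Service:
    """One group member: an IP protocol and, for TCP/UDP only, a port range."""
    name: str
    protocol: int
    ports: Optional[range] = None  # None: the protocol has no port concept

    def matches(self, protocol: int, dport: Optional[int]) -> bool:
        if protocol != self.protocol:
            return False
        if self.ports is None:
            return True  # GRE/ESP/AH: the protocol number alone decides
        return dport is not None and dport in self.ports


# The group from the post: all TCP and UDP ports plus ESP, AH and GRE.
GUEST_VPN_GROUP = (
    Service("custom-all-tcp", PROTO_TCP, range(1, 65536)),
    Service("custom-all-udp", PROTO_UDP, range(1, 65536)),
    Service("ipsec-esp", PROTO_ESP),
    Service("ipsec-ah", PROTO_AH),
    Service("gre", PROTO_GRE),
)


def permitting_service(protocol: int, dport: Optional[int] = None,
                       group=GUEST_VPN_GROUP) -> Optional[str]:
    """Return the name of the first member that permits the flow, or None."""
    for svc in group:
        if svc.matches(protocol, dport):
            return svc.name
    return None


# Constructed sample flows a visiting guest's VPN client might generate
# (illustrative values, not captured traffic).
SAMPLE_FLOWS = {
    "pptp control 1723/tcp": (PROTO_TCP, 1723),
    "pptp data (gre)": (PROTO_GRE, None),
    "l2tp 1701/udp": (PROTO_UDP, 1701),
    "ike 500/udp": (PROTO_UDP, 500),
    "nat-t 4500/udp": (PROTO_UDP, 4500),
    "esp": (PROTO_ESP, None),
    "ah": (PROTO_AH, None),
    "icmp echo (ping)": (PROTO_ICMP, None),
}


def evaluate(flows=SAMPLE_FLOWS) -> dict:
    """Map each flow label to the permitting service name, or None if not covered."""
    return {label: permitting_service(p, d) for label, (p, d) in flows.items()}


if __name__ == "__main__":
    for label, result in evaluate().items():
        print(f"{label:24} -> {result or 'NOT covered by group'}")
```

Running it lists every VPN-related flow as covered by one of the five members and only the ICMP echo as uncovered. The model is first-match, which is enough here because the members are disjoint by protocol; it also shows that port 0 falls outside the 1-65535 range, which matches how the custom service in the post is defined.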
Many Thanks, Sam.
I'll give that a try.
Further update -
I have implemented your suggestion and this does seem to work, based on my tests so far.
Connecting a test machine to the intended "Guest" interface on the Firewall, I have been able to get the following working:
- General web access.
- POP3 mail access.
- SMTP mail access.
- Skype (something with a notoriously 'I don't care' attitude to which protocols it tries to use in order to get out).
- TeamViewer Remote Support application (also known to be very port-agile).
- PPTP client VPN connection back to the PPTP service I have running on my Firewall at home.
So, all in all, I'd consider that to be a more than reasonable success.