WatchGuard System Manager
Proxy Policies
This section reviews the proxy policies supplied by WatchGuard® System Manager. Unlike a packet filter, which decides on header fields alone, a proxy policy opens each packet, inspects the application-layer content, strips out forbidden data types, and then rebuilds the packets with the proxy's own source and destination headers before forwarding them.
You configure and activate proxies the same way you add packet filter policies.
DNS-proxy
Domain Name Service (DNS) matches host names to IP addresses. The DNS proxy policy examines the contents of DNS packets to help protect your DNS servers from malformed or malicious queries. It restricts the types of operation allowed in a DNS query and can match query names against specified patterns.
Characteristics
• Internet Protocol(s): TCP, UDP
• Port Number(s): TCP 53, UDP 53
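The following is an added example, not WatchGuard code: a minimal DNS-query inspector that does the two things the DNS proxy description above names, restricting the operation type of a query and matching the query name against patterns. It parses the DNS header and the first question itself, so truncated or malformed messages are denied rather than passed through. The allowed opcodes, allowed query types, denied-name patterns and the sample packets are all constructed for this example.

```python
"""Added example (not WatchGuard code): inspect a raw DNS query the way a
DNS proxy policy would before forwarding it to the server behind it."""
import re
import struct

# Constructed policy values; assumptions for this example, not Fireware defaults.
ALLOWED_OPCODES = {0}                 # 0 = standard QUERY (1 IQUERY, 2 STATUS, 5 UPDATE denied)
ALLOWED_QTYPES = {1, 2, 5, 15, 28}    # A, NS, CNAME, MX, AAAA (e.g. 252 AXFR denied)
DENIED_NAME_PATTERNS = [
    re.compile(r"(^|\.)bad-example\.test$"),   # a blocked zone
    re.compile(r"^[0-9a-f]{32,}\."),           # long hex first label, tunnel-like
]


def build_query(name, qtype, opcode=0, txid=0x1234):
    """Build a one-question DNS query; used only to construct sample input."""
    labels = b"".join(struct.pack("B", len(lbl)) + lbl.encode() for lbl in name.split("."))
    header = struct.pack("!HHHHHH", txid, (opcode << 11) | 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    """Return (opcode, lower-cased name, qtype) from the header and first question."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    if qdcount < 1:
        raise ValueError("no question")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            # Labels are at most 63 bytes; 0xC0 marks a compression pointer,
            # which has no business in a question name.
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return opcode, ".".join(labels).lower(), qtype


def inspect_query(msg):
    """Return 'allow' or 'deny: <reason>' for one DNS message under the policy."""
    try:
        opcode, name, qtype = parse_query(msg)
    except ValueError as exc:
        return f"deny: malformed ({exc})"
    if opcode not in ALLOWED_OPCODES:
        return f"deny: opcode {opcode}"
    if qtype not in ALLOWED_QTYPES:
        return f"deny: qtype {qtype}"
    for pattern in DENIED_NAME_PATTERNS:
        if pattern.search(name):
            return f"deny: name {name}"
    return "allow"


if __name__ == "__main__":
    for sample in (build_query("www.example.test", 1),
                   build_query("host.bad-example.test", 1),
                   build_query("www.example.test", 252),
                   build_query("www.example.test", 1, opcode=5),
                   b"\x12\x34"):
        print(inspect_query(sample))
```

The order of the checks matters in practice: a message is parsed fully before any allow decision, so a query that cannot be decoded never reaches the server, and the opcode check runs before the name check so a dynamic UPDATE is refused regardless of the name it carries.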
FTP-proxy
File Transfer Protocol (FTP) is used to send files from one computer to another over a TCP/IP network. The FTP client is usually a user's computer; the FTP server can be a resource that keeps files on the same network or on a different network. The client opens the control connection to the server on TCP port 21, and each file transfer uses a separate data connection in one of two modes: active or passive. In active mode, the server opens the data connection to the client from source port 20. In passive mode, the client opens the data connection to a port the server announced on the control connection. The Fireware FTP proxy monitors and scans these FTP connections between your users and the FTP servers they connect to.
Characteristics
• Internet Protocol(s): TCP
• Port Number: 21
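The following is an added example, not WatchGuard code, of the bookkeeping an FTP proxy has to do while it watches the port 21 control connection: it decodes the client's PORT command (active mode) and the server's 227 reply (passive mode) into the data connection that is about to follow, and applies the checks a proxy wants before opening that connection, namely that the advertised address belongs to the side that sent it (otherwise the request is an FTP bounce aimed at a third host) and that the port is unprivileged. The addresses, the session transcript and the `audit_session` helper are constructed for this example.

```python
"""Added example (not WatchGuard code): derive and vet the data connection
negotiated on an FTP control channel, as a proxy watching port 21 must."""
import re

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 reply (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (host, port), or None if malformed."""
    match = HOSTPORT.search(text)
    if not match:
        return None
    octets = [int(x) for x in match.groups()]
    if any(o > 255 for o in octets):
        return None
    host = ".".join(str(o) for o in octets[:4])
    return host, octets[4] * 256 + octets[5]


def expected_data_connection(line, client_ip, server_ip):
    """
    Given one control-channel line and the addresses of the two control
    endpoints, return (mode, initiator, (dst_ip, dst_port)) for the data
    connection the proxy should permit, or raise ValueError if the line is
    inconsistent with the connection that carried it.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        hostport = parse_hostport(line[5:])
        if hostport is None:
            raise ValueError("malformed PORT")
        host, port = hostport
        if host != client_ip:
            raise ValueError(f"PORT address {host} is not the client {client_ip} (bounce attempt)")
        if port < 1024:
            raise ValueError(f"PORT to privileged port {port}")
        # Active mode: the server connects from port 20 to the client's advertised port.
        return "active", "server", (host, port)
    if line.startswith("227"):
        hostport = parse_hostport(line)
        if hostport is None:
            raise ValueError("malformed 227 reply")
        host, port = hostport
        if host != server_ip:
            raise ValueError(f"227 address {host} is not the server {server_ip}")
        if port < 1024:
            raise ValueError(f"PASV to privileged port {port}")
        # Passive mode: the client connects from an ephemeral port to the server's advertised port.
        return "passive", "client", (host, port)
    raise ValueError("not a data-channel negotiation line")


def audit_session(lines, client_ip, server_ip):
    """Walk a control-channel transcript; return (allowed, rejected) data connections."""
    allowed, rejected = [], []
    for raw in lines:
        line = raw.strip()
        if not (line.upper().startswith("PORT ") or line.startswith("227")):
            continue  # other commands and replies carry no data-channel endpoint
        try:
            allowed.append(expected_data_connection(line, client_ip, server_ip))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return allowed, rejected


# Constructed transcript: client 192.0.2.10 talking to server 198.51.100.5.
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.5"
SESSION = [
    "220 ftp.example.test ready",
    "USER anonymous", "331 Please specify the password.",
    "PASS guest", "230 Login successful.",
    "PORT 192,0,2,10,4,1", "200 PORT command successful.",          # active, port 1025
    "RETR file.txt", "150 Opening data connection.", "226 Transfer complete.",
    "PASV", "227 Entering Passive Mode (198,51,100,5,195,80).",      # passive, port 50000
    "PORT 203,0,113,9,0,25", "200 PORT command successful.",         # bounce at a third host
]

if __name__ == "__main__":
    ok, bad = audit_session(SESSION, CLIENT_IP, SERVER_IP)
    for entry in ok:
        print("allow", entry)
    for line, reason in bad:
        print("reject", line, "->", reason)
```

Note that the proxy learns the data endpoint only by reading the control channel, which is why the FTP proxy characteristics list port 21 alone: the port 20 active-mode connection and the passive-mode ephemeral port are opened on demand from what the proxy has just parsed, and a PORT command naming any host other than the control-connection peer is exactly what a bounce scan looks like.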
H323-proxy
If you use Voice over IP (VoIP) in your organization, you can add an H.323 proxy policy to open the ports necessary to pass VoIP through your Firebox. This proxy policy is designed to work in a NAT environment, so that privately addressed conferencing equipment behind the Firebox remains protected.
H.323 is common on older videoconferencing equipment and voice installations. In H.323, the key call-management component is known as the "Gatekeeper." The H.323 proxy supports only peer-to-peer connections.
Characteristics
• Internet Protocol(s): TCP, UDP
• Port Number(s): TCP 1720, UDP 1719