User guide
Packet Filter Services
Reference Guide 57
DNS
Domain Name Service (DNS) maps host names to IP addresses. You will
probably not need to add a DNS service icon unless you maintain a public
DNS server behind the Firebox, since outgoing UDP traffic is enabled by
default. The DNS multi-service icon allows UDP DNS traffic, as well as
TCP zone transfers, to occur as specified. All of the usual logging options
can be used with DNS.
Characteristics
• Protocol: Multi: TCP (for server-server zone transfers) and UDP (for client-server lookups)
• Server Port(s): 53
• Client Port(s): ignore
• RFC: 883
Filtered-HTTP
The multi-service rule Filtered-HTTP combines configuration options for
incoming HTTP on port 80 with a rule allowing all outgoing TCP
connections by default. Using Filtered-HTTP will NOT result in applying
the HTTP proxy rule set to any traffic. To proxy HTTP traffic, use the
Proxied-HTTP service. We recommend that incoming HTTP be allowed
only to any public HTTP servers maintained behind the Firebox.
External hosts can be spoofed. WatchGuard cannot verify that these
packets were actually sent from the correct location. Configure
WatchGuard to add the source IP address to the Blocked Sites List
whenever an incoming HTTP connection is denied. All of the usual
logging options can be used with HTTP.
Characteristics
• Protocol: Multi (includes tcp and http)
• Client Port: ignore
• Port Number: 80
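As an added example (not WatchGuard code), the following models the two multi-service rules described above, DNS and Filtered-HTTP, including the recommended behaviour of adding a denied incoming HTTP source to the Blocked Sites List. The Firebox, Packet and host addresses are constructed for illustration; the real product evaluates its rule set internally.

```python
# Added example, not WatchGuard code: a model of the DNS and Filtered-HTTP
# multi-service rules on this page, including the Blocked Sites List behaviour.
# Hosts and addresses are constructed (RFC 1918 and RFC 5737 ranges).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    inbound: bool   # True when arriving on the external interface

@dataclass
class Firebox:
    public_dns: set     # internal DNS servers reachable from outside
    public_http: set    # internal HTTP servers reachable from outside
    blocked_sites: set = field(default_factory=set)

    def evaluate(self, pkt):
        """Return ("allow"|"deny", reason) for one packet, updating the Blocked Sites List."""
        if pkt.src in self.blocked_sites:
            return ("deny", "source on Blocked Sites List")
        if not pkt.inbound:
            # Outgoing UDP (DNS lookups) and outgoing TCP (Filtered-HTTP) are allowed by default.
            return ("allow", "outgoing traffic allowed by default")
        # DNS multi-service: UDP 53 lookups and TCP 53 zone transfers, only to public DNS servers.
        if pkt.dport == 53 and pkt.proto in ("udp", "tcp"):
            if pkt.dst in self.public_dns:
                return ("allow", "DNS zone transfer" if pkt.proto == "tcp" else "DNS lookup")
            return ("deny", "DNS to a non-public host")
        # Filtered-HTTP: incoming TCP 80 only to public HTTP servers; a denied
        # source is added to the Blocked Sites List, as the page recommends.
        if pkt.proto == "tcp" and pkt.dport == 80:
            if pkt.dst in self.public_http:
                return ("allow", "incoming HTTP to public server")
            self.blocked_sites.add(pkt.src)
            return ("deny", "incoming HTTP denied; source blocked")
        return ("deny", "no matching service")

def run_demo():
    # Evaluate constructed sample packets; returns the actions and the firewall state.
    fw = Firebox(public_dns={"10.0.0.53"}, public_http={"10.0.0.80"})
    pkts = [
        Packet("udp", "203.0.113.5", "10.0.0.53", 53, True),    # lookup: allow
        Packet("tcp", "203.0.113.5", "10.0.0.53", 53, True),    # zone transfer: allow
        Packet("tcp", "198.51.100.7", "10.0.0.80", 80, True),   # public web server: allow
        Packet("tcp", "198.51.100.9", "10.0.0.99", 80, True),   # non-public host: deny, block
        Packet("udp", "198.51.100.9", "10.0.0.53", 53, True),   # now blocked: deny
        Packet("tcp", "10.0.0.20", "192.0.2.1", 443, False),    # outgoing TCP: allow
    ]
    return [fw.evaluate(p)[0] for p in pkts], fw
```

The fifth packet shows why the auto-block matters: once a source has been denied on port 80, even its otherwise-permitted DNS lookups are dropped.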