WatchGuard x1000 Reference Guide

CHAPTER 4: Types of Services
WatchGuard Firebox System
you must explicitly enable (by adding service icons) any outgoing services 
you intend to use. If you do not, outgoing TCP connections won’t work 
properly.
Characteristics
Protocol: TCP
Server Port(s): 80 (although servers can be run on any port, a common 
alternative is 8080, and Secure Socket Layer (SSL) connections are 
generally served on port 443)
Client Port(s): greater than 1023 
RFC: 1945
Common Scenarios
Scenario 1
Description
“Public” HTTP server on the optional network.
Icons in the Services Arena
An HTTP icon, with Incoming From Any to the HTTP server.
Scenario 2
Description
“Public” HTTP server on the trusted network.
Icons in the Services Arena
Even with dynamic NAT, the HTTP server must have a “public” 
address. Configuration is exactly the same as in Scenario 1.
Proxied-HTTP
Proxied-HTTP combines configuration options for HTTP on port 80 with 
a rule allowing all outgoing TCP connections by default. Using the 
Proxied-HTTP rule ensures that all outgoing HTTP traffic, regardless of 
port, will be proxied according to the HTTP proxy rules.
WatchGuard recommends that you allow incoming HTTP only to any 
public HTTP servers maintained behind the Firebox. External hosts can be