Well, I can say from experience that Checkpoint's FireWall-1 product is
very robust in this area. Their firewall, which employs stateful packet
inspection, uses a scripting language called INSPECT that is compiled
into the firewall kernel. This language is very easy to learn and you
can do anything with it. In fact, if you go to
http://www.checkpoint.com/products/supported/netshow.html there is an
example of modifying the FireWall to allow NetShow packets. Another
company I work with doesn't even use the GUI tools and writes its own
rules with INSPECT. Check it out.
>-----Original Message-----
>From: Wadzinski, Tom IS [SMTP:Tom.Wadzinski@heitman.com]
>Sent: Tuesday, April 15, 1997 4:01 PM
>To: firewalls@GreatCircle.COM
>Subject: opening arbitrary ports- bad idea, or acceptable?
>
>Hello,
>I have a question about TCP/UDP services not supported by a given
>firewall. When I search for the right firewall for our org, I often ask
>vendors about what happens if I have a service that their firewall doesn't
>support. With most vendors, they'll say, "Simple, create a 'rule' that
>says, basically: Open port xxx for whatever external (untrusted) sites
>you want to be able to communicate with whatever internal (trusted) sites
>you want." They act like this is no big deal, but isn't this really a
>large security risk, just allowing any traffic on a particular port to
>pass?
>
>
>My main goal is to create a fairly secure method of having remote users
>(who are running NT Workstation 4.0, etc.) access an NT domain through
>a firewall. If anyone has had success with users using dial-up
>networking to log in to an NT domain through a firewall, I would
>love to hear about it.
>
>
>Tom Wadzinski
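The difference between the vendor's "just open port xxx" answer that Tom quotes and the stateful packet inspection the reply mentions can be shown with a small model. The following is an added illustration written for this page, not FireWall-1 or INSPECT code and not from either poster; the addresses, port 5000, the prefix-style rule matching and the scenario packets are all constructed. It contrasts a static rule base (which needs a blanket outbound rule so replies can get back out) with a stateful one that records the connections its rules allow to open and admits only traffic belonging to those flows.

```python
"""Toy model of a static 'open port xxx' rule base versus stateful inspection.
Constructed illustration: not FireWall-1/INSPECT code; addresses and ports are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    src: str              # address prefix, or "any"
    dst: str
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "drop"


def _match(prefix: str, addr: str) -> bool:
    # Toy prefix match; a real filter would use proper CIDR masks.
    return prefix == "any" or addr.startswith(prefix)


class StatelessFilter:
    """Every packet is judged on its own against the static rules
    (the vendor's 'just open port xxx'). Default verdict is drop."""
    def __init__(self, rules):
        self.rules = list(rules)

    def filter(self, pkt: Packet) -> str:
        for r in self.rules:
            if _match(r.src, pkt.src) and _match(r.dst, pkt.dst) \
                    and (r.dport is None or r.dport == pkt.dport):
                return r.action
        return "drop"


class StatefulFilter(StatelessFilter):
    """Rules decide who may *open* a connection; everything else must belong
    to a flow already recorded in the state table."""
    def __init__(self, rules):
        super().__init__(rules)
        self.table = set()   # (src, sport, dst, dport) of accepted openers

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "accept"          # part of an established flow
        if not (pkt.syn and not pkt.ack):
            return "drop"            # stray or spoofed segment, not a connection opener
        verdict = super().filter(pkt)
        if verdict == "accept":
            self.table.add(fwd)      # remember the flow so replies can come back
        return verdict


def run_scenarios():
    """Return {scenario: (stateless_verdict, stateful_verdict)} for constructed packets."""
    partner, server, other = "192.0.2.10", "10.0.0.5", "198.51.100.9"
    # Static rule base: the internal side must also be opened outbound, or replies die.
    stateless = StatelessFilter([
        Rule(partner, "10.0.", 5000, "accept"),
        Rule("10.0.", "any", None, "accept"),
    ])
    # Stateful rule base: one rule; replies are justified by the state table.
    stateful = StatefulFilter([
        Rule(partner, "10.0.", 5000, "accept"),
    ])
    scenarios = [
        # ACK-only probe from the partner's address to a host that never spoke
        # to it: the static rule passes it, the stateful filter drops it.
        ("stray_inbound_ack", Packet(partner, 40000, "10.0.0.7", 5000, ack=True)),
        # Legitimate connection opener from the partner to the service.
        ("legit_open", Packet(partner, 40001, server, 5000, syn=True)),
        # The server's SYN/ACK reply; only the stateful filter can justify it
        # without a blanket outbound rule.
        ("legit_reply", Packet(server, 5000, partner, 40001, syn=True, ack=True)),
        # Internal host opening a connection to an unrelated outside site: the
        # blanket outbound rule passes it; the stateful rule base does not.
        ("unrelated_outbound", Packet(server, 5000, other, 40002, syn=True)),
    ]
    return {name: (stateless.filter(p), stateful.filter(p)) for name, p in scenarios}


if __name__ == "__main__":
    for name, (a, b) in run_scenarios().items():
        print(f"{name:18s} stateless={a:6s} stateful={b}")
```

The point of the model is the two rows where the verdicts differ: the static rule base has to be loosened (a blanket outbound rule) to make the service work at all, and that looseness is what lets unsolicited and unrelated traffic through, which is the risk Tom is asking about.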