4. Firewall Features

The 6tcw uses a Rules and Services firewall model with eighteen pre-configured services for you to choose from for making Outgoing and Incoming filter rules. The Outgoing rules (Figure 3) apply to all LAN and WLAN clients by default, but you can define a custom service (Figure 4) if you want to limit the allowed source and destination IP addresses for a service.

Figure 3: Outgoing Firewall
(click on the image for a full-sized view)

WatchGuard hasn't put a hard limit on the number of custom services that can be defined (although if you define enough you'll eventually run up against memory limits), but I wish they had included the port / protocol information for the pre-defined services to save having to look them up.

Figure 4: Custom Service example
(click on the image for a full-sized view)

Neither the Incoming nor Outgoing rules are schedulable and you can't control logging for rule matches. Outbound port triggering also isn't supported, nor is UPnP.

I was really confused by the DMZ / Pass-Through feature. I assumed it worked like any other DMZ - essentially placing one LAN IP address on the WAN side of the firewall. But when I tried it, I found Internet access was cut off for that machine. A look at the documentation said that only a public IP address could be used, which still has me scratching my head! As far as I can see, this feature doesn't work like a "normal" DMZ does.

The product also includes an IP address-based Blocked Sites feature - with no hard limit on the number of blocked sites - which you can replace or enhance by purchasing WatchGuard's optional WebBlocker package ($49), which will cover all 10 of the 6tcw's licensed "seats". WatchGuard also throws in a one year trial license (for one client only) to McAfee's VirusScan ASaP anti-virus service. If you like it, a 10 seat license will set you back $325.