I have a client using BorderManager 3.5 to control internet access by
users/groups and provide a firewall. They make frequent, temporary
changes to the ports that are open for access to gaming sites, etc.
When I originally set up the server, I controlled most of this with
filter exceptions, but now think it would be easier for them to use
access rules in the proxy to control this (manually adding filter
exceptions and packets is difficult for them). I have renamed
filters.cfg and re-created the default public interface filters using
brdcfg. My confusion is over what you use proxy access rules for vs
filter exceptions. I thought that after adding the default filters
back, common services like icmp, dns, smtp/pop would pass OK. What I
found was that I had to manually add the filter exceptions for icmp to
ping, add the dns proxy for name resolution, and add smtp/pop stateful
filters for email (after adding these as access rules in the proxy
first) so it appears that filters are the first block to clear. When a
new software application needs port xx open, how do you make the
determination as to where to do this, in access rules, or packet
filters, or both? Or adding a generic proxy entry?