Access to local services from zones
With the local service ACL (access control list), you control access from custom and default zones to the management services of Sophos Firewall.
Here's the default configuration of the access control list. Allow access to the services from the zones listed here:
HTTPS: TCP port 4444
Allows access to the web admin console.
SSH: TCP port 22
Allows access to the command-line console.
HTTPS: TCP port 443
SSH: TCP port 22.
Captive portal: TCP port 8090
Client authentication: UDP port 6060
Allows the authentication of users and clients in the specified zones.
Allows ping requests to the WAN IP address of Sophos Firewall.
Allows DNS resolution requests when Sophos Firewall is the DNS server.
Wireless protection: Allows access points in these zones to connect to Sophos Firewall.
Web proxy: Allows direct proxy traffic on port 3128.
In addition to acting as a transparent proxy, Sophos Firewall acts as a direct proxy by default. It listens on port 3128 for traffic from browsers configured to use it, for the destination ports specified in Web > General settings.
SMTP relay: Allows hosts and networks from these zones to use Sophos Firewall for outbound mail relay.
SSL VPN: TCP port 8443
To change the port, go to VPN > Show VPN settings.
We recommend that you don't use this port for other services. Even when you turn off WAN access for other local services, they remain accessible from the WAN zone if they use the SSL VPN port.
User portal: Allows users to access the user portal from this zone.
If you allow users to access the user portal from the WAN zone, it can compromise security.
Dynamic routing: Sends and receives dynamic routing updates from the selected zones.
SNMP: Select the zone in which the SNMP server is located.
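The SSL VPN port caveat above means the ACL checkboxes alone don't tell you what is reachable from the WAN zone. The following added example (not Sophos code) audits a configuration for that case; the Service data model, the zone assignments and the sample values are constructed for illustration and are not a Sophos export format or API.

```python
from dataclasses import dataclass, field

@dataclass
class Service:
    name: str
    proto: str                                  # "tcp" or "udp"
    port: int
    zones: set = field(default_factory=set)     # zones allowed in the ACL

SSL_VPN = "SSL VPN"  # hypothetical label used to find the SSL VPN entry

def audit_wan_exposure(services, wan="WAN"):
    """Return sorted (service name, reason) findings for the WAN zone."""
    vpn = next((s for s in services if s.name == SSL_VPN), None)
    findings = []
    for s in services:
        if s.name == SSL_VPN:
            continue
        if wan in s.zones:
            findings.append((s.name, "allowed from WAN in the ACL"))
        elif vpn and (s.proto, s.port) == (vpn.proto, vpn.port):
            # WAN access is off in the ACL, but the service uses the
            # SSL VPN port, so it remains accessible from the WAN zone.
            findings.append(
                (s.name, f"WAN off, but shares SSL VPN port {vpn.proto}/{vpn.port}"))
    return sorted(findings)

# Constructed sample: ports follow the defaults listed on this page, except
# the user portal, which was moved to 8443 to show the collision.
SAMPLE = [
    Service("Web admin console", "tcp", 4444, {"LAN", "WAN"}),
    Service("SSH", "tcp", 22, {"LAN"}),
    Service("Captive portal", "tcp", 8090, {"LAN", "WiFi"}),
    Service("Client authentication", "udp", 6060, {"LAN"}),
    Service("Web proxy", "tcp", 3128, {"LAN"}),
    Service("User portal", "tcp", 8443, {"LAN"}),
    Service(SSL_VPN, "tcp", 8443, {"WAN"}),
]

if __name__ == "__main__":
    for name, reason in audit_wan_exposure(SAMPLE):
        print(f"{name}: {reason}")
```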