Ok, so I asked for that -- don't ask the right question,
don't get the answer you expect :)
Let me put this another way....
Let's say we have a PC-based network, servers and
workstations. You want to give the user community access to
the Internet from their PC Workstations for things like
FTP, Telnet, Gopher, Mosaic, Finger, Ping (All of which will
be windows apps). People will not be running X; it will be
against policy to run a host on the network (at least for a
user to run a host, there will be servers of course).
It would be -easy- to firewall *IF* all telnets were on port
23 and all gophers were on port 70, but they are not :(
I'm looking for the easiest (and safest) way to give people
access to "all" telnets and gophers without having to allow
individual ports for each non-standard telnet/gopher out
there. The simple solution (security issues aside) would
seem to be to allow outbound "well-known" ports (ones they
should have access to) below 1023 as well as all ports above
1024 while at the same time blocking all inbound ports below
1023. Of course the simplest solution is usually not the
I'm trying to come up with ideas as to what is the "best"
all around solution... provides security, provides users
with what they want and is not an undue burden on staff.
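As an added illustration (example code, not part of the original post and not
by its author): a small Python simulation of the rule set the post sketches,
allow outbound to chosen well-known ports and to every port above 1024, block
inbound to ports below 1024, run over a constructed set of packets, beside a
simple stateful variant for comparison. The set of permitted low ports, the
handling of ping, and where the 1023/1024 boundary falls are assumptions made
here, since the post does not pin them down.

```python
"""Added simulation of the packet-filter policy sketched in the post above.
Example code, not from the original post. The allowed-port set, the ping
handling and the privileged-port boundary are assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: the low ports users "should have access to" (ftp, telnet,
# gopher, finger, http). The post does not enumerate them.
ALLOWED_LOW_OUT = {21, 23, 70, 79, 80}
PRIV_MAX = 1023  # assumption: ports <= 1023 are privileged, above are not


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": workstation -> Internet, "in": Internet -> workstation
    proto: str       # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False  # TCP SYN without ACK (new connection); informational only,
                       # a port-based filter does not look at it


def stateless_filter(p: Packet) -> bool:
    """The rule set as proposed, with no memory of earlier packets."""
    if p.proto == "icmp":  # assumption: ping (echo request/reply) allowed both ways
        return True
    if p.direction == "out":
        return p.dport in ALLOWED_LOW_OUT or p.dport > PRIV_MAX
    return p.dport > PRIV_MAX  # inbound: only unprivileged destination ports


class StatefulFilter:
    """Comparison filter (not from the post): same outbound rule, but inbound
    packets are admitted only as replies to an outbound flow seen earlier."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, int]] = set()

    def check(self, p: Packet) -> bool:
        if p.proto == "icmp":
            return True
        if p.direction == "out":
            if p.dport in ALLOWED_LOW_OUT or p.dport > PRIV_MAX:
                self.flows.add((p.proto, p.sport, p.dport))
                return True
            return False
        # Inbound: (our port, their port) must match a remembered outbound flow.
        return (p.proto, p.dport, p.sport) in self.flows


# Constructed traffic, evaluated in order (the stateful filter depends on it).
SCENARIOS = [
    ("telnet to port 23",                Packet("out", "tcp", 1500, 23, syn=True)),
    ("reply from telnet server",         Packet("in", "tcp", 23, 1500)),
    ("telnet to nonstandard port 2023",  Packet("out", "tcp", 1501, 2023, syn=True)),
    ("outbound smtp (not in list)",      Packet("out", "tcp", 1502, 25, syn=True)),
    ("inbound to workstation port 23",   Packet("in", "tcp", 40000, 23, syn=True)),
    ("ftp control channel",              Packet("out", "tcp", 1503, 21, syn=True)),
    ("active ftp data from port 20",     Packet("in", "tcp", 20, 1504, syn=True)),
    ("unsolicited inbound to port 6000", Packet("in", "tcp", 40001, 6000, syn=True)),
]


def run_scenarios() -> dict[str, tuple[bool, bool]]:
    """Return {scenario name: (stateless verdict, stateful verdict)}."""
    stateful = StatefulFilter()
    return {name: (stateless_filter(p), stateful.check(p)) for name, p in SCENARIOS}


if __name__ == "__main__":
    for name, (a, b) in run_scenarios().items():
        print(f"{name:34s} stateless={'allow' if a else 'deny':5s} "
              f"stateful={'allow' if b else 'deny'}")
```

Running it shows what the port-only rule set buys and what it cannot see: the
nonstandard telnet on port 2023 and the reply from a real telnet server both pass,
outbound SMTP and an inbound connection to the workstation's port 23 are refused,
but an inbound SYN to any port above 1024 (the active-FTP data connection from
port 20, and equally an unsolicited connection to port 6000) is allowed because
the filter has no way to tell a reply from a new inbound connection. The
stateful comparison refuses both of those, which is also why it would need an
FTP-aware helper before active-mode FTP works through it.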