Note that the screen captures for this page are taken from an older version of the Firewall module and don't reflect recent GUI changes.
The Firewall service implements a Deny-By-Default design. This means that the only time a packet will be accepted is if you have explicitly granted permission for that service to be visible to clients in a zone. Everything else is blocked.
The only minor exclusion to that rule is that RTP traffic is always accepted, on every interface. RTP has almost zero attack surface, and having a large range of ports helps alleviate the only attack surface, which is spoofing audio streams. We urge you not to reduce the default RTP port range (10000-20000), and not to attempt to firewall the RTP ports by any other means.
The Smart Firewall continually monitors for changes to trunks and endpoints, and automatically grants permission to defined hosts and trunks. There is no need to do any extra configuration, simply configuring the trunk as normal will ensure that the peer has access to the protocol it is registered for.
Permissions to access various services are granted to zones, and then networks or hosts are linked to zones.
Let's step through setting up a remote network with unfiltered access to SIP, UCP, WebRTC and XMPP. We're assuming that all remote clients are going to want these services, so we'll grant these to 'Other', and leave 'External' (which is our network interface default zone) with only HTTPS and UCP access.
(Note that XMPP is on the 'Extra Services' tab)
We now assign a specific network to 'Other', in the Networks tab of the Zones page, and click on the green + symbol to add it.
You can also add hostnames, which, among other things, can be used for DDNS clients.
Note that changes are applied immediately.