Let me try this: let's say you want to allow the following applications:
ssl, web-browsing, and dns, and don't put in any service/ports. The firewall will allow traffic that it sees as DNS only on port 53, web-browsing only on port 80, and ssl only on port 443. If DNS tries to use any other port, it will be blocked.
If you put in a policy that allows applications ssl, web-browsing, and dns and ports 53, 80, and 443, then the firewall will allow any of those applications over any of those ports, i.e. DNS over 443, 80, or 53.
So by not using a specific service/port, you are making your security policy that much stronger. If you want to allow an application, say DNS over port 443, you will need to have a special policy that allows that. The firewall reads policies top down, left to right. Once it finds a match, that's what it will use.
Hope that makes sense.
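An added worked example, not from the original post and not Palo Alto Networks' code: a small Python model of the behaviour described above, i.e. a rulebase evaluated top down with first match wins, where a rule's service is either "application-default" or an explicit set of ports. The application names, their single default ports, the rule names and the sample flows are all constructed for the example (real App-ID application-default settings for some applications cover more than one port).

```python
# Added example (not from the original post or from Palo Alto Networks):
# a simplified model of how a first-match security rulebase treats
# service "application-default" versus an explicit list of ports.
# Application names, default ports, rule names and flows are constructed.
from dataclasses import dataclass

# Default port for each application in this model (constructed; real
# application-default settings for some apps cover several ports).
APPLICATION_DEFAULT_PORTS = {
    "dns": frozenset({53}),
    "web-browsing": frozenset({80}),
    "ssl": frozenset({443}),
}

APPLICATION_DEFAULT = "application-default"


@dataclass(frozen=True)
class Rule:
    name: str
    applications: frozenset        # applications this rule covers
    service: object                # APPLICATION_DEFAULT or a frozenset of ports
    action: str = "allow"          # "allow" or "deny"


def rule_matches(rule: Rule, app: str, port: int) -> bool:
    """A rule matches when the identified application is listed and the
    destination port is permitted by the rule's service."""
    if app not in rule.applications:
        return False
    if rule.service == APPLICATION_DEFAULT:
        # Only the application's own standard port(s) are allowed.
        return port in APPLICATION_DEFAULT_PORTS.get(app, frozenset())
    # Explicit service: any listed port is fine for any listed application.
    return port in rule.service


def evaluate(rulebase: list, app: str, port: int) -> tuple:
    """Walk the rulebase top down and return (rule name, action) of the
    first match; traffic that matches nothing hits the implicit deny."""
    for rule in rulebase:
        if rule_matches(rule, app, port):
            return rule.name, rule.action
    return "implicit-deny", "deny"


APPS = frozenset({"ssl", "web-browsing", "dns"})

# Rulebase 1: applications only, service left at application-default.
STRICT = [Rule("allow-apps", APPS, APPLICATION_DEFAULT)]

# Rulebase 2: same applications plus explicit ports 53, 80 and 443.
LOOSE = [Rule("allow-apps", APPS, frozenset({53, 80, 443}))]

# Rulebase 3: the strict rulebase plus a dedicated exception for DNS over
# 443, placed above the general rule so it is matched first.
WITH_EXCEPTION = [
    Rule("allow-dns-over-443", frozenset({"dns"}), frozenset({443})),
    Rule("allow-apps", APPS, APPLICATION_DEFAULT),
]

# Rulebase 4: the same exception placed below a deny that already covers
# DNS over 443; first match wins, so the exception is shadowed.
SHADOWED = [
    Rule("deny-dns-nonstandard", frozenset({"dns"}), frozenset({443}), "deny"),
    Rule("allow-dns-over-443", frozenset({"dns"}), frozenset({443})),
    Rule("allow-apps", APPS, APPLICATION_DEFAULT),
]

# Constructed sample flows: (identified application, destination port).
FLOWS = [("dns", 53), ("dns", 443), ("web-browsing", 80), ("ssl", 443), ("ssl", 8443)]


def verdicts(rulebase: list) -> dict:
    """Evaluate every sample flow against one rulebase."""
    return {flow: evaluate(rulebase, *flow) for flow in FLOWS}


if __name__ == "__main__":
    for label, rulebase in [("strict", STRICT), ("loose", LOOSE),
                            ("with-exception", WITH_EXCEPTION), ("shadowed", SHADOWED)]:
        print(label)
        for (app, port), (rule, action) in verdicts(rulebase).items():
            print(f"  {app}/{port} -> {action} by {rule}")
```

Running it shows the point of the post: under STRICT, DNS on 443 falls through to the implicit deny, under LOOSE the same flow is allowed by the one broad rule, and under WITH_EXCEPTION it is allowed only because a narrow rule for exactly that combination sits above the general one. The SHADOWED rulebase is the ordering caveat: the exception exists but is never reached, so when adding a special-case rule, check what sits above it.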