...

The only minor exception to that rule is that RTP traffic is always accepted, on every interface. RTP has almost zero attack surface, and a large port range helps mitigate the one attack it does expose, which is spoofing of audio streams. We urge you not to reduce the default RTP port range (10000-20000), and not to attempt to firewall the RTP ports by any other means.

Smart Firewall

The Smart Firewall continually monitors for changes to trunks and endpoints, and automatically grants permission to defined hosts and trunks. No extra configuration is needed: simply configuring the trunk as normal ensures that the peer has access to the protocol it is registered for.

Granting Access

Permissions to access various services are granted to zones, and then networks or hosts are linked to zones.  

Walkthrough

Let's step through setting up a remote network with unfiltered access to SIP, UCP, WebRTC and XMPP.  We're assuming that all remote clients are going to want these services, so we'll grant these to 'Other', and leave 'External' (which is our network interface default zone) with only HTTPS and UCP access.
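The zone model behind this walkthrough, as an added example that is not code from the firewall itself: it resolves a source address to a zone and checks the requested service against that zone's grants. The 203.0.113.0/24 remote network, the most-specific-network matching rule and all function names are assumptions made for illustration.

```python
import ipaddress

# Policy from the walkthrough: services granted per zone.
ZONE_SERVICES = {
    "Other": {"SIP", "UCP", "WebRTC", "XMPP"},
    "External": {"HTTPS", "UCP"},
}

# Constructed sample: a remote network (documentation range) linked to 'Other'.
NETWORK_ZONES = {
    ipaddress.ip_network("203.0.113.0/24"): "Other",
}

INTERFACE_DEFAULT_ZONE = "External"  # the interface default zone in the walkthrough
RTP_PORTS = range(10000, 20001)      # default RTP port range, 10000-20000


def zone_for(source):
    """Return the zone of the most specific linked network, else the interface default.

    Most-specific-match is an assumption of this model.
    """
    addr = ipaddress.ip_address(source)
    matches = [
        net for net in NETWORK_ZONES
        if net.version == addr.version and addr in net
    ]
    if not matches:
        return INTERFACE_DEFAULT_ZONE
    return NETWORK_ZONES[max(matches, key=lambda net: net.prefixlen)]


def is_allowed(source, service, udp_port=None):
    """Decide whether a source may reach a service under the zone policy."""
    if service == "RTP":
        # RTP is accepted on every interface, whatever zone the source is in.
        return udp_port in RTP_PORTS
    return service in ZONE_SERVICES.get(zone_for(source), set())


if __name__ == "__main__":
    # Constructed sources: one inside the linked network, one unknown host.
    for src in ("203.0.113.45", "198.51.100.7"):
        granted = sorted(s for s in ("HTTPS", "SIP", "UCP", "WebRTC", "XMPP")
                         if is_allowed(src, s))
        print(src, zone_for(src), granted)
```

A host outside every linked network falls back to the interface default zone, so it gets only what 'External' is granted, while RTP in the default range is accepted from both.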

...