
Are there some redundant rules in the 'enhanced ruleset'?


nuser
June 2nd, 2007, 11:31 PM
Hi,
in the enhanced ruleset,
the 3rd rule for ICMP is 'BLOCK ICMP type 10 without notification' and the 4th is 'block all ICMP'.

So, if I delete the 3rd rule, 'type 10' will still be blocked by the final rule (block all ICMP).

My question:
Is the rule on 'type 10' really necessary?

Pedro
June 2nd, 2007, 11:59 PM
:) You will be notified.

nuser
June 3rd, 2007, 02:57 AM
another example:
the 'Block WinNuke' rule (blocking port 139 of my local machine).
If I delete this rule, port 139 will still be blocked by the final rule "Block all other TCP packets", since I have no rules to allow traffic through local port 139. :wacko:

IMHO: an ideal ruleset can be expressed as:
allow 1;
allow 2;
......
Block All

Any rules to block individual ports are redundant.

Please correct me if I am wrong.

Climenole
June 3rd, 2007, 09:13 AM
Hi nuser :)

-{ Quote: "another example:
the 'Block WinNuke' rule (blocking port 139 of my local machine).
If I delete this rule, port 139 will still be blocked by the final rule "Block all other TCP packets", since I have no rules to allow traffic through local port 139. :wacko:

IMHO: an ideal ruleset can be expressed as:
allow 1;
allow 2;
......
Block All

Any rules to block individual ports are redundant.

Please correct me if I am wrong." }-

If you use the enhanced rule set instead of the "standard" one, these TCP packets for port 139 will be blocked by the rule "Block incoming connections", since TCP port 139 is used for printer sharing and is a kind of "server"...

As I explained to you in another post, the best is to keep the rules to the minimum possible (with no "redundant" rules), but sometimes that is not possible and we have to accept some "redundancy".

The rule sets must be developed to fit various configurations. Some rules are possibly useless for some configurations and important for others...

Thank you for your interest in LNS.

:)

nuser
June 4th, 2007, 03:32 AM
thanks, Climenole,
Sorry for so many stupid questions.
As you indicated, WinNuke (port 139) is blocked by the 'Block incoming connections' rule.
If I (see attached) change this rule's 'stop condition' so that matching continues with the following rules (I have allowed port 139),
will port 139 be opened, or still blocked?

Phant0m
June 4th, 2007, 07:12 AM
For these "redundant" rules... as someone here mentions, they basically serve the purpose of blocking, without logging, some of the common Internet traffic... This helps you avoid being annoyed when trying to find something a little more worthy on the Look 'n' Stop Log screen... ;)
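Added example (not part of the thread and not Look 'n' Stop's own code): a small first-match packet-filter simulator that makes the two points above concrete. It assumes top-to-bottom evaluation, a per-rule "notify" flag (whether a hit is logged), and a per-rule "stop" flag that, when cleared, lets evaluation continue to the later rules; that "continue" behaviour is an assumption for the simulator, not a statement about how Look 'n' Stop itself handles its stop condition. The rulesets are constructed and cover only the rules named in the thread (ICMP type 10 is Router Solicitation). The first scenario shows that dropping the silent "type 10" rule leaves the verdict unchanged but turns the hit into a logged one; the second shows nuser's port 139 question under both settings of the stop flag.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    direction: str         # "in" or "out"
    dst_port: int = 0      # local port for inbound TCP/UDP
    icmp_type: int = -1    # ICMP type when proto == "icmp"
    syn: bool = False      # True for a TCP connection request (new inbound connection)


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str            # "allow" or "block"
    notify: bool = True    # log / show the hit to the user
    stop: bool = True      # assumed: stop evaluating the list once this rule matches


@dataclass
class Verdict:
    action: str
    hits: List[str] = field(default_factory=list)   # names of matching rules, in order
    notified: bool = False                           # True if any matching rule logs


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> Verdict:
    """First-match evaluation: the last matching rule before a 'stop' decides."""
    v = Verdict(action=default)
    for r in rules:
        if r.match(pkt):
            v.hits.append(r.name)
            v.action = r.action
            v.notified = v.notified or r.notify
            if r.stop:
                break
    return v


def icmp_rules(with_type10_rule: bool) -> List[Rule]:
    """Constructed approximation of the ICMP tail of the enhanced ruleset."""
    rules = []
    if with_type10_rule:
        rules.append(Rule("Block ICMP type 10 without notification",
                          lambda p: p.proto == "icmp" and p.icmp_type == 10,
                          "block", notify=False))
    rules.append(Rule("Block all ICMP", lambda p: p.proto == "icmp", "block"))
    return rules


def compare_icmp() -> Tuple[Verdict, Verdict]:
    """Same inbound Router Solicitation evaluated with and without the silent rule."""
    router_solicitation = Packet(proto="icmp", direction="in", icmp_type=10)
    with_rule = evaluate(icmp_rules(True), router_solicitation)
    without_rule = evaluate(icmp_rules(False), router_solicitation)
    return with_rule, without_rule


def tcp_rules(block_incoming_stops: bool) -> List[Rule]:
    """Constructed TCP rules: block incoming connections, an added allow for 139, block the rest."""
    return [
        Rule("Block incoming connections",
             lambda p: p.proto == "tcp" and p.direction == "in" and p.syn,
             "block", stop=block_incoming_stops),
        Rule("Allow local TCP port 139",
             lambda p: p.proto == "tcp" and p.direction == "in" and p.dst_port == 139,
             "allow"),
        Rule("Block all other TCP packets", lambda p: p.proto == "tcp", "block"),
    ]


def port139_verdicts() -> Tuple[str, str]:
    """Inbound SYN to local port 139 with the stop condition set, then cleared."""
    syn = Packet(proto="tcp", direction="in", dst_port=139, syn=True)
    return (evaluate(tcp_rules(True), syn).action,
            evaluate(tcp_rules(False), syn).action)


if __name__ == "__main__":
    w, wo = compare_icmp()
    print("type 10 with silent rule:   ", w.action, "notified =", w.notified, w.hits)
    print("type 10 without silent rule:", wo.action, "notified =", wo.notified, wo.hits)
    stopped, continued = port139_verdicts()
    print("port 139, stop condition set:    ", stopped)
    print("port 139, stop condition cleared:", continued)
```

In the simulator the "type 10" rule is redundant for the verdict but not for the log: with it, the packet is dropped silently; without it, the same packet is dropped by "Block all ICMP" and logged. For port 139, the early "Block incoming connections" wins while its stop flag is set; when the flag is cleared the later allow rule gets a chance and wins, so a "continue" stop condition can quietly reopen a port that an earlier block rule appeared to close. Whether the real product behaves that way is exactly nuser's question and is not settled by this example.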

Pedro
June 5th, 2007, 08:28 AM
I'm truly sorry for not saying that, but I assumed it was implicit.