stalker
February 2nd, 2004, 02:05 PM
Hello. I posted this topic separately because in my opinion it is very essential; I must also say that it is related to LowWaterMark's topic "Zone Alarm Plus/Pro Program Options".
I am pretty "educated" about how to set firewall settings (already "studied" NPF, ZA, etc.), and I completely understand all about it (what are ports, protocols, source/destination, etc.)
But here is the question: I am confused about the "priority"/"hierarchy" of rules enforcement. For example, I understand (as it says in the help file) that Firewall/Zone Expert Rules are enforced before Zone Rules (general Trusted/Internet zone rules), and also before any Program Rules (expert or general), and are therefore global. It also says that the first matching rule is enforced while the others are ignored. On the other hand, Program (Access) Expert rules are executed depending on rank number.
So to the main question. I must say here that I don't understand one thing - what then are (only talking about Program Rules here) Allow, Block, and Ask (red cross, question mark, green mark)?
1.) If I for example:
Set "Block All Access" (red cross) for one program, but then make (only one) expert rule which allows all (all ports, protocols, all sources/destinations) - which one will be used/applied?
The same on the other hand: if I set "Allow All Access" for one program (green mark), but then make (only one) expert rule which blocks all (all ports, protocols, all sources/destinations) - which one will be used/applied?
Here is another important question: in which manner should I set rules for some program (IE, Outlook, or a p2p sharing program) which basically has a lot of communications permitted?
Set it to "Block All Access" (red cross), and then allow some of the communications, ports, etc. in Expert Rules?
or ...
Set it to "Allow All Access" (green mark), and then block some of the communications, ports, etc. in Expert Rules?
So generally I understand the relationship between Zone and Program "General" vs. "Expert Rules", but not the relationship between the settings made by those marks (green, red, blue) and Program Expert Rules.
2.) There are also other possible "incompatibilities" or cases of "one rule overriding another rule".
Like for example:
"Program Expert Rules" permitting or blocking a port/protocol, and permitting or blocking a port/protocol in "Firewall - Custom - High/Medium security for Internet/Trusted Zone - Allow/Block Incoming/Outgoing TCP Ports" ...
And there are many, so it is obvious that "priority"/"hierarchy" is essential here.
3.) LowWaterMark wrote in his topic: http://www.wilderssecurity.com/showthread.php?t=3899
"Since OE never needs "server rights", I have also blocked those capabilities."
... but I must say that in my case IE, OE (Outlook Explorer), and also alg.exe (application layer gateway) and svchost.exe (generic host process for Win32 services), all require "Server" permission from time to time; IE and OE more frequently, alg.exe and svchost.exe rarely ...
4.) LowWaterMark, I have one more question for you:
In your picture (OE-ExpertRules1-SummaryScreen.gif), I noticed that you create a new expert rule for each port. My question is - could I set all this in one rule?
Meaning under "Modify" - "Add Protocol", you could set all rules, one after another, for which you create separate independent rules. Just add a new protocol (let's say TCP, port pop3) after setting the rule for TCP protocol, smtp port, etc. And there also exist "Groups" of protocol rules ...
Your way: (like in screenshot)
Rank 1: Allow pop3 (TCP), My Computer, Trusted
Rank 2: Allow smtp (TCP), My Computer, Trusted
My way:
Rank 1: Allow pop3, smtp (TCP), DNS (UDP), My Computer, Trusted
Tip: rather than putting all my mail servers into the Trusted Zone, I put the servers here under the "Destination" tab.
Thanks for any explanation, tip, etc.
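Added example, not part of the post above and not ZoneAlarm's own code: a small first-match rule evaluator in Python that models the evaluation order the post quotes from the help file (Firewall expert rules first, then a program's expert rules in rank order, first match wins). It runs the two layouts compared in the post (one rule per port versus one combined rule) over the same constructed traffic to show they yield the same decisions, and shows why rank matters: a broad "allow all" ranked above a specific block makes that block unreachable. The fallback to the program's general Allow/Block setting, the hostnames, and the sample packets are assumptions made for this model; the post itself does not settle how ZoneAlarm resolves a general setting against a contradicting expert rule.

```python
"""Toy first-match rule evaluator (added example; not ZoneAlarm's code).

Evaluation order modelled here, as quoted in the post from the help file:
global (Firewall) expert rules, then the program's expert rules by rank,
first matching rule wins.  Falling back to the program's general
Allow/Block setting when nothing matches is an ASSUMPTION of this model.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

ANY = "*"  # wildcard for protocol or destination


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    port: int         # destination port
    dst: str          # destination host
    direction: str = "out"


@dataclass(frozen=True)
class Rule:
    action: str                                  # "allow" or "block"
    protocols: frozenset                         # {(proto, port), ...} or {ANY}
    destinations: frozenset = frozenset({ANY})   # {host, ...} or {ANY}
    direction: str = "out"

    def matches(self, pkt: Packet) -> bool:
        proto_ok = ANY in self.protocols or (pkt.proto, pkt.port) in self.protocols
        dst_ok = ANY in self.destinations or pkt.dst in self.destinations
        return proto_ok and dst_ok and self.direction == pkt.direction


def first_match(rules: Iterable[Rule], pkt: Packet) -> Optional[int]:
    """1-based rank of the first rule matching pkt, or None; later rules are ignored."""
    for rank, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rank
    return None


def decide(global_rules, program_rules, general_setting: str, pkt: Packet) -> str:
    """Global expert rules first, then program expert rules by rank, then the
    program's general setting (the last step is an assumption, see docstring)."""
    for rules in (global_rules, program_rules):
        rank = first_match(rules, pkt)
        if rank is not None:
            return rules[rank - 1].action
    return general_setting


def policy_table(rulesets: dict, packets: Iterable[Packet], general_setting="block") -> dict:
    """Decision per packet for each candidate ruleset; equal rows mean equivalent policy."""
    packets = list(packets)
    return {name: [decide([], rules, general_setting, p) for p in packets]
            for name, rules in rulesets.items()}


def unreachable_rules(rules, packets) -> set:
    """Ranks that match some sample packet but never fire, because an earlier
    rule always matches first.  Only as good as the sample traffic supplied."""
    fired, matched = set(), set()
    for p in packets:
        r = first_match(rules, p)
        if r is not None:
            fired.add(r)
        matched.update(rank for rank, rule in enumerate(rules, start=1) if rule.matches(p))
    return matched - fired


# Constructed sample data: hostnames and traffic are illustrative, not from the post.
POP3, SMTP, DNS = ("tcp", 110), ("tcp", 25), ("udp", 53)
MAIL = frozenset({"mail.example.net"})   # stands in for the "Destination" tab entry

# Layout A: one rule per protocol, as in the screenshot the post refers to.
per_port = [
    Rule("allow", frozenset({POP3}), MAIL),
    Rule("allow", frozenset({SMTP}), MAIL),
    Rule("allow", frozenset({DNS}), MAIL),
]
# Layout B: all protocols in a single rule, as the poster proposes.
combined = [Rule("allow", frozenset({POP3, SMTP, DNS}), MAIL)]

# A broad allow ranked above a specific block: rank 2 can never fire.
shadowed = [
    Rule("allow", frozenset({ANY})),
    Rule("block", frozenset({SMTP})),
]

SAMPLE = [
    Packet("tcp", 110, "mail.example.net"),
    Packet("tcp", 25, "mail.example.net"),
    Packet("udp", 53, "mail.example.net"),
    Packet("tcp", 80, "www.example.org"),     # not covered by any mail rule
    Packet("tcp", 25, "relay.example.org"),   # right port, wrong destination
]

if __name__ == "__main__":
    for name, row in policy_table({"per_port": per_port, "combined": combined}, SAMPLE).items():
        print(f"{name:9s} {row}")
    print("unreachable ranks in 'shadowed':", unreachable_rules(shadowed, SAMPLE))
```

Under first-match semantics the two layouts are interchangeable only because every rule in them carries the same action and destination; the moment one port needs a different action, its rank relative to the broader rule decides whether it ever takes effect, which is what `unreachable_rules` flags. A global rule is checked before the program's rules in `decide`, so a global block on a port wins over a program-level allow in this model, matching the ordering the post quotes from the help file.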