#1
Sunbelt the latest 4.6 version.
All filter rules have been created manually. On demand, particular rules are disabled/enabled. None of the firewall's own automatics or learning mode is or was in use. "Log traffic to unopened ports" is enabled. For some traffic which meets the "incoming to unopened port" criteria, an advanced packet filter rule has been created manually. It was also named accordingly, just to recognize it quickly within a lot of log entries. Anyhow, the firewall logs still show "to unopened port" instead of "my advanced filter rule for some inbound to unopened port" traffic. This says to me that the "block all traffic to unopened port" rule must be some internal / fixed-coded rule and must have higher priority than all advanced packet filter rules. Is this true?
#2
Look in the Help file. They specify processing rules sequence.
#3
Quote:

If it ain't broke, you haven't tweaked it enough.... Debian 7 x64
#4
Kerodo,
See this thread by the same poster: http://www.wilderssecurity.com/showthread.php?t=318612

Note that there's ruleId = 0 in the log of inbounds. That implies to me a built-in rule that can't even be followed in the xml file. Perhaps watching TCPView at the same time might show FF done with a port, system takes over, so the port is closed by then.

Edited: I just looked at the config. It is a global, built-in rule in the section of gateway. I never enabled gateway, no need. So that's what's there, and I quote:

<table name="Globals_kpf">
<variable name="IsRunningOnInternetGateway">0</variable>
<variable name="LogClosedPort">0</variable>
<variable name="BootSecurity">1</variable>
</table>

Last edited by act8192 : February 19th, 2012 at 05:49 PM.
#5
All this discovered because some inbound traffic from local dsl router was irritating me. After short investigation I know that this is a service running on router. It is fine for me, because I am using parts of this functionality.
But after a long time in the future I might have forgotten it, and the same irritation will arise again. Therefore I was going to create an explicit advanced filter rule which does the same but is named unambiguously. If it hits, its name appears in the logs and I see immediately what it is. But as it turns out, this is not the proper way, because the "block traffic to unopened port" rule seems to have higher priority than my advanced filter rule. It must have higher priority than mine, otherwise mine would not have been overridden by the block-to-unopened one.
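Added illustration (not from the thread or from Sunbelt): a small model of the rule ordering the posters infer, plus a parser for the Globals_kpf table quoted in post #4. The chain layout, the ruleId 17 and the port number 1900 are constructed assumptions; the point is that when a built-in closed-port check (ruleId 0) is evaluated before user rules, a user's named rule for the same inbound traffic never appears in the log.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Globals_kpf table quoted in post #4, wrapped in a root element.
CONFIG_XML = """<config>
<table name="Globals_kpf">
 <variable name="IsRunningOnInternetGateway">0</variable>
 <variable name="LogClosedPort">0</variable>
 <variable name="BootSecurity">1</variable>
</table>
</config>"""


def load_globals(xml_text):
    """Return the Globals_kpf variables as {name: int}."""
    root = ET.fromstring(xml_text)
    table = root.find("table[@name='Globals_kpf']")
    return {v.get("name"): int(v.text) for v in table.findall("variable")}


# Hypothetical rule model: (ruleId, name, direction, port, action).
# ruleId 0 mirrors the "to unopened port" entries seen in the logs.
BUILTIN_CLOSED_PORT = (0, "to unopened port", "in", None, "block")
USER_RULES = [(17, "dsl-router-service-inbound", "in", 1900, "permit")]  # constructed


def evaluate(port, direction, listening, user_rules, builtin_first=True):
    """Walk the chain in order; return (ruleId, name) of the rule that logs the packet.

    `listening` is the set of local ports with a listener; the built-in check
    matches only when the destination port has none (an "unopened" port).
    """
    chain = ([BUILTIN_CLOSED_PORT] if builtin_first else []) + list(user_rules)
    if not builtin_first:
        chain.append(BUILTIN_CLOSED_PORT)
    for rule_id, name, rdir, rport, _action in chain:
        if rdir != direction:
            continue
        if rule_id == 0:
            if port not in listening:
                return rule_id, name
            continue
        if rport == port:
            return rule_id, name
    return None
```

With the built-in check first, an inbound packet to a closed port 1900 is logged as ruleId 0 and the named user rule is never reached; only if the user rule were evaluated first, or the port had a listener, would its name show up.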
#6
Quote:
I didn't find any relevant hint in the help file, even before opening this thread.