Wilders Security Forums  
Old October 25th, 2002, 06:31 PM
CrazyM
Firewall Moderator
Join Date: Feb 2002
Location: BC, Canada
Posts: 2,433

Customizing Firewall Rules - Application Rules

Again the following are presented as suggestions and food for thought only for those who may now want to get under the hood and tweak their rule sets.

Application Rules

Application rules will likely be the largest section of your rule set and are placed after your System Wide Rules and before any Final Block Rules. The following rule examples are limited to a few basic applications most users will use. Once familiar with customizing basic Global, System and Application rules, you will be comfortable enough to monitor your many other applications and then customize them to your specific needs.

Rule examples here were made with NIS v.4 which permits multiple remote addresses in a rule. Those using firewalls without this ability may have to make individual rules for each remote address where applicable.

------------------------------------------------------

Rule: Your Browser
Rule in use: YES
Logging: NO
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (Your Browser)
.........Path: c:\program files\your browser\xxxxx.exe
Local service: (1024 - 5000)
..Range Begin: 1024
....Range End: 5000
Local Address: Any Address
Remote Service:
..........Port: 80
..........Port: 443
..........Port: 8080
Remote Address: Any Address

***Note: This rule should allow most web browsing/surfing.

------------------------------------------------------

Rule: Your Browser Site XYZ
Rule in use: YES
Logging: NO
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (Your Browser)
.........Path: c:\program files\your browser\xxxxx.exe
Local service: (1024 - 5000)
..Range Begin: 1024
....Range End: 5000
Local Address: Any Address
Remote Service:
.................Port: xxx
Remote Address:
.....................IP: xxx.xxx.xxx.xxx

***Note: Some Internet sites may use a remote service/port not covered by your first rule. This example shows permitting your browser for a specific remote service/port to a specific site/IP address.

------------------------------------------------------

Rule: Block Your Browser All Other
Rule in use: YES
Logging: YES
Protocol: TCP or UDP
Action: Block
Direction: Either
Application: (Your Browser)
.........Path: c:\program files\your browser\xxxxx.exe
Local service: Any Service
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address

***Note: This will block your browser from accessing any other services.

------------------------------------------------------

Rule: Your Email Client POP3 Servers
Rule in use: YES
Logging: NO
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (Your Email Client)
.........Path: c:\program files\your email client\xxxxx.exe
Local service: (1024 - 5000)
..Range Begin: 1024
....Range End: 5000
Local Address: Any Address
Remote Service:
.................Port: 110
Remote Address:
.....................IP: xxx.xxx.xxx.xxx
.....................IP: xxx.xxx.xxx.xxx

***Note: Restrict this rule to the pop3 mail servers you use.

------------------------------------------------------

Rule: Your Email Client SMTP Servers
Rule in use: YES
Logging: NO
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (Your Email Client)
.........Path: c:\program files\your email client\xxxxx.exe
Local service: (1024 - 5000)
..Range Begin: 1024
....Range End: 5000
Local Address: Any Address
Remote Service:
.................Port: 25
Remote Address:
.....................IP: xxx.xxx.xxx.xxx
.....................IP: xxx.xxx.xxx.xxx

***Note: Restrict this rule to the smtp mail servers you use. Note separate rules for send and receive. This allows for better monitoring of what is going on and the ability to easily disable your email client from sending if desired.

------------------------------------------------------

Rule: Your Email Client HTTP
Rule in use: NO
Logging: NO
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (Your Email Client)
.........Path: c:\program files\your email client\xxxxx.exe
Local service: (1024 - 5000)
..Range Begin: 1024
....Range End: 5000
Local Address: Any Address
Remote Service:
.................Port: 80
Remote Address: Any Address

***Note: To permit certain types of html mail that references remote systems for content you will require this rule. You should leave it disabled to avoid hostile content and things like web bugs and then enable it for html email from trusted sources when you want to view it.

------------------------------------------------------

Rule: Block Your Email Client All Other
Rule in use: YES
Logging: YES
Protocol: TCP or UDP
Action: Block
Direction: Either
Application: (Your Email Client)
.........Path: c:\program files\your email client\xxxxx.exe
Local service: Any Service
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address

***Note: This will block your email client from accessing any other services and in particular the web with regard to the web bug issue and potential hostile content in html email.

------------------------------------------------------

Rule: Your News Reader NNTP Servers
Rule in use: YES
Logging: NO
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (Your News Reader)
.........Path: c:\program files\your news reader\xxxxx.exe
Local service: (1024 - 5000)
..Range Begin: 1024
....Range End: 5000
Local Address: Any Address
Remote Service:
.................Port: 119
Remote Address:
.....................IP: xxx.xxx.xxx.xxx
.....................IP: xxx.xxx.xxx.xxx

***Note: Restrict this rule to the news servers you use.

------------------------------------------------------

Rule: Block Your News Reader All Other
Rule in use: YES
Logging: YES
Protocol: TCP or UDP
Action: Block
Direction: Either
Application: (Your News Reader)
.........Path: c:\program files\your news reader\xxxxx.exe
Local service: Any Service
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address

***Note: This will block your news reader from accessing any other services and in particular potential hostile html content.

------------------------------------------------------

Rule: Your FTP Client FTP File Transfer
Rule in use: YES
Logging: NO
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (Your FTP Client)
.........Path: c:\program files\your ftp client\xxxxx.exe
Local service: (1024 - 5000)
..Range Begin: 1024
....Range End: 5000
Local Address: Any Address
Remote Service:
.................Port: 21
Remote Address: Any Address

***Note: Example of required rule for an FTP client.

------------------------------------------------------

Rule: Your FTP Client FTP Data Transfer
Rule in use: YES
Logging: NO
Protocol: TCP
Action: Permit
Direction: Inbound
Application: (Your FTP Client)
.........Path: c:\program files\your ftp client\xxxxx.exe
Local service: (1024 - 5000)
..Range Begin: 1024
....Range End: 5000
Local Address: Any Address
Remote Service:
.................Port: 20
Remote Address: Any Address

***Note: Example of required rules for an FTP client. These examples for active FTP restrict the client to specific remote addresses. Because this rule permits inbound traffic, it is best to restrict it to specific trusted remote addresses.

------------------------------------------------------

Rule: Your FTP Client FTP Data Transfer
Rule in use: YES
Logging: NO
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (Your FTP Client)
.........Path: c:\program files\your ftp client\xxxxx.exe
Local service: Any Service
Local Address: Any Address
Remote Service: (1024 - 65535)
...Range Begin: 1024
.....Range End: 65535
Remote Address: Any Address

***Note: Example of an additional rule that may be required for an FTP client using passive mode. This rule could be logged to determine exactly what range your client uses. This example also restricts the client to specific remote addresses. All these FTP rules could also be used for your browser if you use it for file transfer. Be aware that this rule allows the application outbound to a wide range of remote ports, which is why it is best to restrict it to specific trusted remote addresses.

------------------------------------------------------

Same final note applies if you decide to venture into your rule set: Pay close attention to your logs to make sure everything is working as expected. They will provide the information required to make any corrections.
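To see how the ordering of these application rules plays out against the log, here is an added Python model of the browser and FTP listings above (my own construction, not NIS code or output and not the author's; the site IP 203.0.113.10 and remote port 8443 are constructed stand-ins for the xxx placeholders). It evaluates sample connection attempts first-match, the way an ordered rule set is walked, and records the entries a rule with Logging: YES would write.

```python
from dataclasses import dataclass

# Constructed model of an ordered NIS v4 application rule set, written to
# mirror the listings above; it is an illustration, not NIS code or output.
@dataclass
class Rule:
    name: str
    app: str                      # application path the rule is bound to
    action: str                   # "Permit" or "Block"
    direction: str                # "Outbound", "Inbound" or "Either"
    protocols: tuple              # ("TCP",) or ("TCP", "UDP")
    local_ports: tuple = (1, 65535)   # (Range Begin, Range End); default = Any Service
    remote_ports: tuple = ()      # () means Any Service
    remote_ips: tuple = ()        # () means Any Address
    log: bool = False             # Logging: YES/NO

BROWSER = r"c:\program files\your browser\xxxxx.exe"
FTP = r"c:\program files\your ftp client\xxxxx.exe"
SITE_XYZ = "203.0.113.10"         # constructed stand-in for xxx.xxx.xxx.xxx

RULES = [
    Rule("Your Browser", BROWSER, "Permit", "Outbound", ("TCP",), (1024, 5000), (80, 443, 8080)),
    Rule("Your Browser Site XYZ", BROWSER, "Permit", "Outbound", ("TCP",), (1024, 5000), (8443,), (SITE_XYZ,)),
    Rule("Block Your Browser All Other", BROWSER, "Block", "Either", ("TCP", "UDP"), log=True),
    Rule("Your FTP Client FTP File Transfer", FTP, "Permit", "Outbound", ("TCP",), (1024, 5000), (21,)),
    Rule("Your FTP Client FTP Data Transfer", FTP, "Permit", "Inbound", ("TCP",), (1024, 5000), (20,)),
]

def matches(rule, app, proto, direction, lport, rport, rip):
    """True when every field of the rule covers the connection attempt."""
    return (rule.app == app and proto in rule.protocols
            and rule.direction in (direction, "Either")
            and rule.local_ports[0] <= lport <= rule.local_ports[1]
            and (not rule.remote_ports or rport in rule.remote_ports)
            and (not rule.remote_ips or rip in rule.remote_ips))

def evaluate(rules, app, proto, direction, lport, rport, rip, log):
    """First matching rule wins, as in an ordered rule set. Returns the rule's
    action and appends a log line when that rule has Logging: YES."""
    for rule in rules:
        if matches(rule, app, proto, direction, lport, rport, rip):
            if rule.log:
                log.append(f"{rule.name}: {rule.action} {proto} {direction} {rip}:{rport}")
            return rule.action
    return "No match"   # nothing here matched; the Final Block Rules would decide

if __name__ == "__main__":
    log = []
    print(evaluate(RULES, BROWSER, "TCP", "Outbound", 1500, 443, "198.51.100.7", log))
    print(evaluate(RULES, BROWSER, "UDP", "Outbound", 1500, 53, "198.51.100.7", log))
    print(log)
```

Passing the list reversed (block rule first) blocks even normal web traffic, which is why the "All Other" block must sit after the permits for that application.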

Stay tuned for the next installment...

CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks."
- Bruce Schneier