Again the following are presented as suggestions and food for thought only for those who may now want to get under the hood and tweak their rule sets.
Final Block Rules

Most firewalls will block anything not allowed by rules by default, but be sure yours does. Some may require changing something like a setting from Medium to High Security or disabling a Learning Mode. With this default block of anything not allowed, Final Block rules are not really required. Some users prefer to use them as a sort of safety net, to cut down on rule assistants/wizards popping up all the time, and for logging purposes. As the title suggests, Final Block Rules are placed at the end of your rule set.

------------------------------------------------------
Rule: Block Inbound System Ports
Rule in use: YES
Logging: YES
Protocol: TCP or UDP
Action: Block
Direction: Inbound
Application: Any Application
Local Service: (0 - 1023)
...Range Begin: 0
.....Range End: 1023
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address

***Note: See below.
------------------------------------------------------
Rule: Block Inbound Application Ports
Rule in use: YES
Logging: YES
Protocol: TCP or UDP
Action: Block
Direction: Inbound
Application: Any Application
Local Service: (1024 - 65535)
...Range Begin: 1024
.....Range End: 65535
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address

***Note: Having two rules here is an option for logging purposes, making a distinction between system ports and the higher application ports. You could have a single final block rule for all inbound TCP/UDP. These rules also cover off things like inbound netbios (137-139), epmap (135) and microsoft-ds (445), and eliminate the need for specific block rules elsewhere in the rule set. Specific block rules for services such as these could be created if there was a need to monitor/log that blocked traffic specifically.

Under logging/tracking options, select Log Entry only unless you really want all the blinking icons and alert pop-ups every time a firewall event is logged. Instead, make use of your logs and review them routinely.

The key is to create very specific permit rules in your system-wide and application rules above your final block rules that meet your needs. Paying close attention to your logs will help you determine what else may be required once you have a custom rule set in place.
------------------------------------------------------
Rule: Block Outbound All Other
Rule in use: YES
Logging: YES
Protocol: TCP or UDP
Action: Block
Direction: Outbound
Application: Any Application
Local Service: Any Service
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address

***Note: A final block rule for all other outbound traffic could also be used here. Not recommended for new users, as it will usually stop any rule assistants/wizards from popping up/prompting when a new application is encountered or something for which no rule exists. For those that have customized their rule set and have allowed for all traffic they will use, it is a rule that could be used as a final lock-down rule. The alternative is to just let the rule assistants/wizards alert to any outbound requests for which there are no rules.
------------------------------------------------------
Same final note applies if you decide to venture into your rule set: pay close attention to your logs to make sure everything is working as expected. They will provide the information required to make any corrections.

Last installment for now...

CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks." - Bruce Schneier
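The rule ordering the post describes, written out as an added example (this is not CrazyM's code and not any firewall product's): a first-match evaluator with a couple of specific permit rules placed above the three Final Block rules, run over constructed sample packets. The three Final Block rules use the settings given in the post; the permit rules, the process names (browser.exe, unknown.exe and so on) and the sample traffic are assumptions made for illustration. A packet that matches none of the rules falls through to the firewall's own default, modelled here as an unlogged block, which is exactly the behaviour the post says to verify your product actually has.

```python
"""First-match model of a personal-firewall rule set with Final Block rules
last.  Example code, not from any firewall product; everything except the
three Final Block rules (permit rules, process names, traffic) is assumed."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # wildcard for any rule field

Ranges = Tuple[Tuple[int, int], ...]  # ((low, high), ...) inclusive


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "permit" or "block"
    direction: str                        # "in" or "out"
    protocols: Optional[Tuple[str, ...]]  # e.g. ("tcp", "udp") or ANY
    local_ports: Optional[Ranges]         # local service ranges or ANY
    remote_ports: Optional[Ranges]        # remote service ranges or ANY
    app: Optional[str]                    # process name or ANY
    log: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    local_port: int
    remote_port: int
    app: str


def _in_ranges(port: int, ranges: Optional[Ranges]) -> bool:
    return ranges is ANY or any(lo <= port <= hi for lo, hi in ranges)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.protocols is ANY or pkt.protocol in rule.protocols)
            and _in_ranges(pkt.local_port, rule.local_ports)
            and _in_ranges(pkt.remote_port, rule.remote_ports)
            and (rule.app is ANY or rule.app == pkt.app))


def evaluate(rules, pkt: Packet):
    """First matching rule wins; returns (action, rule name, logged).
    No match falls through to the product default: modelled as an unlogged
    block, i.e. the default-deny the post says to confirm your firewall has."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name, rule.log
    return "block", "<implicit default>", False


TCP_UDP = ("tcp", "udp")

# Specific permit rules sit above the Final Block rules (assumed examples).
RULES = [
    Rule("Permit Outbound DNS", "permit", "out", ("udp",), ANY, ((53, 53),), ANY),
    Rule("Permit Browser HTTP/HTTPS", "permit", "out", ("tcp",), ANY,
         ((80, 80), (443, 443)), "browser.exe"),
    # Final Block rules, with the settings from the post, at the end of the set.
    Rule("Block Inbound System Ports", "block", "in", TCP_UDP, ((0, 1023),), ANY, ANY, log=True),
    Rule("Block Inbound Application Ports", "block", "in", TCP_UDP, ((1024, 65535),), ANY, ANY, log=True),
    Rule("Block Outbound All Other", "block", "out", TCP_UDP, ANY, ANY, ANY, log=True),
]

# Constructed sample traffic, not captured from a real host.
SAMPLE = [
    Packet("in", "tcp", 445, 40000, "system"),        # microsoft-ds probe
    Packet("in", "udp", 137, 137, "system"),          # netbios-ns
    Packet("in", "tcp", 135, 51000, "system"),        # epmap
    Packet("in", "tcp", 5000, 52000, "system"),       # a high application port
    Packet("out", "udp", 53000, 53, "resolver.exe"),  # DNS lookup
    Packet("out", "tcp", 53001, 443, "browser.exe"),  # permitted browser
    Packet("out", "tcp", 53002, 443, "unknown.exe"),  # no permit rule exists
    Packet("out", "icmp", 0, 0, "ping.exe"),          # not TCP/UDP: falls through
]


def run(rules, packets):
    return [evaluate(rules, p) for p in packets]


def log_summary(results) -> Counter:
    """Logged events per rule: the routine log review the post recommends."""
    return Counter(name for _action, name, logged in results if logged)


if __name__ == "__main__":
    results = run(RULES, SAMPLE)
    for pkt, (action, name, logged) in zip(SAMPLE, results):
        flag = " [logged]" if logged else ""
        print(f"{action:6} {pkt.direction:3} {pkt.protocol:4} "
              f"local={pkt.local_port:<5} remote={pkt.remote_port:<5} "
              f"{pkt.app:12} -> {name}{flag}")
    print(dict(log_summary(results)))
```

Two things the run makes visible: the three inbound probes to 445, 137 and 135 all land on "Block Inbound System Ports" without any netbios-specific rule, which is the post's point about not needing separate block rules unless you want them for logging; and the unknown.exe connection is swallowed by "Block Outbound All Other", the situation where, without that final rule, a rule assistant would have prompted instead.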