Customizing Firewall Rules - Application Rules

Discussion in 'other firewalls' started by CrazyM, Oct 25, 2002.

Thread Status:
Not open for further replies.
  1. CrazyM

    Again the following are presented as suggestions and food for thought only for those who may now want to get under the hood and tweak their rule sets.

    Application Rules

    Application rules will likely be the largest section of your rule set and are placed after your System Wide Rules and before any Final Block Rules. The following rule examples are limited to a few basic applications most users will use. Once familiar with customizing basic Global, System and Application rules, you will be comfortable enough to monitor your many other applications and then customize them to your specific needs.

    Rule examples here were made with NIS v.4 which permits multiple remote addresses in a rule. Those using firewalls without this ability may have to make individual rules for each remote address where applicable.

    ------------------------------------------------------

    Rule: Your Browser
    Rule in use: YES
    Logging: NO
    Protocol: TCP
    Action: Permit
    Direction: Outbound
    Application: (Your Browser)
    .........Path: c:\program files\your browser\xxxxx.exe
    Local service: (1024 - 5000)
    ..Range Begin: 1024
    ....Range End: 5000
    Local Address: Any Address
    Remote Service:
    ..........Port: 80
    ..........Port: 443
    ..........Port: 8080
    Remote Address: Any Address

    ***Note: This rule should allow most web browsing/surfing.

    ------------------------------------------------------

    Rule: Your Browser Site XYZ
    Rule in use: YES
    Logging: NO
    Protocol: TCP
    Action: Permit
    Direction: Outbound
    Application: (Your Browser)
    .........Path: c:\program files\your browser\xxxxx.exe
    Local service: (1024 - 5000)
    ..Range Begin: 1024
    ....Range End: 5000
    Local Address: Any Address
    Remote Service:
    .................Port: xxx
    Remote Address:
    .....................IP: xxx.xxx.xxx.xxx

    ***Note: Some Internet sites may use a remote service/port not covered by your first rule. This example shows permitting your browser for a specific remote service/port to a specific site/IP address.

    ------------------------------------------------------

    Rule: Block Your Browser All Other
    Rule in use: YES
    Logging: YES
    Protocol: TCP or UDP
    Action: Block
    Direction: Either
    Application: (Your Browser)
    .........Path: c:\program files\your browser\xxxxx.exe
    Local service: Any Service
    Local Address: Any Address
    Remote Service: Any Service
    Remote Address: Any Address

    ***Note: This will block your browser from accessing any other services.

    ------------------------------------------------------

    Rule: Your Email Client POP3 Servers
    Rule in use: YES
    Logging: NO
    Protocol: TCP
    Action: Permit
    Direction: Outbound
    Application: (Your Email Client)
    .........Path: c:\program files\your email client\xxxxx.exe
    Local service: (1024 - 5000)
    ..Range Begin: 1024
    ....Range End: 5000
    Local Address: Any Address
    Remote Service:
    .................Port: 110
    Remote Address:
    .....................IP: xxx.xxx.xxx.xxx
    .....................IP: xxx.xxx.xxx.xxx

    ***Note: Restrict this rule to the pop3 mail servers you use.

    ------------------------------------------------------

    Rule: Your Email Client SMTP Servers
    Rule in use: YES
    Logging: NO
    Protocol: TCP
    Action: Permit
    Direction: Outbound
    Application: (Your Email Client)
    .........Path: c:\program files\your email client\xxxxx.exe
    Local service: (1024 - 5000)
    ..Range Begin: 1024
    ....Range End: 5000
    Local Address: Any Address
    Remote Service:
    .................Port: 25
    Remote Address:
    .....................IP: xxx.xxx.xxx.xxx
    .....................IP: xxx.xxx.xxx.xxx

    ***Note: Restrict this rule to the smtp mail servers you use. Note separate rules for send and receive. This allows for better monitoring of what is going on and the ability to easily disable your email client from sending if desired.

    ------------------------------------------------------

    Rule: Your Email Client HTTP
    Rule in use: NO
    Logging: NO
    Protocol: TCP
    Action: Permit
    Direction: Outbound
    Application: (Your Email Client)
    .........Path: c:\program files\your email client\xxxxx.exe
    Local service: (1024 - 5000)
    ..Range Begin: 1024
    ....Range End: 5000
    Local Address: Any Address
    Remote Service:
    .................Port: 80
    Remote Address: Any Address

    ***Note: To permit certain types of html mail that reference remote systems for content, you will require this rule. You should leave it disabled to avoid hostile content and things like web bugs, and then enable it for html email from trusted sources when you want to view it.

    ------------------------------------------------------

    Rule: Block Your Email Client All Other
    Rule in use: YES
    Logging: YES
    Protocol: TCP or UDP
    Action: Block
    Direction: Either
    Application: (Your Email Client)
    .........Path: c:\program files\your email client\xxxxx.exe
    Local service: Any Service
    Local Address: Any Address
    Remote Service: Any Service
    Remote Address: Any Address

    ***Note: This will block your email client from accessing any other services and in particular the web with regard to the web bug issue and potential hostile content in html email.

    ------------------------------------------------------

    Rule: Your News Reader NNTP Servers
    Rule in use: YES
    Logging: NO
    Protocol: TCP
    Action: Permit
    Direction: Outbound
    Application: (Your News Reader)
    .........Path: c:\program files\your news reader\xxxxx.exe
    Local service: (1024 - 5000)
    ..Range Begin: 1024
    ....Range End: 5000
    Local Address: Any Address
    Remote Service:
    .................Port: 119
    Remote Address:
    .....................IP: xxx.xxx.xxx.xxx
    .....................IP: xxx.xxx.xxx.xxx

    ***Note: Restrict this rule to the news servers you use.

    ------------------------------------------------------

    Rule: Block Your News Reader All Other
    Rule in use: YES
    Logging: YES
    Protocol: TCP or UDP
    Action: Block
    Direction: Either
    Application: (Your News Reader)
    .........Path: c:\program files\your news reader\xxxxx.exe
    Local service: Any Service
    Local Address: Any Address
    Remote Service: Any Service
    Remote Address: Any Address

    ***Note: This will block your news reader from accessing any other services and in particular potential hostile html content.

    ------------------------------------------------------

    Rule: Your FTP Client FTP File Transfer
    Rule in use: YES
    Logging: NO
    Protocol: TCP
    Action: Permit
    Direction: Outbound
    Application: (Your FTP Client)
    .........Path: c:\program files\your ftp client\xxxxx.exe
    Local service: (1024 - 5000)
    ..Range Begin: 1024
    ....Range End: 5000
    Local Address: Any Address
    Remote Service:
    .................Port: 21
    Remote Address: Any Address

    ***Note: Example of required rule for an FTP client.

    ------------------------------------------------------

    Rule: Your FTP Client FTP Data Transfer
    Rule in use: YES
    Logging: NO
    Protocol: TCP
    Action: Permit
    Direction: Inbound
    Application: (Your FTP Client)
    .........Path: c:\program files\your ftp client\xxxxx.exe
    Local service: (1024 - 5000)
    ..Range Begin: 1024
    ....Range End: 5000
    Local Address: Any Address
    Remote Service:
    .................Port: 20
    Remote Address: Any Address

    ***Note: Example of required rules for an FTP client. These examples for active FTP restrict the client to specific remote addresses. Because this rule permits inbound traffic, it is best to restrict it to specific trusted remote addresses.

    ------------------------------------------------------

    Rule: Your FTP Client FTP Data Transfer
    Rule in use: YES
    Logging: NO
    Protocol: TCP
    Action: Permit
    Direction: Outbound
    Application: (Your FTP Client)
    .........Path: c:\program files\your ftp client\xxxxx.exe
    Local service: Any Service
    Local Address: Any Address
    Remote Service: (1024 - 65535)
    ..Range Begin: 1024
    ....Range End: 65535
    Remote Address: Any Address

    ***Note: Example of an additional rule that may be required for an FTP client using passive mode. This rule could be logged to determine exactly what range your client uses. This example also restricts the client to specific remote addresses. All these FTP rules could also be used for your browser if you use it for file transfer. Be aware if you use this rule that it allows the application outbound to a wide range of remote ports, which is why it is best to restrict it to specific trusted remote addresses.

    ------------------------------------------------------

    Same final note applies if you decide to venture into your rule set: Pay close attention to your logs to make sure everything is working as expected. They will provide the information required to make any corrections.

    Stay tuned for the next installment...

    CrazyM
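As an added illustration (not code from the post or from NIS), the following models the ordered, first-match application rule set above so you can see which rule a given connection hits and whether that rule logs. The rule names, ports, directions and placeholder paths are taken from the post; the POP3 server address 192.0.2.10, the data model and the behaviour for unmatched traffic (blocked and logged) are assumptions.

```python
# Added example (not from the post, not NIS code): a first-match model of the ordered rule set above.
from dataclasses import dataclass
ANY = ((1, 65535),)          # "Any Service"
EPHEMERAL = ((1024, 5000),)  # the post's local service range 1024 - 5000
BROWSER = r"c:\program files\your browser\xxxxx.exe"       # placeholder paths taken from the post
MAIL = r"c:\program files\your email client\xxxxx.exe"
FTP = r"c:\program files\your ftp client\xxxxx.exe"
POP3_IP = "192.0.2.10"       # constructed stand-in for the post's xxx.xxx.xxx.xxx mail server

@dataclass
class Rule:
    name: str
    app: str
    action: str                     # "permit" or "block"
    direction: str                  # "outbound", "inbound" or "either"
    protocols: tuple = ("tcp",)
    local_ports: tuple = EPHEMERAL  # tuple of inclusive (lo, hi) ranges
    remote_ports: tuple = ANY
    remote_addrs: tuple = ()        # empty means "Any Address"
    enabled: bool = True            # "Rule in use"
    log: bool = False

def in_ranges(ranges, port):
    return any(lo <= port <= hi for lo, hi in ranges)

def matches(r, app, proto, direction, lport, rport, raddr):
    return (r.enabled and r.app == app and proto in r.protocols and r.direction in (direction, "either")
            and in_ranges(r.local_ports, lport) and in_ranges(r.remote_ports, rport)
            and (not r.remote_addrs or raddr in r.remote_addrs))

def evaluate(rules, app, proto, direction, lport, rport, raddr):
    """Walk the rules in order; the first match decides (action, rule name, logged?)."""
    for r in rules:
        if matches(r, app, proto, direction, lport, rport, raddr):
            return r.action, r.name, r.log
    return "block", "<no matching rule>", True  # assumed: unmatched traffic falls to a logged final block

RULES = [
    Rule("Your Browser", BROWSER, "permit", "outbound", remote_ports=((80, 80), (443, 443), (8080, 8080))),
    Rule("Block Your Browser All Other", BROWSER, "block", "either", ("tcp", "udp"), ANY, log=True),
    Rule("Your Email Client POP3 Servers", MAIL, "permit", "outbound",
         remote_ports=((110, 110),), remote_addrs=(POP3_IP,)),
    Rule("Your Email Client HTTP", MAIL, "permit", "outbound",
         remote_ports=((80, 80),), enabled=False),                 # disabled by default, per the post
    Rule("Block Your Email Client All Other", MAIL, "block", "either", ("tcp", "udp"), ANY, log=True),
    Rule("Your FTP Client FTP File Transfer", FTP, "permit", "outbound", remote_ports=((21, 21),)),
    Rule("Your FTP Client FTP Data Transfer", FTP, "permit", "inbound", remote_ports=((20, 20),)),
    Rule("Your FTP Client FTP Data Transfer (passive)", FTP, "permit", "outbound",
         local_ports=ANY, remote_ports=((1024, 65535),)),
]
```

Ordering is what makes the per-application "All Other" block rules safe: a permit placed after its block rule would never be reached, and a logged block rule is the quickest way to discover which extra port or address an application actually needs.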