Customizing Firewall Rules - Final Block Rules

Discussion in 'other firewalls' started by CrazyM, Oct 25, 2002.

Thread Status:
Not open for further replies.
  1. CrazyM
    Offline

    CrazyM Firewall Expert

    Again the following are presented as suggestions and food for thought only for those who may now want to get under the hood and tweak their rule sets.

    Final Block Rules

    Most firewalls will block anything not allowed by rules by default, but be sure yours does. Some may require changing something like a setting from Medium to High Security or disabling a Learning Mode. With this default block of anything not allowed, Final Block rules are not really required. Some users prefer to use them as sort of a safety net, to cut down on rule assistants/wizards popping up all the time and for logging purposes. As the title suggests, Final Block Rules, are placed at the end of your rule set.

    ------------------------------------------------------

    Rule: Block Inbound System Ports
    Rule in use: YES
    Logging: YES
    Protocol: TCP or UDP
    Action: Block
    Direction: Inbound
    Application: Any Application
    Local Service: (0 - 1023)
    ...Range Begin: 0
    .....Range End: 1023
    Local Address: Any Address
    Remote service: Any Service
    Remote Address: Any Address

    ***Note: See below.

    ------------------------------------------------------

    Rule: Block Inbound Application Ports
    Rule in use: YES
    Logging: YES
    Protocol: TCP or UDP
    Action: Block
    Direction: Inbound
    Application: Any Application
    Local Service: (1024 - 65535)
    ...Range Begin: 1024
    .....Range End: 65535
    Local Address: Any Address
    Remote service: Any Service
    Remote Address: Any Address

    ***Note: Having two rules here is an option for logging purposes, making a distinction between system ports and the higher application ports. You could have a single final block rule for all inbound TCP/UDP. These rules also cover off things like inbound netbios (137-139), epmap (135), microsoft-ds (445) and eliminate the need for specific block rules elsewhere in the rule set. Specific block rules for services such a these could be created if there was a need to monitor/log that blocked traffic specifically.

    Under logging/tracking options, select Log Entry only unless you really want all the blinking icons and alert pop ups every time a firewall event is logged. Instead make use of your logs and review them routinely.

    The key is to create very specific permit rules in your system wide and application rules above your final block rules that meet your needs. Paying close attention to your logs will help you determine what else may be required once you have a custom rule set in place.

    ------------------------------------------------------

    Rule: Block Outbound All Other
    Rule in use: YES
    Logging: YES
    Protocol: TCP or UDP
    Action: Block
    Direction: Outbound
    Application: Any Application
    Local Service: Any Service
    Local Address: Any Address
    Remote service: Any Service
    Remote Address: Any Address

    ***Note: A final block rule for all other outbound traffic could also be used here. Not recommended for new users as it will usually stop any rule assistants/wizards from popping up/prompting when a new application is encountered or something for which no rule exists. For those that have customized their rule set and have allowed for all traffic they will use, it is a rule that could be used as a final lock down rule. The alternative is to just let the rule assistants/wizards alert to any outbound requests for which there are no rules.

    ------------------------------------------------------

    Same final note applies if you decide to venture into your rule set: Pay close attention to your logs to make sure everything is working as expected. They will provide the information required to make any corrections.

    Last installment for now...

    CrazyM
Thread Status:
Not open for further replies.