Question about application filtering

Hello all

I'm testing LnS and i do appreciate this "pure" FW but i still have one issue:
If you set an authorization rule, you can restrict it to apply only if a specific application is active, but in this case ANY application will benefit from the rule.

For example if you set an extended authorization rule for all MSN required ports, this rule will be valid as soon as MSN is in the systray but then ALL applications will be able to pass through the authorization...

IMHO, this behaviour seems to be dangerous but i'm not expert enough to take a clear conclusion ...
What are your opinions ?

Thx for any reply

 

Set your applications with restricted port use.

Double left click the application in the application filtering list, you can then enter the ports allowed for that application to use(all other ports will be blocked for that application).



- Stem

 

Thx for your answer but that was not my point

I try to give a better example:
Obviously i want to use a web browser so i need a TCP rule to exchange with port 80 of any www server
Let's say that i want to restrict web access only to IE on my PC, no other software: in LnS I would configure "activate rule only for IE" but it wont work ! if IE is running (even without activity) this rule will be active and .... allow ANY application to exchange with web server !!

Of course this example is too basic but it applies with soft like MSN, p2p or games that requires wide range of protocols and ports accesses that will become available for all others appli on your PC as soon as they are running in background !! i still think that it looks like a giant hole to FW protection but i may misunderstand ?

 

Yes, it would allow any application that has been given internet access the ability to access that rule and make outbound to those ports.

Now going back to what I was putting forward. Lets say we have an open rule to allow outbound TCP to all remote ports. Any application that is then given internet access will then be able to use that rule, however, if you place port restrictions on an application so it can only use port 80, then it will only be able to use that port, it does not matter that a rule is in place to allow all other ports.

So from your original example. You have an e-mail client with a rule in place that allows the various ports, you than have a browser that is restricted to port 80, the browser will only be able to use that port(80), it will not be able to use the ports in the rule you have made for the mail client.

- Stem

 

A simple test for you to make.

You will have an open rule to allow outbound to remote port 80, your browser will use that rule to connect to the web. Now go into the application filtering list and double click on your browser, and in the TCP ports, enter 60. Now try and connect to the internet with that browser, it will fail due to that port restriction.

- Stem

 

Thx again, i really do appreciate your answers !!

And yes your strategy sounds good to me: using this capability to restrict port of any application, you can really connect application to protocol rules, i ve missed this point, thank you again

One last advice from you if you dont mind: if i allow ports at the application level, do you think i still need to activate the protocol rules by an application ?
i mean what about setting all required protocol rules (including MSN, p2p, games) but always active, while setting restrictions for each application so that they can only behave as expected ?

 

When the application is connecting out, no. Where I do make rules that are activated by application, is for inbound connections, so that the rule is disabled and the port is filtered again when the application exits.


- Stem

 

Yes it is even better this way !

OK everything is clear for me now

I wish to thank you again for your smart advices, i can now use LnS without any regret !

 

You are Welcome.

Good to hear.

- Stem