For those who use a custom ruleset, how did you create it? Can you post your internet rules (no need for the application rules) and/or comments as to the rationale for what you created?

When I started out, I followed the advice of those on various firewall forums and looked at different rulesets that were suggested. Many of the rules seemed not to be applicable to me. I received lots of good advice, but realized that I really didn’t understand what I was doing. So, I decided to start from scratch. I began by studying the networking terms: protocol, DNS, UDP, IGMP, etc. Not understanding those, it's a lost cause. Then I backed up the default ruleset that came with the firewall, deleted all of the rules, created a "Block All Inbound" rule, and then connected to the internet and let the firewall prompt for what it needed. Those became my basic internet rules.

Additions:
==> I put the addresses in a Custom Address Group.
==> I created the ICMP/IGMP rules manually, using suggestions from an article.
==> I added a "Block all other Port 53" following the DNS rules;
==> and the "Block all Inbound" as the final rule following the application rules.

This is for Win2K (internet rules only) using a dialup and a LAN.
http://www.rsjones.net/imgs/ruleset.gif

The final rule takes care of port scans and probes:
http://www.rsjones.net/imgs/portscan_3.gif
For a custom rule set, starting from scratch is probably the best way to go. I will always work from an implicit deny all policy and then focus on and add what permit rules I need. This will usually keep the rule set small and easy to manage. I also save the rule set in a text file along with a list of servers/IPs for those rules that are restricted to specific addresses. Once you have done this it is easy to use/apply these rules to different firewalls. Regards, CrazyM
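The two posts above describe the same shape of ruleset: explicit permits for named address groups (DNS servers first), a "block all other port 53" rule after them, a final "block all inbound", and an implicit deny for anything no rule mentions, all kept in a plain text file. The following is an added illustration of that first-match evaluation order, written for this thread; it is not any poster's ruleset nor code from any firewall product. The rule text format, the `DNS_SERVERS` group name, the addresses (RFC 5737 documentation ranges) and the sample packets are all constructed for the example.

```python
"""Added example: a minimal first-match packet filter in the style the thread
describes (explicit permits, "block all other port 53", final block-all inbound,
implicit deny). Rule format, group names, addresses and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed text ruleset, one rule per line, evaluated top to bottom:
#   <action> <direction> <protocol> <remote-address|@group|any> <remote-port|any>
RULESET_TEXT = """
allow out udp @DNS_SERVERS 53       # DNS queries to our resolvers only
allow in  udp @DNS_SERVERS 53       # and their replies
block any udp any 53                # "block all other port 53"
block any tcp any 53
allow in  icmp any any              # stands in for the hand-made ICMP rules
allow out tcp any 80
allow out tcp any 443
block in  any any any               # final rule: block all inbound
"""

# Stand-in for a "Custom Address Group"; names and addresses are assumptions.
ADDRESS_GROUPS = {
    "DNS_SERVERS": [ip_network("192.0.2.53/32"), ip_network("198.51.100.0/24")],
}

@dataclass(frozen=True)
class Rule:
    action: str
    direction: str            # "in", "out" or "any"
    protocol: str             # "tcp", "udp", "icmp" or "any"
    addresses: Tuple          # empty tuple means "any"
    port: Optional[int]       # None means "any"

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    remote_ip: str
    remote_port: Optional[int]   # None for protocols without ports (ICMP)

def parse_ruleset(text, groups):
    """Turn the text file into Rule objects, resolving @group references."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        action, direction, protocol, addr, port = line.split()
        if addr.startswith("@"):
            addresses = tuple(groups[addr[1:]])
        elif addr == "any":
            addresses = ()
        else:
            addresses = (ip_network(addr),)
        rules.append(Rule(action, direction, protocol, addresses,
                          None if port == "any" else int(port)))
    return rules

def matches(rule, pkt):
    if rule.direction not in ("any", pkt.direction):
        return False
    if rule.protocol not in ("any", pkt.protocol):
        return False
    if rule.addresses and not any(ip_address(pkt.remote_ip) in n for n in rule.addresses):
        return False
    if rule.port is not None and rule.port != pkt.remote_port:
        return False
    return True

def decide(rules, pkt):
    """First matching rule wins; with no match the implicit deny applies."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "block", None

RULES = parse_ruleset(RULESET_TEXT, ADDRESS_GROUPS)

if __name__ == "__main__":
    for pkt in (Packet("out", "udp", "192.0.2.53", 53),     # our resolver
                Packet("out", "udp", "203.0.113.9", 53),    # some other resolver
                Packet("in", "tcp", "203.0.113.9", 445),    # unsolicited inbound
                Packet("out", "tcp", "203.0.113.9", 8080)): # nothing permits it
        print(pkt, "->", decide(RULES, pkt))
```

The value of returning the rule index is that a blocked packet can be attributed to the rule that caught it, which is what makes the "block all other port 53" and final block-all rules useful as a log source: an outbound query to a resolver outside the group is stopped at rule 2, an unsolicited inbound connection at the last rule, and a packet no permit covers falls through to the implicit deny with no index at all.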
I'm glad you said this. I've suggested this to three people (with different firewalls) who were having difficulties, and it worked for them. regards, -rich
I just have an allow all for UDP, ICMP, and TCP except for SYN flags, since I have stateful inspection for all these protocols. I also have an allow for ARP incoming. No need for DHCP since I have a static IP. I like to keep it minimal. Alphalutra1
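The minimal ruleset in the post above works only because the static "no inbound SYN" rule and the firewall's state table act together: the rule refuses new inbound connection attempts, and the state table refuses everything else that does not belong to a flow the host itself started. The following added illustration models that pairing; it is not Alphalutra1's configuration nor code from any firewall product, and the flow tuples, packets and result labels are constructed for the example (ARP is not modelled).

```python
"""Added example: a toy connection tracker showing why "allow TCP except SYN"
is safe only together with stateful inspection. Constructed packets and labels;
not taken from any poster or product."""
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Pkt:
    direction: str          # "in" or "out" relative to this host
    proto: str              # "tcp", "udp" or "icmp"
    local: Tuple[str, int]  # (ip, port) on our side; port 0 for ICMP
    remote: Tuple[str, int] # (ip, port) on the far side
    syn: bool = False
    ack: bool = False

class StatefulFilter:
    """Outbound traffic creates state; inbound traffic must match it."""

    def __init__(self):
        self.flows = set()   # (proto, local, remote) tuples this host opened

    def check(self, p):
        key = (p.proto, p.local, p.remote)
        if p.direction == "out":
            self.flows.add(key)              # leaving traffic opens a flow
            return "allow"
        if p.proto == "tcp" and p.syn and not p.ack:
            return "block:new-syn"           # the one static rule in the post
        if key in self.flows:
            return "allow:established"       # reply to something we sent
        return "block:no-state"              # unsolicited ACK, UDP, ICMP, ...

def run_sample():
    """Walk a constructed sequence through the filter and collect verdicts."""
    fw = StatefulFilter()
    us, web, dns, probe = ("192.0.2.10", 40000), ("203.0.113.80", 443), \
                          ("203.0.113.53", 53), ("198.51.100.66", 1234)
    sequence = [
        Pkt("out", "tcp", us, web, syn=True),              # we open a connection
        Pkt("in",  "tcp", us, web, syn=True, ack=True),    # SYN/ACK reply
        Pkt("in",  "tcp", ("192.0.2.10", 445), probe, syn=True),   # new inbound SYN
        Pkt("in",  "tcp", ("192.0.2.10", 445), probe, ack=True),   # ACK with no state
        Pkt("out", "udp", ("192.0.2.10", 5353), dns),      # our DNS query
        Pkt("in",  "udp", ("192.0.2.10", 5353), dns),      # its reply
        Pkt("in",  "udp", ("192.0.2.10", 161), probe),     # unsolicited UDP
    ]
    return [fw.check(p) for p in sequence]

if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The fourth packet is the instructive one: a bare ACK is not a SYN, so the static rule in the post would let it through on its own, yet the state table drops it because no outbound flow matches. That is the division of labour the post relies on, and it is why a ruleset this small should not be copied onto a firewall without stateful inspection.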