What does it mean that a firewall is rulebased? Which firewalls are rulebased, and which are not (among the top FW)? What is the difference? Is one better, safer, more userfriendly than the other? Thanks in advance !
this a pretty rough definition (i welcome Stem or any other member to please correct me or add to this): a rules-based means that the firewall uses rules that specify the kind of traffic that is allowed or denied. rules can be customized by protocol (tcp, udp, etc), ip (eg 127.0.0.1), direction (inbound/outbound) and port (25, 80, etc). the other kind of personal firewall is application based. this means it allows or denies a program all internet access. if u allow it all access, a program can contact any server using any port and any protocol. it can connect out as well as accept connections. ********************************************************************************* theres too many rules-based firewalls. some include looknstop, outpost pro, and kaspersky. the only application-based firewalls i know of are zonealarm and sygate. i dont know what kind of firewalls are used in suites like norton or trend micro though. ********************************************************************************* application firewalls are far simpler but a bit less secure. rules-based firewalls can be simple or complex depending on teh firewall and the user.
A rule-based allows you to control all or any the following: 1. Protocol (TCP, UDP, ICMP, IGMP & others) 2. Direction (Inbound or Outbound) 3. Ports (Remote or Local and port #) 4. Time interval (configure to allow the connection everyday or specified time only) 5. Destination (IP range or IP address only) Example of rule-based firewalls: Tiny Personal Firewall, Kerio Personal Firewall, Outpost Firewall Pro, Norton Personal Firewall An application-based firewall is simple to use. The firewall will simply alert you whether to allow or deny the connection. User will only monitor the list of application that are allowed and blocked. There’s no control whether an application is allowed only to use Ports 80, 110, 25, 443 et al. Example of application-based firewall: ZoneAlarm, Sygate With rule-based firewall you can block certain ports that in used by known trojans. For example, my browser is only allowed to use port 80. That’s it. If the browser will try to open port 443, 8080, 21 et al, it needs my approval. Another example, my e-mail programs is only allowed to use ports 110, 25, 119. It is also allowed to communicate only to my ISP’s e-mail server or arcor.de email server or particular newsgroup’s server. It is not configured to accept all connection made by any email server or newsgroup server. If my email program will try to open other ports e.g. ports 80, 443 et al, it needs my approval too. For novices, it is not easy to use a rule-based firewall because you will make custom program rules, enter what port number to use and what type of communication etc. but you will win by a substantial margin after you’re done in creating a rule for each application. With rule-based firewall you are in total control. Control where to connect or communicate to which computer only , or block some ports then allow few ports to use. Further step is a FW (rule based) which has a Three-layer protection: I prefer to use rule-based firewall (I am using Jetico) over application-based firewall because with rule-based firewall, I am in control. I’m not saying an application-based firewall is not recommended. It is OK to use an application only based firewall as long as it is protecting a PC from unwanted intrusions and you know which applications are allowed or not.
A bit more clarification whether Sygate is a "pure and simple" application rule based firewall like ZA or rather a hybrid: http://www.kotiposti.net/string/SPF_eng/SPFServer.jpg As you can see in the picture, SPF has the ability to control allowed ports for TCP and UDP protocols. To desired remote (machine) ports for outgoing connections from any local pc port. Or to specified local ports for incoming connections to "server working" applications (Skype & other IM's, etc.) from any remote machine port. The blank field means whole range 1 .. 65535. Putting value 0 into a field means no ports are allowed for that protocol. One can also in the free version add arbitrary rulebased rules upto 20 max limit. Like this: 1. SPF-quick menu 2. ’Advanced Rules…’. Add this advanced rule: 3. Rule Summary: This rule will allow incoming traffic from IP address(es) 207.46.130.100 on UDP remote port(s) 123 to UDP local port(s) 123. This rule will be applied to all network interface cards. The following applications will be affected in this rule: Generic Host Process for Win32 Services. Sygate's rulebased rule building interface is clumsy, so it is normally used with advanced application rules instead, using the interface in the above picture. That ANY in the connection initiation machine's port leaves then something to be desired, but much much better than an all wide port range rule for a packet's destination port. I must admit I had a bit of a fun reading about that new ashampoo firewall, lol. A rulebased firewall like kerio 2.1.5 allows flexibility and fast configuration changes. It is also a most straighforward packet filter and one of the reason for it's popularity might be also cause the rulesets are so well documentable. An example is BlitzenZeus's template for basic firewall system protection rules and that it can be downloaded from dslreports kerio/tiny forum sticky. Rules can be ticked on/off when needed. Newer rule based firewalls like jetico might have a more advanced concepts than kerio2.1.5 's single ruleset, but personally I am quite happy with it. PG free also complements kerio nice in adding HIPS to program control. So even if IE is allowed on kerio 2.1.5 you get asked first from PG, if it is set to do so, before it gets to internet. Plus it guards against firewall and antivirus termination. In fact all the programs in PG free current latest version. And SnoopFree is for keyboard and screen reading hooks that PG free does not have HIPS protection control against Sygate's application rules are always just one rule for each application, so they don't have that flexibility. It's 'Advanced rules' have that, but there is the 20 maximum rules limit in free SPF. PG free would bring also to Sygate needed application control I think against the famous loopback proxy issue with programs like avast's webshield or email scanner proxies or other local proxies you might be running, though I have not tested it since it is a recent addition to my PC and have only ran it with kerio 2.1.5. Behind the surface I believe Sygate to have been implemented as a rule based firewall while it's GUI is not really. I also consider Kerio 4 to be a hybrid, having both user interfaces, though I don't personally like it for many issues and reasons not bothering to tell here.
While ZA is primarily application-based, the paid versions will have expert rules that you can set up if you wish to block certain protocols too like a rule-based firewall.
