Are there some redundant rules in the 'enhanced ruleset'?

Discussion in 'LnS English Forum' started by nuser, Jun 2, 2007.

Thread Status:
Not open for further replies.
  1. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Hi,
    in the enhanced ruleset,
    the 3rd rule for ICMP is 'BLOCK ICMP type 10 without notification' and the 4th is 'block all ICMP'.

    So, if I delete the 3rd rule, the 'type 10' will still be blocked by the final rule (block all ICMP).

    My question:
    Is the rule on 'type 10' really necessary?
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    :) you will be notified.
     
  3. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Another example:
    the 'Block WinNuke' rule (blocking port 139 of my local machine).
    If I delete this rule, port 139 is still blocked by the final rule "Block all other TCP packets", since I have no rules to allow traffic through local port 139. o_O

    IMHO: an ideal ruleset can be expressed as:
    allow 1;
    allow 2;
    ......
    Block All

    Any rules to block individual ports are redundant.

    Plz correct if I am wrong.
     
  4. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi nuser :)

    If you used the enhanced rule set instead of the "standard", these TCP packets for port 139 will be blocked by the rule "Block incoming connections", since port 139 in TCP is used for Printer sharing and is a kind of "server"...

    As I explained to you in another post, the best is to keep the rules to the minimum possible (with non-"redundant" rules), but sometimes it's not possible and we have to accept some "redundancy".

    The rule sets must be developed to fit various configurations. Some rules are possibly useless for some configurations and important for others...

    Thank you for your interest in LNS.

    :)
     
  5. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    thanks, Climenole,
    Sorry for so many stupid questions.
    As you indicated, the winnuke (port 139) is blocked by the 'block incoming connections' rule.
    If I, (see attached), change this rule's 'stop condition' and continue to match the following rules, (I have allowed port 139).
    Will port 139 be opened, or still blocked?
     

  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    For these "redundant" rules ... so someone here mentions, they basically serve a purpose of blocking without logging for some of the common Internet traffic... This helps from being annoyed when trying to find something little more worthy on the Look 'n' Stop Log screen... ;)
     
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm truly sorry for not saying that, but I assumed it was implicit.
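
The point made in the replies above (a specific block rule placed ahead of the catch-all does not change the verdict, only whether the packet is logged) can be checked with a small first-match model. This is an added example, not part of the thread and not Look 'n' Stop's own engine or rule format; the `Rule` fields, the `log` flags (including the silent flag on 'Block WinNuke'), the fall-through default and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    proto: str                       # "icmp" or "tcp"
    icmp_type: Optional[int] = None  # None matches any ICMP type
    dport: Optional[int] = None      # None matches any local TCP port
    log: bool = True                 # False = block "without notification"

    def matches(self, pkt: dict) -> bool:
        return (pkt["proto"] == self.proto
                and self.icmp_type in (None, pkt.get("icmp_type"))
                and self.dport in (None, pkt.get("dport")))

def evaluate(rules, pkt):
    """First matching rule wins; returns (action, logged)."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.log
    return "block", True  # hypothetical default when nothing matches

def effect_of_removing(rules, name, packets):
    """Compare verdict and logging with and without the named rule."""
    trimmed = [r for r in rules if r.name != name]
    verdict_changed = log_changed = False
    for pkt in packets:
        (a1, l1), (a2, l2) = evaluate(rules, pkt), evaluate(trimmed, pkt)
        verdict_changed |= a1 != a2
        log_changed |= l1 != l2
    return {"verdict_changed": verdict_changed, "log_changed": log_changed}

# Constructed ruleset modelled on the rule names quoted in the thread.
RULES = [
    Rule("Block ICMP type 10", "block", "icmp", icmp_type=10, log=False),
    Rule("Block all ICMP", "block", "icmp"),
    Rule("Block WinNuke", "block", "tcp", dport=139, log=False),  # silent: assumed
    Rule("Block all other TCP packets", "block", "tcp"),
]
# Constructed sample packets.
PACKETS = [
    {"proto": "icmp", "icmp_type": 10},
    {"proto": "icmp", "icmp_type": 8},
    {"proto": "tcp", "dport": 139},
    {"proto": "tcp", "dport": 445},
]
```

Calling `effect_of_removing(RULES, "Block ICMP type 10", PACKETS)` reports no verdict change and a logging change: the rule is redundant for filtering but not for keeping the log quiet.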
     