Custom Ruleset

Discussion in 'other firewalls' started by Rmus, Mar 17, 2006.

  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    For those who use a custom ruleset, how did you create it? Can you post your internet rules (no need for the application rules) and/or comments as to the rationale for what you created?

    When I started out, I followed the advice of those on various firewall forums and looked at different rulesets that were suggested. Many of the rules seemed not to be applicable to me. I received lots of good advice, but realized that I really didn't understand what I was doing. So, I decided to start from scratch. I began by studying the networking terms: protocol, DNS, UDP, IGMP, etc. Without understanding those, it's a lost cause.

    Then I backed up the default ruleset that came with the firewall, deleted all of the rules, created a "Block All Inbound" rule, and then connected to the internet and let the firewall prompt for what it needed. Those became my basic internet rules.

    Additions:

    ==> I put the addresses in a Custom Address Group.

    ==> I created the ICMP/IGMP rules manually, using suggestions from an article.

    ==> I added a "Block all other Port 53" following the DNS rules;

    ==> and the "Block all Inbound" as the final rule following the application rules.

    This is for Win2K (internet rules only) using a dialup and a LAN.

    http://www.rsjones.net/imgs/ruleset.gif
    __________________________________________________

    The final rule takes care of port scans and probes:

    http://www.rsjones.net/imgs/portscan_3.gif
    ___________________________________________________
     
    Last edited: Mar 17, 2006
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    For a custom rule set, starting from scratch is probably the best way to go. I will always work from an implicit deny all policy and then focus on and add what permit rules I need. This will usually keep the rule set small and easy to manage. I also save the rule set in a text file along with a list of servers/IPs for those rules that are restricted to specific addresses. Once you have done this it is easy to use/apply these rules to different firewalls.

    Regards,

    CrazyM
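The two posts above describe the same design: an implicit deny-all policy, a short list of permit rules, and ordering that matters (DNS allowed only to chosen resolvers, then "block all other port 53", then a final "block all inbound"). The following is an added example, not code from either poster or from any firewall product, that models that first-match evaluation over constructed packets so the effect of rule order can be checked. The resolver addresses, ports and packet values are made up for the demo.

```python
"""First-match evaluation of a small default-deny ruleset.

Added example (not from the thread): it models the ordering described above
(DNS allow rules for a custom address group, a block for all other port 53
traffic, a few ICMP rules, and a final "block all inbound") so that the
decision for a given packet can be traced to the rule that produced it.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, FrozenSet, Tuple

# Constructed "custom address group": the only resolvers DNS may talk to.
DNS_SERVERS: FrozenSet = frozenset({ip_address("192.0.2.53"), ip_address("192.0.2.54")})


@dataclass(frozen=True)
class Packet:
    direction: str                     # "in" or "out"
    proto: str                         # "tcp", "udp" or "icmp"
    remote: str                        # remote IP address as text
    remote_port: Optional[int] = None  # None for ICMP
    icmp_type: Optional[int] = None    # None for TCP/UDP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "block"
    direction: Optional[str] = None          # None matches either direction
    proto: Optional[str] = None              # None matches any protocol
    remote: Optional[FrozenSet] = None       # address group; None matches any address
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every field that is set on the rule must agree with the packet."""
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.remote is not None and ip_address(p.remote) not in self.remote:
            return False
        if self.remote_port is not None and p.remote_port != self.remote_port:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


# Order is the point: the broad "block all other port 53" sits after the
# narrow DNS allow, and "block all inbound" comes last.
RULESET = [
    Rule("DNS to my resolvers", "allow", proto="udp", remote=DNS_SERVERS, remote_port=53),
    Rule("Block all other port 53", "block", remote_port=53),
    Rule("ICMP echo reply in", "allow", direction="in", proto="icmp", icmp_type=0),
    Rule("ICMP echo request out", "allow", direction="out", proto="icmp", icmp_type=8),
    Rule("HTTP out", "allow", direction="out", proto="tcp", remote_port=80),
    Rule("Block all inbound", "block", direction="in"),
]


def evaluate(packet: Packet, ruleset=RULESET) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule.

    Anything no rule mentions falls through to the implicit deny, which is
    what keeps the permit list short: only what is explicitly wanted passes.
    """
    for rule in ruleset:
        if rule.matches(packet):
            return rule.action, rule.name
    return "block", "implicit deny"


if __name__ == "__main__":
    samples = [
        Packet("out", "udp", "192.0.2.53", 53),      # DNS to a listed resolver
        Packet("out", "udp", "198.51.100.9", 53),    # DNS to some other server
        Packet("in", "tcp", "203.0.113.7", 44444),   # unsolicited inbound probe
        Packet("in", "icmp", "192.0.2.1", icmp_type=0),
        Packet("out", "tcp", "203.0.113.7", 443),    # nothing permits this yet
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt))
```

Swapping the first two rules would silently break name resolution, which is the kind of mistake a saved text copy of the ruleset (as suggested above) makes easy to spot when moving rules to another firewall.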
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm glad you said this. I've suggested this to three people (with different firewalls) who were having difficulties, and it worked for them.

    regards,

    -rich
     
  4. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I just have an allow all for UDP, ICMP, and TCP except for SYN flags, since I have stateful inspection for all these protocols :cool: . I also have an allow for ARP incoming. No need for DHCP since I have a static IP. I like to keep it minimal :D

    Alphalutra1
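The minimal ruleset above only works because stateful inspection does the real filtering: an inbound TCP segment is accepted when it belongs to a connection this host opened, and a bare inbound SYN (a new connection attempt from outside) is refused. The following added example, not code from the poster or from any firewall, models that state table so the "allow everything except SYN" shorthand can be seen in action. Addresses, ports and segments are constructed.

```python
"""Minimal stateful check for inbound TCP.

Added example (not from the thread): outbound SYNs register a flow, inbound
segments are allowed only if they belong to a registered flow, and an
inbound segment with just the SYN flag set is always blocked.
"""
from dataclasses import dataclass
from typing import Set, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits

@dataclass(frozen=True)
class Segment:
    direction: str   # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

FlowKey = Tuple[str, int, str, int]   # (local_ip, local_port, remote_ip, remote_port)


class StateTable:
    """Tracks connections opened from the local side."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()

    def process(self, seg: Segment) -> str:
        if seg.direction == "out":
            key: FlowKey = (seg.src, seg.sport, seg.dst, seg.dport)
            if seg.flags & SYN and not seg.flags & ACK:
                self.flows.add(key)            # we are opening a connection
            elif seg.flags & RST:
                self.flows.discard(key)        # we tore it down
            return "allow"                     # outbound is not restricted here

        # Inbound: key is rebuilt from the local side's point of view.
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        if seg.flags & SYN and not seg.flags & ACK:
            return "block"                     # unsolicited connection attempt
        if key not in self.flows:
            return "block"                     # stray ACK/FIN/RST, no known flow
        if seg.flags & RST:
            self.flows.discard(key)            # peer reset the connection
        return "allow"


def run_demo() -> list:
    """Replay a constructed sequence and return the decisions in order."""
    table = StateTable()
    seq = [
        Segment("out", "192.0.2.10", 50000, "203.0.113.80", 80, SYN),        # we connect
        Segment("in", "203.0.113.80", 80, "192.0.2.10", 50000, SYN | ACK),   # reply
        Segment("in", "203.0.113.80", 80, "192.0.2.10", 50000, ACK),         # data ack
        Segment("in", "198.51.100.7", 40000, "192.0.2.10", 445, SYN),        # probe
        Segment("in", "198.51.100.7", 40000, "192.0.2.10", 445, ACK),        # stray ack
        Segment("in", "203.0.113.80", 80, "192.0.2.10", 50000, RST),         # peer reset
        Segment("in", "203.0.113.80", 80, "192.0.2.10", 50000, ACK),         # after reset
    ]
    return [table.process(s) for s in seq]


if __name__ == "__main__":
    print(run_demo())
```

The stray-ACK case is why "except SYN" alone is not enough on a stateless filter: without the flow table, a segment with the ACK bit set would pass the flag check even though no connection exists.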
     