Custom Ruleset

Discussion in 'other firewalls' started by Rmus, Mar 17, 2006.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    For those who use a custom ruleset, how did you create it? Can you post your internet rules (no need for the application rules) and/or comments as to the rationale for what you created?

    When I started out, I followed the advice of those on various firewall forums and looked at different rulesets that were suggested. Many of the rules seemed not to be applicable to me. I received lots of good advice, but realized that I really didn’t understand what I was doing. So, I decided to start from scratch. I began by studying the networking terms: protocol, DNS, UDP, IGMP, etc. Not understanding those, it's a lost cause.

    Then I backed up the default ruleset that came with the firewall, deleted all of the rules, created a "Block All Inbound" rule, and then connected to the internet and let the firewall prompt for what it needed. Those became my basic internet rules.

    Additions:

    ==> I put the addresses in a Custom Address Group.

    ==> I created the ICMP/IGMP rules manually, using suggestions from an article.

    ==> I added a "Block all other Port 53" following the DNS rules;

    ==> and the "Block all Inbound" as the final rule following the application rules.

    This is for Win2K (internet rules only) using a dialup and a LAN.

    http://www.rsjones.net/imgs/ruleset.gif
    __________________________________________________

    The final rule takes care of port scans and probes:

    http://www.rsjones.net/imgs/portscan_3.gif
    ___________________________________________________
     
    Last edited: Mar 17, 2006
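The ordering in the post above (DNS allowed to a custom address group, then "block all other port 53", the ICMP/IGMP rules, the application rules, and "block all inbound" last) is first-match semantics, and getting the order wrong silently breaks DNS. The following is an added Python model of such a ruleset, written for this page rather than taken from the post or from any firewall product. The addresses (RFC 5737 documentation ranges), rule names, the ICMP type selections and the "permit when nothing matches" default are all constructed. It also includes a shadowing check that reports rules an earlier, broader rule makes unreachable.

```python
"""Ordered, first-match packet filter modelling the ruleset outlined above.

Added example, not the poster's actual firewall or its export. Addresses
(RFC 5737 ranges), rule names and the ICMP type choices are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str         # "in" (from the internet) or "out" (to the internet)
    proto: str             # "tcp", "udp", "icmp" or "igmp"
    remote: str            # internet-side address
    remote_port: int = 0   # 0 for protocols without ports
    local_port: int = 0
    icmp_type: int = -1


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "block"
    direction: str = "both"   # "in", "out" or "both"
    proto: str = "any"
    remote: tuple = ()        # custom address group as CIDR strings; () = any address
    remote_port: int = 0      # 0 = any port
    icmp_types: tuple = ()    # () = any ICMP type

    def matches(self, p):
        if self.direction != "both" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.remote and not any(ip_address(p.remote) in ip_network(n) for n in self.remote):
            return False
        if self.remote_port and self.remote_port != p.remote_port:
            return False
        if self.icmp_types and p.icmp_type not in self.icmp_types:
            return False
        return True

    def covers(self, other):
        """True when every packet `other` could match already matches self,
        so placing self earlier in the list makes `other` dead."""
        if self.direction != "both" and self.direction != other.direction:
            return False
        if self.proto != "any" and self.proto != other.proto:
            return False
        if self.remote and not (other.remote and all(
                any(ip_network(o).subnet_of(ip_network(s)) for s in self.remote)
                for o in other.remote)):
            return False
        if self.remote_port and self.remote_port != other.remote_port:
            return False
        if self.icmp_types and not (other.icmp_types and set(other.icmp_types) <= set(self.icmp_types)):
            return False
        return True


ISP_DNS = ("198.51.100.53/32", "198.51.100.54/32")   # constructed address group

RULES = (
    Rule("DNS", "allow", "both", "udp", remote=ISP_DNS, remote_port=53),
    Rule("Block all other port 53", "block", "both", "any", remote_port=53),
    Rule("Ping out", "allow", "out", "icmp", icmp_types=(8,)),
    Rule("ICMP replies in", "allow", "in", "icmp", icmp_types=(0, 3, 11)),
    Rule("Block other ICMP", "block", "both", "icmp"),
    Rule("Block IGMP", "block", "both", "igmp"),
    # application rules (browser to TCP 80/443, mail client, ...) would sit here
    Rule("Block all inbound", "block", "in"),
)


def evaluate(rules, p):
    """First matching rule wins. If nothing matches we assume the firewall
    permits (a constructed default): the explicit final block rule is what
    removes that dependence for inbound traffic."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "allow", None


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]


def swap_dns_rules(rules):
    """The same ruleset with the port-53 block placed ahead of the DNS allow."""
    lst = list(rules)
    lst[0], lst[1] = lst[1], lst[0]
    return tuple(lst)


if __name__ == "__main__":
    for label, p in {
        "dns query out": Packet("out", "udp", "198.51.100.53", 53, 1025),
        "udp to rogue resolver": Packet("out", "udp", "203.0.113.9", 53, 1026),
        "inbound probe to 135": Packet("in", "tcp", "203.0.113.7", 4444, 135),
        "inbound ping": Packet("in", "icmp", "203.0.113.7", icmp_type=8),
    }.items():
        print(f"{label:24} -> {evaluate(RULES, p)}")
    print("dead rules, posted order:", shadowed(RULES))
    print("dead rules, swapped order:", shadowed(swap_dns_rules(RULES)))
```

Running the script shows the probe to port 135 and the inbound ping being caught by the block rules, while the query to a resolver outside the address group dies on "Block all other port 53". Swapping the first two rules leaves the ruleset looking complete but `shadowed()` reports the DNS rule as dead, which is the kind of check worth running on a hand-built list before trusting it.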
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
For a custom rule set, starting from scratch is probably the best way to go. I will always work from an implicit deny all policy and then focus on and add what permit rules I need. This will usually keep the rule set small and easy to manage. I also save the rule set in a text file along with a list of servers/IPs for those rules that are restricted to specific addresses. Once you have done this it is easy to use/apply these rules to different firewalls.

    Regards,

    CrazyM
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm glad you said this. I've suggested this to three people (with different firewalls) who were having difficulties, and it worked for them.

    regards,

    -rich
     
  4. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I just have an allow all for UDP, ICMP, and TCP except for SYN flags, since I have stateful inspection for all these protocols :cool: . I also have an allow for ARP incoming. No need for DHCP since I have a static ip. I like to keep it minimal :D

    Alphalutra1
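To make the distinction in the post above concrete, here is an added toy connection tracker that runs the same traffic through two policies: a stateless "allow inbound TCP except new SYNs" rule, and stateful inspection that only admits inbound packets answering something the host sent. This is illustration code written for this page, not Alphalutra1's configuration or any product's tracker; the addresses are constructed and "except for SYN flags" is read as SYN set without ACK (a new connection attempt), which is an assumption.

```python
"""Toy connection tracker: a flag-only 'no inbound SYN' rule next to stateful
inspection. Added example, not any poster's configuration. Addresses are
constructed; 'except SYN' is read as SYN set without ACK (a new connection)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out"
    proto: str                # "tcp", "udp" or "icmp"
    remote: str
    remote_port: int = 0      # 0 for icmp
    local_port: int = 0       # echo identifier for icmp
    flags: frozenset = frozenset()
    icmp_type: int = -1


def is_new_tcp_connection(p):
    return p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags


def flag_only(p):
    """Stateless: anything out, anything in except a fresh TCP SYN."""
    if p.direction == "out":
        return "allow"
    return "drop" if is_new_tcp_connection(p) else "allow"


def stateful(p, table):
    """Inbound is allowed only if it answers something we sent. Outbound
    packets record (proto, remote, remote_port, local_port); inbound must hit
    that key. A real tracker also ages entries and tears down on RST/FIN,
    which this toy omits."""
    key = (p.proto, p.remote, p.remote_port, p.local_port)
    if p.direction == "out":
        table.add(key)
        return "allow"
    if is_new_tcp_connection(p) or (p.proto == "icmp" and p.icmp_type == 8):
        return "drop"          # unsolicited connection attempt or echo request
    return "allow" if key in table else "drop"


# Constructed traffic: a web connection, a DNS lookup and a ping from this
# host, followed by the unsolicited inbound packets a scanner would send.
SCENARIO = [
    ("web syn out",      Packet("out", "tcp", "203.0.113.80", 80, 1025, frozenset({"SYN"}))),
    ("web syn/ack in",   Packet("in",  "tcp", "203.0.113.80", 80, 1025, frozenset({"SYN", "ACK"}))),
    ("dns query out",    Packet("out", "udp", "198.51.100.53", 53, 1026)),
    ("dns reply in",     Packet("in",  "udp", "198.51.100.53", 53, 1026)),
    ("echo request out", Packet("out", "icmp", "203.0.113.1", 0, 7, icmp_type=8)),
    ("echo reply in",    Packet("in",  "icmp", "203.0.113.1", 0, 7, icmp_type=0)),
    ("syn scan on 135",  Packet("in",  "tcp", "203.0.113.7", 4444, 135, frozenset({"SYN"}))),
    ("ack scan on 135",  Packet("in",  "tcp", "203.0.113.7", 4444, 135, frozenset({"ACK"}))),
    ("udp from stranger to 1026", Packet("in", "udp", "203.0.113.9", 53, 1026)),
    ("ping in",          Packet("in",  "icmp", "203.0.113.7", 0, 9, icmp_type=8)),
]


def compare(scenario=SCENARIO):
    """Run both policies over the scenario in order.
    Returns {label: (flag_only verdict, stateful verdict)}."""
    table = set()
    return {label: (flag_only(p), stateful(p, table)) for label, p in scenario}


if __name__ == "__main__":
    for label, (a, b) in compare().items():
        print(f"{label:28} flag-only={a:5} stateful={b}")
```

Both policies pass the legitimate replies and drop the SYN scan. They part ways on the ACK scan, the unsolicited UDP datagram aimed at a port the host happens to have used, and the inbound echo request: the flag-only rule lets all three through because none of them is a bare SYN, while the tracker drops them because nothing outbound created matching state.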
     