Inbound rule: Block All! Won't that kill a connection?

Discussion in 'other firewalls' started by Flexigav, Oct 18, 2012.

Thread Status:
Not open for further replies.
  1. Flexigav

    Flexigav Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    57
    Location:
    Australia
    I am led to believe the DHCP service needs local port 68 to be open to inbound UDP traffic, and the DNS service also needs ports open to inbound UDP traffic, as does loopback for TCP and UDP at local address 127.0.0.1...to mention some! If the default inbound rule is block all, won't there be connection problems? Or should the rule read "Block all unsolicited inbound traffic access"?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    It should block inbound unknown/unsolicited access
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Which firewall are you referring to?

    By "default inbound firewall rule", I assume you are referring to the last rule in your global or system rules? Many firewalls don't need an explicit rule like this; it is provided by default. Any inbound traffic not allowed by an inbound firewall rule is auto blocked.

    As far as a given inbound firewall rule goes, the "block edge traversal" option for inbound rules in the Win 7 firewall, for example, will deny any traffic matching the specifics of the rule (e.g. port, protocol, etc.) unless corresponding outbound traffic was performed.

    If your router has a "stateful inspection" feature, then the router will auto-block inbound traffic unless corresponding outbound traffic was performed.
    Note the degree of "stateful inspection" protection is variable in most software firewalls, with most retail firewalls providing basic protection only.
     
  4. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    All you mentioned is solicited so your rule would not block it. It would only block unsolicited inbound traffic.
     
  5. Flexigav

    Flexigav Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    57
    Location:
    Australia
    Thanks everybody. I have been a long-time user of the old Kerio personal firewall and if I block all inbound traffic on it...well it literally blocked all inbound traffic. I suspected that in general terms though, when "block all inbound traffic" is mentioned, it referred to all unsolicited traffic, but was not absolutely sure! I notice Windows 7 firewall claims all inbound traffic is blocked by default, so I should take it to mean all unsolicited inbound traffic is blocked by default!
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    If you're using the old Kerio 2.1.5, then what you need to do is place your block-all-inbound rule at the end. Then above that, you can define rules for whatever you need such as DHCP, DNS, browsers, etc. Any program that communicates outbound will usually get replies back as part of TCP traffic and sometimes UDP. So in general, set up all the rules necessary for normal operation of programs above, and put your block-all-inbound rule last. This will then block any other unsolicited inbound traffic coming in (other than what is defined in your rules above), much like a router would.
     
  7. Flexigav

    Flexigav Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    57
    Location:
    Australia
    Thanks, I had it set up that way, but unfortunately things have moved on and Kerio 2.1.5 development has long stopped. It was never made for 64 bit systems, so I am currently working with Windows 7 and trying some of the 3rd party user interfaces talked about in these forums. :-*
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Ok, sounds good. I didn't realize you were on Win 7 x64... For what it's worth, the Win 7 built-in firewall is quite good nowadays and there are some forum members here that are experts with it if you need help. But it's fun to try everything else too.. Good luck. :)
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    Correct. It also means that any process acting as a server, listening for inbound requests, will be blocked. Inbound rules, at least in regards to the Win7/Vista fw, are usually only created for the latter case or for allowing certain types of ICMP traffic, such as echo reply or destination unreachable, for example.

    You can try an experiment with the Win7 fw; assuming you have outbound allowed by default or you have rules in place to allow specific programs outbound comms, try creating an "inbound" block rule for one of your programs, such as your web browser. You will see that even with that inbound block rule enabled, the browser won't be blocked at all, and it's because the outbound rule allows your browser to make a solicited request, thus allowing the initiation and completion of the three-way handshake to establish full communications.
     
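The rule ordering Kerodo describes and the experiment wat0114 proposes both come down to the same mechanism: a stateful firewall checks a packet against flows the host already opened before it walks the rule list. The following is an added illustration, not code from the thread or from any firewall product; it assumes a first-match rule list, a simple 5-tuple connection table, and constructed RFC 5737 addresses.

```python
# Added illustration: a first-match rule list plus connection tracking,
# showing why a trailing "block all inbound" rule leaves solicited replies alone.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to this host
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    direction: str
    action: str      # "allow" or "block"
    proto: str = ""  # "" matches any protocol
    dport: int = 0   # 0 matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("", p.proto)
                and self.dport in (0, p.dport))

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules  # evaluated top to bottom, first match wins
        self.state = set()  # 5-tuples of flows this host opened outbound

    def filter(self, p: Packet) -> str:
        # An inbound packet mirroring a flow we opened is a solicited reply and is
        # accepted before any inbound rule (including block-all) is consulted.
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "allow"
        for r in self.rules:
            if r.matches(p):
                if p.direction == "out" and r.action == "allow":
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return r.action
        return "block"  # implicit default when nothing matches

# Ordered as Kerodo describes: specific allows above, block-all-inbound last. DHCP gets an
# explicit rule because an offer (server:67 -> broadcast:68) does not mirror the discover's
# addresses, so connection tracking cannot pair it with the outbound request.
RULES = [Rule("out", "allow"),
         Rule("in", "allow", proto="udp", dport=68),
         Rule("in", "block")]

def run_demo():
    fw = StatefulFirewall(RULES)  # addresses below are constructed (RFC 5737 ranges)
    dns_query = Packet("out", "udp", "192.0.2.10", 51000, "192.0.2.1", 53)
    dns_reply = Packet("in", "udp", "192.0.2.1", 53, "192.0.2.10", 51000)
    dhcp_offer = Packet("in", "udp", "192.0.2.1", 67, "255.255.255.255", 68)
    unsolicited = Packet("in", "tcp", "203.0.113.5", 40000, "192.0.2.10", 445)
    return {"dns_query": fw.filter(dns_query), "dns_reply": fw.filter(dns_reply),
            "dhcp_offer": fw.filter(dhcp_offer), "unsolicited": fw.filter(unsolicited)}
```

Feeding the DNS reply to a fresh firewall without the preceding query shows the other half of the picture: with no matching state it falls through to the final rule and is blocked.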
  10. Flexigav

    Flexigav Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    57
    Location:
    Australia
    That sounds good and aimed at a market of average users who are generally not educated in network security. I do find the standard Windows Vista/7 Firewall user interface awkward to use. For instance to block all inbound traffic from IP Address 127.0.0.1, I could put the rule in the block address section, but then if I wish to let a test through on that address, temporarily remove the block! In Kerio I would just put the allow rule above the deny all rule!
     