Internet Filtering Rules

Discussion in 'LnS English Forum' started by MikeNAS, Mar 14, 2008.

Thread Status:
Not open for further replies.
  1. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Hello!

I'm a big fan of rule-based firewalls and now I'm moving to Vista, so I have to change my old firewall (GhostWall) to something else. So I started to test some of the popular firewalls and chose LnS. So I have a couple of questions about Internet Filtering Rules.

    I'm a big fan of tight and secure rules, so I started to set up the same rules as I have with GhostWall.

    Code:
    Description		Rule						Local IP	Local Port	Remote IP	Remote Port
    -----------------------------------------------------------------------------------------------------------------------------------
    PORT 0 & 1		Block All Protocols Outgoing and Incoming 	Any		0-1		Any		Any
    
    LOOPBACK		Allow TCP Outgoing and Incoming 		127.0.0.1	Any		127.0.0.1	Any
    
    HTTP			Allow TCP Outgoing				My IP		1024-5000	Any		80
    HTTPS			Allow TCP Outgoing				My IP		1024-5000	Any		443
    
    IMAP			Allow TCP Outgoing				My IP		1024-5000	My EMAIL	993
    SMTP			Allow TCP Outgoing				My IP		1024-5000	My EMAIL	465
    
    DNS 1			Allow UDP Outgoing and Incoming			My IP		Any		My DNS 1	53
    DNS 1			Allow UDP Outgoing and Incoming			My IP		Any		My DNS 2	53
    
    BLOCK			Block All Protocols Outgoing and Incoming 	Any		Any		Any		Any
    
Of course I don't need the PORT 0 & 1 rule anymore, but how about LOOPBACK? I tested without it and everything works with Sandboxie and so on. ATM I have removed it but am still waiting for your answers. Then my HTTP and HTTPS rules. Why do I need to allow Incoming too with LnS, otherwise my browser doesn't work? I'm using a wireless connection so I also have to allow the WPA (EAPoL-802.1x) rule, and the ARP rule is always needed. So after all, here are my settings (quick brief):

    allow dns
    allow tcp
    allow wpa
    allow arp
    block all

I have set my IP address, local ports, MAC addresses and so on, so those rules are as secure as possible... Or at least I thought that. Then I found Phant0m's Ruleset and saw a huge amount of different kinds of block rules. Do I really need those and do they add more security? Basically Phant0m's Ruleset includes the same allow rules as I have but includes lots of other block rules. I suppose that if some connection doesn't match any allow rule then the last block-all rule is enough and as secure as blocking some connections earlier.

    What's the biggest difference between a normal and a raw rule? I can set up the DNS rule both ways, so I want to choose the better way to do it.

    MikeNAS

    EDIT: Raw rule question.
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi MikeNAS,

For the loopback address you need a rule because packets with this address are local only, they are not sent over the Internet, and thus they are not visible to the packet filter, which acts at the NDIS level.

    I don't understand why you are saying you need rules to allow incoming connections for your browser. This is normally not required, and the standard rulesets by default will allow HTTP connections without adding rules.

The purpose of Phant0m's ruleset is to allow precisely and exactly what is required, and block the rest. I've understood that you did the same.

    Raw rules offer more possibilities than normal rules. You can control any byte of the packet, and there is an OR option between fields (which avoids creating several rules).
    Typically the standard rule editing dialog box offers only some Ethernet types; if you need to block/allow a specific Ethernet type, you can do it with a raw rule.
    Note that a normal rule can be transformed into a raw rule, but the opposite is not always possible (as soon as specific raw rule features are used).
    For usual rules, I mean just allowing a specific port for UDP/TCP with a specific address, there is no reason to create a raw rule; a standard rule will do it and is easier to create.

    Regards,

    Frederic
     
  3. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
Thanks for your answer. I opened the Enhanced Rules and Phant0m's Rules and both have "TCP : Block incoming connections" and right after that "TCP : Authorize most common Internet services". The first blocks all inbound and the second allows connections in both directions (in/out). I don't understand why I have to do it that way. Why can't I just allow only out with the TCP : Authorize rule?
     
  4. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
The "Block Incoming connection" rule just blocks incoming packets trying to open a connection in server mode.
    The "TCP : Authorize most common Internet services" rule allows incoming and outgoing packets for client connections.

    In Look 'n' Stop, in/out apply to packets, not to connections. And of course you need to allow incoming packets for client connections to work.

    Frederic
     
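The exchange above (MikeNAS's outgoing-only HTTP rule with a final block-all, and Frederic's explanation of why "Block incoming connections" is followed by an allow rule that covers both directions) can be reproduced with a small first-match packet-filter model. This is an added example, not Look 'n' Stop code or either poster's ruleset as configured in the product; the `Packet` and `Rule` classes, the rule names, the host address `192.0.2.10` and the remote addresses are all constructed for illustration.

```python
"""Stateless packet-filter model: rules are checked top to bottom and the
first match decides, with every packet judged on its own (in/out apply to
packets, not to connections).  Added example; not Look 'n' Stop code."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for any rule field


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to this host
    proto: str          # "tcp" or "udp"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    syn: bool = False   # TCP flags that distinguish a connection attempt
    ack: bool = False   # from the packets of an established exchange


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                 # "allow" or "block"
    directions: tuple = ("in", "out")
    proto: Optional[str] = ANY
    local_ports: Optional[range] = ANY
    remote_ports: Optional[range] = ANY
    remote_ip: Optional[str] = ANY
    incoming_connection_only: bool = False      # match only an inbound SYN without ACK

    def matches(self, p: Packet) -> bool:
        if p.direction not in self.directions:
            return False
        if self.proto is not ANY and p.proto != self.proto:
            return False
        if self.local_ports is not ANY and p.local_port not in self.local_ports:
            return False
        if self.remote_ports is not ANY and p.remote_port not in self.remote_ports:
            return False
        if self.remote_ip is not ANY and p.remote_ip != self.remote_ip:
            return False
        if self.incoming_connection_only and not (p.direction == "in" and p.syn and not p.ack):
            return False
        return True


def decide(rules, p: Packet):
    """Return (action, rule name) of the first rule matching this one packet."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    raise ValueError("ruleset has no final catch-all rule")


MY_IP = "192.0.2.10"            # constructed host address (TEST-NET-1)
EPHEMERAL = range(1024, 5001)   # the 1024-5000 local port range from the first post

# Ruleset A: HTTP allowed outgoing only, then block everything (the first attempt).
OUTGOING_ONLY = [
    Rule("HTTP", "allow", directions=("out",), proto="tcp",
         local_ports=EPHEMERAL, remote_ports=range(80, 81)),
    Rule("BLOCK", "block"),
]

# Ruleset B: the shape of the standard rules described in the thread: first refuse
# inbound connection attempts, then authorise client traffic in both directions.
CLIENT_BOTH_WAYS = [
    Rule("TCP : Block incoming connections", "block", directions=("in",),
         proto="tcp", incoming_connection_only=True),
    Rule("TCP : Authorize HTTP client", "allow", proto="tcp",
         local_ports=EPHEMERAL, remote_ports=range(80, 81)),
    Rule("BLOCK", "block"),
]


def http_handshake(local_port=1500, server="198.51.100.7"):
    """First two packets of a client TCP connection to a web server (constructed)."""
    syn = Packet("out", "tcp", MY_IP, local_port, server, 80, syn=True)
    syn_ack = Packet("in", "tcp", MY_IP, local_port, server, 80, syn=True, ack=True)
    return [syn, syn_ack]


def connection_succeeds(rules, packets) -> bool:
    """A connection only works if every one of its packets is allowed."""
    return all(decide(rules, p)[0] == "allow" for p in packets)


def inbound_connection_attempt(local_port=1500, remote="203.0.113.9"):
    """An unsolicited inbound SYN whose ports look like a web reply (constructed).
    Only the connection-attempt rule tells it apart from a real SYN-ACK."""
    return Packet("in", "tcp", MY_IP, local_port, remote, 80, syn=True)


if __name__ == "__main__":
    for name, rs in (("outgoing-only", OUTGOING_ONLY),
                     ("block-in-then-authorize", CLIENT_BOTH_WAYS)):
        for p in http_handshake():
            print(name, p.direction, decide(rs, p))
        print(name, "HTTP client works:", connection_succeeds(rs, http_handshake()))
        print(name, "inbound connection attempt:", decide(rs, inbound_connection_attempt()))
```

With ruleset A the outbound SYN is allowed but the server's SYN-ACK, an incoming packet, falls through to the final block rule, so the browser never gets a page; that is the behaviour MikeNAS observed. With ruleset B the SYN-ACK is not a connection attempt, so the first rule skips it and the second allows it, while an inbound SYN carrying the same ports is caught by the first rule. Dropping that first rule would let the authorize rule, which must cover both directions, accept the inbound SYN as well, which is why the two rules are kept in that order.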