Jetico PF 2 and ports 49152-65535

Discussion in 'other firewalls' started by Lexor, Feb 6, 2019.

  1. Lexor

    Lexor Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    43
    Location:
    EU
    I use Windows 7 x64 with Jetico Personal Firewall 2. I have a question about ports 49152-65535.

    Quite a lot of different apps/games request inbound connect / outbound connect / send datagram to 127.0.0.1 over some port from the 49152-65535 range. I've been using "my restricted rules" so far, giving permissions only if an app/game is requesting a specific port, but some apps/games change these ports on each start, so it's a little annoying.

    I've also found this: https://support.microsoft.com/en-au...iew-and-network-port-requirements-for-windows
    Prior to Windows 7 I was using Windows XP with Kerio Personal Firewall and I've never heard about this "change".

    My question is: is it "a good idea" to set a firewall rule to "allow inbound connect / outbound connect / send datagram to 127.0.0.1 over any port from the 49152-65535 range" as a global one, which would mean "for every app/game on my system, before any other rules"? I'm asking because if this is a "safe thing to do", then why doesn't Jetico have it set by default?

    Does anyone still use Jetico 2 here? If yes, then what is your personal "solution" for this "problem"? :)
     
    Last edited: Feb 6, 2019
  2. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    You are complicating things for yourself.
    Make generic rules: create application tables or modify the existing ones (for example to build generic rulesets) in the left panel, then just link them when the network access request pops up for an app.
    Select a set of ports for receive/send datagram (UDP) and outbound connect (TCP), local and remote, and close the table with a block rule at the end.
    First make generic ones, like 1024-65535 local and remote for UDP, or add some other specific destination ports for TCP, then narrow the rules.

    Example for a simple game:
    Allow DNS -> accept local 1024-65535 to remote 53, receive/send datagram; remote IPs could be specified, if the DNS default table is not used.
    Allow UDP -> accept local 1024-65535 to remote 1024-65535, receive/send datagram
    Allow TCP -> accept local 1024-65535 to remote 1024-65535, 80, 443 (or any other port used/needed by the game), outbound connect etc.
    Protocol TCP/IP
    Block all the rest -> reject and log, to see what's being dropped.
    You can add here, before the block, an Allow ICMP rule (for BF4 for example), or you can allow send datagram to remote port 0 for the same purpose.

    Browser:
    Allow DNS -> accept local 1024-65535 to remote 53, receive/send datagram; remote IPs could be specified.
    Allow TCP -> accept local 1024-65535 to remote 80, 443 (or 8080 for a proxy), outbound connect etc.
    Protocol TCP/IP
    Block all the rest -> reject and log, to see what's being dropped.


    If the app works without a connection to a specific port, leave it blocked.
    In this way you avoid filling pages with individually allowed ports.
    The more you play with the firewall, the more tricks you will discover to stop leaks and such, and the easier it gets to handle.

    Hint: Another way of managing rulesets is under Groups -> Applications. Under Network activity you will notice, for example, a Web browser rule that comes before the rest and takes precedence; it points to the application table in the left panel, where you should find a Web browser set by default. In this way you don't have to answer a network activity prompt if you've already added an exe to those groups.
    Indirect access may create connectivity problems, as most apps use it, and blocking one indirect access will kill any other connection, so be careful if you use this one.
     
  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,940
    Dynamic ports should NOT be blocked unless there is a reason for SPECIAL programs to do so. If you want local restrictions, then allow local (127.0.0.1:any) and deny the rest (2 rules).
     
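As an added example that is not part of the thread and not Jetico's own code or rule format: a small Python model of the per-application rule tables the two replies describe, the "generic allows, then block the rest" game table from the second reply and the two-rule "allow 127.0.0.1:any, deny the rest" table from the third. The `Rule`/`Conn` classes, the top-down first-match evaluation, and the sample connection attempts are all assumptions constructed for the example; the only figures taken from the thread are the port ranges (1024-65535, the Windows Vista+ dynamic range 49152-65535 from the Microsoft article in the first post, and XP's 1025-5000).

```python
# Added example: a toy first-match evaluator for firewall rule tables.
# It does NOT implement Jetico Personal Firewall; rule semantics are assumed.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Default dynamic (ephemeral) client-port range on Windows Vista and later,
# per the Microsoft article linked in the first post; XP used 1025-5000.
WIN_DYNAMIC = (49152, 65535)
XP_DYNAMIC = (1025, 5000)
ANY_HIGH = (1024, 65535)   # the "1024-65535" span the second post recommends


@dataclass(frozen=True)
class Conn:
    """One connection attempt as a host firewall sees it."""
    proto: str          # "tcp" or "udp"
    direction: str      # "out" (connect / send datagram) or "in" (accept / receive)
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "block"
    proto: Optional[str] = None                  # None = any protocol
    direction: Optional[str] = None              # None = either direction
    local: Optional[tuple[int, int]] = None      # inclusive local port range
    remote_net: Optional[str] = None             # CIDR; None = any address
    remote: tuple[tuple[int, int], ...] = ()     # inclusive remote ranges; () = any


def in_range(port: int, rng: Optional[tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def is_dynamic_port(port: int, legacy_xp: bool = False) -> bool:
    """True if `port` lies in the OS default client-port range."""
    return in_range(port, XP_DYNAMIC if legacy_xp else WIN_DYNAMIC)


def matches(rule: Rule, c: Conn) -> bool:
    if rule.proto and rule.proto != c.proto:
        return False
    if rule.direction and rule.direction != c.direction:
        return False
    if not in_range(c.local_port, rule.local):
        return False
    if rule.remote_net and ip_address(c.remote_ip) not in ip_network(rule.remote_net):
        return False
    if rule.remote and not any(in_range(c.remote_port, r) for r in rule.remote):
        return False
    return True


def evaluate(table: list[Rule], c: Conn) -> tuple[str, str]:
    """Return (action, rule name) of the first rule in `table` that matches."""
    for rule in table:
        if matches(rule, c):
            return rule.action, rule.name
    # Safety net only; every table should end in an explicit block rule.
    return "block", "implicit-default-deny"


def decide(table: list[Rule], events: dict[str, Conn]) -> dict[str, tuple[str, str]]:
    return {label: evaluate(table, c) for label, c in events.items()}


# Table 1: the "simple game" ruleset from the second reply, read literally.
GAME_TABLE = [
    Rule("Allow DNS", "allow", "udp", None, ANY_HIGH, None, ((53, 53),)),
    Rule("Allow UDP", "allow", "udp", None, ANY_HIGH, None, (ANY_HIGH,)),
    Rule("Allow TCP", "allow", "tcp", "out", ANY_HIGH, None, (ANY_HIGH, (80, 80), (443, 443))),
    Rule("Block all the rest (log)", "block"),
]

# Table 2: the third reply's two-rule answer for loopback traffic.
LOOPBACK_TABLE = [
    Rule("Allow loopback any port", "allow", None, None, None, "127.0.0.1/32"),
    Rule("Deny the rest", "block"),
]

# Constructed connection attempts (not captured from any real system).
SAMPLE_EVENTS = {
    "dns lookup":        Conn("udp", "out", 51234, "192.0.2.53", 53),
    "game udp session":  Conn("udp", "out", 60000, "198.51.100.7", 27015),
    "https to cdn":      Conn("tcp", "out", 49153, "203.0.113.10", 443),
    "loopback helper":   Conn("tcp", "out", 49200, "127.0.0.1", 52000),
    "inbound tcp probe": Conn("tcp", "in", 49152, "198.51.100.9", 40000),
    "smtp from game":    Conn("tcp", "out", 49160, "203.0.113.25", 25),
}

if __name__ == "__main__":
    for name, table in (("game", GAME_TABLE), ("loopback", LOOPBACK_TABLE)):
        for label, (action, rule) in decide(table, SAMPLE_EVENTS).items():
            print(f"{name:8} {label:18} -> {action:5} ({rule})")
```

Running it shows the two properties a practitioner cares about when opening a wide port range: in the game table the 1024-65535 TCP rule is outbound-only, so an inbound attempt on 49152 still hits the block rule, and any destination port outside the listed spans (25 in the sample) is rejected and logged; in the loopback table the whole dynamic range stays open only towards 127.0.0.1, and the same attempts to external addresses fall through to the deny rule.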