Subject: ZA Expert Firewall/Program rules hierarchy

Discussion in 'other firewalls' started by stalker, Feb 2, 2004.

Thread Status:
Not open for further replies.
  1. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
    Hello. I posted this topic separately, because in my opinion it is very essential; I must say also that it is related to LowWaterMark's topic "Zone Alarm Plus/Pro Program Options".


    I am pretty "educated" about how to set firewall settings (I have already "studied" NPF, ZA, etc.), and I completely understand all about it (what ports, protocols, source/destination, etc. are).

    But here is the question: I am confused about the "priority"/"hierarchy" of rules enforcement. For example I understand (as it says in the help file) that Firewall/Zone Expert Rules are enforced before Zone Rules (general Trusted/Internet zone rules), and also before any Program Rules (expert or general), so therefore they are global. And it says also that the first matching rule is enforced while the others are ignored. On the other hand, Program (Access) Expert rules are executed depending on rank number.

    So to the main question. I must say here that I don't understand one thing - what (only talking about Program Rules here) are then Allow, Block, and Ask (red cross, question mark, green mark)?


    1.) If I for example:

    Set "Block All Access" (red cross) for one program, but then make (only one) expert rule which allows all (all ports, protocols, all sources/destinations) - which one will be used/applied?
    The same on the other hand: if I set "Allow All Access" for one program (green mark), but then make (only one) expert rule which blocks all (all ports, protocols, all sources/destinations) - which one will be used/applied?

    Here is another important question: in which manner should I set rules for some program (IE, Outlook, or a p2p sharing program) which basically has a lot of communications permitted?


    To set it to "Block All Access" (red cross), and then allow some of the communications, ports, etc. in Expert Rules?
    or ...

    To set it to "Allow All Access" (green mark), and then block some of the communications, ports, etc. in Expert Rules?


    So generally I understand the relationship between Zone and Program "General" vs. "Expert Rules", but not the relationship between settings made by those marks (green, red, blue) and Program Expert Rules.


    2.) There are also other possible "incompatibilities" or cases of "one rule overriding another rule".

    Like for example:

    "Program Expert rules" permitting or blocking port/protocol and permitting or blocking port/protocol in "Firewall - Custom - High/Medium security for Internet/Trusted Zone - Allow/Block Incoming/Outgoing TCP Ports" ...

    And there are many, so it is obvious that "priority"/"hierarchy" is essential here.


    3.) LowWaterMark wrote in his topic: http://www.wilderssecurity.com/showthread.php?t=3899
    "Since OE never needs "server rights", I have also blocked those capabilities."

    ... but I must say that in my case IE, OE (Outlook Explorer), and also alg.exe (application layer gateway) and svchost.exe (generic host process for Win32 services) all require "Server" permission from time to time, IE and OE more frequently, and alg.exe and svchost.exe rarely ...

    3.) LowWaterMark I have one more question for you:

    In your picture (OE-ExpertRules1-SummaryScreen.gif), I noticed that you create a new expert rule for each port. My question is - could I set all this in one rule?

    Meaning under "Modify" - "Add Protocol", you could set all the rules, one after another, for which you create separate independent rules. Just add a new protocol (let's say TCP, port pop3) after setting the rule for TCP protocol, smtp port, etc. And there also exist "Groups" of protocol rules ...

    Your way: (like in screenshot)

    Rank 1: Allow pop3 (TCP), My Computer, Trusted
    Rank 2: Allow smtp (TCP), My Computer, Trusted

    My way:

    Rank 1: Allow pop3, smtp (TCP), DNS (UDP), My Computer, Trusted


    Tip: Rather than putting all my mail servers in the Trusted Zone, I put the servers here under the "Destination" tab.



    Thanks for any explanation, tip, etc.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Program access settings (checkmark, X or ?) are evaluated first in all cases when determining whether to block a program access. If you put Xs in the access columns for a program, then that is it... No matter what you set in the program's expert rules, that program will be blocked. The expert rules are never reached to be evaluated because these access settings are applied first.

    The program expert rules are really meant to further refine the actual access a program gets, if it is being allowed (either with green checkmarks, or by answering Yes when asked by popup alert). So the common usage would be: Set a program to either allow (checkmark) or ask (?); Define a set of specific program access rules (like the ones I show for Outlook Express) that first define the specific access you do want to allow, then block the rest with a final block rule.

    That program will be blocked regardless, by the red X.

    Well, this program will be blocked, too, of course, because the expert rule to augment its access is a total blocking rule, but ZAP does reach the expert rules in this case. It gets by the first hurdle, the access settings, because you allowed it, and then it does check and enforce the expert rules.

    But, when program access settings are blocked, the expert rules aren't even looked at.


    Set a program to either Allow or Ask, and then refine its ports, timing, logging or other aspects with expert program rules.

    End of part I of answer. More to follow
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Yes, you must carefully consider the impact that different settings and types of rules will have on each other. But, as said in the ZA help, the general order is firewall expert rules, firewall custom settings & zones, program access settings and then program expert rules. In a way, you are narrowing your focus from global rules all the way down to specific allowed or blocked packets on a single program. Refining access as you go deeper and deeper.

    Well, this can be a complicated thing depending upon specific OS configurations. But, let's start with the overall usage of the "server rights" capability in ZA. You grant a program server rights if it is a server, i.e. a program meant to receive unsolicited inbound connections from the network. Common examples being: a webserver, an ftp server, p2p programs which are set to allow people to reach in and pull files from you, etc.

    OE and IE are not "servers", so they should not need "server rights" in ZAP. However, that does not mean that ZAP won't popup an alert from time to time asking if you want these programs to act as server (if you have the "server" column in ZAP's program settings set to "ask", that is.) Why? Well, it's the complexities of the OS...

    Example: I have Internet Explorer set to all "?" (all four columns in program settings). When I first start a new IE program session and connect somewhere, I have to answer Yes to an alert. From then on and until I close IE it remains allowed and I get no more alerts. Except that maybe once a day, if I'm really heavily hitting the web with IE, I'll get a popup alert from ZAP asking if I want to allow IE to act as server...

    This happens specifically when there is a slow down in responses from my ISP's DNS servers. When a DNS lookup response takes longer than ZAP normally allows, (there are timeouts involved when considering whether certain network traffic is related to previous traffic or is altogether new traffic), then when those DNS responses do arrive ZAP thinks they are new unsolicited connections coming in from my DNS servers. This causes ZAP to trigger an alert asking if I want IE to act as server to accept these packets.

    Basically, in this case IE was waiting longer for a reply from DNS than ZAP allowed. The late packets arrived, IE was still listening on its reply port but ZAP had timed out. Hence, it looks like IE is a server application when it really isn't.

    It's probably this same effect that is mostly responsible for what you are seeing, although svchost.exe can and will act as server for many other reasons, depending upon what network service settings you got configured on your system. But, svchost.exe is a whole massive topic in and of itself.

    On my system, I've tweaked network services such that ZAP never pops up an alert about svchost needing to act as server (even though I have the server columns set to "?" in program settings). Also, I've disabled alg.exe as I don't need it for anything. (It is also a complex service. It works with the XP ICF firewall, which I have disabled, and it works with FTP, if you let it. But, I have it disabled and I can still FTP without a problem.)

    End of part II of answer. More to follow...
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Well, almost... You could combine the four "allows" into a single rule, because they share the exact same other major parameters (Source, Destination and Time). If those varied then separate rules would still be required. And of course the final block rule must be separate because an expert rule is either set to "allow" or "block", not either/or. So, you do at least have to set the allows and blocks in separate rules.

    Here are some other examples of ZAP expert rules to show different ways of doing things. In this first one, you can't combine all the allows because each one is to a different custom destination.

    SpywareBlaster expert rules

    An expert rule to "block without logging"... Notice in this one I did combine the blocking of a port and ICMP packets in the same rule because all the other parameters were in common:

    Block, no logging worm traffic

    That's right, there are different ways of making this work and that would work, as well. Notice in the SpywareBlaster example above, I created a custom destination "Javacool sites". I've done this with my DNS servers, email servers and other items that make logical sense to combine into groups.
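The evaluation order LowWaterMark describes in part I of the answer (access column first, then program expert rules by rank, first match wins) and the rule-combining point made in this post can be modelled as a small simulator. This is an added example, not ZoneAlarm code and not from any poster in the thread; the rule sets, the hostnames and the assumption that an unmatched packet is allowed (the reason a final block rule is needed) are constructed for illustration.

```python
from dataclasses import dataclass

ALLOW, BLOCK = "allow", "block"
ANY = "any"


@dataclass(frozen=True)
class ExpertRule:
    rank: int
    action: str              # ALLOW or BLOCK: a rule is one or the other, never both
    protocols: frozenset     # {(proto, port), ...}; several protocols may share one rule
    destinations: frozenset  # hostnames, or {ANY}

    def matches(self, proto, port, dest):
        proto_ok = (proto, port) in self.protocols or (ANY, ANY) in self.protocols
        dest_ok = dest in self.destinations or ANY in self.destinations
        return proto_ok and dest_ok


def decide(access_setting, rules, proto, port, dest):
    """Return (decision, reason) for one outbound packet of a program.

    access_setting is the program's access column: BLOCK (red X), ALLOW (green
    check) or "ask" (treated here as answered Yes, i.e. the same as ALLOW)."""
    if access_setting == BLOCK:
        # The X wins outright; the expert rules are never consulted.
        return BLOCK, "access column is X; expert rules never reached"
    for rule in sorted(rules, key=lambda r: r.rank):
        if rule.matches(proto, port, dest):
            return rule.action, f"expert rule rank {rule.rank}"
    # Assumption for this model: nothing matched, so the packet falls through
    # as allowed. That is why the thread ends every rule set with a block rule.
    return ALLOW, "no expert rule matched (assumed default)"


# Constructed rule sets mirroring the thread's questions and examples.
ALLOW_ALL = ExpertRule(1, ALLOW, frozenset({(ANY, ANY)}), frozenset({ANY}))
BLOCK_ALL = ExpertRule(1, BLOCK, frozenset({(ANY, ANY)}), frozenset({ANY}))
# stalker's "my way": pop3, smtp and DNS combined in one allow rule (same
# source, destination group and time), followed by the separate final block.
MAIL_RULES = [
    ExpertRule(1, ALLOW, frozenset({("tcp", 110), ("tcp", 25), ("udp", 53)}),
               frozenset({"mail.example.invalid", "dns.example.invalid"})),
    ExpertRule(2, BLOCK, frozenset({(ANY, ANY)}), frozenset({ANY})),
]

if __name__ == "__main__":
    print(decide(BLOCK, [ALLOW_ALL], "tcp", 80, "www.example.invalid"))
    print(decide(ALLOW, [BLOCK_ALL], "tcp", 80, "www.example.invalid"))
    print(decide(ALLOW, MAIL_RULES, "tcp", 110, "mail.example.invalid"))
    print(decide(ALLOW, MAIL_RULES, "tcp", 80, "mail.example.invalid"))
```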
     