Sunbelt Personal, block unopened ports must be an internal rule

Discussion in 'other firewalls' started by chrizio, Feb 19, 2012.

Thread Status:
Not open for further replies.
  1. chrizio

    chrizio Guest

    Sunbelt, the latest 4.6 version.
    All filter rules have been created manually.
    On demand, particular rules are disabled/enabled.
    Neither the firewall's own automatics nor learning mode is or was in use.

    "Log traffic to unopened ports" is enabled.
    For some traffic which meets the "incoming to unopened port" criteria
    an advanced packet filter rule has been created manually. It was also named accordingly, just to recognize it quickly within a lot of log points.
    Anyhow, the firewall logs still show "to unopened port" instead of "my advanced filter rule for some inbound to unopened port" traffic.

    This says to me that "block all traffic to unopened port" rule must be some
    internal / fixed-coded rule and must have higher prio than all advanced packet filter rules.
    Is this true?
     
  2. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    Look in the Help file. They specify processing rules sequence.
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I can't say for certain, but yes, if I remember right, that's true... although I don't know if it has higher priority than an advanced packet filter rule; if that were true, you wouldn't be able to create a rule to open a port inbound if you needed to.
     
  4. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    Kerodo,
    See this thread by the same poster:
    https://www.wilderssecurity.com/showthread.php?t=318612

    Note that there's ruleId = 0 in the log of inbounds. That implies to me a built-in rule that can't even be followed in the xml file.
    Perhaps watching TCPView at the same time might show FF done with a port, system takes over, so the port is closed by then.

    Edited: I just looked at the config. It is a global, built-in rule in the section of gateway. I never enabled gateway, no need. So that's what's there, and I quote:
    <table name="Globals_kpf">
    <variable name="IsRunningOnInternetGateway">0</variable>
    <variable name="LogClosedPort">0</variable>
    <variable name="BootSecurity">1</variable>
    </table>
     
    Last edited: Feb 19, 2012
  5. chrizio

    chrizio Guest

    All this was discovered because some inbound traffic from the local DSL router was irritating me. After a short investigation I know that this is a service running on the router. It is fine for me, because I am using parts of this functionality.
    But after a long time in the future I might have forgotten it.
    And the same irritation will arise again. Therefore I was going to create
    an explicit advanced filter rule which does the same but is named unambiguously.
    If it hits, its name appears in the logs and I see immediately what it is.
    But as it turns out, this is not the proper way because the "block traffic to unopened port" rule seems to have higher prio than my advanced filter rule.
    It must have higher prio than mine, otherwise mine would not have been overridden by the block-to-unopened one.
     
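    To make the priority argument in the posts above concrete, here is a small added model (not the firewall's own code, and not from anyone in this thread) of a first-match packet filter with a built-in closed-port rule logged as ruleId 0 ahead of the user's advanced rules; the port numbers, rule names and default-permit fallthrough are assumptions.

```python
# Added model of first-match rule processing; not Sunbelt's code. Port numbers,
# rule names and the default-permit fallthrough are constructed assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

BUILTIN_RULE_ID = 0                 # the ruleId = 0 seen in the logged inbounds (assumed meaning)
BUILTIN_LABEL = "to unopened port"  # what the firewall log prints for the built-in rule

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    rule_id: int
    name: str        # the name the firewall log would show when this rule hits
    action: str      # "permit" or "deny"
    direction: str
    proto: str
    dport: int

def builtin_unopened_port(pkt: Packet, listening: set) -> Optional[Tuple[str, int, str]]:
    """Built-in rule: deny inbound packets to ports no local socket listens on."""
    if pkt.direction == "in" and (pkt.proto, pkt.dport) not in listening:
        return ("deny", BUILTIN_RULE_ID, BUILTIN_LABEL)
    return None

def user_rules_match(pkt: Packet, rules: list) -> Optional[Tuple[str, int, str]]:
    """Advanced packet filter rules, top to bottom; the first match wins."""
    for r in rules:
        if (r.direction, r.proto, r.dport) == (pkt.direction, pkt.proto, pkt.dport):
            return (r.action, r.rule_id, r.name)
    return None

def evaluate(pkt: Packet, rules: list, listening: set, builtin_first: bool) -> Tuple[str, int, str]:
    """Run both stages in the chosen order and return (action, rule_id, log label)."""
    stages = [lambda: builtin_unopened_port(pkt, listening), lambda: user_rules_match(pkt, rules)]
    if not builtin_first:
        stages.reverse()
    for stage in stages:
        verdict = stage()
        if verdict is not None:
            return verdict
    return ("permit", -1, "default")   # nothing matched (constructed default)

# Constructed scenario: only TCP 22 is listening; a user rule is named for UDP 1900 from the router.
LISTENING = {("tcp", 22)}
RULES = [Rule(17, "router service to unopened port", "deny", "in", "udp", 1900),
         Rule(18, "allow ssh inbound", "permit", "in", "tcp", 22)]
```

    With builtin_first=True the router probe comes back as ("deny", 0, "to unopened port") and the user's rule 17 never reaches the log, which matches what the thread observed; with builtin_first=False it would be logged under rule 17, and the listening SSH port still reaches rule 18 in either order.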
  6. chrizio

    chrizio Guest

    I didn't find any relevant hint in the help file, even before opening this thread.
     