Thread: Care and feeding of program expert rules.

  1. #1
    Join Date
    Dec 2002
    Location
    Mikado Michigan
    Posts
    2,596

    Default Care and feeding of program expert rules.

    No matter what program expert rule you make, there are a few things that need to be done and known.

    First, in program rules ALL rules will apply, whereas in a Firewall expert rule only the first applicable rule applies. Second, when you create a program Expert rule, there is one thing that always needs to be added, and another that may need to be added depending on how you set up your zones.

    The rule that should always come last (the rules are applied in order from 1 to whatever) is a blocking rule. Create a new rule and name it blocking (or whatever), then select Block as the action. You can leave everything else alone. This blocks everything except what you have allowed in the rules prior to this one.

    Another rule that you may need is a rule for DNS lookup. If you add this rule to each program, then you can restrict it to a single port and not put the DNS servers in the Trusted zone, but leave them in the Internet zone. For that, create a new rule, name it DNS (or whatever), as a destination add both (or all) of your DNS servers, then in the protocol section open only the DNS port. This allows only DNS to go between your computer and your ISP's DNS servers.

    The big thing to remember is that in the program expert rules they are ALL looked at for permission, from 1 to the last, and you have to add the blocking rule or all ports are open. This is really handy in email clients. No more junk coming through (pictures, remote pages and objects).
    My homes are SpywareHammer.com and DonHoover.net and BleepingComputer.com


    Consumer Security - 2011 & 2012

    Tilting at windmills hurts you more than the windmills.
    -From the Notebooks of Lazarus Long
    Senior of the Howard Families
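The rule set described in the post above (a DNS rule restricted to the DNS port and the configured resolvers, followed by a catch-all blocking rule), worked through as an added example. This is not ZoneAlarm's code; it is a small evaluator that models the behaviour the post describes: rules are read in order from 1 to last, an allow rule that matches before the trailing block rule wins, and traffic that no rule matches is permitted, which is why the block rule is needed. The email-client rule set, the port choices (587 and 993) and every address (RFC 5737 documentation ranges) are constructed for the example.

```python
"""
Toy evaluator for ordered program expert rules, modelled on the behaviour the
post describes. Added example, not ZoneAlarm's code. Rule semantics are taken
from the post; all addresses and port choices below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DEFAULT_ACTION = "allow"  # no rule matched: the port is open (the post's warning)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "block"
    destinations: tuple = ()     # host/network strings; empty = any destination
    protocols: tuple = ()        # e.g. ("udp", "tcp"); empty = any protocol
    ports: tuple = ()            # destination ports; empty = any port

    def matches(self, dst, proto, port):
        """A blank field matches anything, as a blank field in the rule editor would."""
        if self.destinations and not any(
            ip_address(dst) in ip_network(d, strict=False) for d in self.destinations
        ):
            return False
        if self.protocols and proto not in self.protocols:
            return False
        if self.ports and port not in self.ports:
            return False
        return True


def evaluate(rules, dst, proto, port):
    """Return (action, rule_name) for one outbound connection attempt."""
    for rule in rules:              # rules are applied in order, 1 to last
        if rule.matches(dst, proto, port):
            return rule.action, rule.name
    return DEFAULT_ACTION, "(no rule matched)"


def dns_rule(dns_servers):
    """The post's DNS rule: only the DNS port, only to the listed resolvers."""
    return Rule("DNS", "allow", destinations=tuple(dns_servers),
                protocols=("udp", "tcp"), ports=(53,))


# The trailing rule from the post: action Block, everything else left blank.
BLOCK_ALL = Rule("blocking", "block")


def mail_client_rules(dns_servers, mail_server, with_block=True):
    """Constructed rule set for an email client: DNS, the mail server, then block."""
    rules = [
        dns_rule(dns_servers),
        Rule("mail", "allow", destinations=(mail_server,),
             protocols=("tcp",), ports=(587, 993)),   # submission and IMAPS (assumed)
    ]
    if with_block:
        rules.append(BLOCK_ALL)
    return rules


# Constructed addresses from the RFC 5737 documentation ranges.
RESOLVERS = ("203.0.113.53", "203.0.113.54")
MAIL = "198.51.100.25"

if __name__ == "__main__":
    strict = mail_client_rules(RESOLVERS, MAIL)
    loose = mail_client_rules(RESOLVERS, MAIL, with_block=False)
    checks = [
        ("203.0.113.53", "udp", 53),    # DNS lookup to a listed resolver
        ("203.0.113.53", "tcp", 80),    # anything else to that resolver
        ("192.0.2.7", "udp", 53),       # DNS to an unlisted server
        ("198.51.100.25", "tcp", 993),  # the mail server, IMAPS
        ("192.0.2.80", "tcp", 80),      # remote image or page in an HTML mail
    ]
    for dst, proto, port in checks:
        print(f"{dst:15} {proto}/{port:<4} with block={evaluate(strict, dst, proto, port)} "
              f"without block={evaluate(loose, dst, proto, port)}")
```

Running it shows the point of the thread: with the blocking rule in place, only port 53 to the two resolvers and the mail ports to the mail server get out, so the remote-content fetch on port 80 is blocked; take the blocking rule away and that same fetch falls through to the default and is allowed.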

  2. #2
    sunnyview Guest

    Default Re: Care and feeding of program expert rules.



    "Another rule that you may need is a rule for DNS lookup. If you add this rule to each program then you can control it to a single port and not put the DNS servers in the trusted zone, but in the internet zone. And for that, create a new rule, name it DNS (or whatever)as a destination add both (or all) of your DNS servers, then in the protocol section, open only the DNS port. This allows only DNS to go between your computer and your ISP's DNS servers."

    Good stuff Hoov. When you say "add this rule to each program", do you mean as in Messenger, or must it be done for, say, Generic Host Process for Win32? DNS calls usually go out on Port-15 if I recall; will this technique still help or apply? In my case the trusted zone seems to be everything, or nothing runs. I am in back of a router and it gets assigned to the trusted zone when ZAP first sees a network.

    I didn't want to ask a bunch of questions, just focused on DNS, so this will help me! Thanks.



  3. #3
    Join Date
    Dec 2002
    Location
    Mikado Michigan
    Posts
    2,596

    Default Re: Care and feeding of program expert rules.

    The problem I always had putting it in the trusted zone is that it did open your system up a little to the servers. Granted, you should be able to trust them a little, but you are also taking a risk because you don't know about their security. So if you put it in every program that needs it and restrict it to just the DNS protocol, you are putting an even tighter grip on what you are allowing. I have created the rule and then put it into every program that needs to do DNS lookup. But you also have to put the blocking rule in too. So far it seems to be working, still tight as a drum.

  4. #4

    Default Re: Care and feeding of program expert rules.



    I hope you don't mind if I present a different point of view about the DNS rule. My thoughts about this are that taking all the necessary precautions we can (up-to-date anti-virus and trojan software, regular scans with these, Spybot S&D and Ad-aware) makes placing a DNS program rule unnecessary for each program that needs DNS access. I feel that implementing a single firewall DNS rule on a healthy system is sufficient, especially since we have installed ZA to help warn us about unauthorized internet access. Besides, malware will have the "phone home" addresses hard coded into itself, and therefore will not have a need to perform a DNS lookup.

    However, I do see what you are saying about putting a tighter grip on what is accessing the internet. But likewise that tight grip can become a choke hold when something goes wrong. Anyway, that's just my 2 cents.

  5. #5
    Join Date
    Dec 2002
    Location
    Mikado Michigan
    Posts
    2,596

    Default Re: Care and feeding of program expert rules.

    You are right, but I am thinking some of this stuff is getting sneakier all the time, and the way I am doing it puts in one more stumbling block just in case I accidentally approve of something. Of course these expert rules are still so new that I may decide you are right in a while.

  6. #6

    Default Re: Care and feeding of program expert rules.



    It's not about being right, but about exploring the Expert Rules and being better equipped to help others. OK that's enough OT for me.
