
Thread: Quick couple of questions about duplicating rules (between Firewall Expert and Program Expert)

  #1 da_jokker (Guest)

    Quick couple of questions about duplicating rules (between Firewall Expert and Program Expert)

    I have created some general firewall rules that allow HTTP:80, HTTPS:433, DNS:53, DHCP:67/68, and DENY everything else.

    Quest# 1:
    From my understanding then, ANY program that I give ALLOW access to the Internet Zone still has to follow those rules. For example, if I say Adobe Reader has access to Trusted/Internet and it tries to connect using port 76, it would get blocked. Is this correct?

    Quest# 2:
    If I want to lock down a specific program further, I can create Expert rules for that program. So, for example, if I want Internet Explorer to access HTTP:80 but nothing else, I could create Expert rules that allow HTTP:80 but deny everything else. Is this correct?

    Assuming my understanding is correct, here is my actual question: I have a rule that says ALLOW HTTP:80 and DENY everything else in my general Firewall configuration. Do I have to continue to duplicate these same rules over and over again for every individual program?




    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Pro

  #2 oldsod (Join Date: Dec 2005; Posts: 9,057)

    Re: Quick couple of questions about duplicating rules (between Firewall Expert and Program Expert)

    (quoting da_jokker's post above in full)


    Okay, first, before I reply directly to your questions, I will point out a few details or ideas for you.
    - Create these "global" or blanket rules in the Expert of the Firewall.
    - Use the Groups as much as possible (really does save time and confusion).
    - Use the correct DNS server IPs for the DNS rule(s). Also allow both TCP and UDP to the remote port 53 of the DNS, and allow all in from remote port 53 of the DNS servers.
    - The DHCP is similar to the DNS rule: use both outgoing and incoming for both the DHCP and the DHCP Client to the correct IP of the gateway/router. Optionally add the MAC of the router for simplifying/enhanced security/less confusion.
    - Use My Computer for the PC address for both the DNS and DHCP rules and for others too.
    - Repeat an outgoing and incoming rule for the Time Updater (UDP remote port 123) with the correct IP range or IP and subnet of the time servers.
    - I see no mention of IM or email servers?


    Quest# 1:

    From my understanding then is that ANY program that I give ALLOW access to the Internet Zone still has to follow those rules. For example if I say Adobe Reader has Access to Trusted/Internet and it tries to connect using port 76, it would get blocked.. is this correct?
    Correct, as long as Adobe has the correct rules added in the Program's Expert. If the alerts are set to High, ZA will alert on the blocked port activity.

    Quest# 2:

    If I want to lock down a specific program further, I can create Expert rules for that program. So for example if I want Internet Explorer to access HTTP:80 but nothing else, I could create expert rules that allow HTTP:80 but Deny Everything Else....is this correct?

    Correct. And...
    The Deny All Other or Block All rule should be placed last in the list of IE's expert rules. Deny All is the last rule in the order of the rules and should or could be set as log and alert (depending on your experience, paranoia, needs, firewall rule debugging process, etc.) or just log. Once the deny all rules and the ZA setup are really finalized and all is understood and you have become a firewall master, then the log or log-and-alert setting for the deny all rules becomes unimportant or trivial.
    I would, however, first add a DNS rule in IE's expert (allow outgoing TCP/UDP to the remote port 53 and allow incoming from the remote port 53 of the DNS IPs. Local ports of the PC can be either 1020-5000 or 1-5000 depending on your needs or how things work for you. Remember I did advise you to use Groups, and this is one of the places where a Group is needed. Use Groups often and as many times as possible.)

    To give you some idea about what I am talking about, mine looks like this (notice I customized the ICMP and disabled ZA's global rules for the ICMP. Oh, I did the same for the broadcast and unwanted protocols too).


    Oper rule is like this.


    Special pointers:
    Once you create "hard rules" for the application experts, you must always check the logs to see what was mistakenly blocked off or not included and needs to be added!
    Mistakes will happen - happens to everyone.
    Set the logging to High and make sure the block rules are set to alert and log - this helps a lot in tracing the mistakes, and makes creating the needed new rules or editing the old rules easier than without the logs and alerts.

    Once you do something with any firewall's rules, it does have a ripple effect!
    An example is the ICMP.
    You will find that once the ICMP rules are laid in, it is not just ping.exe, tracert.exe, etc. that need the ICMP rules added, but also command.exe, explorer.exe, winlogon.exe, userinit.exe and services.exe all need to have ICMP rules too. Or the tracert will not work. But the logs will show what was denied; work it from there and fix the issue. Then try it again and do another tracert. Still does not work? Check the logs again and see what was blocked. Edit or create new rules as needed. Try that tracert once again.
    Well you understand what I mean.

    Another example is the time updater.
    Not just svchost.exe needs the right time rule added, but so do a few other applications (like explorer, services and winlogon). By the way, svchost will also need the DNS and DHCP rules in its expert (remember I did say to make groups from the beginning of this reply).

    Oldsod.

    Message Edited by Oldsod on 06-03-2008 05:24 PM
    Best regards.
    oldsod
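The following is an added example, not part of the thread and not ZoneAlarm code: a small Python model of the layering oldsod describes above. It answers da_jokker's third question in code: reusable rule groups (DNS, DHCP, web) are defined once and referenced by name, a program's own expert rules are evaluated first-match, a global list serves as the fall-through, and a logged deny-all sits last in each list so that mistakes show up in the log rather than silently. The evaluation order (program rules before global rules), the router IP, the program names and the sample connection attempts are all assumptions for illustration. One caveat on the original post: it lists HTTPS as port 433; the registered HTTPS port is 443, which the model uses.

```python
"""Layered firewall rule model (illustrative; not ZoneAlarm's own engine).

Assumed evaluation order: a program's own expert rules are checked first,
first match wins; if nothing matches, the global firewall expert rules are
checked the same way; a logged deny-all closes each list. IPs, program
names and connection attempts below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "*"
PortSpec = Union[str, int, Tuple[int, int]]


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = ANY             # "tcp", "udp", "icmp" or ANY
    remote_port: PortSpec = ANY  # exact port, (low, high) range, or ANY
    remote_ip: str = ANY         # exact IP or ANY
    name: str = ""


@dataclass(frozen=True)
class Conn:
    program: str
    proto: str
    remote_ip: str
    remote_port: int


def _port_matches(spec: PortSpec, port: int) -> bool:
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


def matches(rule: Rule, conn: Conn) -> bool:
    return (rule.proto in (ANY, conn.proto)
            and _port_matches(rule.remote_port, conn.remote_port)
            and rule.remote_ip in (ANY, conn.remote_ip))


# Groups: written once, referenced by name from any rule list, so the DNS and
# DHCP rules are not retyped per program. 192.168.1.1 is an assumed router
# that serves both DNS and DHCP on this sample LAN.
GROUPS = {
    "dns":  [Rule("allow", "udp", 53, "192.168.1.1", "dns-udp"),
             Rule("allow", "tcp", 53, "192.168.1.1", "dns-tcp")],
    "dhcp": [Rule("allow", "udp", 67, "192.168.1.1", "dhcp-server")],
    "web":  [Rule("allow", "tcp", 80, name="http"),
             Rule("allow", "tcp", 443, name="https")],
}
DENY_ALL = Rule("deny", name="deny-all")


def expand(spec: list) -> List[Rule]:
    """Flatten a mix of group names and Rule objects, preserving order."""
    out: List[Rule] = []
    for item in spec:
        out.extend(GROUPS[item] if isinstance(item, str) else [item])
    return out


# Global firewall expert rules: web, DNS, DHCP, then deny everything else.
GLOBAL_RULES = expand(["web", "dns", "dhcp", DENY_ALL])

# Per-program expert rules. Internet Explorer is locked to DNS + HTTP only;
# Adobe Reader has no program rules, so only the global list governs it.
PROGRAM_RULES = {
    "iexplore.exe": expand(["dns", Rule("allow", "tcp", 80, name="ie-http-only"), DENY_ALL]),
    "AcroRd32.exe": [],
}


class Firewall:
    def __init__(self) -> None:
        self.log: List[str] = []

    def decide(self, conn: Conn) -> Tuple[str, str, str]:
        """Return (action, layer, rule_name) for one connection attempt."""
        layers = (("program", PROGRAM_RULES.get(conn.program, [])),
                  ("global", GLOBAL_RULES))
        for layer, rules in layers:
            for rule in rules:
                if matches(rule, conn):
                    if rule.action == "deny":
                        # Logged deny-all hits are how you find the legitimate
                        # traffic you forgot to allow (oldsod's "check the logs").
                        self.log.append(f"BLOCK {conn.program} {conn.proto} "
                                        f"{conn.remote_ip}:{conn.remote_port} "
                                        f"by {layer}/{rule.name}")
                    return rule.action, layer, rule.name
        return "deny", "implicit", "no-rule"


def run_samples() -> List[Tuple[str, str, str]]:
    """Evaluate the thread's scenarios against the model; returns decisions."""
    fw = Firewall()
    samples = [
        Conn("AcroRd32.exe", "tcp", "203.0.113.10", 76),   # odd port: global deny-all
        Conn("AcroRd32.exe", "tcp", "203.0.113.10", 443),  # global https allow
        Conn("iexplore.exe", "tcp", "203.0.113.10", 80),   # program http allow
        Conn("iexplore.exe", "tcp", "203.0.113.10", 443),  # program deny-all; global never consulted
        Conn("iexplore.exe", "udp", "192.168.1.1", 53),    # dns group reused, not duplicated
    ]
    results = [fw.decide(c) for c in samples]
    for c, r in zip(samples, results):
        print(f"{c.program:13} {c.proto} {c.remote_ip}:{c.remote_port:<4} -> {r}")
    return results


if __name__ == "__main__":
    run_samples()
```

The point the model makes concrete: once "dns" is a group, `PROGRAM_RULES["iexplore.exe"]` and `GLOBAL_RULES` share the same Rule objects, so changing the DNS server IP in one place changes it everywhere. It also shows why the per-program deny-all must be last: IE's request to 443 is blocked by IE's own list before the global `https` rule is ever consulted, which is the lockdown da_jokker asked about in Quest# 2.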
