A few questions from a ZA "migrant"...

Great product, finally decided to switch from ZA. :wink: I have a few “starter” questions:

-What application is “System”? In ZA, I had separate settings for svchost.exe, services.exe etc. Does “System” encompass all of these, or can it be split / configured separately? I had those settings pretty strict… 88)

-Is “Ask me” automatically executed even if it’s not listed at the end of global or application rules (I’m using Custom policy)?

-What exactly do the 5 default global rules for blocking ICMP do (protocol unreachable, 17.0, 15.0, 13.0, echo request)? Is the computer pingable from trusted hosts?

-As for network zones - I define a few IPs as well as localhost as trusted (and not the whole LAN range). Should computer’s own IP also be listed as “trusted” (in ZA it was only localhost 127.0.0.1 and other computers’ IPs)?
-Stealth ports - should I go for the “per case” setting or “trusted vs. rest”?
What I want is normal accessibility between trusted hosts (including MS sharing and ping), but stealth for the outside world (unless there’s an application that I approved to have (in some other terminology ;D ) “server/listening rights towards the internet”, in which case that application should be available from the outside world. And if I shut down such application, the ports where it was listening should become “stealth” (not closed) for the outside world. Does it work this way?

In Windows, the ‘System’ process (PID 4) is responsible for handling the majority of kernel mode system processes. As far as networking under CIS is concerned, the ‘System’ process handles connections for such things as NetBIOS/SMB (file and printer sharing protocols), Network discovery, IGMP and in certain circumstances VPN connections.

The main ‘service’ firewall rule in the default installation of CIS is the ‘Windows System Applications’ rule. This actually controls the connectivity for a number of processes, details for which can be found by looking at the group with the same name under Defence+/Computer Security Policy. If you want to create individual rules for system processes, you should delete this firewall rule and the corresponding Windows Updater Applications rule.

-Is "Ask me" automatically executed even if it's not listed at the end of global or application rules (I'm using Custom policy)?

If you’re using Custom Policy mode you should receive alerts for applications for which rules have yet to be created. Once an ‘Allow’ rule is generated the application will no longer prompt, unless something changes. If you wish to be alerted every time an application wishes to connect, use the ‘Ask’ option.

-What exactly do the 5 default global rules for blocking ICMP do (protocol unreachable, 17.0, 15.0, 13.0, echo request)? Is the computer pingable from trusted hosts?

Types 13, 15 and 17 are either obsolete or undesirable and hence blocked. The blocked echo request will prevent inbound PING from anywhere. If you need this kind of ICMP traffic on your LAN you will need to provide rules to cater for this.

-As for network zones - I define a few IPs as well as localhost as trusted (and not the whole LAN range). Should computer's own IP also be listed as "trusted" (in ZA it was only localhost 127.0.0.1 and other computers' IPs)?

When you install CIS it will usually detect the network it is connected to and prompt accordingly. If you select, for example ‘Home’, it will create a Network Zone called Home #1, which contains the full subnet address space. It also creates a Loopback Network zone. By themselves, the Network zones mean nothing, they are simply created to make things easier when you create firewall rules. If you wanted to restrict the number of addresses for your local subnet, you could modify the Network zone or create a smaller subnet.

-Stealth ports - should I go for the "per case" setting or "trusted vs. rest"? What I want is normal accessibility between trusted hosts (including MS sharing and ping), but stealth for the outside world (unless there's an application that I approved to have (in some other terminology ;D )

There’s nothing to stop you running Stealth Ports Wizard twice. The first time select:

Define a new trusted network and make my ports stealth for everyone else

This will add the rules necessary to allow file and printer sharing and allow ICMP traffic on your LAN. You can then run SPW a second time with:

Block all incoming connections and make my ports stealth for everyone

Which will hide you to the outside world. Of course, you could also create the rules manually.

"server/listening rights towards the internet", in which case that application should be available from the outside world. And if I shut down such application, the ports where it was listening should become "stealth" (not closed) for the outside world. Does it work this way?

If you’ve run SPW with the second option described above, ports should be ‘stealthed’ providing they’re not open.

Thank you for your reply. BTW, is it possible to lock yourself out (of Windows) completely with CIS? :slight_smile: Also, once an application was approved by me and has a rule on the list (for outgoing internet access only), will I still be asked should such application require incoming/server rights in the future?

I did what you advised with the stealth ports wizard. I see global rules were changed, and I’d like to know what exactly do these do:
-Allow IP out from MAC any to MAC any where protocol is Any (my logic says I won’t get any questions per application as this one allows everything out, or am I wrong?)
-Allow ICMP in from MAC any to MAC any where ICMP message is Fragmentation needed
-Allow ICMP in from MAC any to MAC any where ICMP message is Time exceeded
-Block and log IP from MAC any to MAC any where protocol is any (I added “log” to this one – does it mean every blocked attempt will be logged now - which is basically what I also want to have enabled?)

I’ve never heard of it happening but I guess anything is possible!

Also, once an application was approved by me and has a rule on the list (for outgoing internet access only), will I still be asked should such application require incoming/server rights in the future?

If you want to receive inbound alerts, you have to allow connections to be received. If you run SPW with the second option discussed above, it will prevent the connections from being made and thus suppress the alerts. However, if you enable logging against the inbound Block all rule, the connections attempts will be recorded.

I did what you advised with the stealth ports wizard. I see global rules were changed, and I'd like to know what exactly do these do: -Allow IP out from MAC any to MAC any where protocol is Any (my logic says I won't get any questions per application as this one allows everything out, or am I wrong?)

Application rules and Global rules work in slightly different ways. Typically, Application rules are used to control connectivity for individual processes, whereas Global rules are used to control ports and protocols. If an application wishes to make a connection to the Internet, it first needs an appropriate application rule. If this criterion is met the request will be compared with the global rules. Providing there are no restrictions at this stage, the request is allowed. Inbound connections are processed in the reverse direction, Global first, then application. If either set of rules imposes a block, the connection will be denied.

With regard to the aforementioned rule, this simply says that, assuming an application has an appropriate outbound rule, it’s allowed. If the application doesn’t have a rule, you will receive an alert.

-Allow ICMP in from MAC any to MAC any where ICMP message is Fragmentation needed -Allow ICMP in from MAC any to MAC any where ICMP message is Time exceeded -Block and log IP from MAC any to MAC any where protocol is any (I added "log" to this one -- does it mean every blocked attempt will be logged now - which is basically what I also want to have enabled?)

The two ICMP rules are considered important for certain aspects of network connectivity. The first is important for MTU/PMTU discovery and the second for use with tracert. The block rule is what I was referring to above.

So if there’s a global rule “Block and log IP In from MAC any to MAC any where protocol is any”, it doesn’t matter if the Application rule says an application can accept incoming connections, because this global rule will be consulted first, and thus the incoming connection blocked (hence, I was also never asked if I want to allow the application to receive incoming connections)?
If so, what has to be done to simply:
-get a question whenever an application needs to listen to incoming traffic;
-and still force all blocked incoming connections (regardless of other settings) being logged?

That’s correct, but please don’t forget the firewall rules are processed from the top (the first rule) to the bottom (the last rule). So, if an allow rule is above a block rule, with the same criteria, it will take precedence.

If so, what has to be done to simply: -get a question whenever an application needs to listen to incoming traffic; -and still force all blocked incoming connections (regardless of other settings) being logged?

Do you have many applications that require ‘server’ status? Typically, the only applications that will require specific inbound rules are those offering a service, such as a web server, ftp server, p2p, remote desktop etc. It should be easy enough to establish rules for any applications of this type and then to add a Block and log as the final rule. Remember, the firewall is stateful, so it doesn’t require specific inbound rules for general applications, such as browsers.
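The evaluation order described in the two replies above (outbound: application rule first, then global; inbound: global first, then application; rules read top to bottom; any block denies), as an added toy model that is not from this thread or from Comodo. The rule fields, helper names and sample rule sets are constructed for illustration and are not CIS's real data structures.

```python
# Added example (not from the thread or from Comodo): a toy model of the CIS
# rule-evaluation order described in the replies above. Rule fields and the
# helper names are constructed for illustration only.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                 # "allow" or "block"
    direction: str              # "in", "out" or "any"
    protocol: str               # "ip" matches every protocol
    port: Optional[int] = None  # None matches any port
    log: bool = False

    def matches(self, direction: str, protocol: str, port: int) -> bool:
        return (self.direction in ("any", direction)
                and self.protocol in ("ip", protocol)
                and self.port in (None, port))

def first_match(rules: List[Rule], direction, protocol, port) -> Optional[Rule]:
    """Rules are consulted top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(direction, protocol, port):
            return rule
    return None

def decide(global_rules, app_rules, direction, protocol, port, log=None) -> str:
    """Return 'allow', 'block' or 'ask' (alert) for one connection attempt.
    Outbound: application rules first, then global. Inbound: global first,
    then application. A block in either set denies the connection."""
    order = [app_rules, global_rules] if direction == "out" else [global_rules, app_rules]
    for rules in order:
        hit = first_match(rules, direction, protocol, port)
        if hit is None:
            return "ask"            # nothing matched in this set: user is alerted
        if hit.log and log is not None:
            log.append(f"{hit.action} {direction} {protocol}/{port}")
        if hit.action == "block":
            return "block"
    return "allow"

# Global rules as left by Stealth Ports Wizard (constructed to mirror the thread)
GLOBAL_STEALTH = [
    Rule("allow", "out", "ip"),
    Rule("block", "in", "ip", log=True),   # the final "Block and log" rule
]
# Same set with an allow rule for a server port inserted ABOVE the block rule
GLOBAL_WITH_SERVER = [Rule("allow", "out", "ip"), Rule("allow", "in", "tcp", 8080)] + GLOBAL_STEALTH[1:]

BROWSER = [Rule("allow", "out", "tcp")]                                     # outbound only
SERVER = [Rule("allow", "in", "tcp", 8080), Rule("allow", "out", "tcp")]    # "server" rights
```

With GLOBAL_STEALTH an inbound connection to the server is blocked and logged by the global rule before the application rule is ever consulted; with GLOBAL_WITH_SERVER it reaches the application rules, and an application without a rule yet produces an alert.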

Done – added a global rule to allow incoming connections to a selected port, so it is handled properly by the “server” application’s rules, and keeping the final global rule for block & log. :-TU
How about when such application isn’t running? The global rule accepts the incoming connection, and then what happens? Will it be handled by “System” application rules, or “reverted” back to final Block & Log global rule?

If the application is closed, the port should appear as stealthed, as there’s no active end point for the connection to terminate against.

OK, according to grc.com, it is so. But still (don’t hang me for it :smiley: ) – what do I do if I want the incoming attempts logged after/when the “server” application is closed? Or is this something for the wishlist…

If the application’s closed, there’s no point adding logging to the application rule, as all ‘stray’ traffic will be picked up by system idle process (Windows Operating System in CIS) or simply discarded. The best you can do is add logging to the Global rule. The only problem with this is, if it does log anything, it will log all inbound traffic it sees on that port and an unfortunate consequence of the Internet is background noise.

Yes, but that global rule (if we’re talking about the one allowing incoming connections to a selected port) will in turn also log everything when the “server application” is in service…
I tried adding block&log to the System application rule, but that didn’t do the trick.
So for now I manually move the block&log global rule above the one that allows incoming connections, when the server is not needed (so that I get the logging feature when “server” is off). Guess I’ll do more fine-tuning in the days to come. :slight_smile:

With regard to one earlier question… Isn’t the global rule “Allow IP Out From MAC Any To MAC Any Where Protocol Is Any” (in the default set of Global Rules) somehow redundant? I.e. if there is no Block/IP/Out global rule present, wouldn’t the applications (those with their application rules) be allowed to go out anyway?

It will.

I tried adding block&log to the System application rule, but that didn't do the trick.

This is the point I was trying to convey. If there’s nothing at the end to respond, either positively or negatively, nothing is going to be logged.

So for now I manually move the block&log global rule above the one that allows incoming connections, when the server is not needed (so that I get the logging feature when "server" is off). Guess I'll do more fine-tuning in the days to come. :)

Which will see every packet floating about the network that’s either directly, or indirectly, aimed at your PC.

With regard to one earlier question... Isn't the global rule "Allow IP Out From MAC Any To MAC Any Where Protocol Is Any" (in the default set of Global Rules) somehow redundant? I.e. if there is no Block/IP/Out global rule present, wouldn't the applications (those with their application rules) be allowed to go out anyway?

In the years I’ve been using CIS with that rule as an option, I’ve never used it. I typically remove it. I guess it will depend how you configure your Global rules.