Where you set the ALERT SETTINGS determines the granularity of the resulting ruleset.
Setting it to very high will create a rule for every access for every protocol for every direction (in or out) for every port and for every address. What this means is that, for a browser, you would end up with separate rules for every address you went to, as they are separate addresses. Lower settings produce correspondingly looser rules.
This setting would work in well with what you were asking about suspicious programs, as it would show all details for each outbound attempt.
Alright, now I understand the difference clearly. Thanks Panic :-TU
EDIT: This is a global setting, right? So let’s say I usually keep it at medium. Then I install an application - and I want to prevent it from having any contact with the outside (scenario). Before installing the application, I move the alert setting to Very High, install and create the custom rules accordingly.
Then I revert the setting back to Medium.
So here is my question: are there applications (not specifically applications with bad intent) which change port or mode of communication after installation to communicate with the outside? Or they don’t, it is static?
My point is if I create some block rules during installation and then revert to a more loose setting, if the application uses a different port or IP to communicate, I might not have an alert? (correct/incorrect?)