allow only the localhost for applications

Hi,

I need to allow localhost (127.0.0.1) for ALL my applications.

I have many apps that need internal TCP to communicate, but I don't want them to access the internet.

Do I have to make two rules for each of them? (e.g. allow, all, both, Hostname=localhost AND block, all, both, any)

This way it works, but it is much work.

Is there a better way?

THX

I don’t think you can define a global loopback rule, as a process is always required :(. It shouldn’t be too much work creating these rules, as you just have to allow the connection once (remember to set the remote port to “any”).

:slight_smile:

Yes, I tried this, BUT unfortunately after a reboot, two required services are not started. It seems that in the starting phase they need “more” than localhost. And: for one other program, it didn't even work at all.

Why does this FW block internal TCP/IP? I never saw this before.

And it seems impossible to solve the issues.

Is there a proven solution for this?

THX

Which services/processes?

Why does this FW block internal TCP/IP? I never saw this before.

Do you mean inbound TCP/IP? I guess this is for security reasons. If you're not prompted for an inbound connection, you can’t allow it by mistake. So you have to create these rules manually.

:slight_smile:

Beta version has option to skip loopback checks for TCP and UDP. Although skipping TCP isn’t recommended.

In this case, it was a defrag server, which gets its commands from the client, which has the GUI. So, the service/GUI type of app, communicating through TCP/IP, as it turns out.

Now I installed the new beta. I hope it is better.

As I wrote in other posts, I have now found the solution.

It's all about having a rule that allows only inbound, IP=0.0.0.0, any, any.

This is because when a program wants to “act as server”, this rule allows only the initial opening of the port. Otherwise, you would get a popup, press allow, and have a rule that allows ALL again.
(In the new beta, you can configure the popups, or rather the rules that come from them, to be very specific. So here it is possible to click allow and have a “good” rule.)

Of course, you need other rules that block and allow what you need, but always remember to exclude 0.0.0.0 from the blocking rules, because blocking rules are “over” allow rules. I don't think this is a good solution, but it works.

Greetz
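To make the per-application rule logic from the opening question and from the post above concrete, here is an added model of it in Python. It is not the firewall's own engine and not code from anyone in this thread; it only encodes the precedence the post describes (a matching block rule wins over any allow rule) and treats a connection that matches no rule as the popup ("ask"). Two assumptions are built in and labelled in the code: the block rule is taken to exclude the loopback address as well as 0.0.0.0, since under block-first precedence the loopback allow rule could never win otherwise, and the addresses and connection attempts are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Literal, Union

Direction = Literal["in", "out"]
Verdict = Literal["allow", "block", "ask"]

# Constructed sample addresses for the demonstration (not from the thread).
LOOPBACK = "127.0.0.1"
WILDCARD = "0.0.0.0"        # what a program "acting as server" binds to
INTERNET = "203.0.113.5"    # TEST-NET-3 documentation address, stands in for "the internet"


@dataclass(frozen=True)
class Rule:
    action: Literal["allow", "block"]
    direction: Literal["in", "out", "both"]
    remote: str = "any"                   # "any", "localhost", or a literal address such as "0.0.0.0"
    remote_port: Union[int, str] = "any"  # keep "any" for the loopback rule (the tip from the thread)
    exclude: frozenset = frozenset()      # addresses this rule never matches (the "exclude 0.0.0.0" trick)

    def matches(self, direction: Direction, remote_ip: str, remote_port: int) -> bool:
        if self.direction != "both" and self.direction != direction:
            return False
        if remote_ip in self.exclude:
            return False
        if self.remote_port != "any" and self.remote_port != remote_port:
            return False
        if self.remote == "any":
            return True
        if self.remote == "localhost":
            return remote_ip == LOOPBACK
        return remote_ip == self.remote


def decide(rules, direction, remote_ip, remote_port) -> Verdict:
    """Assumed precedence (as stated in the post): any matching block rule
    wins over any allow rule. A connection matching no rule is what would
    raise the popup; it is modelled here as "ask"."""
    if any(r.action == "block" and r.matches(direction, remote_ip, remote_port) for r in rules):
        return "block"
    if any(r.action == "allow" and r.matches(direction, remote_ip, remote_port) for r in rules):
        return "allow"
    return "ask"


# Ruleset from the post: let the program open its listening port (inbound from
# 0.0.0.0), allow loopback traffic, and block everything else. Assumption: the
# block rule excludes both 0.0.0.0 and the loopback address so the allow rules can win.
SERVER_AWARE = (
    Rule("allow", "in", WILDCARD),
    Rule("allow", "both", "localhost"),
    Rule("block", "both", "any", exclude=frozenset({WILDCARD, LOOPBACK})),
)

# Same rules, but the block rule forgets to exclude 0.0.0.0.
MISSING_EXCLUSION = (
    Rule("allow", "in", WILDCARD),
    Rule("allow", "both", "localhost"),
    Rule("block", "both", "any", exclude=frozenset({LOOPBACK})),
)

# Allow rules only, no block rule: anything else falls through to the popup.
NO_BLOCK_RULE = SERVER_AWARE[:2]

# Constructed connection attempts: (direction, remote address, remote port).
EVENTS = (
    ("in", WILDCARD, 8080),   # service opening its port at startup
    ("in", LOOPBACK, 8080),   # GUI client connecting to the service
    ("out", LOOPBACK, 8080),  # service side of the same loopback session
    ("out", INTERNET, 443),   # the program trying to reach the internet
)


def evaluate(rules) -> dict:
    """Map each sample event to the verdict the given ruleset produces."""
    return {event: decide(rules, *event) for event in EVENTS}


if __name__ == "__main__":
    for name, rules in (("server-aware", SERVER_AWARE),
                        ("missing 0.0.0.0 exclusion", MISSING_EXCLUSION),
                        ("no block rule", NO_BLOCK_RULE)):
        print(name)
        for event, verdict in evaluate(rules).items():
            print(f"  {event!s:32} -> {verdict}")
```

Running it shows the three situations the thread walks through: with the full ruleset the port opening and both loopback directions are allowed and the internet connection is blocked; drop 0.0.0.0 from the block rule's exclusions and the port opening itself is blocked, so a service that listens at startup never comes up; leave out the block rule entirely and the internet connection is neither allowed nor blocked but prompts, which is the popup that tempts you into an allow-all rule.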

In BETA releases,

Security->Advanced->Miscellaneous → Skip loopback TCP/UDP should help you.
2.2.0.11 does not have this option.

Egemen