Allowing my 4 ISP site names in network blocking

Today I added as the 1st 4 rules in my network monitor the site names used by my ISP.

Is this a good or bad idea? If not why not?

Be as blunt as you want in answering please just provide the rationale.

Thanks.

What kind of traffic or ports did you allow in?

Any and all types of traffic and ports.

I have about 40 blocking rules following these 4 ISP sites; 2 seem to be DNS sites and 2 are for their email service.

I have about 40 blocking rules

That is worrisome!
To my understanding, blocking rules are useless except for logging and the default deny-all last-resort rule.
Anyway, I think it is a very bad idea to open ports to any of your ISPs, no matter what the application is.
Why?
Because CPF is a stateful inspection firewall, and there is no need to explicitly open ports for most common and basic incoming traffic (e.g., HTTP, DNS, FTP, SMTP, POP3, etc.).
(Stateful Packet Inspection - SPI - in a nutshell automatically opens ports for incoming packets that are part of outbound, locally initiated traffic.)
The exception is if you have a server of some sort (BitTorrent, HTTP, FTP, etc.), for which you have to explicitly open ports.

My advice to you is to do a sanity check by posting your rules here and having the experts take a look at them.

Cheers

Hi! TY!

I will post my rules here for sanity inspection; that is a good idea! SO I ASK THE EXPERTS TO TELL ME HOW TO IMPROVE THESE NETWORK RULES, particularly on allowing the ISP’s. Seems to me that if I had 0 rules of my own the default accepts would allow my ISP’s sites anyway? :-\

My understanding is that network rules are very effective! Here is an excerpt from the CFW tutorial on the layered protection that may interest you.

Application Behavior Analysis and Component Monitor combined form the Advanced Security Analysis Monitor, which is truly the final state in our filtering/layering scenario. The flow of traffic through these layers of security can briefly be described as follows:

  • Incoming Connections

1- Network monitor applies filtering; if successful, it passes to the application monitor
2- Application monitor checks the target application; if allowed, it passes to the
3- Advanced security analysis monitor

If these 3 steps are passed, the application receives the connection.

  • Outgoing connections

The order changes :

1- Application monitor
2- Advanced security monitor
3- Network monitor

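The two points made above, that a stateful firewall admits replies to locally initiated traffic without any explicit allow rule, and that outbound traffic is checked by the application monitor before the network monitor, are easier to see in a toy model. The following is an added example written for this thread; it is not Comodo's code and not anything the posters provided. The process names, the RFC 5737 documentation addresses, the rule set and the "block this process only towards this host" application rule are all made up for illustration, and state is tracked by a plain 5-tuple rather than a real TCP state machine.

```python
"""Toy stateful, first-match packet filter with app and network layers.

Added illustration, not Comodo's code. Hosts, addresses (RFC 5737
documentation ranges) and process names are invented for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    app: str = ""    # local process owning the socket; "" for unsolicited inbound


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "block"
    direction: str = "any"  # "in", "out" or "any"
    proto: str = "any"
    remote: str = "any"     # remote IP, or "any"
    dport: int = 0          # 0 means any port

    def matches(self, pkt: Packet) -> bool:
        remote_ip = pkt.src if pkt.direction == "in" else pkt.dst
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and self.remote in ("any", remote_ip)
                and self.dport in (0, pkt.dport))


class Firewall:
    def __init__(self, net_rules, app_blocks):
        self.net_rules = net_rules    # evaluated top to bottom, first match wins
        self.app_blocks = app_blocks  # {process: {remote IPs it may not reach}}
        self.state = set()            # 5-tuples of flows this host initiated

    def _network(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # SPI: a reply to a flow we opened needs no explicit allow rule
        if pkt.direction == "in" and reverse in self.state:
            return "allow", "state table"
        for i, rule in enumerate(self.net_rules):
            if rule.matches(pkt):
                if rule.action == "allow" and pkt.direction == "out":
                    self.state.add(flow)
                return rule.action, f"net rule {i}"
        return "block", "default deny"   # last-resort rule at the bottom

    def _application(self, pkt):
        if pkt.dst in self.app_blocks.get(pkt.app, set()):
            return "block", f"app rule for {pkt.app}"
        return "allow", "app monitor"

    def check(self, pkt):
        # Inbound: network monitor first. Outbound: application monitor first.
        order = ([self._application, self._network] if pkt.direction == "out"
                 else [self._network, self._application])
        reasons = []
        for layer in order:
            verdict, why = layer(pkt)
            if verdict == "block":
                return verdict, why
            reasons.append(why)
        return "allow", " + ".join(reasons)


ME = "192.0.2.2"             # this PC (made up)
WEBMAIL = "203.0.113.10"     # ISP webmail host (made up)
PHONE_HOME = "198.51.100.7"  # a vendor "gathering" host (made up)
UPDATES = "198.51.100.8"     # the same vendor's update host (made up)


def build_firewall():
    net_rules = [
        Rule("block", "out", remote=PHONE_HOME),  # one of the "blocking rules"
        Rule("allow", "out"),                     # default: outbound allowed
    ]                                             # inbound falls to default deny
    app_blocks = {"av.exe": {PHONE_HOME}}         # av.exe may reach anything else
    return Firewall(net_rules, app_blocks)


def run_scenarios():
    fw = build_firewall()
    r = {}
    r["webmail_out"] = fw.check(Packet("out", "tcp", ME, 51000, WEBMAIL, 443, "browser.exe"))
    r["webmail_reply"] = fw.check(Packet("in", "tcp", WEBMAIL, 443, ME, 51000, "browser.exe"))
    r["unsolicited_smb"] = fw.check(Packet("in", "tcp", "203.0.113.99", 4444, ME, 445))
    r["av_phone_home"] = fw.check(Packet("out", "tcp", ME, 51001, PHONE_HOME, 80, "av.exe"))
    r["av_update"] = fw.check(Packet("out", "tcp", ME, 51002, UPDATES, 80, "av.exe"))
    r["other_phone_home"] = fw.check(Packet("out", "tcp", ME, 51003, PHONE_HOME, 80, "other.exe"))
    return r


if __name__ == "__main__":
    for name, (verdict, why) in run_scenarios().items():
        print(f"{name:18} {verdict:5} ({why})")
```

Run it and the webmail reply is admitted by the state table with no allow rule for the ISP at all, the unsolicited inbound packet dies at the default deny, and av.exe is stopped at the application layer for the one host while its update host stays reachable; any other process aiming at the same host is still caught by the network block rule further down.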

G’day,

Just so I know how to respond, can you answer the following;

  1. How do you connect to the internet, through a modem or through a router?
  2. Do you still have the default rules in place?
  3. Have you run the Trusted Network Wizard?
  4. What was your original intention or purpose in adding the first 4 rules to allow your ISPs “site names”?
  5. What forced you to create 40 (!?) blocking rules?

Cheers,
Ewen :slight_smile:

Hi Ewen: While enjoying a real Canadian :Beer: I will try to answer your questions.

  1. How do you connect to the internet, through a modem or through a router?

CABLE MODEM > H/W FW > ETHERNET ROUTER > MY PC

  2. Do you still have the default rules in place?

IF YOU MEAN THE 5 CFW 2.4 RULES AT THE BOTTOM OF THE NETWORK MONITOR, ANY TO ANY’S, YES!

  3. Have you run the Trusted Network Wizard?

YES, WHEN I FIRST INSTALLED CFW, THEN A 2 WEEK LEARNING MODE PERIOD

  4. What was your original intention or purpose in adding the first 4 rules to allow your ISPs “site names”?

I WANTED TO ENSURE THAT THEIR SITES WERE ALLOWED AND TO SPEED UP LOGIN TO THEIR WEB BASED EMAIL SERVICES WITHOUT RUNNING THROUGH MY 40+ BLOCKING SITES

  5. What forced you to create 40 (!?) blocking rules?

NOTHING FORCED ME

IT WAS DONE ON PURPOSE. SINCE I SWITCHED FROM ZA PRO I BLOCKED THEIR CALL HOME SITES THAT I CAUGHT THEM DOING, AND BIT DEFENDER AS WELL, PLUS SOME FOUND VIA WHOIS RESEARCH AND P2P HORROR STORIES. MY GOAL IS TO BLOCK ANY PACKET LEAVING MY PC THAT HAS NO BUSINESS DOING THAT. SOME SOFTWARE I FIND CALLS HOME EVEN THOUGH YOU TURN OFF THOSE OPTIONS.

Glad you said Canadian ■■■■ - if you’d said American “■■■■”, I’d have had to edit your post for alcoholic correctness. :wink:

2. Do you still have the default rules in place?

IF YOU MEAN THE 5 CFW 2.4 RULES AT THE BOTTOM OF THE NETWORK MONITOR, ANY TO ANY’S, YES!

Good! The standard rules are a very solid foundation to build on.

3. Have you run the Trusted Network Wizard?

YES, WHEN I FIRST INSTALLED CFW, THEN A 2 WEEK LEARNING MODE PERIOD

OK, we can assume there’s no issue within your LAN.

4. What was your original intention or purpose in adding the first 4 rules to allow your ISPs "site names"?

I WANTED TO ENSURE THAT THEIR SITES WERE ALLOWED AND TO SPEED UP LOGIN TO THEIR WEB BASED EMAIL SERVICES WITHOUT RUNNING THROUGH MY 40+ BLOCKING SITES

In an earlier post you said "Seems to me if I had 0 rules of my own the default accepts would allow my isp’s sites anyway?". You’re correct when you say the defaults do indeed allow traffic outbound to your ISP. I don’t know whether having explicit rules for your ISP’s servers is going to speed things up, particularly for web based email. I say this because web based email uses ports 80 and 443, the same as normal web traffic.

5. What forced you to create 40 (!?) blocking rules?

NOTHING FORCED ME

IT WAS DONE ON PURPOSE. SINCE I SWITCHED FROM ZA PRO I BLOCKED THEIR CALL HOME SITES THAT I CAUGHT THEM DOING, AND BIT DEFENDER AS WELL, PLUS SOME FOUND VIA WHOIS RESEARCH AND P2P HORROR STORIES. MY GOAL IS TO BLOCK ANY PACKET LEAVING MY PC THAT HAS NO BUSINESS DOING THAT. SOME SOFTWARE I FIND CALLS HOME EVEN THOUGH YOU TURN OFF THOSE OPTIONS.

I think a better way to do this would be to identify what executables are trying to phone home and then set up BLOCK rules in the application monitor for them. As you correctly pointed out in an earlier post, the application monitor is checked prior to the network monitor for outbound traffic, so the attempt would be blocked fractionally quicker.

Hope all this helps,
Ewen :slight_smile: :■■■■

Hi Ewen:

Thanks for replying. It does help. Here is your last point which I want to comment on/ discuss a bit more.

“I think a better way to do this would be to identify what executables are trying to phone home and then set up BLOCK rules in the application monitor for them. As you correctly pointed out in an earlier post, the application monitor is checked prior to the network monitor for outbound traffic, so the attempt would be blocked fractionally quicker.”

It would be better but it is not easy or in this case possible to do that. For example a site called report.bitdefender.com 80.86.106.67 is the “gathering site” for spam and world wide outbreak/virus information. I have confirmed that with their official user forum.

In that product, and others, you are offered a chance to opt in or out of virus reporting. I chose not to, since I don’t want products phoning home from my PC. Turns out the product does the phoning home anyway. It is not their update site. So to ensure I can update, I allow the update sites and block the “gathering site”. Telling the executable not to access the internet would not solve the problem while still allowing me to update BD AV 10 on an hourly basis.

If you can identify the application that phones home AND you know the IP it is phoning home to, you can easily create an application monitor rule that blocks that app from that IP, but not from other IPs.

This would be the easiest way, and I think it would be the best way (even better in V3, because you can give a rule a “friendly” name, like “BitDefender phone home BLOCK rule”).

Hope this helps,
Ewen :slight_smile: