Any change in philosophy?

I’ve chosen to clean install; based on previous upgrade experiences, one doesn’t benefit from improved predefined policies if upgrading. Hopefully this will change, although I understand it’s difficult to implement.

Until now, global rules took precedence over application rules.
I’m wondering if there’s a change in FW behavior, for outgoing.

How I came to this:
I’ve created the following global rule (second in my list):
Block and log TCP/UDP Out from IP any to IP any where source port is not in [1024-4999] and destination port is not in [80,443,8080] (defined as port sets)
This should block any access to UDP 53?

Firefox, defined as Webbrowser in apps is allowed to perform DNS queries. (svchost and all other …m$ blocked)
So, Firefox works like a charm, and IMHO it should not be able to find DNS.

Other settings: FW: custom, D+ Paranoid,
The other two global rules are: block ICMP any any… first
block IP in any any… third

What I’m trying to understand here, is if/why global rules aren’t of any use for outgoing connections of applications listed in apps rules.


I have seen other threads of “exclude” not working in the rules for ports and port sets in some circumstances. Try revising as “allow” rules followed by a block and log all. And global rules don’t really have precedence. For outbound connection, the application rules are evaluated first from top to bottom, and if an “allow” is found it is then evaluated against the global rules. For inbound, the global rules are evaluated from top to bottom, and if an “allow” is found, evaluated against the application rules. I don’t use global rules, so am not the expert. I think they are a PITA. :wink:

Thank you, sled, for your answer.
Yes, after posting here, I’ve replaced my “Block and log Out …if not in A …if not in B”, with
“Allow out… if in A if in B” - this one works as it’s supposed to.

Why haven’t I done it in the first place? Because of logs: if my last rule is
Block “and log” in/out any any…
then the FW log fills instantly with all traffic on my ISP WAN.

Anyway, I’ve learned something: “Block … if not in” is not the same as “Allow in”

Thanks again, Gabi
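The two lessons in this thread can be checked with a small model. The block below is an added example written for this page, not Comodo's code and not something any poster wrote. It uses Gabi's two port sets and shows why "Block if source NOT in A AND destination NOT in B" never matches a DNS query sent from an ephemeral port, while "Allow if in A AND in B" followed by block-all (or, equivalently by De Morgan, "Block if NOT in A OR NOT in B") does. It also models the outbound evaluation order sled describes (application rules first, an application "allow" then checked against the global rules); the packets and rule lists are constructed for the example, and the assumption that an outbound packet matching no global rule is allowed is taken from the behaviour Gabi reported.

```python
# Added example: rule-logic model for the thread's port-set rules.
# Not the firewall's code; packets and rule lists below are constructed.

EPHEMERAL = set(range(1024, 5000))   # set A: source ports 1024-4999
WEB_PORTS = {80, 443, 8080}          # set B: destination ports


def block_if_not_in_both(src_port, dst_port):
    """Gabi's original global rule: block when src NOT in A AND dst NOT in B.
    Returns True when the rule matches (packet blocked)."""
    return src_port not in EPHEMERAL and dst_port not in WEB_PORTS


def allow_if_in_both(src_port, dst_port):
    """The replacement: allow when src in A AND dst in B; anything else
    falls through to a final block-all. Returns True when blocked."""
    return not (src_port in EPHEMERAL and dst_port in WEB_PORTS)


def block_if_not_in_either(src_port, dst_port):
    """De Morgan: NOT (in A AND in B) == (NOT in A) OR (NOT in B).
    This is the block rule that actually complements the allow rule."""
    return src_port not in EPHEMERAL or dst_port not in WEB_PORTS


def outbound_verdict(app_rules, global_rules, pkt):
    """Outbound order as sled describes it: application rules top to bottom,
    first match decides; only an application 'allow' goes on to the global
    rules, again top to bottom. Assumption (from the thread's observed
    behaviour): a packet matching no global rule is allowed."""
    for action, match in app_rules:
        if match(pkt):
            if action == "block":
                return "block"
            break                      # app 'allow' -> consult global rules
    else:
        return "block"                 # no application rule matched
    for action, match in global_rules:
        if match(pkt):
            return action
    return "allow"


# Constructed packets: a DNS query from an ephemeral port, one from a high
# port outside set A, and an ordinary HTTPS connection.
DNS_EPHEMERAL = {"proto": "udp", "src": 1234, "dst": 53}
DNS_HIGH_PORT = {"proto": "udp", "src": 60000, "dst": 53}
HTTPS = {"proto": "tcp", "src": 2000, "dst": 443}

# "Web Browser" application policy, simplified to: allow all outbound.
FIREFOX_APP_RULES = [("allow", lambda p: True)]

# Gabi's original global list (only the TCP/UDP rule matters for UDP 53).
GLOBAL_ORIGINAL = [
    ("block", lambda p: block_if_not_in_both(p["src"], p["dst"])),
]

# The corrected global list: explicit allow, then block-and-log everything.
GLOBAL_FIXED = [
    ("allow", lambda p: not allow_if_in_both(p["src"], p["dst"])),
    ("block", lambda p: True),
]


def verdict_original(pkt):
    return outbound_verdict(FIREFOX_APP_RULES, GLOBAL_ORIGINAL, pkt)


def verdict_fixed(pkt):
    return outbound_verdict(FIREFOX_APP_RULES, GLOBAL_FIXED, pkt)


if __name__ == "__main__":
    for name, pkt in [("dns/ephemeral", DNS_EPHEMERAL),
                      ("dns/high-port", DNS_HIGH_PORT),
                      ("https", HTTPS)]:
        print(f"{name:14} original={verdict_original(pkt):5} "
              f"fixed={verdict_fixed(pkt)}")
```

Running it prints that the DNS query from port 1234 is allowed under the original rule (1234 is inside set A, so "source not in A" is false and the AND never becomes true) and blocked under the fixed list, while HTTPS passes both and the query from port 60000 is blocked by both. The same model makes sled's point visible: the global rules are only ever reached for outbound traffic after an application "allow", so they can tighten what an application policy permits but cannot be bypassed by it.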