Local loopback refers to the host itself. There's no reason to block it. Depending on the design of an app, it may access system resources via RPC (remote procedure call) over loopback.
I've created zones called [local_0] and [local_127] for IP addresses 0.0.0.0 and 127.0.0.1, respectively.
I allow TCP out from in [local_0] to in [local_127] (or vice versa) as is necessary per app. The specific ports are usually arbitrary. But in some circumstances they're particular, e.g., for the BOINC screen-saver, BOINCMNGR, the destination port is specifically 31416 (source port ANY).
IExplorer wants TCP out from in [local_0] to in [local_127], source port ANY, dest port in [Adobe RTMP],
and TCP out from in [local_0] to in [local_127], source port ANY, dest port in [HTTP ports].
Adobe RTMP ports: 843 / 1935
HTTP ports: 80, 81, 443, 8080
CFP.exe, i.e., the CIS FW, wants TCP out from in [local_0] to in [local_127], source port ANY, dest port 80 (of all CIS components it's the only one requiring a rule for that particular IP connection).
0.0.0.0 refers to this network, compared to 127.0.0.1 referring to this host. I have a network zone defined, [NIC], that refers to the host IP, i.e., 192.168.0.64, and [gateway] is 192.168.0.1. It's so much easier to implement rules using network zones, rather than typing IP addresses in manually each and every stinkin' time.
I shouldn't need rules for traffic from 192.168.0.65 to 192.168.0.66. If SYSTEM were intercepting that, a global rule would cover it: block IP from ANY to not in [NIC], src port ANY to dest port ANY. My system shouldn't be bothered by my children's PCs interacting.
To allow traffic in from any node on the LAN, create a [network] zone and add all the host IP addresses on the LAN into it. Then create a rule: allow IP from in [network] to in [NIC], src port ANY to dest port ANY. That allows traffic into the host IP, i.e., NIC.
To allow all nodes on the LAN access to localhost, a rule allowing IP from in [network] to in [local_127], src port ANY, dest port ANY, should work.
The above assumes static IPs within the DHCP-specified range. If you're using DHCP on the LAN, [network] can be defined as an IP address with mask: 192.168.x.0 / 255.255.0.0, where x = network address. In that case nodes on the network can have different host IP addresses.
When DHCP fails, APIPA allocates IP addresses in the private range 169.254.0.1 to 169.254.255.254. To cover that case, I'd create a zone called [APIPA] using IP address/mask: 169.254.0.0 / 255.255.0.0.
If you have devices with an IP out in the cloud, e.g., a smartphone with an ISP-assigned (public-facing) IP address, trying to get into your local network, that's a major security risk.
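To see how the zones and rules above fit together, here is an added example (not part of the original post, and not CIS code) that models them as a first-match rule list in Python and runs some constructed packets through it: the loopback app rules, the [network] -> [NIC] and [network] -> [local_127] rules, an [APIPA] -> [NIC] rule, and the global "block IP from ANY to not in [NIC]" rule. The application labels (BOINCMNGR, IExplorer, CFP.exe, SYSTEM), the default-block behaviour when nothing matches, and the sample addresses and ports are assumptions made for the illustration; the zone addresses and masks are the ones given in the post.

```python
"""Toy zone-based firewall matcher modelled on the post's zones and rules.

Constructed example: rules are checked in order, first match wins, and a
packet that matches nothing is treated as blocked (a stand-in for the
firewall alerting on unmatched traffic).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for zone, port set or application

# Network zones as named in the post. ipaddress accepts the dotted-mask
# form the firewall UI uses, so "x.x.x.x / 255.255.0.0" carries over as-is.
ZONES = {
    "local_0":   ipaddress.ip_network("0.0.0.0/32"),
    "local_127": ipaddress.ip_network("127.0.0.1/32"),
    "NIC":       ipaddress.ip_network("192.168.0.64/32"),
    "gateway":   ipaddress.ip_network("192.168.0.1/32"),
    "network":   ipaddress.ip_network("192.168.0.0/255.255.0.0", strict=False),
    "APIPA":     ipaddress.ip_network("169.254.0.0/255.255.0.0"),
}

ADOBE_RTMP = frozenset({843, 1935})
HTTP_PORTS = frozenset({80, 81, 443, 8080})


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "block"
    proto: str                               # "TCP", "UDP", or "IP" (IP = any protocol)
    src: Optional[str]                       # zone name, or ANY
    dst: Optional[str]                       # zone name, or ANY
    dst_ports: Optional[frozenset] = ANY     # ANY = any destination port
    src_ports: Optional[frozenset] = ANY     # ANY = any source port
    dst_not_in: bool = False                 # True models "to not in [zone]"
    app: Optional[str] = ANY                 # set = application rule, ANY = global rule


@dataclass(frozen=True)
class Packet:
    app: str       # assumed label for the process owning the connection
    proto: str
    src: str
    dst: str
    src_port: int
    dst_port: int


def zones_for(addr: str) -> List[str]:
    """Names of every zone containing addr (an address can sit in several)."""
    ip = ipaddress.ip_address(addr)
    return [name for name, net in ZONES.items() if ip in net]


def in_zone(addr: str, zone: Optional[str]) -> bool:
    return zone is ANY or ipaddress.ip_address(addr) in ZONES[zone]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.app is not ANY and rule.app != pkt.app:
        return False
    if rule.proto != "IP" and rule.proto != pkt.proto:
        return False
    if not in_zone(pkt.src, rule.src):
        return False
    # "not in [zone]" inverts the destination zone test
    if in_zone(pkt.dst, rule.dst) == rule.dst_not_in:
        return False
    if rule.src_ports is not ANY and pkt.src_port not in rule.src_ports:
        return False
    if rule.dst_ports is not ANY and pkt.dst_port not in rule.dst_ports:
        return False
    return True


RULES = [
    # Application rules from the post: loopback, [local_0] -> [local_127]
    Rule("allow", "TCP", "local_0", "local_127", dst_ports=frozenset({31416}), app="BOINCMNGR"),
    Rule("allow", "TCP", "local_0", "local_127", dst_ports=ADOBE_RTMP, app="IExplorer"),
    Rule("allow", "TCP", "local_0", "local_127", dst_ports=HTTP_PORTS, app="IExplorer"),
    Rule("allow", "TCP", "local_0", "local_127", dst_ports=frozenset({80}), app="CFP.exe"),
    # LAN rules from the post, plus an [APIPA] -> [NIC] rule for the DHCP-failure case
    Rule("allow", "IP", "network", "NIC"),
    Rule("allow", "IP", "network", "local_127"),
    Rule("allow", "IP", "APIPA", "NIC"),
    # Global rule: block IP from ANY to not in [NIC] (other LAN nodes talking to each other)
    Rule("block", "IP", ANY, "NIC", dst_not_in=True),
]


def decide(pkt: Packet, rules=RULES) -> str:
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"  # assumption: unmatched traffic is not let through


if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.5 is a documentation (TEST-NET-3) address
    samples = [
        Packet("BOINCMNGR", "TCP", "0.0.0.0", "127.0.0.1", 49152, 31416),
        Packet("IExplorer", "TCP", "0.0.0.0", "127.0.0.1", 49153, 8081),
        Packet("SYSTEM", "UDP", "192.168.0.65", "192.168.0.66", 137, 137),
        Packet("SYSTEM", "TCP", "192.168.7.23", "192.168.0.64", 50000, 445),
        Packet("SYSTEM", "TCP", "203.0.113.5", "192.168.0.64", 40000, 445),
    ]
    for p in samples:
        print(f"{p.app:10} {p.src:>14} -> {p.dst}:{p.dst_port:<5} {decide(p)}")
```

The /16 mask on [network] is what lets 192.168.7.23 reach [NIC] even though it is not on the same 192.168.0.x subnet as the host, which is the DHCP case the post describes; the two children's PCs talking to each other (192.168.0.65 to 192.168.0.66) fall through to the global rule and are blocked, while the public address never matches any allow rule.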