Application Rules - ICMP


Booted XP and I noticed that CFP will create general rules from the alerts concerning ICMP.
“(…) Where ICMP Message Is Any”

I have Alert Frequency level set to Very High, as always. Shouldn’t this create specific rules for ICMP as well (echo reply etc.), besides TCP and UDP (in this case it’s specific port, IP)?

What about source ports and IPs for UDP and TCP? Indeed this isn’t a big issue, I can always set to NOT privileged ports and so on. But is this what you think is the appropriate behaviour if I set Alert Frequency to high?
Could we put another level, “Maximum”? ;D

What do you guys think about it?

I have ICMP echo request tied to the MAC address of the router. I like using the max firewall alerts too.


ICMP messages should be treated like any others, with specific types called out for H, VH. If they aren’t, sounds like a bug. The source ports for UDP and TCP are a bit different. A lot of the messages select source ports randomly, then with a one-up counter (http, ftp for example), as opposed to things like DHCP that use specific ports on both ends. But worth submitting a bug report also to have this behavior where appropriate with very high or high. This degree of protocol and rule understanding is just not in CFP3 at this point. And having all rules at the same level, instead of selecting L, M, H, VH from the popup makes little sense. My favorite deficiency is that CFP3 doesn’t understand passive FTP. You need to make a static rule to allow all the unprivileged ports instead of CFP3 recognizing the server response and allowing it with SPI. So now you have allowed http on all of them too.
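
Added example, not part of the original thread and not Comodo's code: a sketch of what recognizing the server's passive-mode reply lets a stateful firewall do, compared with the static rule over all unprivileged ports described in the post above. The `Pinhole` type, the function names, the privileged-port policy and the sample addresses are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass(frozen=True)
class Pinhole:
    """Hypothetical single-connection allow rule for the FTP data channel."""
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def pinhole_from_reply(reply_line, control_peer_ip):
    """Return a Pinhole for an acceptable 227 reply, or None if it is ignored."""
    m = PASV_RE.match(reply_line.strip())
    if not m:
        return None  # not a passive-mode reply
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # p1 is the high byte, p2 the low byte
    # Only open a hole toward the server the control connection already talks to;
    # a reply that names a different host is not honoured.
    if ip != control_peer_ip:
        return None
    # Assumed policy: data ports must be unprivileged, so a reply cannot be
    # used to open a path to a service such as port 80.
    if port < 1024:
        return None
    return Pinhole(ip, port)


def static_rule_port_count(low=1024, high=65535):
    """Ports left open by the static 'all unprivileged ports' workaround."""
    return high - low + 1


if __name__ == "__main__":
    # Constructed sample reply using a documentation address (192.0.2.0/24).
    line = "227 Entering Passive Mode (192,0,2,10,195,80)"
    print("dynamic rule:", pinhole_from_reply(line, "192.0.2.10"))
    print("static rule opens", static_rule_port_count(), "ports")
```
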

I understand what you’re saying. The firewall per se needs attention now I think.
It has improved on 2.4 no doubt (big usability improvements imo), only went back in terms of the main GUI ;D
But it needs further improvement. Attention on these aspects is needed, in my view.