application rules: what is "stronger", block or allow, if two rules apply ?

I’m really glad, that I have solved many issues, that cost me hours, but I thought maybe this soft is worth it.

Ok, on with the questions, lol, a simple one this time:

if I have two app. rules for the same app, that both apply on specific data packet, and one would allow it and one would block, which is “stronger” then, e.g. which RULEZ ?

See, sometimes would be easier to have one “allow XY” and one “block all” rule, but since now in testing it seems, that block is stronger, but I may be wrong.

(the other way would be to have a “allow xy” rule and a “block all, except for xy” rule.)
(ok, or “allow all” + “block all, except xy”)

Someone who really knows this for sure ??

THX

Good question ???. You can’t order application rules so I would suggest creating these two rules (say for IE) and see what happens.

:slight_smile:

Yes, I did. And for my testing, it seems, that BLOCK is “over” ALLOW.

This is a little annoying, cos it means more work on rules, for example:

must have:

allow,both,IP=169.130.0.20,any
+
block,both,except(!) = IP=169.130.0.20,any

if you only have allow one, you get popups. If you try the allow one + block all, the block seems stronger (for all my testing).

For more complex rules, there is NO solution I would think, because it is NOT possible to give more than one exception (sure, you can put in a range, but what if you need two ranges or IPs ?)

A solution would be to skip the block rules and turn off popups, but this can't be done app specific, so I can imagine, that one will search long, until he finds why his prog xy is not working (got no block popup).

This is something for the next version, I think.

greetz

Again, all is not as it seems, lol.

It reveals, that the rules in application window apply in the same manner as the network monitor rules. That is: From TOP to BOTTOM !!!

So, if a block rule is first, then all allowing is for nothing, but if the allow rule is first the traffic is allowed.

BUT, you can't change the sequence, as in monitor window. SO, if you have a false sequence, you got to delete them all !!!
AND: You can't really know, which popup asks you first. The one for allow or the one for deny, so you got to make it by hand.

Yes, it is read from the top to bottom. But the application rules structure is being redesigned. They will work like network monitor. Currently, you won't be able to change the order of the rules like in network monitor.
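The top-to-bottom, first-match behaviour described in the posts above, as an added example that is not part of the original thread and not the firewall's own code. The rule model (`AppRule`, `evaluate`, `shadowed`), the `"ask"` result standing for a popup, and the second address 169.130.0.21 are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class AppRule:              # hypothetical, simplified rule model
    action: str             # "allow" or "block"
    direction: str          # "in", "out" or "both"
    network: str            # remote range in CIDR form; "0.0.0.0/0" means any

    def matches(self, direction, remote_ip):
        dir_ok = self.direction in ("both", direction)
        return dir_ok and ip_address(remote_ip) in ip_network(self.network)

def evaluate(rules, direction, remote_ip):
    """First matching rule wins; with no match the user would get a popup."""
    for rule in rules:
        if rule.matches(direction, remote_ip):
            return rule.action
    return "ask"

def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_dir = earlier.direction in ("both", later.direction)
            covers_net = ip_network(later.network).subnet_of(
                ip_network(earlier.network))
            if covers_dir and covers_net:
                dead.append(i)
                break
    return dead

# Constructed rule sets using the address from the thread.
ALLOW_HOST = AppRule("allow", "both", "169.130.0.20/32")
ALLOW_HOST2 = AppRule("allow", "both", "169.130.0.21/32")  # constructed address
BLOCK_ALL = AppRule("block", "both", "0.0.0.0/0")

ALLOW_FIRST = [ALLOW_HOST, ALLOW_HOST2, BLOCK_ALL]  # two exceptions, then block
BLOCK_FIRST = [BLOCK_ALL, ALLOW_HOST]               # allow rule is dead

if __name__ == "__main__":
    for name, rules in (("allow first", ALLOW_FIRST), ("block first", BLOCK_FIRST)):
        verdict = evaluate(rules, "out", "169.130.0.20")
        print(f"{name}: 169.130.0.20 -> {verdict}, shadowed rules: {shadowed(rules)}")
```

With first-match ordering, several allow rules followed by one block-all rule cover the multi-exception case, and `shadowed` flags a sequence where an earlier block makes a later allow unreachable.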

Hi egemen,

I think, what really is needed, is a technical paper, on how this soft handles rules, does this and that.

I really like the FW, you did good job, but it's hard, if you always have to try and error on so many things…, 6 hours after installing the 2.2.0.11 I was near to throw it all away, cos I couldn’t get it done what I wanted, esp. for loopback things.

(I know that manuals are ALWAYS the stuff that is most missing for “for free” soft, but it would be really great)