Block all in, upper priority allow rules dont work? Am I doing something wrong?


First of all, I believe I understand how the firewall’s rules system is supposed to work. Lower priority on bottom, higher priority rules on top. Still I cant manage to get my rulesets to work.

  1. I create a rule to block all incoming traffic.
  2. I create rules to allow incoming traffic to wanted ports (ie. 80, 20, 21, 110 etc).
  3. I move the block rule to bottom of the priority list.
  4. All incoming traffic is still blocked, even on the “top” priority allowed ports.

Am I missing something?

Also I would like to know if I could block all incoming traffic, for except certain applications? In example if I have apache listening on port 80, the firewall would prioritize this and allow incoming traffic even though I would set a “block all incoming traffic” with global rules? Would save a lot of work and writing of ports.

At the moment I have specified every blocked port manually in port sets. But this gives another problem: For example passive ftp uses a port that changes, and I would need to open up a range of ports for this application.

Also I have a seperated LAN/WAN IP’s, after blocking all incoming ports the LAN file sharing etc is not working, even though I’ve specified both IP’s and MAC’s that would be allowed ALL IN/OUT. Again this rule is prioritized as higher than the “block incoming” rule.

Any tips would be welcome.

Do you have application rules also for the ports your are allowing in? The global rules only provide access to the application rules. Try using the predefined rules for ftp client, web browser, … for your applications.

I tried this.

And I do have application rules that allow the applications to access any network.

I also noticed SMTP port (25) stopped functioning.
I am connecting port 25 only from localhost, and I am allowing both in/out traffic from localhost.
I cannot open up port 25 from the “block” ruleset, I dont want to have an open SMTP port.

I had a similar problem with CFP on one of my many installs. I could not get my LAN to communicate the only way i could solve it was to uninstall CFP in safe mode run the uninstall script this links straight to the download for the uninstall script and/or see the detailed instructions for uninstall here

see the instructions at the bottom titled “For novice users or people that want to save time”

Hope this helps