block all incoming connections

I’ve noticed that if you select the third option in the stealth port wizard, it will block all connections using an IP address, but why are there 3 rules that are set to allow?

The first rule allows outbound connections. This rule is not strictly necessary unless you’re also using Global rules to restrict some outbound communication. The other two are for specific inbound ICMP connections:

Fragmentation Needed - This tells your system the destination was unreachable because the packet being sent was too big and it should be sent again with the fragmentation flag set.
Time Exceeded - This tells your system the destination couldn’t be reached because the life of the packet expired before delivery. This rule is used by Tracert.

So, should I delete the allow rules and just keep the block rule or should I change the allow rules to ask rules? You would think that if the first rule allows outbound connections, then if an infected computer taps on your firewall to see if it will respond, the rule that allows outbound connections will allow whatever is being tapped into by the infected computer would respond, right?

It’s up to you, however, the ICMP rules play an important role in identifying problems with communication. Personally, I’d leave them as they are.

Only if there’s a process, with an application rule, that’s allowed to respond. Global rules don’t work without appropriate Application rules.

Based on the information that you have been telling me, I think that I will delete the very first allow rule while keeping the last two allow rules. My reason for this is that, if what I said is true and an infected computer would reach out to mine and “talk” to a program on it, the program that was talked to will be able to send information off my computer back to whoever is controlling the infected computer. So, from what I can tell, if I remove the rule completely, even if the program is talked to, it will not send any info back and thus the security risk will be avoided. Please correct me if I am wrong in what I am saying.

Also, the FW detects my home network and is asking me to select one of the three options for it. If I select the home option, will just the router and stuff in my house be able to go through as safe and nothing else besides what is in my home network go through, or is there a slight chance of a security risk that maybe a virus or a Trojan be able to communicate with someone or something if it manages to get into my computer while I am at home?

The allow IP out Global rule isn’t necessary to allow outbound connections. If you remove it, any application with an appropriate application rule will still be allowed out. Personally, I’ve never found a use for the rule.

Network detection is based on the IP address CIS ‘sees’ when in use. It really doesn’t matter if you select Home or Work for the Identifier, as they’re only labels. Any Network Zone created manually or via the auto-detection mechanism in CIS, actually has to be used as part of an Application or Global rule to have any effect.

As far as ‘reach’ of the detected network, basically, anything with an IP address belonging to the subnet identified will be included. For example:

If your home network uses addresses from the 192.168.x.x/255.255.255.0 range, let’s assume it’s specifically 192.168.1.0/255.255.255.0 then any device that has an IP address between 192.168.1.1 and 192.168.1.255 would be considered to be on the same subnet.

So, it won’t do any good whether I keep it or not?

So, if I select home in the network detected screen, it won’t do anything, but just add allow rules for everything in my network? So, if a malware got on my system, then it would be allowed to do what it wanted since I have put the network as my home network on the screen selection? Please help me understand, I’m really confused.

It won’t make a difference. Connections are allowed outbound by default, but only by those applications that have an Application rule.

If you select one of the options from the ‘New Network Detected’ dialogue, for example ‘Home’, it will create a Network Zone called ‘Home #1’ and it will add two Application rules to the System process and two Global rules. These rules allow connections to and from anything defined by the Zone. Basically, the rules allow you to use Microsoft File and Printer sharing on your LAN.

So, you’re saying that it won’t do me any good if I don’t have a printer or file sharing enabled?

If you’re not sharing any resources between PCs on your LAN, there’s no real point in establishing a ‘trusted’ network. Just make sure you don’t disable communication with your router.

“Block IP in any any” is a very useful (global) rule, which gives protection and avoids annoyance.
(P2P or running a real server might need specific exceptions. Everything else should run as usual.)
The two ICMP exceptions can be useful.
The allow outgoing on top is useless.

Rules are read from top down.
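The following is an added example, not code from this thread or from Comodo, that models the behaviour the replies describe: Global rules evaluated top down with the first match winning, a Network Zone defined by a subnet (the thread's own 192.168.1.0/255.255.255.0 example), and the point that a Global allow does nothing for an application without its own Application rule. It assumes the four rules the stealth port wizard's third option creates (allow IP out, the two ICMP allows, block IP in), uses the standard ICMP numbers from RFC 792 for "fragmentation needed" (type 3, code 4) and "time exceeded" (type 11), which are not on the page, and all remote addresses are constructed sample values. The two-layer `decide` function is a simplification of how CIS really combines Global and Application rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Network Zones: a label mapped to subnets. "Home #1" is the zone name the
# thread says the 'New Network Detected' dialogue creates; the subnet is the
# example given in the thread.
ZONES = {
    "Home #1": [ipaddress.ip_network("192.168.1.0/255.255.255.0")],
}


@dataclass
class Rule:
    action: str                        # "allow" or "block"
    direction: str                     # "in" or "out"
    protocol: str                      # "ip" (any protocol), "icmp", "tcp", "udp"
    remote: str = "any"                # "any" or a zone name from ZONES
    icmp_type: Optional[int] = None    # None = any type (RFC 792: 3 = unreachable, 11 = time exceeded)
    icmp_code: Optional[int] = None    # None = any code (RFC 792: type 3 code 4 = fragmentation needed)
    note: str = ""


@dataclass
class Packet:
    direction: str
    protocol: str
    remote_ip: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


# The four Global rules the thread attributes to stealth port wizard option 3,
# in the order the wizard lists them.
STEALTH_RULES = [
    Rule("allow", "out", "ip", note="allow IP out any any"),
    Rule("allow", "in", "icmp", icmp_type=3, icmp_code=4, note="fragmentation needed"),
    Rule("allow", "in", "icmp", icmp_type=11, note="time exceeded"),
    Rule("block", "in", "ip", note="block IP in any any"),
]

# The two Global rules the thread says selecting 'Home' adds for the zone.
HOME_RULES = [
    Rule("allow", "in", "ip", remote="Home #1", note="allow IP in from Home #1"),
    Rule("allow", "out", "ip", remote="Home #1", note="allow IP out to Home #1"),
]


def in_zone(ip: str, zone: str) -> bool:
    """True if ip belongs to any subnet of the named zone (zone 'reach')."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ZONES.get(zone, []))


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does a single rule apply to this packet? Unset fields match anything."""
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if rule.remote != "any" and not in_zone(pkt.remote_ip, rule.remote):
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    if rule.icmp_code is not None and rule.icmp_code != pkt.icmp_code:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Rules are read top down; the first match decides. Returns the action and
    the index of the matching rule, or ("none", None) if no Global rule matched."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx
    return "none", None


def decide(global_rules: List[Rule], pkt: Packet, app_has_rule: bool) -> str:
    """Two-layer decision as the thread describes it: a Global block wins outright,
    and everything else still needs an Application rule for the process involved.
    This is why removing 'allow IP out' changes nothing for outbound traffic."""
    action, _ = evaluate(global_rules, pkt)
    if action == "block":
        return "block"
    return "allow" if app_has_rule else "block"


if __name__ == "__main__":
    unsolicited = Packet("in", "tcp", "203.0.113.5")            # constructed remote address
    print(evaluate(STEALTH_RULES, unsolicited))                 # ('block', 3)
    print(evaluate(STEALTH_RULES, Packet("in", "icmp", "203.0.113.5", 3, 4)))  # ('allow', 1)
    # Same ICMP packet, but with the block rule moved to the top: order matters.
    print(evaluate([STEALTH_RULES[3]] + STEALTH_RULES[:3],
                   Packet("in", "icmp", "203.0.113.5", 3, 4)))  # ('block', 0)
    print(evaluate(HOME_RULES + STEALTH_RULES, Packet("in", "tcp", "192.168.1.20")))  # ('allow', 0)
```

Running the block shows that the ICMP exceptions only work because they sit above "block IP in any any", that a LAN host is admitted purely by zone membership once the Home rules are present, and that `decide` gives the same answer for outbound traffic whether or not the first allow rule is in the list.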