I reinstalled Windows 7 on one of my computers and installed CIS10 on it. I’m currently trying to set up the configuration to match a certain security level, but I’m having some trouble understanding the firewall rules. According to the CIS10 manual here, it is stated that:
For Outgoing connection attempts, the application rules are consulted first and then the global rules second.
For Incoming connection attempts, the global rules are consulted first and then the application rules second.
So, if I understand the manual correctly, it means that the firewall will read rules in top-to-bottom order and trigger the first rule that matches a given condition. The rule evaluation will stop as soon as there is a match and no further evaluation will be performed. Instead, a specified action (allow, drop, log, etc.) will be applied to the packet. For incoming connections, the global rules are evaluated first and then the app rules, and for outgoing it’s the other way around.
Question #1: I know the firewall is capable of alerting the user on incoming and outgoing connections. What exactly causes the firewall alert to appear and when??? Is there like some invisible rule in the list that, when triggered, causes the popup alert to show up? I would imagine it so that there is a default rule i.e. when the firewall seeps through the rules list, but doesn’t find any matching rules and reaches the end of the list. I assume a default rule is then triggered that causes the packet to either drop or an alert to appear. Is this the case or does the firewall use a different design?
Question #2: I’ve initiated the ‘Stealth Ports’ function from the dashboard and chose to block incoming connections. This caused the following entries to appear in the global rules list (see attached image). I am a bit confused about this. If the above statements (Incoming: Global => App, Outgoing: App => Global) are correct then what does this mean? With the global rules being evaluated first for incoming connections, doesn’t this mean that all and every packet will be filtered by the deny rule (marked in red) in the list? And so the application rules will never be reached or evaluated? Therefore even if I create an app rule i.e. allow all incoming connections for a bittorrent app on a given port, all packets will still be dropped by the global rule?
Similarly for outgoing connections where the app rules are evaluated before the global ones. The first rule in the global list (marked in green) is an allow-everything-outgoing rule which means it will always match, provided that no application rules matched previously. This will prevent the “rule evaluation cursor” from reaching the end of the list, and the default rule to show the popup alert will never trigger (assuming there is a hidden default rule that shows an alert).
Can someone please elaborate this?
Thanks a lot!
EDIT: I am running the firewall in the ‘Custom Ruleset’ mode.
When the firewall is set to ‘safe mode’ you will get a connection request alert if the application making the request has a rating of unknown/unrecognized, or if you have a rule in the application rules set to ask. But seeing as you said you use custom ruleset, you will only get an alert if no application rule is set to cover a particular connection request. So if an application is attempting an outbound connection request, and there is no rule to either allow or block such a request, you will get an alert asking to allow or block. If the application is listening on a given port for incoming connections, then you will get an alert if the global rules either have an allow rule for that incoming connection, or you don’t have a specific blocking rule for that port.
With the global rules being evaluated first for incoming connections, doesn't this mean that all and every packet will be filtered by the deny rule (marked in red) in the list? And so the application rules will never be reached or evaluated? Therefore even if I create an app rule i.e. allow all incoming connections for a bittorrent app on a given port, all packets will still be dropped by the global rule?
Correct, no application would be able to receive a connection regardless of application rules if the global rules are set to block incoming connections.
Similarly for outgoing connections where the app rules are evaluated before the global ones. The first rule in the global list (marked in green) is an allow-everything-outgoing rule which means it will always match, provided that no application rules matched previously. This will prevent the "rule evaluation cursor" from reaching the end of the list, and the default rule to show the popup alert will never trigger (assuming there is a hidden default rule that shows an alert).
You could actually remove that global allow out rule and outgoing connections will still go through without an alert.
:-\ Okay, this is confusing!
Today I did some tests for outgoing connections by running “ping 8.8.8.8” in a command line window. I experimented in custom ruleset mode with various rule combinations in the application and global rules list. For the sake of brevity let’s assume the keyword Allow in the rules list stands for “Allow IP Out from MAC Any to MAC Any Where Protocol Is Any” and means “Allow Everything Out”. The Block keyword is analogous.
When I first ran the command with my clean firewall rules (Test#4 - pic in first post), it generated an alert. This seemed strange to me because I was under the impression that the firewall operates in a single-list mode (see case A below) and there is already an existing Allow rule in the global list that should have matched this traffic, but yet an alert pops up. This either means that:
Case A) Both lists are processed together as one big list where one is appended or prepended to the other depending on the traffic direction, rule evaluation stops as soon as a matching rule is found, and an alert is generated when the “cursor” reaches the end of the rule list without finding a matching rule (the global Allow rule being ignored for some strange reason).
Case B) The application and global rule lists are processed separately, and an alert is generated when the “cursor” reaches the end of the application list without finding a matching rule (and without consulting the global rules list afterwards).
The second time I ran the ping command I only changed the global rule from Allow to Block while not having any matching application rules (see test #7). You said that “you will only get an alert if no application rule is set to cover a particular connection request”. So I take it an alert should pop up because the firewall does not find any matching rule in the applications list. And what was the result of test #7? No alerts were generated! This is rather confusing because there seem to be some inconsistencies in the firewall. :-TD So which is the correct case then? ???
If A) is the case: Test #4: Why does the firewall ignore the global Allow rule? Why does it generate an alert where it shouldn’t?
If B) is the case: Test #7: Why does the firewall not ignore the global Block rule? Why does it not generate an alert where it should?
After performing more tests it turned out the latter is the more probable scenario. Here are some observations that support this claim:
Take a look at tests #2 and #4 for example - if A) were the case then no alerts should be generated here, yet test #4 generates an alert. This suggests the alert pops up because no matching rules were found in the application list, thus supporting B).
Another example are tests #6 and #8 - if A) were true then test #8 should not block outgoing connection, yet it does, thus suggesting B) again.
What I learned:
Apparently there are two separate lists of rules. I originally believed that the firewall will treat both lists as a single long list, and will stop evaluating the rules as soon as it finds a match. But apparently the global list is simply not appended or prepended to the applications list as I have previously thought. It seems that both lists are checked individually - for outgoing connections, the application rules list is checked first and then the global rules list is checked next. For example, if the firewall finds a matching rule in the application list, it will still evaluate the rules in the global list. So if an application list has an allow-rule, but the global list has a block rule (or vice-versa - tests #6 and #8), the traffic will be blocked.
I will perform some more tests on incoming connections soon.
Yes, the application and global rules are separate and both must not have a specific block rule in place for a given connection request. If you have a global block rule but no application rule for an outgoing connection it automatically gets blocked without showing an alert because it wouldn’t make sense to ask the user to allow a request if it is going to be blocked by a global rule anyways. A connection request regardless of direction must pass both checks of the app and global rules to be allowed through.
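The two-list behaviour worked out in the "What I learned" post and confirmed in the reply above, written out as a small Python model. This is an added example, not Comodo's code and not anything posted in the thread; the rule fields, the app names and the rule that an outgoing connection with an app allow rule passes when the global list has no match (taken from the earlier remark that the global allow-out rule can be removed) are assumptions made here for illustration.

```python
# Model of CIS10 custom-ruleset evaluation as reconstructed from the thread:
#   - application rules and global rules are two separate lists, each first-match;
#   - outgoing: app list first, then global list; incoming: global list, then app list;
#   - a connection must pass both lists; a block in either list drops it silently;
#   - an alert appears only when no app rule covers the request AND the global
#     list did not already block it (assumption inferred from the replies).
from dataclasses import dataclass
from typing import List, Optional

ANY = "*"

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "block"
    direction: str       # "in" or "out"
    protocol: str = ANY  # "tcp", "udp", "icmp" or ANY
    port: object = ANY   # int or ANY (hypothetical simplification of CIS fields)
    app: str = ANY       # only meaningful in the application list

@dataclass(frozen=True)
class Conn:
    app: str             # hypothetical process name, e.g. "ping.exe"
    direction: str
    protocol: str
    port: int

def first_match(rules: List[Rule], c: Conn) -> Optional[str]:
    """Top-to-bottom first match over ONE list; None if nothing matched."""
    for r in rules:
        if (r.direction == c.direction
                and r.protocol in (ANY, c.protocol)
                and r.port in (ANY, c.port)
                and r.app in (ANY, c.app)):
            return r.action
    return None

def evaluate(app_rules: List[Rule], global_rules: List[Rule], c: Conn) -> str:
    """Return 'allow', 'block' or 'alert' for one connection attempt."""
    app_verdict = first_match(app_rules, c)
    global_verdict = first_match(global_rules, c)
    # Both lists are consulted whatever the direction; order only matters for
    # which list a block comes from, and the outcome is the same either way.
    if "block" in (app_verdict, global_verdict):
        return "block"          # silent drop, no popup (tests #7 and #8)
    if app_verdict is None:
        return "alert"          # no app rule covers the request (test #4)
    return "allow"              # app rule allowed it and global did not block
```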
Well, it kind of had the opposite effect on me while I was trying to make sense of the firewall behavior. Being a programmer myself, I would expect the firewall to show the alert regardless of the global rules because the current behavior is an anomaly in the system. Perhaps this “feature” should be documented in the CIS10 manual?
I’ve got one more question. If I want to set up rules for incoming connections in a way where the firewall will only allow incoming connections for applications that have existing firewall rules defined, but drop everything else (no alerts), what’s the proper way of doing so? For example I have a torrent application that listens on a given port. I want this application to be able to listen and accept incoming connections on the given port without issues, but all other incoming traffic should be dropped. I take it a global block rule is out of the question since all traffic will be dropped because the global rules are processed first.
EDIT: Another question. I noticed that CIS10 will automatically generate new network zones and call them Home #1, Work #1, etc., if the automatic detection of private networks is enabled in the Network Zones. How does this detection work - what is it based on? Does the system only take the IP range and netmask into account (this means the system cannot recognize two different networks with the same IP range i.e. 192.168.1.0/24) or is there something more to it i.e. MAC address of the gateway or DHCP server? If the latter, where can I edit these network fingerprints?
EDIT2: I noticed there are some IPv6 entries besides the IPv4 IP range in the network zones. Could this be the identifier?