Confusion on Access Rules

I’ve managed to bodge things up good… So now the learning must begin!

From the FAQ, the way the packets are filtered are:

- Incoming Connections

1- Network monitor applies filtering if success it passes to application monitor
2- Application monitor checks the target application, if allowed passes to
3- Advanced security analysis monitor (component monitor + application behavior analysis)

if these 3 steps are passed, application receives the connection.

- Outgoing connections

The order changes:

1- Application monitor
2- Advanced security monitor
3- Network monitor

Assume I have no antivirus, so no weird loopbacks and such going on for mail filtering.

Now, I want to use my mail program (thunderbird).

Thunderbird initiates an outbound connection. Therefore, I should definitely allow it in the application monitor, as well as the advanced security monitor. If I know the mail server’s address, I suppose I could put a network filter in to allow data from my PC to that IP (and maybe even more restrictive on that port).

Now let’s say I have an app that I trust, so I put it into the application monitor. I have no idea what that app is going to do - but it’s going to initiate a bunch of outbound connections, and maybe even get some inbound ones as a result (on different ports). So by the time I get done, I really should allow ALL TCP/UDP traffic OUT of my IP address, and be careful about the application monitor - only allow what I believe is necessary.

As far as inbound - if it gets tested by the network monitor first, then ends up getting to the applications - that only really applies to connections that are UNSOLICITED. Say once again I have apps that I trust, but may be getting connections from an outside server (initiated by the outside server). I’m not really sure what that app may be doing, so I allow ALL TCP/UDP traffic to pass the network filter, and be careful at the application layer what permissions I give.

It seems once you have an app that may do some things where you don’t know, what choice do you have but to open up the network monitor portion?

I originally had the network monitor rule to allow ALL TCP/UDP IN/OUT from My PC’s IP to Anywhere… and anywhere To My PC. Things worked fine… but then I thought “This seems to be dangerous!” so I deleted those rules. And then it all fell apart, because Hamachi was trying to make a bunch of outbound connections, and then field the inbounds… and I found myself trying to figure out everything it was doing and putting network rules in… Argh. Also, I found that my mail program didn’t work - I had allowed thunderbird access in the application monitor, but then found that it was being trapped at the network monitor because it would not allow an outbound connection to the IP of my mail server…

Am I making any sense here?

Can you possibly know EVERYTHING your app is going to connect to / get connections from? If you can’t, what choice do you have other than to make the network monitor “useless” and transparent, and rely on the application monitor?

Sorry for being overly verbose.
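To make the layer ordering from the FAQ concrete, here is an added Python model of the three checks and the Thunderbird situation described above; it is an illustration written for this thread, not the firewall's own code. The rule shape, the "*" wildcard, the default-deny when no network rule matches, and the mail server address/port are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Conn:
    app: str          # process owning the socket, e.g. "thunderbird"
    direction: str    # "out" (app initiated) or "in" (unsolicited from outside)
    proto: str        # "TCP" or "UDP"
    remote_ip: str
    remote_port: int

@dataclass
class Policy:
    app_allow: set = field(default_factory=set)      # application monitor: trusted apps
    behaviour_ok: set = field(default_factory=set)   # advanced security monitor (assumed: per-app pass)
    net_rules: list = field(default_factory=list)    # network monitor: (dir, proto, ip, port, verdict)

def network_monitor(p, c):
    # Assumed semantics: first matching rule wins, "*" matches anything, no match = deny.
    for d, proto, ip, port, verdict in p.net_rules:
        if (d in ("*", c.direction) and proto in ("*", c.proto)
                and ip in ("*", c.remote_ip) and port in ("*", c.remote_port)):
            return verdict == "allow"
    return False

def application_monitor(p, c):
    return c.app in p.app_allow

def advanced_monitor(p, c):
    return c.app in p.behaviour_ok

# Check order per the FAQ: inbound hits the network monitor first, outbound hits it last.
ORDER = {
    "in":  [network_monitor, application_monitor, advanced_monitor],
    "out": [application_monitor, advanced_monitor, network_monitor],
}

def filter_conn(p, c):
    """Return (allowed, name of the layer that rejected or None). All layers must pass."""
    for layer in ORDER[c.direction]:
        if not layer(p, c):
            return False, layer.__name__
    return True, None

def thunderbird_scenario():
    # Constructed: Thunderbird submitting mail to a server at 203.0.113.25:587.
    mail = Conn("thunderbird", "out", "TCP", "203.0.113.25", 587)
    p = Policy(app_allow={"thunderbird"}, behaviour_ok={"thunderbird"})
    before = filter_conn(p, mail)   # app monitor allows it, but no network rule matches
    p.net_rules.append(("out", "TCP", "203.0.113.25", 587, "allow"))
    after = filter_conn(p, mail)    # the narrow outbound rule unblocks exactly that server
    return before, after
```

Running `thunderbird_scenario()` reproduces the trap described in the post: the outbound connection passes the application monitor and is then rejected by the network monitor until a rule for the mail server exists.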