I found that setting global rules for everything was far too defensive, as I use a lot of stuff like uTorrent etc. that needs incoming communication, so I have set my firewall up like this. Could someone in the know just check that it's OK?
OK, first of all I have 4 global rules:
allow all incoming and outgoing requests for my LAN
allow ICMP in where the message is FRAGMENTATION NEEDED.
allow ICMP in where the message is TIME EXCEEDED.
block and log ICMP in from any to any.
then in application rules for Windows Operating System and System I have:
block and log TCP or UDP in from any to any.
block and log IP in from any to any.
allow TCP or UDP out from any to any.
for svchost I have the same, only with some more outgoing allows.
These rules, it seems to me, block anything incoming.
Then I have set up individual sets of block and allow rules for each application where I need connections incoming.
This way (from what I imagine) any attempted connections to my PC with no applications running would be blocked by these rules, but if I run a program it will allow anything I want (except ICMP, which I dunno why I would ever want).
Does this look right? I have done some simulated attacks on my system with a few websites and nothing got through, and I get masses of block logs for System and Windows, so it definitely appears to be working… Have I understood it right?
You need to have allow rules above your block rule for your example of Windows Operating System. But rather than going into each rule I would recommend reading the thread in the FAQ section for uTorrent. Good examples of rules for you to follow there.
Surely if the rules are a block for in and an allow for out, it wouldn't make any difference which came first, no?
I checked that thread when I set up uTorrent; it's working perfectly.
It makes a world of difference because there is an ordering system:
top = highest priority
bottom = lowest priority
CFP fulfills your rules from top to bottom.
I realise that it does them in order from top to bottom…
but how does that affect the rules I have?
Why do I need the "allow TCP or UDP out from any to any" above the other 2?
I could understand if I had, let's say,
allow IP from 192.168.1.1 and
block all IP from any to any
I would need the allow one at the top or else the block would block everything…
but I don't see what difference it makes to 2 completely different rules…
You guys did notice that the top 2 are blocking INCOMING, and the bottom allow is allowing OUTGOING, right?
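Added example, not from this thread or from Comodo: a small first-match rule evaluator in Python showing why order matters for the "allow IP from 192.168.1.1" / "block all IP" pair but not between the poster's inbound block rules and outbound allow rule. The addresses and the Rule/evaluate helpers are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "block"
    direction: str  # "in" or "out"
    proto: str      # "TCP", "UDP", "TCP/UDP", "ICMP", or "IP" (matches every protocol)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"

    def matches(self, direction, proto, src, dst):
        # "IP" encompasses all protocols, so it also matches TCP and UDP packets.
        return (self.direction == direction
                and (self.proto == "IP" or proto in self.proto.split("/"))
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))

def evaluate(rules, direction, proto, src, dst, default="block"):
    """First match wins, scanning top to bottom; nothing matched -> default."""
    for rule in rules:
        if rule.matches(direction, proto, src, dst):
            return rule.action
    return default

# The poster's Windows Operating System / System rules, in the order given.
WOS_RULES = [
    Rule("block", "in", "TCP/UDP"),
    Rule("block", "in", "IP"),       # already covers the TCP/UDP rule above it
    Rule("allow", "out", "TCP/UDP"),
]

# Constructed sample addresses (not from the thread).
ME, PEER, INTERNET = "192.168.1.10", "192.168.1.1", "203.0.113.5"

def wos_decisions(rules):
    """(unsolicited inbound TCP, outbound UDP) under a given rule order."""
    return (evaluate(rules, "in", "TCP", INTERNET, ME),
            evaluate(rules, "out", "UDP", ME, INTERNET))

def lan_example(allow_first):
    """The 'allow IP from 192.168.1.1' vs 'block all IP' pair from the thread."""
    allow = Rule("allow", "in", "IP", src=PEER + "/32")
    block = Rule("block", "in", "IP")
    rules = [allow, block] if allow_first else [block, allow]
    return (evaluate(rules, "in", "TCP", PEER, ME),      # packet from the LAN peer
            evaluate(rules, "in", "TCP", INTERNET, ME))  # packet from the internet

if __name__ == "__main__":
    print(wos_decisions(WOS_RULES), wos_decisions(WOS_RULES[::-1]))
    print(lan_example(True), lan_example(False))
```

Reversing the WOS rules gives the same decisions because inbound and outbound rules never match the same packet, whereas putting the block above the LAN allow shadows it completely.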
Now I do (:SHY) ;D. However, your app rules on WOS and System are inefficient because there's no point in the first rule (block incoming TCP & UDP) while the second rule (block incoming IP) is there for each. Remember that IP encompasses all the protocols, including TCP & UDP. I actually find it's not essential to allow anything on System/WOS (at least on my PC, except for ICMP traffic which I allow for slightly faster uTorrent downloads).