Example of CFP3 Network Security Policy for advanced users (router users only?)

Example of CFP3 Network Security Policy for advanced users ~router users only? :slight_smile:

(Temporary) Rules for test use / tracing of the new CFP3 firewall and OS actions only:

Application Rules
Loopback (OUT)
w/log Block/Allow, TCP/UDP, OUT, Any Address->127.0.0.1, Any Port->Any Port

Loopback (IN)
w/log Block/Allow, TCP/UDP, IN, 127.0.0.1->Any Address, Any Port->Any Port

Block and Log All Unmatched Requests
w/log Block, IP, IN/OUT, Any Address->Any Address, Any Protocol

Detailed explanation of the rule settings:

Global Rules (my router does not use DHCP)
Outgoing DNS Requests
Allow, TCP/UDP, out, Any Address->ISP DNS Address, Any Port->53

Router HTTP Connection
Allow, TCP, out, Any Address->Router Address, Any Port->Router Web Management Page Port

Block Router Connection (block access to router)
Block, TCP/UDP, out, Any Address->Router Address, Any Port->Any Port

Block Router Incoming Requests w/log (router action tracing use)
Block, TCP/UDP, IN, Router Address->Any Address, Any Port->Any Port

Allow Incoming P2P Listen Ports (please use “My Port Set” for P2P Ports Management)
Allow, TCP/UDP, IN, Any Address->Any Address, Any Port->P2P Ports

Allow Outgoing TCP or UDP Requests
Allow, TCP/UDP, OUT, Any Address->Any Address, Any Port->Any Port

Block Incoming TCP or UDP Requests
Block, TCP/UDP, IN, Any Address->Any Address, Any Port->Any Port

Block ICMP Message Out “Port Unreachable”
Block, ICMP, OUT, Any Address->Any Address, ICMP Port Unreachable

Allow ICMP Message In “Time Exceeded”
Allow, ICMP, IN, Router Address->Any Address, ICMP Time Exceeded
PS: maybe this “ICMP Time Exceeded” rule needs to be added. But CFP maybe has predefined firewall rules, so it may not be needed… (now checking the log from CFP3 action tracing…)

Block ICMP Incoming and Outgoing Requests w/log (ICMP tracing)
Block, ICMP, IN/OUT, Any Address->Any Address, Any Message

Block Any Outgoing Requests (or with log for test/tracing use)
Block, IP, OUT, Any Address->Any Address, Any Protocol

Block Any Incoming Requests (or with log for test/tracing use)
Block, IP, IN, Any Address->Any Address, Any Protocol
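To see how CFP3's top-to-bottom priority plays out for the global rules above, here is an added worked example (my own Python, not part of the original post and not Comodo's code). It encodes the rule list as data, evaluates a few constructed sample packets against it first-match-wins, and shows why order matters: moving “Block Router Connection” above “Router HTTP Connection” silently blocks the router's web page. The router address, ISP DNS address, router web port and the P2P port set are constructed placeholders, since the post gives none.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample values (assumptions; the post gives no real addresses or ports).
ROUTER = "192.168.1.1"          # "Router Address"
ISP_DNS = "203.0.113.53"        # "ISP DNS Address"
ROUTER_WEB_PORT = 80            # "Router Web Management Page Port"
P2P_PORTS = frozenset({6881})   # "My Port Set" for P2P listen ports
ANY = "Any"


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP", "UDP", "ICMP", or anything else (e.g. "GRE")
    direction: str      # "IN" or "OUT"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_msg: str = ""  # e.g. "Port Unreachable", "Time Exceeded"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "Allow" or "Block"
    proto: str              # "TCP/UDP", "TCP", "ICMP" or "IP" (= any protocol)
    direction: str          # "IN", "OUT" or "IN/OUT"
    src: str = ANY
    dst: str = ANY
    sports: object = ANY    # ANY or a frozenset of ports
    dports: object = ANY
    icmp_msg: str = ANY
    log: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule accepts the packet (ANY is a wildcard)."""
    if rule.proto != "IP" and pkt.proto not in rule.proto.split("/"):
        return False
    if pkt.direction not in rule.direction.split("/"):
        return False
    if rule.src != ANY and rule.src != pkt.src:
        return False
    if rule.dst != ANY and rule.dst != pkt.dst:
        return False
    if rule.proto == "ICMP":                      # ICMP rules match on message, not ports
        return rule.icmp_msg in (ANY, pkt.icmp_msg)
    if rule.sports != ANY and pkt.sport not in rule.sports:
        return False
    if rule.dports != ANY and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins, top to bottom, as CFP3 evaluates its rule list."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "Block", "implicit default"


# The post's global rules, in the post's order.
GLOBAL_RULES = [
    Rule("Outgoing DNS Requests", "Allow", "TCP/UDP", "OUT", dst=ISP_DNS, dports=frozenset({53})),
    Rule("Router HTTP Connection", "Allow", "TCP", "OUT", dst=ROUTER, dports=frozenset({ROUTER_WEB_PORT})),
    Rule("Block Router Connection", "Block", "TCP/UDP", "OUT", dst=ROUTER),
    Rule("Block Router Incoming Requests", "Block", "TCP/UDP", "IN", src=ROUTER, log=True),
    Rule("Allow Incoming P2P Listen Ports", "Allow", "TCP/UDP", "IN", dports=P2P_PORTS),
    Rule("Allow Outgoing TCP or UDP Requests", "Allow", "TCP/UDP", "OUT"),
    Rule("Block Incoming TCP or UDP Requests", "Block", "TCP/UDP", "IN"),
    Rule("Block ICMP Message Out Port Unreachable", "Block", "ICMP", "OUT", icmp_msg="Port Unreachable"),
    Rule("Allow ICMP Message In Time Exceeded", "Allow", "ICMP", "IN", src=ROUTER, icmp_msg="Time Exceeded"),
    Rule("Block ICMP Incoming and Outgoing Requests", "Block", "ICMP", "IN/OUT", log=True),
    Rule("Block Any Outgoing Requests", "Block", "IP", "OUT"),
    Rule("Block Any Incoming Requests", "Block", "IP", "IN"),
]

# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_PACKETS: Dict[str, Packet] = {
    "dns": Packet("UDP", "OUT", "192.168.1.10", ISP_DNS, 51000, 53),
    "router_web": Packet("TCP", "OUT", "192.168.1.10", ROUTER, 51001, ROUTER_WEB_PORT),
    "router_telnet": Packet("TCP", "OUT", "192.168.1.10", ROUTER, 51002, 23),
    "p2p_in": Packet("TCP", "IN", "198.51.100.7", "192.168.1.10", 40000, 6881),
    "smb_in": Packet("TCP", "IN", "198.51.100.7", "192.168.1.10", 40001, 445),
    "https_out": Packet("TCP", "OUT", "192.168.1.10", "198.51.100.9", 51003, 443),
    "icmp_unreach_out": Packet("ICMP", "OUT", "192.168.1.10", "198.51.100.7", icmp_msg="Port Unreachable"),
    "icmp_ttl_in": Packet("ICMP", "IN", ROUTER, "192.168.1.10", icmp_msg="Time Exceeded"),
    "ping_in": Packet("ICMP", "IN", "198.51.100.7", "192.168.1.10", icmp_msg="Echo Request"),
    "gre_out": Packet("GRE", "OUT", "192.168.1.10", "198.51.100.9"),
}


def decisions(rules: List[Rule] = GLOBAL_RULES) -> Dict[str, Tuple[str, str]]:
    """Decision and deciding rule for every sample packet."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


def swapped_router_rules() -> List[Rule]:
    """Same list with 'Block Router Connection' moved above 'Router HTTP Connection'."""
    rules = list(GLOBAL_RULES)
    rules[1], rules[2] = rules[2], rules[1]
    return rules


if __name__ == "__main__":
    for name, (action, rule) in decisions().items():
        print(f"{name:18} {action:5} by '{rule}'")
    print("router_web with swapped order:", decisions(swapped_router_rules())["router_web"])
```

The evaluator shows the two things this ruleset relies on: the specific allow (router web port, ISP DNS, P2P listen ports) must sit above the broader block that would otherwise swallow it, and anything no TCP/UDP/ICMP rule names (the GRE packet here) falls through to the catch-all “Block Any … Requests” rules at the bottom.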

Application Rules (partial explanation only; for the others please look at the picture)
Internet = Web Browser
E-mail = Email Client
FTP, DL App = FTP Client and download manager
P2P = P2P Client

FTP Client
Allow Incoming TCP Requests (for active mode / FTP server use)
Add the incoming ports in Global Rules (for active mode, the port range is maybe 1024-5000);
please see your FTP client's options or help, which may give this port range.

Add your external IP address in the FTP client / FTP server (not needed if your application can self-detect the external IP).

P2P Client
Allow Outgoing TCP or UDP Requests
Allow, TCP/UDP, OUT, Any Address->Any Address, Any Port->Any Port

Allow Incoming TCP or UDP Requests
Allow, TCP/UDP, IN, Any Address->Any Address, Any Port->P2P Ports

PS: please change your router settings so that remote clients can reach your PC (for router users).

System Idle Process = unopened port!? Or is it equal to the other firewalls’ “lowest priority any application rule”!?
But in CFP3 this thing can send ICMP messages… =.=? (In other firewalls the “System” process sends ICMP messages.)
PS: Now I’m using the log to test/trace this…
If you create a rule for this process, please set it at the bottom (lowest priority).

Block P2P Ports (without log)
Block, TCP/UDP, IN, Any Address->Any Address, Any Port->P2P Ports
After the P2P client closes, this blocks the incoming connection attempts without logging ^^ (because the rule after this one is a logging rule).

-true end- OTL

Sorry for my bad English.

[CFP3 Bug Links]
CFP3 has predefined firewall rules, with higher priority than user firewall rules. (http)
Multi-User & %USERPROFILE% variable (http)