Some further tests:
Switching away from Opera to a dedicated IRC client (HydraIRC) to try to determine the nature of the issue. These tests were performed on a clean installation of Windows 7 Ultimate x86 (not a VM) with a clean installation of CIS. HydraIRC is a portable application so the zip was unpacked to folder on the desktop.
All defaults apart from the DNS client service, which is disabled.
Settings for CIS:
Firewall enabled in Custom policy Mode and Alert settings on very high.
Ipv6 filtering and create rules for safe applications are unchecked.
Defense+ and AV are not installed and cloud look-ups are disabled, as are automatic updates.
I also deleted the folder containing the TVL.
All other settings are defaults.
In the first test we create a rule for HydraIRC using the pre-defined web browser rule. The rule is edited to enable logging. Once the rule is applied we run HydraIRC and connect to an IRC server. This succeeds and log entries are created for DNS and the connection via TCP to port 6667 (one of the default IRC server ports). A local connection is also made to IDENT over TCP port 113, although this is not logged by CIS, it can be seen via netstat or some other network monitor such a TCPView/Currports. (See images 1 to 5)
In the second test we modify the pre-defined web browser rule by placing a block and log on the entry for passive ftp (Allow Outgoing FTP-PASV Requests), as this is the only rule in the pre-defined set, apart from DNS, that generates a log entry. Now we attempt to connect to an IRC server. This time the connection fails. (see images 6 to 9)
In the final test, we remove the pre-defined web browser rule and create a functionally equivalent analogue. Once done, we attempt to connect to an IRC server. This fails. (see images 10 and 11)
One point of note, when capturing data in the CIS logs, only the first connection to an IRC server will generate an entry, however, subsequent connection’s do succeed.
The question is, why does the pre-defined web browser rule allow these connections when a functionally equivalent rule does not, (which is as it should be)? Moreover, why does this rule allow these connections in the first place. To my mind, this appears to be a security vulnerability in the firewall.
[attachment deleted by admin]