First time CIS user, can you recommend some best practices for firewall only?

Thank you for taking the time to read this as I am sure you get this type of question a lot.

Well, here it goes… >:-D

I have installed CIS and I am only using the Firewall in “custom policy” mode and it’s working out well for me. I am not using the sandbox nor Defense+.

1.) I noticed that I do not have any “network zones” listed in the “network security policy window”, is this normal?

2.) If memory serves, I think I erased something with the words “loop back” from the “network zones” list, was this a big mistake?

thank you for your time ;D

You’re likely to get different opinions based on each user’s preferences, expertise and willingness to spend time creating customised rules. For some, the best option is to simply leave the defaults as they are. For others, myself included, a more ‘hands on’ approach is preferred.

At the very least, I’d say placing the firewall in ‘Custom policy’ mode is good practice, as it will provide a little more insight and control. As a further step, you could increase the ‘Alert Settings’. Doing so will provide a still greater degree of control over how rules are created. However, doing this will increase the number of alerts received, at least until you have your rules created.

Another consideration would be to remove the default firewall rules and replace them with more precise and somewhat more controllable equivalents. Taking a read through this thread might provide some insight. Remember, however, the information contained therein is just a starting point.

1.) I noticed that I do not have any "network zones" listed in the "network security policy window", is this normal?

Network zones are simply identifiers for connections that CIS has either found automatically (see More/Preferences/Automatically detect new private networks) or created manually. If you only have a single PC connected directly to the Internet, it’s unlikely any new networks will be detected. If you’re behind a router, the chances are you will get a prompt for a new network, typically with a 192.168.x.x identifier.

2.) If memory serves, I think I erased something with the words "loop back" from the "network zones" list, was this a big mistake?

On a clean installation, there is usually a single network zone created called ‘Loopback zone’. The zone is typically used in some of the ‘predefined’ firewall rules. Whilst deleting this zone is not critical, if you choose to use the ‘predefined’ rules, things may not happen as expected. To recreate the zone, assuming you’ve deleted it:

  1. Go to /Network security policy/Network zones and create a new zone called ‘Loopback zone’.
  2. Select the zone and click Add.
  3. Select IPv4 subnet mask.
  4. add as the ip address
  5. add as the mask


tyvm, Radaghast :o

I will take your advice and set my “alert settings” to “high”.

I will read that thread you linked me to and get back to you :slight_smile:

You could even use a /32 bit mask ( for the Loopback to further harden the “zone”, as this address is static and never changes. Or you may leave it as-is :slight_smile:
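As an added illustration (not from this thread or from CIS itself), here is a small Python model of a network zone as defined in the recreation steps above, used to compare the default-style mask with the /32 variant suggested in the last reply; the loopback entry 127.0.0.1 with mask 255.0.0.0 is assumed, since the actual values are not shown on the page.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NetworkZone:
    """A CIS-style network zone: a name plus one or more IPv4 subnets,
    each entered as an address and a subnet mask (as in the GUI steps)."""
    name: str
    subnets: list = field(default_factory=list)

    def add_subnet(self, address: str, mask: str) -> None:
        # strict=False lets a host address such as 127.0.0.1 be combined
        # with a wide mask; the host bits are simply cleared.
        self.subnets.append(ipaddress.IPv4Network(f"{address}/{mask}", strict=False))

    def contains(self, address: str) -> bool:
        """True if a rule referencing this zone would match the address."""
        ip = ipaddress.IPv4Address(address)
        return any(ip in net for net in self.subnets)

    def address_count(self) -> int:
        return sum(net.num_addresses for net in self.subnets)


def build_loopback_zone(mask: str = "255.0.0.0") -> NetworkZone:
    """Recreate 'Loopback zone' from the assumed entry 127.0.0.1 and the
    given mask: 255.0.0.0 (assumed default) or 255.255.255.255 (/32)."""
    zone = NetworkZone("Loopback zone")
    zone.add_subnet("127.0.0.1", mask)
    return zone


def compare_masks() -> dict:
    """Show what each mask actually covers: /8 matches every 127.x.x.x
    address, /32 matches only 127.0.0.1 itself."""
    wide = build_loopback_zone("255.0.0.0")
    tight = build_loopback_zone("255.255.255.255")
    return {
        "wide_matches_127_0_0_2": wide.contains("127.0.0.2"),
        "tight_matches_127_0_0_1": tight.contains("127.0.0.1"),
        "tight_matches_127_0_0_2": tight.contains("127.0.0.2"),
        "wide_addresses": wide.address_count(),    # 16777216
        "tight_addresses": tight.address_count(),  # 1
    }


if __name__ == "__main__":
    for key, value in compare_masks().items():
        print(f"{key}: {value}")
```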