Global Rule to allow Windows Operating System UDP traffic

Hello folks,

I have been receiving this alert lately:


http://img834.imageshack.us/img834/6200/image2lz.png

I figured out that this IP address is from cFosSpeed servers and it's related to cFosSpeed sending pings to its servers, so it's a safe connection. I would like to create an allow rule for this alert because it shows up every boot time and a few times during PC usage, but I don’t feel safe about creating a rule to allow everything to Windows Operating System, which is the result of ticking the “Remember my answer” in the Firewall alert dialog (see picture above).

I have tried to create a Global Rule under Network Security Policy > Global Rules:

ALLOW > UDP > OUT > FROM SOURCE ADDRESS > ANY > ON SOURCE PORT > 46327 > TO DESTINATION ADDRESS > 194.95.249.23 > ON DESTINATION PORT > 25903

I have ticked “Log as firewall event if this rule is fired” and I sorted this rule at first place over the other Global Rules.

But I still receive this alert even with the global rule to allow it. Can somebody help me here?

I am under Windows 7 Ultimate 64-bit and I am using CIS 5.3.174622.1216.

See you later,

Aeolis

This would not be a reply to a ping request from cFosSpeed as that would be allowed without alert because of Stateful Inspection.

I advise making a Global Rule that allows incoming traffic from that IP address:
Action: Allow
Protocol: UDP
Direction: In
Description: allow traffic from cFosSpeed server at UDP port 25903

Source Address: 194.95.249.23
Destination Address: Any (that’s easiest but you can choose another parameter if you like)
Source Port: Any
Destination Port: 25903

Then make a rule for cFosSpeed application. You can copy the rule from Global Rules or choose Trusted Application if you want a quick and easy solution.

Hello folks,

Dear EricJH, I have tried your suggestion and it doesn’t work. Actually, I have tried several modifications of your global rule and it still asks me to allow or block the connection. I think CIS is not respecting the global rule no matter how accurate the rule is. I have tried to sort the global allow rule at first and at bottom and the alert is still there. I have even tried to create a global rule to allow UDP out for any source address and to any destination address setting only the source (46327) and destination (25903) ports and the alert is still there.

I still receive the following alert for this connection:


http://img193.imageshack.us/img193/2184/image1gfu.png

By now, the only alternative I have successfully achieved was to set an “Outgoing Only” rule for Windows Operating System. But I don’t feel very safe with this rule. Does somebody else have ideas or suggestions?

See you later,

Aeolis

I see I made a mistake. I thought the problem was with an incoming connection. So, forget what I said above.

I would make an application rule for WOS like you described in your topic start:

ALLOW > UDP > OUT > FROM SOURCE ADDRESS > ANY > ON SOURCE PORT > 46327 > TO DESTINATION ADDRESS > 194.95.249.23 > ON DESTINATION PORT > 25903

In the new application rule make one rule to ask and log all outgoing IP traffic. Place this rule underneath the above rule. That way you will get notified when other outgoing traffic is happening.
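The application rule set suggested in the post above, as an added example that is not part of the original thread and is not Comodo's code: a simplified top-down, first-match evaluator run over constructed flows, showing what the specific allow rule catches and what falls through to the ask rule. `Rule`, `evaluate`, the flow names and all sample flows are hypothetical; first-match processing and "ask" for unmatched traffic are assumptions of this model, and only the addresses and ports of the first rule come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ANY = None  # wildcard for a port or address field

@dataclass(frozen=True)
class Rule:
    action: str              # "allow", "block" or "ask"
    protocol: str            # "UDP", "TCP", "ICMP" or "IP" (any protocol)
    direction: str           # "out" or "in"
    src_port: object = ANY
    dst_addr: object = ANY
    dst_port: object = ANY
    log: bool = False

    def matches(self, flow):
        addr_ok = (self.dst_addr is ANY or
                   ip_address(self.dst_addr) == ip_address(flow["dst_addr"]))
        return (self.protocol in ("IP", flow["protocol"])
                and self.direction == flow["direction"]
                and self.src_port in (ANY, flow.get("src_port"))
                and addr_ok
                and self.dst_port in (ANY, flow.get("dst_port")))

def evaluate(rules, flow):
    """Return (rule number, action) of the first match; (0, 'ask') if none match."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(flow):
            return number, rule.action
    return 0, "ask"  # assumed default for unmatched traffic in this model

# Rule set from the post: specific allow first, ask-and-log everything else below it.
WOS_RULES = [
    Rule("allow", "UDP", "out", src_port=46327,
         dst_addr="194.95.249.23", dst_port=25903, log=True),
    Rule("ask", "IP", "out", log=True),
]

# Constructed sample flows (not taken from the thread's screenshots or logs).
FLOWS = {
    "cfos_ping": {"protocol": "UDP", "direction": "out", "src_port": 46327,
                  "dst_addr": "194.95.249.23", "dst_port": 25903},
    "other_src_port": {"protocol": "UDP", "direction": "out", "src_port": 50000,
                       "dst_addr": "194.95.249.23", "dst_port": 25903},
    "icmp_out": {"protocol": "ICMP", "direction": "out", "dst_addr": "192.0.2.10"},
}

def classify(rules=WOS_RULES):
    return {name: evaluate(rules, flow) for name, flow in FLOWS.items()}
```

In this model, swapping the two rules makes the ask rule shadow the allow rule, and a flow from any source port other than 46327 falls through to the ask rule.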

Hello folks,

Dear EricJH, I did as you told me and I have created a Predefined Policy named “Windows Operating System” with the following rules:


http://img684.imageshack.us/img684/8940/image1eip.png

After that I applied this policy to Windows Operating System. Now everything is fine. Thank you for your help.

See you later,

Aeolis

Hello folks,

Dear EricJH, after creating the Windows Operating System rule as mentioned above I noticed that CIS stopped asking for the connections as I instructed it to do. Look at it:


http://img94.imageshack.us/img94/9104/image2xv.png

As you can see, CIS is respecting the allow and log rule, but is not respecting the Ask and log rule. It logs it like CIS had asked as the rule instructs it to do, but CIS is not asking it. It’s just logging as if it had asked. Could you help me here? Is it normal?

See you later,

Aeolis

Hello folks,

Any news, ideas or suggestions?

See you later,

Aeolis

I see it asks for the ICMP traffic like expected. I fail to see the point.

Hello folks,

Dear EricJH, I think I haven’t made myself clear. CIS is logging like it has asked for the ICMP traffic, but it has not shown any pop-up alerts regarding this traffic. CIS records the ask rule in the log file, but actually CIS is not asking through alert pop-ups if I want to allow or block the ICMP traffic. I have attached my configuration file, maybe it can help. EricJH, is the problem clear now? Thank you for your attention and help.

See you later,

Aeolis

[attachment deleted by admin]

Hello folks,

Should I post a bug report regarding this issue? Do you have any ideas guys?

See you later,

Aeolis

I am not quite sure if it would be a bug; I am going back and forth about it. If I understand CIS correctly it will remember an answer for the session but it should not do that in Custom Policy mode. In what mode is your firewall running?

Hello folks,

Dear EricJH, CIS Firewall is running in Custom Policy Mode. If you take a look at my configuration file in the previous posts you will see that CIS is configured to show alerts for all traffic (TCP, UDP and ICMP). The problem is that CIS is not asking for the Windows Operating System traffic as the rule I have created instructs CIS to do. CIS is logging as if it had asked, but it’s actually not asking (it’s not showing alert pop-ups). I think it’s a bug. Well, guys, feel free to show your opinions.

See you later,

Aeolis

Since I am not sure what the normal behaviour of CIS would be in this case, I would suggest filing a bug report. It never hurts. It just takes some time.

You can file a bug report in the Bug Reports - CIS board following the format as described in FORMAT & GUIDE - just COPY/PASTE it!. The format must be strictly followed.