I have one rule in global which is :
Allow and log TCP/UDP Out from IP any to IP any where source Port any and destination port is not 80.
And I still can connect to Internet and my active connections show connections to port 80.
Thanks for the reply but, that rule shall allow all outgoing IP connections on every port except port 80.
The reason I put that rule is to test the global rules as I was not happy with the results of event logging and still not happy. So I put that rule to test the firewall to see if it is actually allowing some connections while it was not supposed to. As I am writing this, I still have that rule and I have no problem browsing the internet where all the port 80 connections should have been blocked.
Any suggestions!!! as this rule is not doing what it is supposed to.
Allowing all ports except 80 DOESN’T mean BLOCK port 80 =) Delete the allowing rule for the browser to port 80 (if any) and then set the Firewall to Custom mode - then the Firewall will ask you what to do. In Train/Safe mode the Firewall will learn automatically, allowing outgoing connections to port 80.
If you will add the last Rule in Global “Block any to any from any port to any port” - then together they will work.
Or just apply rule “Block to 80 port”
So allowing something except doesn’t mean blocking it.
Thanks again. But as I understand it, it should not allow any connections to go out on that excluded port.
Also, if I use that exclude rule in the Applications Rules, it asks me whether to allow or deny?? instead of just not allowing it without asking.
That exclude problem does not happen if I use Block instead of Allow. That is; if I have a “Block Any Any Any and NOT (80,443,53)” rule in Global, then it blocks all ports except 80,443,53.
Is this a bug or am I misunderstanding something???
Why the logic works with Block rule but not Allow rule???
It seems to be a bug. They fixed a similar issue for Block rules. I guess no one bothered to check if it works correctly for Allow rules. Let’s hope it will be fixed in the next update.
Everywhere I assume that “Allow all except port 80” means “When port is 80 - no Rule”, but not “Block port 80”.
And also I don’t think it is a bug. It’s only another way to look at the word “except” =)
Yep, It is a BUG.
I’ve tried a test:
Firewall is in Safe Mode.
App. rule for browser - Allow any to any source port any dest.port EXCLUDE 80.
Global Rules - none.
Browser - safe application.
Then I tried to go to web site…
Firewall learned new rule - Allow any to any source port any dest.port 80
If your logic is correct then allowing rule for a single port should block all other ports, which is certainly not true.
A rule part after allow/deny[and log] is just a pattern to match the rule with actual event.
An exception in an allow rule just reduces the set of allowed ports (or IPs). Allowing all ports except 80 works like two rules:
allow ports [0-79]
allow ports [81-65535]
If you really want to allow all but port 80 - it could be far easier just to block port 80.
And if you are not looking for easy ways - just add a block-all rule below your first rule. Then all connections that do not match the first rule (those on port 80) will be affected by the second.
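The first-match logic described in this post, as an added example that is not part of the thread or of CIS itself: a toy rule evaluator (the `Rule`, `evaluate` and `decisions` names are hypothetical) that treats the part after allow/block as a pattern, so an "allow any except 80" rule on its own gives port 80 no decision, while a trailing block-all rule turns that fall-through into a block.

```python
"""Toy first-match firewall rule evaluator (illustrative, not CIS's real engine).

Assumed semantics, following the thread: rules are checked top to bottom, the
first rule whose pattern matches decides, and a packet matching no rule ends as
NO_MATCH (where Safe/Custom mode would learn a rule or ask the user).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

ALLOW, BLOCK, NO_MATCH = "allow", "block", "no_match"


@dataclass
class Rule:
    action: str                                      # ALLOW or BLOCK
    ports: Optional[set[int]] = None                 # None = any destination port
    exclude: set[int] = field(default_factory=set)   # ports removed from the pattern

    def matches(self, dst_port: int) -> bool:
        # EXCLUDE only narrows the pattern; it never produces the opposite action.
        if dst_port in self.exclude:
            return False
        return self.ports is None or dst_port in self.ports


def evaluate(rules: list[Rule], dst_port: int) -> str:
    """Decision of the first matching rule, or NO_MATCH if none matches."""
    for rule in rules:
        if rule.matches(dst_port):
            return rule.action
    return NO_MATCH


def decisions(rules: list[Rule], ports=(53, 80, 443, 8080)) -> dict[int, str]:
    """Evaluate a sample of destination ports against a rule list."""
    return {p: evaluate(rules, p) for p in ports}


if __name__ == "__main__":
    allow_except_80 = [Rule(ALLOW, exclude={80})]
    print("allow except 80 only :", decisions(allow_except_80))   # 80 -> no_match
    with_block_all = allow_except_80 + [Rule(BLOCK)]
    print("plus block-all below :", decisions(with_block_all))    # 80 -> block
    block_except = [Rule(BLOCK, exclude={80, 443, 53})]
    print("block except 80/443/53:", decisions(block_except))     # 8080 -> block
```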
Yes, it isn’t a bug. I forgot the main specific of “Safe Mode” - CIS SHOULD learn that Rule by the logic of CIS. I forgot to write it here =) But in the Russian topics we discussed it and all agreed that it is surely not a bug.