Global rules question

Is there any harm in removing the global rules in network security policy and putting in their place the (non-application-specific) rules as used in the old Kerio Firewall? I found these rules in a Google search and I thank the author surferslim for having such information.

Notes:
Rule 1 is the default rule of Tiny Firewall for loopback.

Rule 2 - 3 are your NetBIOS blocks. Enter them as displayed. Even if you have removed NetBIOS from your Network applet, these will serve to “Notify” you of any attempts. (Of course, this assumes you are NOT legitimately using NetBIOS on your system.)

Rule 4 - 5 allow any application to connect to your Domain Name Servers. If your ISP uses 4 different servers, you may add and use more or fewer.

Rule 6 - 10 are the balance of the ICMP rules. Enter them as displayed.

Rule 11 blocks and logs every request issued to your computer on common ports: FTP, HTTP, POP3, SMTP, Telnet, NetBIOS, etc.

Rule 12 - 15 are more (AtGuard Default) rules, but you can use them for Tiny Firewall now. Once the Trojan Port Blocking rules are activated, these can be deactivated or deleted as they provide duplicate coverage. (I don't use them.)

Rule 16 - 17 are the Low and High Trojan Port Blocking rules. Make sure they are set to Log all occurrences. Later you can examine your logs for any programs that are legitimately trying to use these ports. High/Low Trojan Port Blocking rules are not required, but they do "enhance" security, at the cost of increased nuisance. (I don't use them.)

Rule 18 - 21 are the “application specific” rules. In general, you’ll write one or two rules for each application that you want to access the internet.

Rule 22 blocks and logs every unwanted UDP/TCP request issued from your PC (could be a trojan, a worm, etc.); this rule disables the learning option (unknown outgoing request).

Rule 23 is the “Block Everything” rule. Enter it as shown but don’t enable it until all of the “kinks” are out of your rule set. Let the Rule Assistant (ask for action when no rule is found) work for you to show you where problems are occurring.

= = = = = = = = = = = = = = = =
RULE 1:

Description: Loopback
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: 127.0.0.1
Port type: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 2:

Description: Block Inbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 3:

Description: Block Outbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Port/Range
First Port: 137
Last Port: 139
Action DENY

= = = = = = = = = = = = = = = =
RULE 4:

Description: ISP Domain Name Server Any App UDP
Protocol: UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: (Your ISP DNS) IP number
Port type: Single
Port number: 53
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 5:

Description: Other DNS
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Single
Port number: 53
Action DENY

= = = = = = = = = = = = = = = =
RULE 6:

Description: Out Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo
Remote Endpoint: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 7:

Description: In Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
Remote Endpoint: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 8:

Description: In Block Ping and TraceRoute ICMP (Notify)
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo
Remote Endpoint: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 9:

Description: Out Block Ping and TraceRoute ICMP (Notify)
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
Remote Endpoint: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 10:

Description: Block ICMP (Logged)
Protocol: ICMP
Direction: Both
ICMP Type: Echo Reply, Destination Unreachable, Source Quench, Redirect, Echo, Time Exceeded, Parameter Prob, Time Stamp, Time Stamp Reply, Info Request, Info Reply, Address, Address Reply, Router Advertisement, Router Solicitation (ALL)
Remote Endpoint: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 11:

Description: Block Common Ports (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports:
113,79,21,80,443,8080,143,110,25,23,22,42,53,98
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 12:

Description: Back Orifice Block (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 54320,54321,31337
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 13:

Description: Netbus Block (Logged)
Protocol: TCP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 12456,12345,12346,20034
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 14:

Description: Bootpc (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: Single port
Local App.: Any
Port number: 68
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 15:

Description: RPCSS (Logged)
Protocol: UDP
Direction: Incoming
Port type: Single port
Local App.: Any
Port number: 135
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 16:

Description: Block Low Trojan Ports TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Both
Port type: Port/range
Local App.: Any
First port number: 1
Last port number: 79
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 17:

Description: Block High Trojan Ports TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Both
Port type: Port/range
Local App.: Any
First port number: 5000
Last port number: 65535
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 18:

Description: Internet Explorer-Web browsing
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => iexplore.exe
Remote Address Type: Any
Port type: Any
List of ports: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 19:

Description: Outlook Express
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => msimn.exe
Remote Address Type: Any
Port type: List of ports
List of ports: 25,110,119,143
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 20:

Description: ICQ Web Access Block
Protocol: TCP and UDP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => icq.exe
Remote Address Type: Any
Port type: Single port
List of ports: 80
Action DENY

= = = = = = = = = = = = = = = =
RULE 21:

Description: ICQ Application
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => icq.exe
Remote Address Type: Any
Port type: Single port
List of ports: 5190
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 22:

Description: Block Outbound Unauthorized Apps TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Outgoing
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 23:

Description: Block Inbound Unknown Apps TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Incoming
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

If you are on a LAN you might need to allow NetBIOS to and from computers on your LAN. You should insert two rules before rules 2 and 3:

RULE 2a:

Description: Trusted Inbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 3b:

Description: Trusted Outbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Port/Range
First Port: 137
Last Port: 139
Action PERMIT

= = = = = = = = = = = = = = = =

And you should enter your local IP addresses in the Trusted Address Group list.

Sorry, you cannot; CIS does not work the same as Tiny or Kerio Firewall.

In CIS all outgoing rules go in Application Rules; all incoming go in Global Rules.

So you will have to sort them out if you want to use them, placing each rule in the right place, Application or Global.

Also you would have to place them at the top, and in Application Rules place them in a group under the All Applications rule.

Dennis

No, Dennis2, you are not right.

If one disables global rules altogether (excepting the ones for ICMP), and customizes the application rules, he shall obtain something quite near to what Kerio did (and gave a very good protection for threats existing at that time), excepting that Kerio knew how to set a said rule for whatever IP and port, and that CIS does not, leading the users to rewrite themselves the said ports:
it's nothing but a well documented CIS bug.

But of course, such rules need to be adapted for each user:
- You can't, as noted in a footnote, globally deny NetBIOS on a LAN, and you can't any more globally deny RPC port 135 and BOOTP ports 67 and 68 if your router needs them under the same circumstances.
- I see no reason to allow echo and reply requests in a general situation.
- I see no reason to allow your browser TCP out to the whole world: ports 80 and 443 are enough.
- And the common ports and common malware rules are outdated and completely useless: the default behavior of a modern firewall/HIPS should definitely deny what is not explicitly allowed.

I was going through the list and noticed rule 6 and rule 7. With a Stateful Inspection (SFI) firewall like Kerio, Comodo and many others there is no need for rule 7. Rule 6 would suffice as SFI will take care of the incoming traffic.

Rules 8 and 9 work against rules 6 and 7. On an SFI firewall rule 8 does not need rule 9 (the same situation as with rules 6 and 7). Rule 10 blocks everything from rules 6-9.

As said, Kerio is a port firewall now outdated, and the OP is not even speaking of the last Kerio versions (WinRoute, Sunbelt) but of the last and very old freeware one (2.1.5).

The ICMP packets are monitored in CIS global rules.

Nevertheless:

Rules 8 and 9 work against rules 6 and 7.
No: note the outbound and inbound directions. Easier to read from a synoptic table (sorry, in French): http://kerio215.free.fr/

Concerning the association of rules 8 and 9 (or 6 and 7), note that the 6-7 set is for you pinging someone else (why would one want to do that excepting on a LAN? yes, the full rule is lousy and should be replaced by a global LAN rule) while the 8-9 set is for someone pinging you.
One could make a global ping blocking rule, but if you want to differentiate pinging and being pinged, you indeed need to monitor the different directions of echo request and echo reply.

The default global CIS rule in proactive configuration is to block every inbound echo request, i.e. also blocking LAN ping.

Rule 10 blocks everything from rules 6-9.
No: it is written below rules 6-9 and therefore interpreted after. It is only redundant for those ICMP details involved in echo request and reply.
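As an added illustration of the ordering point argued in this reply (not code from the thread or from Kerio), here is a top-to-bottom, first-match evaluation of ICMP rules 6-10 from the posted rule set, written in Python. The rule numbers, directions, actions and ICMP types are those listed in the OP; the first-match evaluation order is the assumption the reply above relies on, and the `Rule`/`evaluate` names are my own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    num: int               # rule number as in the posted rule set
    direction: str         # "Incoming", "Outgoing" or "Both"
    icmp_types: frozenset  # ICMP types this rule matches
    action: str            # "PERMIT" or "DENY"

# A subset of the ICMP types rule 10 lists under "(ALL)"; enough for this demo.
ALL_ICMP = frozenset({"Echo", "Echo Reply", "Destination Unreachable",
                      "Time Exceeded", "Redirect", "Source Quench"})

PING_REPLIES = frozenset({"Echo Reply", "Destination Unreachable", "Time Exceeded"})

# Rules 6-10 exactly as ordered in the thread (rule 10 is the catch-all DENY).
RULES = [
    Rule(6, "Outgoing", frozenset({"Echo"}), "PERMIT"),   # you ping others
    Rule(7, "Incoming", PING_REPLIES, "PERMIT"),           # their answers
    Rule(8, "Incoming", frozenset({"Echo"}), "DENY"),     # others ping you
    Rule(9, "Outgoing", PING_REPLIES, "DENY"),             # your answers
    Rule(10, "Both", ALL_ICMP, "DENY"),                    # everything else
]

def evaluate(rules, direction, icmp_type):
    """Return (action, rule number) of the first rule that matches, top to bottom.

    A rule matches when its direction is the packet's direction or "Both" and
    the packet's ICMP type is in its type set. No match means the Rule
    Assistant would prompt ("ASK"), as the OP's notes describe.
    """
    for r in rules:
        if r.direction in (direction, "Both") and icmp_type in r.icmp_types:
            return r.action, r.num
    return "ASK", None

if __name__ == "__main__":
    # Constructed sample packets: rule 10 only catches what 6-9 did not decide.
    for d, t in [("Outgoing", "Echo"), ("Incoming", "Echo Reply"),
                 ("Incoming", "Echo"), ("Incoming", "Redirect")]:
        print(f"{d:8} {t:12} -> {evaluate(RULES, d, t)}")
    # Moving rule 10 to the top is what would make it "block everything".
    print("rule 10 first:", evaluate([RULES[-1]] + RULES[:-1], "Outgoing", "Echo"))
```

With the posted order, an outbound echo request is permitted by rule 6 and an inbound echo request denied by rule 8 before rule 10 is ever consulted; only with rule 10 moved above them does it swallow the whole set.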

In short: is the old freeware version you mention a non-stateful-inspection firewall?

No. I really liked it; I was sad when Kerio sold it.

Kerio Personal Firewall (KPF) is a desktop firewall solution that performs stateful packet inspection.

For Windows NT/2000/XP

Slightly !ot!, but for incoming traffic, do we need a global and an application rule for the global rule to work?

Yes, in some cases, if directed at a specific application.

Dennis