Networks are arcane and enigmatic - and IP addressing is central to their use - until one has an epiphany and the light goes on: OH! Its that simiple! Yes it is.
For the browser, these are the only rules you need (get rid of all the IP address specific rules):
allow UDP out from your PC, i.e., NIC IP address, to all DNS server IP address on port 53
allow TCP out from your PC, i.e., NIC IP address, to Any IP address s on ports in [HTTP ports]
allow TCP out from your PC, i.e., NIC IP address, to Any IP address s on ports in [Adobe RTMP ports]
ports in [HTTP ports] is a port set created manually; it has ports 80, 81, 443 & 8080
ports in [Adobe RTMP ports] is a port set created manually; it has ports 843, 1935
Any port not in those two port sets is special, and is addressed ad hoc basis. It doesn’t matter what the destination IP address are - its the browser - and it goes where you send it.
If you’re using DHCP to assign the IP for your NIC, then the source IP address will be MAC Any - because your host IP address is dynamic - it could be any one of 65,000 IP address. The destination will always be MAC Any for the standard HTTP ports; you don’t know where you’ll surf to. ‘MAC Any’ is how CIS makes the rule to address any IP address. The same with DNS servers, if you don’t know what they are, you use ‘MAC Any’ as the destination and assume ALL UDP on port 53 is DNS look-up.
The only time that the browser will alert is if any IP wants to connect to any port not specified in the aforementioned port sets. These alerts can be allowed, but don’t create the rule for them unless you go to that web-site often. Then create a rule for that IP address specifically to the special destination port.
For example, my previous post listed: allow TCP out from your PC, i.e., NIC IP address, to IP in [Amazon] on port 6667
[Amazon] is a network zone that contains an Amazon IP address(es). If I co there, the active connections might show 5 connections to that IP address, e.g., one to port 80, one to port 443 and one to port 6667. No other website needs port 6667, so no special rule is specified for that.
I can go anywhere on the web and the three rules will work w/ out alerts. But if I click on the eMail button on my Yahoo home-page, then I need the following rule (or I’ll get an alert):
allow TCP out from your PC, i.e., NIC IP address, to IP in [web-mail] on ports in [web-mail server ports]. T
[web-mail] is a network zone that contains the servers for Yahoo Mail, and [web-mail server ports] is a port set that contains 5050 & 843.
this one rule allows access to any one of 66,045 IP address, each able to connect to one of two different ports, i.e., 5050 or 843.
If I look at active connections while at the browser Mail web-page, I may see several connections to any IP in [webcs.Yahoo] containing the following netmasks:
18.104.22.168 / 255.255.255.0 - 255 IP allowed
22.214.171.124 / 255.255.255.0 - 255 IP allowed
126.96.36.199 / 255.255.0.0 - 255 * 255 IP allowed
188.8.131.52 / 255.255.255.0 - 255 IP allowed
184.108.40.206 / 255.255.255.0 255 IP allowed
In addition to the Yahoo home page, there may be Yahoo home-page IP address that can connect to any one port in the set 80, 81, 443, 8080 and 843 & 1935
But one rule addresses the additional requirement of the browser to do web-mail - and I don’t care which IP it connects to now, two hours from now, today, tomorrow or next week. The Yahoo Mail load balancing server determines which IP address to provide to my browser’s DNS query when it looks up www.YahooMail.com And any IP address that’s related to Yahoo Mail, for me, is implicitly trusted. But no other web-site needs to hit ports 5050, 843 or 6667, so that’s why I have an explicit rules for those ports exclusive to those particular IP address exclusively for Yahoo Mail & Amazon.
The reason you have all those rules is because CIS is creating rules for each web-site you visit (or you’re allowing them with ‘remember’ ticked for each alert).
If you don’t want to be bothered to set up the rules manually, then just implement the pre-defined policy [web-browser] and be done with it.