How to handle CPF

Yes, keep the other Network rules. They are there by default, and all serve a purpose (these allow the majority of users to connect and surf, email, etc. without any difficulties). The Allow TCP/UDP Out Any Source/Destination/Port is your generic browsing/email/etc. rule. There are a couple that I generally find are not needed by me (the ICMP & GRE ones), but the most important is that bottom rule to Block & Log All. That is the ‘safety net’ for anything not defined in any previous rules; that way you make sure it’s stopped (the rules filter from the top down…).

Let me know how it goes; we want to make sure we have success…

LM

The firewall silently blocked my DHCP again while I was playing a game. Maybe it was because I changed the Alert Frequency Level from Very Low to Low. What does it mean exactly when it is on the lowest setting? Will the firewall automatically block or allow everything without a popup?

Here’s the log:

Date/Time :2007-06-14 22:03:26
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:MY.DHCP.IP.ADDRESS: :dhcp(68))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: MY.DHCP.IP.ADDRESS::dhcp(68)

That log entry is for the Application Monitor, firing on svchost. This means that some aspect of that traffic did not match the rule you have to allow svchost. The present rule is too restrictive in some way.

Go ahead and open Application Monitor. Find the rule for svchost.exe, and Remove/Delete it. Then reboot. If you see any alerts for svchost.exe, Allow with Remember.

At Alert Frequency Low you will see an alert based on Application and Direction (in or out); this same level of detail will be reflected in the AppMon rules created from the alerts.

At Very Low, you will see an alert based only on Application; that’s it. So once you’ve allowed an application, or denied it, that’s it (except for Application Behavior Analysis issues).

So it’s really a thing of the amount of detail in the alert & subsequent rules. It’s almost confusing to call it Alert Frequency, although it will generate more alerts, because of the level of detail. At Very High, you have application, direction, protocol, port, and IP address; you get alerts for each new website you access!

LM
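Two points in this thread lend themselves to a worked model: the top-down evaluation of Network rules with Block & Log All as the safety net (LM's first reply), and the way the Alert Frequency level decides how many fields an "Allow with Remember" Application Monitor rule pins down (LM's second reply). The Python below is an added example written for this page; it is not Comodo code and does not reproduce CPF's real rule engine. The sample events, the IP addresses (RFC 5737 documentation ranges), the reduced default rule set, and the assumption that traffic matching no application rule produces a prompt rather than a silent block are all constructed simplifications.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fields a rule may pin; None on the rule means "any".
MATCH_FIELDS = ("app", "direction", "protocol", "port", "remote_ip")


@dataclass(frozen=True)
class Event:
    """One connection attempt as the firewall sees it."""
    app: str
    direction: str   # "In" or "Out"
    protocol: str    # "TCP", "UDP", "ICMP", "GRE"
    port: int
    remote_ip: str


@dataclass(frozen=True)
class Rule:
    action: str          # "Allow" or "Block"
    log: bool = False
    app: Optional[str] = None
    direction: Optional[str] = None
    protocol: Optional[str] = None
    port: Optional[int] = None
    remote_ip: Optional[str] = None

    def matches(self, e: Event) -> bool:
        # Every pinned field must equal the event's field; unpinned fields match anything.
        return all(getattr(self, f) is None or getattr(self, f) == getattr(e, f)
                   for f in MATCH_FIELDS)


def first_match(rules: List[Rule], event: Event) -> Optional[Tuple[str, bool, int]]:
    """Top-down evaluation: the first rule that matches decides.
    Returns (action, logged, rule_index), or None if nothing matched."""
    for i, rule in enumerate(rules):
        if rule.matches(event):
            return rule.action, rule.log, i
    return None


# Reduced model of the default Network Monitor list (assumption: the real default set
# also carries ICMP/GRE entries). Order matters; the last rule is the safety net.
NETWORK_RULES = [
    Rule("Allow", protocol="TCP", direction="Out"),   # generic browsing/email rule
    Rule("Allow", protocol="UDP", direction="Out"),
    Rule("Block", log=True),                          # Block & Log All
]

# How many fields an alert (and the remembered rule) carries at each Alert Frequency level.
ALERT_LEVEL_FIELDS = {
    "Very Low":  ("app",),
    "Low":       ("app", "direction"),
    "Very High": ("app", "direction", "protocol", "port", "remote_ip"),
}


def learn_rule(level: str, event: Event, action: str = "Allow") -> Rule:
    """The rule 'Allow with Remember' would create from an alert at this level:
    only the fields the alert showed are pinned, the rest stay 'any'."""
    pinned = {f: getattr(event, f) for f in ALERT_LEVEL_FIELDS[level]}
    return Rule(action, **pinned)


def app_monitor(rules: List[Rule], event: Event) -> str:
    """Assumption: no matching application rule means a prompt ('Alert')."""
    hit = first_match(rules, event)
    return hit[0] if hit else "Alert"


# Constructed sample traffic (not taken from the thread's log).
HTTPS_OUT = Event("firefox.exe", "Out", "TCP", 443, "198.51.100.10")
SMB_IN = Event("System", "In", "TCP", 445, "203.0.113.7")           # unsolicited inbound
DNS_QUERY = Event("svchost.exe", "Out", "UDP", 53, "192.0.2.53")
DHCP_REPLY = Event("svchost.exe", "In", "UDP", 68, "192.0.2.1")
DHCP_RENEW = Event("svchost.exe", "In", "UDP", 68, "192.0.2.2")     # reply from another server


def svchost_outcomes() -> dict:
    """Learn a svchost.exe rule from the earlier DNS query at each level, then ask
    whether that rule covers the later inbound DHCP reply."""
    return {level: app_monitor([learn_rule(level, DNS_QUERY)], DHCP_REPLY)
            for level in ALERT_LEVEL_FIELDS}


if __name__ == "__main__":
    print("network:", first_match(NETWORK_RULES, HTTPS_OUT), first_match(NETWORK_RULES, SMB_IN))
    print("svchost rule learned from DNS query vs DHCP reply:", svchost_outcomes())
    for level in ALERT_LEVEL_FIELDS:
        rule = learn_rule(level, DHCP_REPLY)
        print(level, "rule from first DHCP reply covers renewal from another server:",
              rule.matches(DHCP_RENEW))
```

Running it shows the safety net catching the inbound SMB attempt while outbound HTTPS is allowed by the first rule, and why a remembered rule can be "too restrictive in some way": a svchost.exe rule learned at Low from outbound traffic pins direction, so an inbound DHCP reply does not match it, and a rule learned at Very High from one DHCP reply pins the server IP, so a later reply from a different server does not match either.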