Here I wanna concentrate on the Application Control module, since I have a h/w firewall.
I have noticed weird behaviour from CPF. I wanna create specific rules to make a distinction between behaviour in a safe zone or a non-safe one such as the Internet. I have been playing with rules on Firefox, trying to prevent Firefox from being a server on the Internet zone (quite easy to achieve in Kerio for instance but not the point ;D)
Now after creating rules and deleting rules, I can't connect with Firefox!! although there is a rule that authorizes Firefox to connect in and out to everywhere!!! >:( >:(
It seems that some cache exists and even when rules are changed, some of the cache prevails and prevents normal rule behaviour. Once a rule has been entered “in the wrong way”, it does not seem to show and is thus impossible to modify.
My log shows Firefox being stopped although the rule allows it!!!
There is certainly a potential here, but sometimes CPF behaves really weirdly.
I think it would be nice if application control could be tailored according to the zone you are dealing with.
Now has anyone a comment on this “cache” issue?
The ‘acting as server’ alert is most likely due to Firefox requesting the loopback connection. I use Opera and it alerts the same thing. By default, CFP checks for TCP loopback connections in case you run a proxy server (which is more vulnerable to this type of connection). To disable such checks, go to Security > Advanced > Miscellaneous > Configure > check to enable Skip loopback TCP.
To resolve the “cache” issue, go to the Application Monitor and remove any rules blocking Firefox. After doing this you should restart Firefox and see if it works again.
It does seem that CFP behaves strangely, but this is for security purposes in case something suspicious (including malware) uses Firefox to connect out.
Thanks but… nope… both were checked.
It is true that I would expect an “act as a server” alert but it doesn't show anymore, it used to!!!
Anyway, I have created a rule that allows Firefox to do anything but it doesn't help, the log shows FF being blocked!?
Any other ideas?
Additional comment: when an “act as a server” rule is created, only an incoming connection rule should be created, not both directions. Not the case I believe.
Would you please post a sample of your logs and preferably a screenshot of your rules? Remember to edit out any private IPs.
I don’t know much about the act as server message, but the last I saw it was with Opera and it was an incoming connection rule just like what you’ve witnessed.
Ok I will asap, but my laptop is out of battery right now.