Loopback rules and alerts don't work

Hi,

I tried to block loopback connections but CIS Firewall can’t block any loopback packet.
For testing I created a simple rule in ‘Global Rules’ section placed at the top of the list of global rules:

“Block IP in/out From IP Any To IP Any Where Protocol Is Any”

It should block all network connections but it blocks everything except loopback connections.
My Firewall is set to ‘Custom Policy Mode’, alert frequency is set to ‘Very high’ and all types of alerts are enabled.
The firewall doesn’t even alert me about any loopback connection.

The same situation appears when I want to be informed about loopback connection by Defense+ component.
I set ‘Loopback networking’ to ‘Ask’ for all predefined security policies and Security Level to ‘Paranoid Mode’, but there are still no alerts when my applications establish loopback connections.

My configuration:
CIS Version: 3.5.57173.439
System: Windows XP Professional (32 bit) with Service Pack 3
Antivirus software: Avira AntiVir Personal

Welcome to the forum jordan_jrd :slight_smile:
The block rule (All Applications) has to be the first in Network Security Policy/Application Rules, as all outgoing traffic is checked there; Global Rules are for incoming.
Have you got an All Applications rule in Network Security Policy/Application Rules? I do not remember if I deleted all rules except CIS on install.
Dennis
PS Do not try this in Vista as it blocks all internal communications, and you will have to boot in Safe Mode (F8) to remove it.

Thanks, it was helpful. I created a rule
‘Block IP In/Out from IP Any To In [Loopback zone] Where protocol is Any’
in ‘Application Rules’ section and it filtered all loopback connections.

Greetings,
Jordan Szwejda

I was wrong. I performed additional tests and I noticed that not all loopback connections were blocked.
For example I have an SOS server working on port 5000, and the SOS client can still connect to the server.
After this I added a rule (for all applications):

“Block IP In/Out From IP Any To IP Any Where Protocol is Any”

at the top of the list of application rules. It didn’t change anything and the SOS client was still able to connect to the server.

Jordan

Can you try to create a block+log rule for the SOS client to block In/Out IP, src any, dst 127.0.0.1, src port any, dst port any, and see if that works?

I created the rule which should block everything with added option for logging, then I called SOS client again.
After this there wasn’t any event in the log file related to the SOS application. Then I changed the rule and set Action to ‘Ask’, but it looks like the SOS connection wasn’t detected by CIS and no alert appeared (all alert options are enabled and alert frequency is set to the highest level).

The same situation appears when I have defined the rule only for the SOS client (nothing registered in the log file and the client can connect to the server).
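A small loopback probe for reproducing the test described in this thread, added here as an example; it is not code from the thread or from Comodo. It starts a throwaway TCP listener on 127.0.0.1 (port 0 lets the OS pick a free port; port 5000 would mimic the SOS test) and then connects to it from the same host, so the outcome can be compared with what the firewall log shows. If the block rule is effective the connect fails; if it connects and nothing appears in the log, the loopback traffic is passing the filter unexamined, which is the behaviour the poster reports.

```python
import socket
import threading


def probe_loopback(host="127.0.0.1", port=0, timeout=2.0):
    """Open a loopback TCP listener, connect to it from the same host, and
    report what happened. Returns a dict with the bound port, whether the
    client connected, the bytes it received, any socket error name, and
    whether the server side saw the client at all. Assumed inputs: host is
    the loopback address, port=0 means "any free port" (use 5000 to mirror
    the SOS server in the thread)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(1)
    listener.settimeout(timeout)
    bound_port = listener.getsockname()[1]
    accepted = {"peer": None}  # filled in by the server thread

    def serve():
        # Accept at most one client and send a marker payload, then hang up.
        try:
            conn, peer = listener.accept()
            accepted["peer"] = peer
            conn.sendall(b"hello from loopback server\n")
            conn.close()
        except socket.timeout:
            pass  # no client arrived: consistent with a working block rule

    server_thread = threading.Thread(target=serve, daemon=True)
    server_thread.start()

    result = {"port": bound_port, "connected": False, "payload": b"", "error": None}
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(timeout)
    try:
        client.connect((host, bound_port))
        result["connected"] = True
        result["payload"] = client.recv(64)
    except OSError as exc:
        # ConnectionRefusedError / timeout here is what an effective block looks like
        result["error"] = type(exc).__name__
    finally:
        client.close()
        server_thread.join(timeout)
        listener.close()
    result["server_saw_client"] = accepted["peer"] is not None
    return result


def interpret(result):
    """Turn the probe result into the one-line verdict a tester wants."""
    if result["connected"] and result["server_saw_client"]:
        return "loopback connection succeeded on port %d (check the firewall log for a matching entry)" % result["port"]
    return "loopback connection failed on port %d (%s)" % (result["port"], result["error"])


if __name__ == "__main__":
    print(interpret(probe_loopback()))
```

Run it once with no loopback rule to confirm the probe itself works, then again after adding the block or block+log rule; a second successful run combined with an empty log is the condition this thread is about.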

To me it seems to work differently in XP than in Vista in Firewall/Active Connections.

In Vista you can see all connections; if offline it still shows 15 connections.
In XP, if offline, none.
Dennis