Apparently there’s a terminological difference between our respective use of “global” and “application”. When talking about “application rule”, I mean a rule which is specific to one application. When talking about “global rule”, I mean a rule which is applied to all applications. In a rule list, the first matching rule with a final verdict (“accept” or “reject”) is used and further processing stops. This is a common behavior among rule-based firewalls.
I am not quite sure what you mean by “application rule” and “global rule”. It seems to me that you consider application rules as one level of protection and global rules as another level of protection. A packet is first checked against application rules and if the verdict is “accept”, it is also checked against matching global rules, and only if “accept” is reached* is the packet allowed to go to the net. The same is done with an inbound packet, though in a different order. Correct me if I am wrong.
*) Here it’s not clear whether a final verdict is copied from the first matching rule or whether all matching rules must return “accept” for the verdict to be “accept”. That is, if I had two global rules A=“accept outbound connections to port 80” and B=“deny outbound connections to host google.com” and I had a packet to google.com:80, would the result be:
a) always reject regardless of rule order (because one rule returns “reject”)
b) accept if the rules’ order is A,B (because rule “A” returns “accept” and that stops further processing)
c) reject if the rules’ order is B,A (because rule “B” returns “reject” and that stops further
5) All applications - deny access to localhost
Create Application Rules
How? I would have to write one rule for every single file (!!! - you can run any file, no matter what extension it has) on my computer. Every time I connect a USB disk, I would have to add rules for every file on that disk. Every time any application creates a file, I would have to add a rule for that file. The list of rules would be monstrous, even if it was at all possible to create and maintain it.
If I am misunderstanding your intentions, perhaps you could post a specific example with some actual rules
OK. Imagine that I am on a slow metered line (mobile phones come to mind) and need to minimize data transfers. So I install an HTTP proxy server to do caching of pages. This proxy server needs to access the internet:
#1: Allow "CachingProxy.exe" outbound TCP to remote-port=80
It also needs to listen to local requests:
#2: Allow "CachingProxy.exe" inbound TCP from remote-addr=localhost to local-port=3128
(One application rule would be enough with most firewalls. With CIS, I would apparently need an additional global rule of ‘Allow inbound TCP from remote-addr=localhost to local-port=3128’, which is an annoyance, but can be handled.)
Now I need to set up my browsers to use that proxy (using their own network setups) and let them pass through firewall:
#3: Allow "Firefox.exe" outbound TCP to remote-addr=localhost remote-port=3128
#4: Allow "Iexplore.exe" outbound TCP to remote-addr=localhost remote-port=3128
...
Which is all fine, browsers now work through the proxy as intended. The only problem is that if malware got installed on my computer, it could read the registry of Internet Explorer and discover that IE uses the proxy server localhost:3128. Then it could connect to localhost:3128 and gain access to the internet through my proxy. I don’t want that, so I need to prevent it somehow. I am trying to find how to do it with CIS.
With some other firewalls, the solution is simple: In the list of rules I would place the above rules at the beginning and immediately follow them with another rule:
#5: Deny "*.*" outbound TCP to remote-addr=localhost remote-port=3128
Then I could write any rules I like, including “allow access to loopback to any adapter”, because those rules would be tested only if none of the rules above them yielded a result (either “accept” or “reject”). If malicious software tried to connect to my proxy, it would get stopped by rule #5 as the first matching rule.
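The two points the posts above turn on are the same mechanism: in a first-match rule list the first rule that matches decides and evaluation stops, so the A/B ordering question from the earlier post and the "#5 deny before the permissive loopback rule" trick from this one are both questions of rule order. The following is an added example, not code from either poster and not a description of how CIS itself evaluates rules: it is a small first-match evaluator that models the rules exactly as written in the posts (#1 to #5, followed by a permissive "allow loopback" rule of the kind the post says could safely come afterwards). The rule and packet layout, the `malware.exe` name, the ephemeral local ports and the `google.com` host used in the A/B case are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"  # wildcard for string fields; None is the wildcard for port fields


@dataclass(frozen=True)
class Rule:
    verdict: str                       # "allow" or "deny": both are final verdicts
    app: str = ANY                     # executable name, or "*" for all applications
    direction: str = ANY               # "out" or "in"
    proto: str = ANY                   # "tcp" or "udp"
    remote_addr: str = ANY
    remote_port: Optional[int] = None
    local_port: Optional[int] = None
    note: str = ""                     # free text, e.g. the rule number from the post


@dataclass(frozen=True)
class Packet:
    app: str
    direction: str
    proto: str
    remote_addr: str
    remote_port: int
    local_port: int


def _field_matches(rule_value, packet_value) -> bool:
    """A rule field matches when it is a wildcard or equal to the packet's value."""
    return rule_value in (ANY, None) or rule_value == packet_value


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    fields = ("app", "direction", "proto", "remote_addr", "remote_port", "local_port")
    return all(_field_matches(getattr(rule, f), getattr(pkt, f)) for f in fields)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation: the first matching rule decides and processing stops.

    Returns (verdict, 1-based index of the deciding rule); the index is None when no
    rule matched and the default verdict applied.
    """
    for idx, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule.verdict, idx
    return default, None


# Rules #1..#5 in the order the post places them, then the permissive loopback rule
# the post says can follow them because #5 already catches the proxy port.
PROXY_RULES = [
    Rule("allow", app="CachingProxy.exe", direction="out", proto="tcp", remote_port=80, note="#1"),
    Rule("allow", app="CachingProxy.exe", direction="in", proto="tcp",
         remote_addr="localhost", local_port=3128, note="#2"),
    Rule("allow", app="Firefox.exe", direction="out", proto="tcp",
         remote_addr="localhost", remote_port=3128, note="#3"),
    Rule("allow", app="Iexplore.exe", direction="out", proto="tcp",
         remote_addr="localhost", remote_port=3128, note="#4"),
    Rule("deny", app=ANY, direction="out", proto="tcp",
         remote_addr="localhost", remote_port=3128, note="#5"),
    Rule("allow", app=ANY, remote_addr="localhost", note="allow loopback to any adapter"),
]

# The A/B pair from the earlier post: A allows outbound port 80, B denies google.com.
RULE_A = Rule("allow", direction="out", proto="tcp", remote_port=80, note="A")
RULE_B = Rule("deny", direction="out", proto="tcp", remote_addr="google.com", note="B")


def outbound_to_loopback(app: str, port: int = 3128) -> Packet:
    """Constructed sample: APP connecting out to localhost:PORT (local port is arbitrary)."""
    return Packet(app=app, direction="out", proto="tcp",
                  remote_addr="localhost", remote_port=port, local_port=49152)


def google_http(app: str = "Firefox.exe") -> Packet:
    """Constructed sample: the google.com:80 packet from the A/B question."""
    return Packet(app=app, direction="out", proto="tcp",
                  remote_addr="google.com", remote_port=80, local_port=49153)


if __name__ == "__main__":
    for app in ("Firefox.exe", "malware.exe"):
        print(app, "-> localhost:3128:", evaluate(PROXY_RULES, outbound_to_loopback(app)))
    # Swapping #5 and the loopback rule lets the malware through: order is the control.
    swapped = PROXY_RULES[:4] + [PROXY_RULES[5], PROXY_RULES[4]]
    print("malware.exe with #5 moved below the loopback rule:",
          evaluate(swapped, outbound_to_loopback("malware.exe")))
    print("A then B:", evaluate([RULE_A, RULE_B], google_http()))
    print("B then A:", evaluate([RULE_B, RULE_A], google_http()))
```

Run as a script it shows Firefox accepted by #3, the unlisted program denied by #5, the same program accepted once the permissive loopback rule is moved above #5, and the A/B packet accepted under A,B but denied under B,A, which is outcome (b)/(c) of the earlier post rather than (a). Whether a given product actually behaves this way, or instead requires every matching rule to accept, is exactly what the thread is trying to establish; the model only makes the consequence of each answer concrete.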