Question about firewall's "internal rules"

I have searched the forum but I couldn’t find an answer for this. When my global rules are set to P2P mode, is it allowing all ICMP incoming packets except ping request, and all outgoing???


Take a look at your global rules and see what they say about blocking ICMP; there really aren’t any hidden rules in that sense. What version of the firewall are you using and what OS?

Thanks for your response. I’m using the latest version of CIS under Windows XP 32-bit. So you are telling me that all types of ICMP are allowed IN except ping request?

Under stealth port wizard, the “P2P mode” is part of the “Alert me to incoming connections” option, so you should see the ICMPs and be able to allow/block them. If you use the stealth mode option, all incoming connections that are not specifically allowed by global rules are blocked.

As you said, I’m able to allow/block the ICMPs, but only for programs and not for the pseudo process “Windows Operating System”. I have added “Windows Operating System” to my Application Rules list and added the rule to Block and Log IP IN/OUT, and I noticed some strange behavior with the logs. The firewall was logging ONLY blocked ICMP IN/OUT packets. Nothing about TCP or UDP. That’s why I guessed that there must be some “hidden internal” rules. I only want to know how secure I am with the firewall set to “Alert me to Incoming Connections” and whether it’s blocking other ICMPs except Ping.

WOS is really how the firewall handles incoming requests that are not routed to a specific destination. Like when the program that sent out the request has terminated, or a response comes in to something not initiated by you. In a sense it is redundant with the global rules. I don’t use global rules, but put the equivalent under WOS as in the attachment. Stuff that is blocked and logged by your global rules also shows up as WOS. But there have been some inconsistencies in this behavior in previous firewall versions, so I would err on the conservative side to be sure it is doing what you want. WOS used to be called “System Idle Process” in the firewall, which was more MS-correct but also more confusing for users. :wink:

[attachment deleted by admin]

Cheers, your explanation about WOS is very enlightening.
One more question, please. The firewall isn’t logging packets blocked by protocol analysis, right?

Sorry; don’t know, although it should (if not a bug). Just haven’t used it. Maybe someone else will chime in.

Well, I set up my rules for WOS like yours in the screenshot and I deleted everything in the global rules, but I’m not getting anything in my logs for WOS. I’m only getting some blocked entries for the SYSTEM process. I’m behind a network and normally the firewall should be logging the blocked traffic on the network. I’m very confused… ???

I don’t have logging turned on for my rules, since they just clutter the log. Have you checked the “log” box for each block rule to be sure of getting something?

Yes, I did. Also I noticed that the rule for ICMP IN: Echo Reply is not needed and is not logging anything. It is only logging the Echo Request and type (3) and type (4), as I see in my logs. I guess when the user sends a ping, the echo reply is permitted by SPI and the rule is ignored…

Sounds right. We don’t have a list of the SPI rules either; probably a trade secret, or? SPI rules can’t be blocked or logged, though. There are other threads on various CIS logging problems, but I don’t know the status. CIS uses “selective logging”, so the logs don’t always represent all that is happening.
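To make the two posts above concrete (a manual Echo Reply rule that never fires, and SPI decisions that are neither blockable nor logged), here is an added toy model, written for this thread and not code from Comodo or from anyone in the discussion. It parses constructed RFC 792 ICMP headers, runs a stateful check first (outgoing Echo Requests open state; a matching incoming Echo Reply is admitted there), and only then applies a static "block and log all inbound ICMP" rule. The class and function names, the two-stage ordering, and the sample packets are assumptions for illustration; only the ICMP type numbers are real.

```python
# Added example (not from the thread): a toy model of how stateful packet
# inspection (SPI) admits solicited ICMP echo replies before any static
# "block and log" rule is consulted. ICMP type numbers are the real RFC 792
# values; the class/function names and sample packets are constructed here.
import struct
from dataclasses import dataclass, field

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
ICMP_ECHO_REQUEST = 8

ICMP_TYPE_NAMES = {
    ICMP_ECHO_REPLY: "Echo Reply",
    ICMP_DEST_UNREACH: "Destination Unreachable",
    ICMP_SOURCE_QUENCH: "Source Quench",
    ICMP_ECHO_REQUEST: "Echo Request",
}


@dataclass
class IcmpPacket:
    direction: str  # "in" (arriving at the host) or "out" (leaving it)
    type: int
    code: int
    ident: int = 0  # echo identifier (meaningful only for types 0 and 8)
    seq: int = 0    # echo sequence number


def build_icmp(icmp_type: int, code: int = 0, ident: int = 0, seq: int = 0) -> bytes:
    """Construct an 8-byte ICMP header; checksum is left zero since it is not verified here."""
    return struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)


def parse_icmp(direction: str, raw: bytes) -> IcmpPacket:
    """Decode the RFC 792 header: type, code, checksum, then the identifier and
    sequence words that Echo Request / Echo Reply use to pair up."""
    if len(raw) < 8:
        raise ValueError("ICMP header too short")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return IcmpPacket(direction, icmp_type, code, ident, seq)


@dataclass
class StatefulIcmpFilter:
    """Hypothetical filter: SPI stage first, then a static 'block and log IN' rule."""
    pending_echo: set = field(default_factory=set)  # (ident, seq) of our outgoing pings
    log: list = field(default_factory=list)

    def handle(self, pkt: IcmpPacket) -> str:
        # Stage 1: stateful inspection. An outgoing Echo Request opens a state
        # entry; the matching incoming Echo Reply is admitted here and never
        # reaches the static rules, so a manual Echo Reply rule never fires.
        if pkt.direction == "out" and pkt.type == ICMP_ECHO_REQUEST:
            self.pending_echo.add((pkt.ident, pkt.seq))
            return "allow"
        if pkt.direction == "in" and pkt.type == ICMP_ECHO_REPLY:
            key = (pkt.ident, pkt.seq)
            if key in self.pending_echo:
                self.pending_echo.discard(key)
                return "allow-spi"  # not logged: SPI decisions bypass the rule log
        # Stage 2: static rules. Inbound ICMP that SPI did not claim is blocked
        # and logged (unsolicited pings, type 3/4 messages, stray replies).
        if pkt.direction == "in":
            name = ICMP_TYPE_NAMES.get(pkt.type, f"type {pkt.type}")
            self.log.append(f"Blocked ICMP IN {name} code={pkt.code}")
            return "block"
        return "allow"  # remaining outbound ICMP is allowed by this toy rule set


def run_sample():
    """Replay a constructed packet sequence and return (decisions, log)."""
    fw = StatefulIcmpFilter()
    sample = [
        ("out", build_icmp(ICMP_ECHO_REQUEST, ident=0x1234, seq=1)),  # our own ping
        ("in", build_icmp(ICMP_ECHO_REPLY, ident=0x1234, seq=1)),     # its reply
        ("in", build_icmp(ICMP_ECHO_REQUEST, ident=0x0001, seq=1)),   # someone pings us
        ("in", build_icmp(ICMP_DEST_UNREACH, code=3)),                # port unreachable
        ("in", build_icmp(ICMP_ECHO_REPLY, ident=0x9999, seq=7)),     # unsolicited reply
    ]
    decisions = [fw.handle(parse_icmp(d, raw)) for d, raw in sample]
    return decisions, fw.log


if __name__ == "__main__":
    decisions, log = run_sample()
    print(decisions)
    print("\n".join(log))
```

Running it shows the pattern from the logs above: the solicited Echo Reply is decided at the SPI stage and leaves no log entry, while the unsolicited Echo Request, the type 3 message and a reply with no matching request are all blocked and logged by the static rule.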

Let’s hope to have full logging capabilities in the future. It’s a pity that such a strong firewall is so weak on logging. Cheers for the help, sded.