Hi.I’m a little confused.After installing CIS wih both AV and FW module,there is
a Rule in network security policy for all programs that allows outgoing
from any address to any address,and even in Custom Policy Firewall Setting,
FW does not ask for any program and all programs can connect to internet.
This Rule does not exist when u install just FW module.
My question is:
(1) Why this rule does not exist in FW only mode,but when you install FW
and AV this rule exists???!!!
(2) If this rule is just for Outgoing,why all programs can receive,and have incoming
connection?
There are three different configuration files used by CIS. The configuration chosen will be dictated by the choices you make during installation. The configuration may be changed after installation from the More/Manage my configurations option in the CIS control panel.
The theory is, by incorporating this rule, in what is arguably the most popular installation option, users will be less frequently ‘troubled’ by ‘annoying’ alerts…
(2) If this rule is just for Outgoing,why all programs can receive,and have incoming connection?
The default configuration for the firewall with the Proactive and Firewall security policy, allows all inbound traffic, however, only processes that have an Application rule to accept inbound traffic, or those listening for a response to a request (stateful inspection) will process inbound connections.
Thanks Radaghast.
dont use defaults. they are mainly just compromisses.
am i wrong, or is the described default then nearly like the windows firewall?
Can you give me an example that I compare with my Global Rules?
-“outgoing” means, can request ingoing packets.
-“ingoing” means, could come in without request. that is what a firewall should protect against. so ingoing should not be allowed by itself, apart from RARE, controlled cases.
the first example, erase all rules which would allow something unspecific to connect to the internet. use stealth port wizard setting 3, and look again in your global rules. and for the principle of “nothing unspecific allowed”, erase the rule “allow outgoing” in global rules too, after that.
the windows firewall is like protecting you from ingoing, while installed applications should be able to connect “userfriendly”. thats why i said it in this case. and usually one wants to have a better firewall, to have control over any attempts to connect to the internet. and it wonders, that an alternative firewall is nearly acting like the windows firewall per default. why not use the windows one then?
if you have a better firewall, you should use it for additional protection. need to make settings.
As I mentioned earlier, there are three different configuration files use with CIS, Internet Security, Proactive Security and Firewall Security. The configuration file chosen will depend on the options you choose during installation, for example, if you install the Antivirus, the settings from the Internet Security configuration file are used.
As far as the firewall is concerned, there are very few differences between the three configurations, in fact, from a firewall perspective, the Proactive and Firewall configurations are identical. However, the Internet Security configuration has a few differences you should be aware of.
- Under Firewall Application rules there is a rule:
All Applications - Allow All Outgoing
As the name implies, this essentially allows all outbound connections for all applications. This is something you may not want. Personally, I suggest deleting this rule.
-
The Firewall Global rules are in ‘stealth’ configuration - equivalent to running the Stealth Ports Wizard with the third option. This sounds pretty funky, but it really only blocks all inbound connections. That point, however, is key, as the other two configuration files allow all inbound connections, so this change will have an impact on applications that need server status, such as p2p, web/ftp server etc.
-
The Global rules allow some essential ICMP communication inbound.
It’s also worth making mention of the way the firewall configuration works. Basically the flow of communication is as follows:
Process → Application Rules → Global Rules → Internet/Network
Internet/Network → Global Rules → Application Rules → Process
Essentially, when a process attempts to make a connection to the outside world and number of criteria have to be satisfied:
For an outbound connection:
a. There is an Application rule that allows the connection
b. There are no Global rules that prevent the connection
For an inbound connection:
a. There are no Global rules that prevent the connection
b. There is a Application rule that can accept the connection
Another way to imaging the rules is:
a. Application rules are used to control which process can make and accept connections
b. Global rules are used to control which protocols are allowed to pass to and from the firewall