To Developers: Default Rules

I just installed CPF a few days ago and it failed the ‘Shields Up’ test as CPF did not block ICMP Echo Requests. I read in this Forum the solution.

I also read m0ng0d’s excellent Tutorial at https://forums.comodo.com/index.php/topic,1125.0.html. It should be added to CPF’s Help file.

From reading the above two, may I suggest that the developers add these Rules as the top four so that the average novice users of CPF need not add new Rules to be protected? :

  1. Block & Log, IP In, Any, Any, Where IPROTO is Any
  2. Block & Log, ICMP In, Any, Any, Echo Request.
  3. Block & Log, ICMP Out, Any, Any, Echo Reply.
  4. Block & Log, ICMP In/Out, Any, Any, Source Quench.

I also tried Outpost Firewall 4 and it blocks more ICMPs. I don’t know whether they are necessary but can the developers look into them?

The above are just my novice opinions but perhaps you can look into them.

Update : Thanks to Triplejolt, I have changed the above proposed Rules. See below.

Update : I opened this post as the default Network Rules failed the ShieldsUp test when I first installed CPF. Since it passed after reinstallation, I withdraw my suggestion for a change in the default Rules. Sorry for any inconvenience.

Bookmarked!! I’ll look into this later

Thanks for looking into this.

If you decide to add these or others as default Rules, there would be no problems for new installations as the list would be as you want it to be. However, I suppose you would need to have a way to add these rules and their positions in the list for those who have already installed CPF and have added or edited the Rules.

First, I’d revise the list entirely. The entry 0. is read first and, according to this list, your firewall will be dropping absolutely everything headed your way, rendering the remaining rules useless :slight_smile:
Remember: IP supersedes TCP, UDP and ICMP
Secondly, I’d block & log any-[your hostname] inbound ICMP Echo request, and allow [your hostname]-any outbound ICMP Echo request. This will allow you to test connectivity, but block and notify you of others attempting to do the same to you.
Source Quench isn’t really necessary as this is more common as a router option.

I went through all tests but I didn’t fail any of them…
Default settings except for uTorrent/skype ports rule.
Image “shieldsup4” shows that even if you have a TCP/UDP In rule for your torrent app, it doesn’t mean that it’s always open. It’s not just closed, it’s stealthed.
I also did a couple at pcflank.
See images.

[attachment deleted by admin]

You’re right. I misapplied m0ng0d’s Tutorial. The first rule should actually be at the bottom. I have amended them as shown in the image below. As this post is to recommend to the developers default rules when first installing CPF, please correct any mistakes. Many thanks.

I failed the ShieldsUp Common Ports test using the default Rules. After adding the Block Incoming Echo Request rule, it passed.

Edited : Sorry, I made a slight change to the order of the Rules. Please ignore the image here and see next post.

[attachment deleted by admin]

My proposed default Rules are shown in image below.

[attachment deleted by admin]

I’ll jump in with some thoughts. Please feel free to comment and/or dispute :slight_smile:

  1. Leave as is
  2. Change to Any Any inbound ICMP
  3. Can be deleted
  4. Can be deleted
  5. Can be deleted
  6. Can be deleted
  7. Delete this (rule 7 makes this obsolete)
  8. Leave as is for now (with logging on, this rule is good for debugging and troubleshooting)
  9. What would we do without the implicit deny at the bottom :slight_smile:

Normally rule 0 would have rule 2 as well to be working, but this isn’t the case here ???
Outbound Echoes are usually allowed by default, but to get something in return you’d need Echo Reply. Think I need some more coffee to be more effective :slight_smile:

Thanks, Triplejolt, for pointing out my errors.

One question before I present another list: Is it practical to block all inbound ICMP? Do we need any inbound ICMP?

I failed the ShieldsUp Common Ports test using the default Rules. After adding the Block Incoming Echo Request rule, it passed.

Why didn’t I fail?

There is an allow OUT Echo Request by default, so do you need Block In Echo Request?

Triplejolt, did you also fail the test?

Well… that depends on how much functionality you want. Normally you would allow these inbound ICMP types:
0 Echo Reply (Reply packets from the host you’re trying to ping)
3 Destination Unreachable (When there’s a routing problem and you want to know about it)
11 Time Exceeded (When TTL expires and you want to know that as well)

Go ahead and block all inbound ICMP, and open up those you need when you want to debug/troubleshoot.
I’m behind a proxy, a hide address and a perimeter firewall so any inbound tests would fail to work properly. But block & log inbound Echo requests as these are outside hosts trying to ping you.

AOwL,

I uninstalled CPF and reinstalled it with its default Network Rules. I did the ShieldsUp test again and it passed this time. I don’t know why it failed the first time I installed it as I didn’t change any of the rules then.

Triplejolt,

One of the default Rules is “Allow IP Out, Any, Any, Where IPPROTO is GRE.”

What is GRE?

GRE stands for Generic Routing Encapsulation and was originally developed by Cisco to create an IP tunnel between two endpoints. This protocol was developed for the purpose of encapsulating any type of packets inside an IP tunnel in an internetworking environment, e.g. from HQ to branch offices. This tunnel however is not encrypted and is not to be mistaken for VPN, which is encrypted :slight_smile:
Basically its a simple site-to-site tunneling protocol.

I can explain it further if need be, but then I need to look into the details myself. It’s been a while, lol
(:NRD)

Ok, good.
CFP should pass these tests with default rules.

Computers seem to live their own life sometimes… :slight_smile:

AOwL & Triplejolt,

I opened this post as the default Network Rules failed the ShieldsUp test when I first installed CPF. Since it passed after reinstallation, I withdraw my suggestion for a change in the default Rules.

I am glad I opened this post though as I learned a lot.

Since inbound ICMPs are safe to allow (i.e. from hackers) except for inbound Echo Requests, I have changed my Rules to the following:

  1. Block & Log, ICMP In, Any, Any, Echo Request.
  2. Allow, IP In, Any, Any, Where IPPROTO is ICMP.
  3. Allow, IP Out, Any, Any, Any.
  4. Block & Log, IP In, Any, Any, Any.

Any security flaws here?

For ‘Destination Unreachable’, which option do I use in CPF, as there are four: Port, Net, Host & Protocol Unreachable?

Good to see you’re still with us Charlie. The ICMP stack can be a pretty formidable undertaking to peruse with leisure eyes, but it’s a useful exercise :slight_smile:
If you wanna do this in details, here’s what I’d suggest for the ICMP rulesets:

  1. Allow, UDP, Out, From [your computername], To Any, Source port Any, Destination port 53
  2. Allow, ICMP out, From [your computername], To any, Echo Request (Your outbound ping requests)
  3. Allow, ICMP In, From Any, To [your computername], Echo Reply (to receive Echo replies from pings)
  4. Block & Log, ICMP In, Any, To [your computername], Any ICMP message
  5. Block & Log, ICMP Out, From [your computername], To Any, Icmp Host Unreachable
  6. Block & Log, ICMP Out, From [your computername], To Any, Icmp Port Unreachable

The last two I added to prevent hackers from revealing my presence. Someone using a packet sniffer and examining the return packets can find out I am in fact at the address specified but blocking his ping requests. This way I’m not returning anything, like an offline host would not return anything. There are ways to circumvent this as well, but that’s for the advanced session ;D

  1. Allow, IP Out, From [your computername], Any, Any.
  2. Block & Log, IP In, Any, Any, Any.

Last two look good. Just remember to place special or custom rules after rule 5 and before rule 6 and you should be ok :slight_smile:

Try and see what happens. I’m a bit stumped as to how CFP handles ICMP, so I’d like to hear from others how they experience it. And as I can’t use ShieldsUP tests from my office, others with similar rulesets as me trying it is of interest too.

Geek session is over. Dismissed!
(:NRD)
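The rule-ordering points Triplejolt makes in this post and in the earlier reply to the first list (a blanket Block IP In at the top shadows every rule under it; custom rules must sit above the closing Block IP In), worked through as an added example. This is illustrative Python, not CPF’s engine and not code any poster wrote: it models a first-match filter with an implicit deny at the bottom, as the thread describes. The host address 192.168.1.10, the zone 192.168.1.0/24, the sample traffic and the ICMP message names are assumptions, and the “Allow IP In where IPPROTO is ICMP” rule is modelled as a plain ICMP In allow.

```python
"""
First-match packet-filter simulator (added example, not CPF's engine).
Models what the thread describes: rules are read from the top, the first
match decides, and an implicit deny sits at the bottom of the list.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

ANY = "Any"

@dataclass(frozen=True)
class Packet:
    direction: str               # "In" or "Out"
    proto: str                   # "TCP", "UDP", "ICMP", "GRE", ...
    src: str
    dst: str
    dport: Optional[int] = None
    icmp: Optional[str] = None   # ICMP message name, e.g. "Echo Request"

@dataclass(frozen=True)
class Rule:
    action: str                  # "Allow" or "Block"
    proto: str                   # "IP" matches every protocol (IP supersedes TCP/UDP/ICMP)
    direction: str               # "In", "Out" or "In/Out"
    src: str = ANY               # "Any", a host address, or a zone given as CIDR
    dst: str = ANY
    dport: Optional[int] = None
    icmp: Optional[str] = None   # None matches any ICMP message
    log: bool = False

def addr_matches(spec: str, addr: str) -> bool:
    """'Any' matches everything; a host or CIDR zone matches by membership."""
    if spec == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction not in ("In/Out", pkt.direction):
        return False
    if rule.proto not in ("IP", pkt.proto):
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.icmp is not None and rule.icmp != pkt.icmp:
        return False
    return True

def evaluate(rules, pkt):
    """Return (action, index of first matching rule); ("Block", None) is the
    implicit deny at the bottom of the list."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "Block", None

def shadowed_rules(rules, packets):
    """Indices of rules that match some sample packet but are never the first
    match, i.e. an earlier rule always claims that traffic. Only as thorough
    as the sample traffic you feed it."""
    first = {evaluate(rules, p)[1] for p in packets}
    return [i for i, r in enumerate(rules)
            if i not in first and any(matches(r, p) for p in packets)]

def with_custom_rule(rules, custom):
    """Place a custom rule just above the final 'Block IP In' so it is reachable."""
    return rules[:-1] + [custom] + rules[-1:]

# Assumed addresses: ME is this host, LAN is the 'Zone' discussed in the thread.
ME = "192.168.1.10"
LAN = "192.168.1.0/24"

# Constructed sample traffic (documentation address ranges, not a real capture).
SAMPLES = {
    "dns_out":       Packet("Out", "UDP", ME, "192.0.2.53", dport=53),
    "http_out":      Packet("Out", "TCP", ME, "192.0.2.80", dport=80),
    "ping_out":      Packet("Out", "ICMP", ME, "192.0.2.1", icmp="Echo Request"),
    "ping_reply_in": Packet("In", "ICMP", "192.0.2.1", ME, icmp="Echo Reply"),
    "ping_in":       Packet("In", "ICMP", "198.51.100.7", ME, icmp="Echo Request"),
    "unreach_in":    Packet("In", "ICMP", "192.0.2.254", ME, icmp="Host Unreachable"),
    "unreach_out":   Packet("Out", "ICMP", ME, "198.51.100.7", icmp="Port Unreachable"),
    "syn_in":        Packet("In", "TCP", "198.51.100.7", ME, dport=135),
    "lan_smb_in":    Packet("In", "TCP", "192.168.1.20", ME, dport=445),
}

# The first post's list: a blanket "Block IP In" on top swallows all inbound traffic.
MISORDERED = [
    Rule("Block", "IP", "In", log=True),
    Rule("Block", "ICMP", "In", icmp="Echo Request", log=True),
    Rule("Allow", "ICMP", "In"),          # "Allow IP In where IPPROTO is ICMP"
    Rule("Allow", "IP", "Out"),
]
CORRECTED = MISORDERED[1:] + MISORDERED[:1]   # same rules, blanket block moved to the bottom

# Triplejolt's suggested set, in the order given in the post.
TRIPLEJOLT = [
    Rule("Allow", "UDP", "Out", src=ME, dport=53),
    Rule("Allow", "ICMP", "Out", src=ME, icmp="Echo Request"),
    Rule("Allow", "ICMP", "In", dst=ME, icmp="Echo Reply"),
    Rule("Block", "ICMP", "In", dst=ME, log=True),
    Rule("Block", "ICMP", "Out", src=ME, icmp="Host Unreachable", log=True),
    Rule("Block", "ICMP", "Out", src=ME, icmp="Port Unreachable", log=True),
    Rule("Allow", "IP", "Out", src=ME),
    Rule("Block", "IP", "In", log=True),
]

if __name__ == "__main__":
    for name, rs in (("MISORDERED", MISORDERED), ("CORRECTED", CORRECTED), ("TRIPLEJOLT", TRIPLEJOLT)):
        print(name, "shadowed:", shadowed_rules(rs, SAMPLES.values()))
        for label, pkt in SAMPLES.items():
            print(f"  {label:14} -> {evaluate(rs, pkt)}")
```

Run it to see which rule each sample packet lands on. With the first post’s list every inbound packet stops at rule 0, so both inbound ICMP rules beneath it are reported as shadowed; once the blanket block is moved to the bottom each rule gets its turn. With Triplejolt’s set an inbound Host Unreachable lands on the Block & Log ICMP In rule (the sort of log entry mentioned later in the thread), an outbound Port Unreachable is swallowed by rule 6, and a LAN or torrent allow rule only takes effect when it is inserted above the closing Block IP In; appended after it, it is shadowed.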

Thanks, Triplejolt, for your suggested Rules.

Before I try them out, could you please tell me (I’m new to firewall rules) :wink: :

  • why UDP instead of TCP/UDP and why port 53?

  • does [yourcomputername] mean ‘Host Name’ or ‘Zone’?

I notice that ‘Host Name’ (IP assigned by ISP to 192.168.255.255) and ‘Zone’ (192.168.1.0/192.168.1.255) have different IP addresses. What is the difference between them and 127.0.0.1?

DNS queries use outbound UDP port 53. DNS is connectionless and doesn’t require TCP.

This is your computer hostname. When you use DHCP (dynamically assigned IP addresses), these tend to change from time to time. Hostnames are permanent and don’t change, meaning you won’t have to tweak the firewall rules when your IP address does. Hostnames are always mapped automatically to your current IP address.

127.0.0.1 is always Localhost. It’s a static IP address to help prevent your TCP/IP protocol from going haywire when you lose your DHCP assigned IP address. You can ping this address to see if you have installed the TCP/IP protocol correctly. This address will always reply when you have.
The entry 192.168.1.0/192.168.1.255 tells you what subnet you are allowing traffic to flow to/from. This means every host on that subnet (254 hosts).
Difference is 127.0.0.1 is for debugging purposes, while your computer IP address comes from the 192.168.1.1-254 range.
If you do an IPCONFIG /all in a Command Prompt, you’ll see what IP address your computer has. If you want to know what the Internet knows you as, start up your favorite browser and type in: www.whatismyip.com in the address field.

Hope this answers some of your questions :slight_smile:

Many, many thanks, Triplejolt.

I am now using your suggested Rules as I feel safer now with them. But I changed all instances of [yourcomputername] to ‘Any’ as m0ng0d’s Tutorial says that all Outbound rules use my computer as Source and all Inbound Rules use my computer as Destination regardless of what other setting you use for Source/Destination.

Could you please clarify:

  • Do only DNS requests use outbound UDP? Does anything else require outbound UDP but on a port other than 53?

  • By ‘computer hostname’, do you mean the name I used in right-click My Computer->Computer Name?

  • I noticed in the logs that sometimes when I try to access a website, CPF blocks incoming ‘Host Unreachable’ from perhaps that website. Does blocking this affect my surfing in any way such as slowing it down or not being able to access that site?

  • How do I make the Run results window pause when completed when I run IPCONFIG /all?

A friend mentioned to me that running any firewall will slow down internet upload/download speeds. Is this true?