What should the last global rule be? [HELP]

I’m looking at my global rules, and the last rule says
“Block and Log IP any to IP Any Where ICMP Message is ECHO REQUEST”

Should that not be a block all rule?

Hi Trel. When I first installed CFP 3 (first final), I selected the option for p2p users, which generated that rule. Well, I’m not certain if it was that or I ran the Stealth Ports Wizard and selected the 2nd option.

Anyway, the second time I installed CFP 3 I selected the defaults and ran the Stealth Ports Wizard to select the 3rd option and it generated this Global Rule instead: Block IP In Any/Any… Note this doesn’t include Out because it works differently from v2. I’m not sure why.

I think I would want a global block rule for IP in and out as my last rule, that way, if it hasn’t been allowed explicitly it will be blocked.

yoohoo, I’ve tried to make this global rule:

block&log IP in/out from IP any to IP any where protocol is any

and suddenly I can’t access this forum >:(
Is it wrong?

Change it to IN only and see if it works then.

jasper

Did you make sure it was the last rule and that your rules preceding it actually do allow access?

I have 3 global rules:
allow all ingoing…my LAN IP address
allow all outgoing…LAN
block & log IP IN any any any

Ganda. Your original post said

block&log IP in/out from IP any to IP any where protocol is any

How can you expect to connect to the Internet when you have only allowed the LAN Out?

To clear things up:
Japo told me to create this rule:
block IP IN any any any

Then I read somewhere that it should be block IP in/out.
I changed it, and the result: I can’t access the internet.

So I changed it back to Block IP IN any any any

Soya is right, v3 works differently from v2. It could be that in v3 app and global rules aren’t queued together, so if say an outbound connection is allowed by some app rule the app rules below it aren’t consulted as usual; but then the global rules are consulted anew whereas in v2 they weren’t if the outbound connection was already allowed by an app rule.

However I wonder if it’s intentional or a bug. And I don’t think I understand the procedure for inbound connections… The programs that needed to act as server with v2 no longer do. ???

Your Global Rules (as most recently defined)

allow all ingoing…my LAN IP address <----Allows all traffic IN from the LAN
allow all outgoing…LAN <----- Allows all traffic OUT on the LAN
block & log IP IN any any any <----- BLOCKS ALL OTHER INBOUND CONNECTIONS

Do you see any Internet rules here?

??? So? What should I add then?

Sorry Japo I’m not sure I understand, do you have a link to soya’s post please.

As far as I can tell (it’s early days yet) the rules for apps are still hierarchical and applications will still require a global ‘Allow’ rule to be permitted access. However, the Global Allow rule must be ‘hard coded’ as there are no specific Allow rules to be seen in the interface.

This is interesting :slight_smile: Block everything IN and OUT and gradually place rules above that allow specific ports…

However I wonder if it's intentional or a bug. And I don't think I understand the procedure for inbound connections... The programs that needed to act as server with v2 no longer do. ???

That, as we knew it under V2 seems to have changed :slight_smile:

Huh, so? What should I add then?

Testing is underway…watch this space :slight_smile:

I told you, baby steps, I haven’t changed anything out of the box yet, I want to understand how this software works before I ‘tweak’ it

;D OK. You mean the default set up is decent? Then I think I’m safe. ;D
I thought I needed to configure it manually. I’m so stupid :THNK Now I missed my lunch.

Go and eat ganda, the brain needs blood sugar :slight_smile:

Hm, excuse me if I am wrong (:WIN), but there is a small picture of CPF3 engine in the help that easily explains how it works (see attachment).

Speaking of the “last rule”, the last rule always depends on the all rules that come before. (:KWL) Doesn’t matter if all is done on application rules basis, or on the global rules.

I personally use a concept published here on the forums by some guy from Saint-Petersburg(rus), the meaning of which can be described in two steps: 1. Hardcode DNS; 2. All applications call from 1024-4999 ports; even browsers. So, if there is somebody wishing to hijack a browser, he would be logged and receive no access.

The rules.

Port sets:
“HTTP/HTTPS ports” 80,81,82,443,8080,8090
“POP3/SMTP” 25,110,143,465,995
“FTP” 20,21
“DNS Request” 53

Special ones…
“Whitelisted User Ports” 1024-4999
“Whitelisted Standart Ports” → HTTP/S + POP3 + FTP + DNS
“LocalExceptionPorts”-> Torrent anyone?
“ExternalExceptionPorts”-> Torrent anyone?

Global rules:

  1. Allow TCP/UDP CreateAlert(optional) Out “General Access: Allow whitelisted communication” SA:MAC Address DA:Any SP:PortSet-“Whitelisted User ports” DP:PortSet-“Whitelisted Standart Ports”

  2. Allow TCP/UDP Out “DNS: Grant Access to Naming Server 1” SA:MAC Address DA:SingleIP- SP:PortSet-“Whitelisted User ports” DP:PortSet-“DNS Port”

  3. Allow TCP/UDP Out “DNS: Grant Access to Naming Server 2” SA:MAC Address DA:SingleIP- SP:PortSet-“Whitelisted User ports” DP:PortSet-“DNS Port”

  4. Allow TCP/UDP In/Out “Loopback: NIC<->localhost” SA:Zone- DA:127.0.0.1 SP:Any DP:Any

… Any LAN Rules go here …

  1. Allow TCP/UDP In/Out “Exceptions” SA:MAC Address DA:Any SP:LocalExceptionPorts DP:ExternalExceptionPorts

  2. Allow ICMP Out “Ping: allow pinging others” SA:MAC Address DA:Any ICMP:Any

  3. Block ICMP CreateAlert In “Block: being pinged” SA:Any DA:Any Any

  4. Block IP CreateAlert In/Out “Block: any other traffic” SA:Any DA:Any IP:Any

[attachment deleted by admin]
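An added example, not from this thread or from Comodo: a small first-match evaluator for Global Rules in the style listed above, run over both ganda’s three rules from earlier in the thread and a cut-down version of shinobiteno’s scheme. It shows why “block IP in/out any” as the last rule cuts off Internet access unless an allow rule for that traffic sits above it, while “block IP IN any” leaves outbound open. The LAN subnet, addresses and the sample packet are constructed, and treating traffic that matches no rule as allowed is a modelling assumption.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed sample LAN

def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN

def make_rule(action, direction, proto, name, src=lambda a: True,
              dst=lambda a: True, sports=None, dports=None):
    # direction 'in'/'out'/'in/out'; proto 'ip' = any protocol; None port = Any
    return dict(action=action, direction=direction, proto=proto, name=name,
                src=src, dst=dst, sports=sports, dports=dports)

def matches(rule, pkt):
    if rule["direction"] not in ("in/out", pkt["direction"]):
        return False
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (rule["src"](pkt["src"]) and rule["dst"](pkt["dst"])):
        return False
    if rule["sports"] is not None and pkt["sport"] not in rule["sports"]:
        return False
    return rule["dports"] is None or pkt["dport"] in rule["dports"]

def evaluate(rules, pkt):
    # First match wins. Modelling assumption: no match means allowed, which is
    # why only a final catch-all block turns "not explicitly allowed" into "blocked".
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["name"]
    return "allow", "no global rule matched"

# ganda's three rules as posted, then the variant with the last rule IN only
GANDA_RULES = [
    make_rule("allow", "in", "ip", "allow all ingoing from LAN", src=in_lan),
    make_rule("allow", "out", "ip", "allow all outgoing to LAN", dst=in_lan),
    make_rule("block", "in/out", "ip", "block & log IP in/out any"),
]
GANDA_IN_ONLY = GANDA_RULES[:2] + [make_rule("block", "in", "ip", "block & log IP IN any")]

# shinobiteno's scheme, reduced: source ports 1024-4999 to the standard ports, then block all
USER_PORTS, STD_PORTS = range(1024, 5000), {80, 81, 82, 443, 8080, 8090, 25, 110, 143, 465, 995, 20, 21, 53}
SHINOBI_RULES = [
    make_rule("allow", "out", "tcp", "General Access", sports=USER_PORTS, dports=STD_PORTS),
    make_rule("block", "in/out", "ip", "Block: any other traffic"),
]

# constructed sample packet: a browser fetching a page from an Internet host
WEB_OUT = dict(direction="out", proto="tcp", src="192.168.1.10", dst="203.0.113.5", sport=3050, dport=80)
```

Under ganda’s rules the web request reaches the final block rule because neither allow rule covers non-LAN destinations; the same request is allowed by shinobiteno’s “General Access” rule, and by the IN-only variant only because nothing matched.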

Yep, fairly standard stuff there shinobiteno although I don’t use 81, 82, 8080 or 8090.

You forgot 587 for email, Gmail can use this.

You didn’t mention DHCP ports 67 and 68.

DNS mainly uses UDP, so only an OUT rule is necessary for this (add your ISP’s DNS servers).
TCP is only used in extreme circumstances and can be blocked for DNS, as it will revert to UDP.

Can’t see why you need number 4 if you have allowed all on the LAN.

I don’t use P2P so can’t comment

Better to have separate rules for TCP, UDP IN and OUT, makes tracking a problem easier.

My two pence :slight_smile:

Thanks for the ports!!

81, 82, 8080, 8090 are sometimes used as alternative ports, that’s why they are present.

DHCP out is blocked, Netbios off, IP is allocated dynamically by my ISP no problem(SinglePC->DSL Modem->ISP).

Regarding number 4, separation and DNS… thank you very much!
I will correct it!

Sure, it was in this very thread though:

But maybe the only difference with v2 is that the default global rules are different, and then I failed to understand the whole mechanics.

Thanks a bunch Shinobiteno and Toggie for the global rules. I guess those will be in the 2nd volume of the guide for dummies, eh? :slight_smile: