Pilgrim's Complete Ruleset With Instructions And Examples


pilgrim, July 12, 2000 09:43
Several people have requested copies of my ruleset. As I seem to be only marginally successful at delivering these by e-mail, I have decided to post them here, along with a short discussion.

First of all. This is only one of several different ways to approach the entire concept of a ruleset. Other folks prefer to write very specific rules for each application. Choose whichever approach you're most comfortable using.

Second. High/Low Trojan Port Blocking rules are not required. But they do "enhance" security, at the cost of increased nuisance. This "debate" (argument) has already received much attention in this forum. Again, do what is comfortable for YOU.

Third. These instructions are written for the novice user. Experienced folks will find them too specific. But entering rules DOES require the user to be familiar with the AtGuard interface.

Fourth: Uncheck "application specific" rules that aren't being used and check (activate) them when needed.

Fifth: Both the general group order of rules and the specific location of rules are important. If you don't understand why this is, just follow my outline.

Legend
Logged means: Logging tab > check "Write an event log entry when a rule is matched (and) log event after: 1 matches"
Notify means: also check "Show notification in dashboard when this rule is logged"
ISP means Internet Service Provider
DNS means Domain Name Server
IP is an Internet Protocol address

Preliminaries:
Reinstalling AtGuard will reset all your rules to the defaults. Alternately, deleting all your rules and rebooting will also cause AtGuard to generate a new set of defaults.

If you want to save your current rules (not a bad idea) export the following registry key:

[HKEY_LOCAL_MACHINE\Software\WRQ\IAM\FirewallObjects]

and save it as a file. If need be, it can be "merged" back into the registry (but only AFTER deleting the current key). (You can't merge two complicated keys without trouble.)

The Question
Now before we go into rulesets, let me ask a killer question. Do you really need a firewall? Most people don't. Having all your ports closed is 95% effective. And you can close them all by eliminating NetBIOS and Print Sharing in the Network applet. Having said that, I'll assume you're like me and do want to use a firewall.

The Ruleset, By Sections

Section 1 (rule 0) allows any application to connect to your Domain Name Servers. My ISP uses 4 different servers, yours may use more or less. (I have only posted 1 of the 4 rules here in deference to hostboard's resources. The remaining 3 look the same as the one posted. I have also used this convention in other sections.) You'll need to determine the IP addresses of your ISP's DNS's and enter them. Remember, to enter IP addresses, you need to be "on-line."

Section 2 (rules 4 and 5) are the Low and High Trojan Port Blocking rules. Initially enter them as "Ignore" and not Block. Make sure they are set to Log all occurrences. Later you can examine your logs for any programs that are legitimately trying to use these ports. If you have any, write an exception rule to go above the Trojan Port Blocking rules to "Allow" them to communicate. You may also want to drop the "5000" down to as low as "2000", depending on your system's standard usage of ports.

Section 3 (rule 6) blocks my ISP from probing my machine (this behavior seems to be tied to the use of Opera.) Leave this rule out for now. If your ISP probes your machine, you can insert a rule later, if you so choose. This rule is for logging purposes.

Section 4 (rules 9 through 17) are the balance of the ICMP rules. Enter them as displayed. (Note: Some folks prefer to just have a single rule that blocks all ICMP communications; refer to the Archives for these discussions.)

Section 5 (rules 18 through 23) are some of the AtGuard Default rules. Initially enable them all. Later you can determine which ones aren't being used and disable them. (My system only uses the "Loopback".)

Section 6 (rules 24 and 25) are your NetBIOS blocks. Enter them as displayed. Even if you have removed NetBIOS from your Network applet, these will serve to "Notify" you of any attempts. (Of course, this assumes you are NOT legitimately using NetBIOS on your system.)

Section 7 (rules 26 and 27) are more AtGuard Default rules. Use them for now. Once the Trojan Port Blocking rules are activated, these can be deactivated or deleted as they provide duplicate coverage.

Section 8 (rules 28 through 56) are the "application specific" rules. In general, you'll write one or two rules for each application that you want to access the internet.

Example: Standard Access: rules 35 and 36. Rule 35 allows Opera to access anything on the internet with any of your ports via TCP protocol. Rule 36 also allows Opera to talk to itself through the TCP/IP stack in UDP protocol. Some applications don't need this "localhost" rule, others do.

Example: Blocking Access: rule 28. This blocks the Windows Explorer from accessing the internet (I don't use Internet Explorer.)

Example: Limited Access: rule 30. This allows the application "Keep It Alive" to access my ISP on a regular basis, thus maintaining the dial-up connection. Notice that I have limited its access to a single IP.

Example: Limited Access: rules 31 and 32. These allow "Eudora Pro E-mail" to access my ISP's pop and smtp servers for "Getting" and "Sending" e-mail.

Example: Required? Access: rule 34. The auth service through port 113 is required by some ISPs but only optionally used by others. It should be limited as much as possible to prevent abuse by Crackers.

Example: Good Rule in Wrong Location: rule 43. This rule allows "Power Desk 4 Pro" FTP data transfer through port 20. However, once the High/Low Trojan Port Block rules are activated this rule will have to be relocated "above" them or they will block the communication.

Example: Limited Access: rule 46. This rule is included here as an example of: I entered "liveupdate.symantec.com" and AtGuard resolved it into 7 different IP's.

Section 9 (rule 57) is the "Block Everything" rule. Enter it as shown but don't enable it until all of the "kinks" are out of your ruleset. Let the Rule Assistant work for you to show you where problems are occurring.

That's it!

pilgrim

*************** The Ruleset *******************

------------------------------------------------------
RULE 0: Your-ISP Domain Name Server Any App UDP
Rule in use: YES
Protocol: UDP
Action: Permit
Direction: Either
Remote service: (domain)
............. 53
Local service: Any Service
Remote Address: (xxx.xxx.xxx.x) {enter your ISP's DNS's IP}
............. xxx.xxx.xxx.x
............. xxx.xxx.xxx.x
Local Address: Any Address
------------------------------------------------------
RULE 4: Block Low Trojan Ports TCP UDP (Notify)
Rule in use: YES
Protocol: TCP or UDP
Action: Block
Direction: Either
Remote service: Any Service
Local service: (0 - 79)
............. 0
............. 79
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 5: Block High Trojan Ports TCP UDP (Notify)
Rule in use: YES
Protocol: TCP or UDP
Action: Block
Direction: Either
Remote service: Any Service
Local service: (5000 - 65535)
............. 5000
............. 65535
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 6: Block Your-ISP ICMP Probe1
Rule in use: YES
Protocol: ICMP
Action: Block
Direction: Outbound
Application: -
Remote service: (Destination Unreachable)
............. 3
Local service: Any Service
Remote Address: (xxx.xxx.xxx.x) {enter your ISP's IP}
............. xxx.xxx.xxx.x
............. xxx.xxx.xxx.x
Local Address: Any Address
------------------------------------------------------
RULE 9: Needed To Ping And TraceRoute Others
Rule in use: YES
Protocol: ICMP
Action: Permit
Direction: Outbound
Application: -
Remote service: (Echo Request)
............. 8
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 10: Needed To Ping And TraceRoute Others
Rule in use: YES
Protocol: ICMP
Action: Permit
Direction: Inbound
Application: -
Remote service: Any Service
Local service: (Echo Reply)
............. 0
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 11: Needed ICMP Service (Logged)
Rule in use: YES
Protocol: ICMP
Action: Permit
Direction: Inbound
Application: -
Remote service: Any Service
Local service: (Destination Unreachable)
............. 3
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 12: Needed ICMP Service And To TraceRoute Others
Rule in use: YES
Protocol: ICMP
Action: Permit
Direction: Inbound
Application: -
Remote service: Any Service
Local service: (Time Exceeded for a Datagram)
............. 11
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 13: Block Ping and TraceRoute ICMP (Notify)
Rule in use: YES
Protocol: ICMP
Action: Block
Direction: Inbound
Application: -
Remote service: Any Service
Local service: (Echo Request)
............. 8
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 14: Block Ping and TraceRoute ICMP (Notify)
Rule in use: YES
Protocol: ICMP
Action: Block
Direction: Outbound
Application: -
Remote service: (Echo Reply)
............. 0
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 15: Block TraceRoute ICMP (Notify)
Rule in use: YES
Protocol: ICMP
Action: Block
Direction: Outbound
Application: -
Remote service: (Time Exceeded for a Datagram)
............. 11
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 16: Block TraceRoute ICMP (Notify)
Rule in use: YES
Protocol: ICMP
Action: Block
Direction: Outbound
Application: -
Remote service: (Destination Unreachable)
............. 3
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 17: Block ICMP (Notify)
Rule in use: YES
Protocol: ICMP
Action: Block
Direction: Either
Application: -
Remote service: Any Service
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 18: Default Inbound DNS - Save -
Rule in use: NO
Protocol: UDP
Action: Permit
Direction: Inbound
Remote service: (domain)
............. 53
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 19: Default Outbound DNS - Save -
Rule in use: NO
Protocol: UDP
Action: Permit
Direction: Outbound
Remote service: (domain)
............. 53
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 20: Default Inbound Bootp - Save - Not Needed
Rule in use: NO
Protocol: UDP
Action: Permit
Direction: Inbound
Remote service: (bootp)
............. 67
Local service: (bootpc)
............. 68
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 21: Default Outbound Bootp - Save - Not Needed
Rule in use: NO
Protocol: UDP
Action: Permit
Direction: Outbound
Remote service: (bootp)
............. 67
Local service: (bootpc)
............. 68
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 22: Default Inbound Loopback
Rule in use: YES
Protocol: TCP or UDP
Action: Permit
Direction: Inbound
Remote service: Any Service
Local service: Any Service
Remote Address: Any Address
Local Address: (localhost)
............. localhost
............. 127.0.0.1
------------------------------------------------------
RULE 23: Default Outbound Loopback
Rule in use: YES
Protocol: TCP or UDP
Action: Permit
Direction: Outbound
Remote service: Any Service
Local service: Any Service
Remote Address: (localhost)
............. localhost
............. 127.0.0.1
Local Address: Any Address
------------------------------------------------------
RULE 24: Block Inbound NetBIOS TCP UDP (Notify)
Rule in use: YES
Protocol: TCP or UDP
Action: Block
Direction: Inbound
Remote service: Any Service
Local service:
............. 138
............. 137
............. 139
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 25: Block Outbound NetBIOS TCP UDP (Notify)
Rule in use: YES
Protocol: TCP or UDP
Action: Block
Direction: Outbound
Remote service:
............. 138
............. 137
............. 139
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 26: Default Block Back Orifice (Notify) - Save -
Rule in use: YES
Protocol: UDP
Action: Block
Direction: Inbound
Remote service: Any Service
Local service: (Back-Orifice)
............. 31337
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 27: Default Block NetBus (Notify) - Save -
Rule in use: YES
Protocol: TCP
Action: Block
Direction: Inbound
Remote service: Any Service
Local service:
............. 12345
............. 20034
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 28: Block Windows Explorer TCP UDP (Notify)
Rule in use: YES
Protocol: TCP or UDP
Action: Block
Direction: Either
Application: (Windows Explorer)
............. C:\WINDOWS\EXPLORER.EXE
Remote service: Any Service
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 30: Keep It Alive TCP
Rule in use: YES
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (KPALIVE.EXE)
............. C:\PROGRAM FILES\KEEP IT ALIVE\KPALIVE.EXE
Remote service: (http)
............. 80
Local service: Any Service
Remote Address: (www.Your-ISP.com)
............. www.Your-ISP.com
............. xxx.xxx.xx.xx
Local Address: Any Address
------------------------------------------------------
RULE 31: Eudora Pro E-mail (Get Mail) TCP (Logged)
Rule in use: YES
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (EUDORA)
............. C:\PROGRAM FILES\QUALCOMM\EUDORA MAIL\EUDORA.EXE
Remote service: (pop3)
............. 110
Local service: Any Service
Remote Address: (pop.Your-ISP.com)
............. pop.Your-ISP.com
............. xxx.xxx.xx.xx
Local Address: Any Address
------------------------------------------------------
RULE 32: Eudora Pro E-mail (Send Mail) TCP (Notify)
Rule in use: YES
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (EUDORA_2)
............. C:\PROGRAM FILES\QUALCOMM\EUDORA MAIL\EUDORA.EXE
Remote service: (smtp)
............. 25
Local service: Any Service
Remote Address: (smtp.Your-ISP.com)
............. smtp.Your-ISP.com
............. xxx.xxx.xx.xx
Local Address: Any Address
------------------------------------------------------
RULE 34: N/A (Auth) TCP (Notify)
Rule in use: YES
Protocol: TCP
Action: Permit
Direction: Inbound
Application: (N/A_1)
............. N/A
Remote service: Any Service
Local service: (auth-113)
............. 113
Remote Address: (smtp.Your-ISP.com)
............. smtp.Your-ISP.com
............. xxx.xxx.xx.xx
Local Address: Any Address
------------------------------------------------------
RULE 35: Opera Any TCP
Rule in use: YES
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (Opera Internet Browser (win32))
............. C:\Program Files\Opera\Opera.exe
Remote service: Any Service
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 36: Opera UDP
Rule in use: YES
Protocol: UDP
Action: Permit
Direction: Inbound
Application: (OPERA.EXE)
............. C:\Program Files\Opera\Opera.exe
Remote service: Any Service
Local service: Any Service
Remote Address: (localhost)
............. localhost
............. 127.0.0.1
Local Address: Any Address
------------------------------------------------------
RULE 43: PowerDeskFTP Data TCP (Notify)
Rule in use: NO
Protocol: TCP
Action: Permit
Direction: Inbound
Application: (PowerDesk_4)
............. C:\Program Files\Ontrack\PowerDesk\pdftp.exe
Remote service: (ftp-data)
............. 20
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 46: Norton AntiVirus LiveUpdate TCP (Logged)
Rule in use: NO
Protocol: TCP
Action: Permit
Direction: Outbound
Application: (Norton AntiVirus LiveUpdate_1)
............. C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVLU32.EXE
Remote service: (http_2)
............. 80
Local service: Any Service
Remote Address: (liveupdate.symantec.com)
............. liveupdate.symantec.com
............. 204.176.7.82
............. 206.204.3.29
............. 206.204.221.32
............. 206.204.249.37
............. 208.226.167.20
............. 216.35.137.206
............. 216.35.137.207
Local Address: Any Address
------------------------------------------------------
RULE 57: Block Inbound Unknown Apps TCP UDP (Notify)
Rule in use: YES
Protocol: TCP or UDP
Action: Block
Direction: Inbound
Application: (N/A)
............. N/A
Remote service: Any Service
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address

[This message has been edited by pilgrim (edited July 17, 2000).]

Note: this was originally posted to the (now defunct) "Unofficial AtGuard Forum."
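Added example, not part of pilgrim's post and not AtGuard's own code: a small Python evaluator that parses rules written in the listing's own text format and applies them first-match, the way the post's "order matters" advice assumes. It replays the "Good Rule in Wrong Location" case from Section 8 (rule 43 sitting below the High Trojan Port Block rule 5 once rule 5 is set to Block, then the same packet after rule 43 is moved above it) and shows a packet that no rule covers, which is the point at which Section 9 says the Rule Assistant steps in. Assumptions: first-match evaluation with "Rule in use: NO" rules skipped; the packet fields, the local port 5010 and the addresses are constructed; rule 43 is set to "in use" here; the real AtGuard matching semantics are modeled only as far as the fields in the listing show.

```python
"""Added example (not pilgrim's code): first-match evaluator for rules in the
listing's text format, to check rule order before the Trojan Port Block rules
are switched from Ignore to Block."""
import re

# Rules 5 and 43 copied from the listing; rule 43 is set to "in use" and left
# below rule 5, as in the original order.
RULESET_TEXT = """\
RULE 5: Block High Trojan Ports TCP UDP (Notify)
Rule in use: YES
Protocol: TCP or UDP
Action: Block
Direction: Either
Remote service: Any Service
Local service: (5000 - 65535)
............. 5000
............. 65535
Remote Address: Any Address
Local Address: Any Address
------------------------------------------------------
RULE 43: PowerDeskFTP Data TCP (Notify)
Rule in use: YES
Protocol: TCP
Action: Permit
Direction: Inbound
Application: (PowerDesk_4)
............. C:\\Program Files\\Ontrack\\PowerDesk\\pdftp.exe
Remote service: (ftp-data)
............. 20
Local service: Any Service
Remote Address: Any Address
Local Address: Any Address
"""

def parse_rules(text):
    """Parse the listing into dicts; '.............' lines are collected under
    the field they follow, in rule['values']."""
    rules, rule, field = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-----"):
            continue
        m = re.match(r"RULE (\d+): (.*)", line)
        if m:
            rule = {"id": int(m.group(1)), "name": m.group(2), "values": {}}
            rules.append(rule)
        elif line.startswith("............."):
            rule["values"].setdefault(field, []).append(line.split(None, 1)[1])
        else:
            field, _, value = line.partition(":")
            field = field.strip()
            rule[field] = value.strip()
    return rules

def _port_ok(rule, field, port):
    spec = rule.get(field, "Any Service")
    if spec == "Any Service":
        return True
    vals = [int(v) for v in rule["values"].get(field, [])]
    if re.fullmatch(r"\(\d+ - \d+\)", spec):   # a range such as (5000 - 65535)
        return vals[0] <= port <= vals[1]
    return port in vals                        # an explicit port list

def _listed_ok(rule, field, wildcard, item):
    """Address and Application fields: the wildcard, or one of the listed values."""
    spec = rule.get(field, wildcard)
    return spec == wildcard or item in rule["values"].get(field, [])

def first_match(rules, pkt):
    """(rule id, action) of the first active rule matching pkt, or
    (None, 'unmatched'): the case where AtGuard's Rule Assistant would ask."""
    for r in rules:
        if (r["Rule in use"] == "YES"
                and pkt["proto"] in r["Protocol"].split(" or ")
                and r["Direction"] in ("Either", pkt["dir"])
                and _listed_ok(r, "Application", "-", pkt["app"])
                and _port_ok(r, "Remote service", pkt["rport"])
                and _port_ok(r, "Local service", pkt["lport"])
                and _listed_ok(r, "Remote Address", "Any Address", pkt["raddr"])
                and _listed_ok(r, "Local Address", "Any Address", pkt["laddr"])):
            return r["id"], r["Action"]
    return None, "unmatched"

def move_above(rules, rule_id, target_id):
    """Copy of rules with rule_id placed just above target_id."""
    moving = next(r for r in rules if r["id"] == rule_id)
    rest = [r for r in rules if r["id"] != rule_id]
    idx = next(i for i, r in enumerate(rest) if r["id"] == target_id)
    return rest[:idx] + [moving] + rest[idx:]

RULES = parse_rules(RULESET_TEXT)

# Constructed packets: an active-mode FTP data connection from the server's
# port 20 to a made-up local port 5010 (inside the High Trojan range), and a
# stray UDP datagram with no owning application. Addresses are test ranges.
FTP_DATA = {"proto": "TCP", "dir": "Inbound", "rport": 20, "lport": 5010,
            "app": r"C:\Program Files\Ontrack\PowerDesk\pdftp.exe",
            "raddr": "203.0.113.10", "laddr": "192.0.2.5"}
STRAY_UDP = dict(FTP_DATA, proto="UDP", rport=4000, lport=1234, app="N/A")

def demo():
    """Same packet before and after the relocation pilgrim describes, plus a
    packet no rule covers."""
    return (first_match(RULES, FTP_DATA),                     # (5, 'Block')
            first_match(move_above(RULES, 43, 5), FTP_DATA),  # (43, 'Permit')
            first_match(RULES, STRAY_UDP))                    # (None, 'unmatched')

if __name__ == "__main__":
    for label, (rid, action) in zip(("original order", "rule 43 above rule 5", "stray UDP"), demo()):
        print(f"{label}: rule {rid} -> {action}")
```

The same parser accepts the other rules in the listing unchanged, so the evaluator can be pointed at a whole exported ruleset to find every "Permit" rule that sits below a block rule covering the same ports before the Trojan Port Block rules are switched from Ignore to Block.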