Guest Dvx, posted April 5, 2021

What I want: block any networking activity, even on the network card's activation.

What I do:
I set up a new firewall profile
I set up a new rule blocking any input or output for all ports, all protocols, etc.
I move that rule up above every pre-defined rule
I set up that new profile as the Default Profile

The test: I disable my network card and enable it again.

The result:
it's written "network" on the network connection in Windows, i.e. the card could connect to the modem
when I check "arp -a" in the console I see that my local IP address is the one that has been assigned by my modem (DHCP is working)

The expected result:
as no network activity should have happened, DHCP shouldn't have worked and I shouldn't have the IP assigned by the modem
in the network connections (Control Panel, Network and Internet) the Ethernet network should be declared as "unidentified network"

The investigation: if I assign my "BLOCK ALL" rule to "All profiles", deactivate and activate the network card again, the network is declared "unidentified network", then nothing leaked, then it's what happened.

Conclusion: Did I miss something, or does the firewall start on "No Profile" before switching to the selected profile, leaking then some activity on the network?

Marcos (Administrators), posted April 5, 2021

If you want to block network communication completely, including Windows and AV updates, create a generic blocking rule and place it in the list of rules above the built-in rules.

itman, posted April 5, 2021

If you are using an Ethernet connection, simply unplug the Ethernet cable. Otherwise, disabling IPv4 and IPv6 for the network connection should block all network traffic to that network connection.

Guest Dvx, posted April 5, 2021

Quote from Marcos:
If you want to block network communication completely, including Windows and AV updates, create a generic blocking rule and place it in the list of rules above the built-in rules.

That is exactly what I've done.

Quote from itman:
If you are using an Ethernet connection, simply unplug the Ethernet cable. Otherwise, disabling IPv4 and IPv6 for the network connection should block all network traffic to that network connection.

If I wasn't frustrated by the issue I would have smiled. Actually I want to allow what I chose to allow, starting from a "block all input, all output". Actually my bad, I didn't say that I wanted to block everything except what I allow.

From what I see, I could, as I said, put a generic rule for "ALL PROFILE" forbidding everything, but I prefer not touching the "NO PROFILE", and then if I switch to "NO PROFILE" I would return back to the less restricted profile with the default ESET firewall rules.

Marcos (Administrators), posted April 5, 2021

You'd need to put any custom permissive rules above the generic rule blocking all communication. If it doesn't work for you, please provide logs collected with ESET Log Collector for a check.

Guest Dvx, posted April 6, 2021

3 hours ago, Marcos said:
You'd need to put any custom permissive rules above the generic rule blocking all communication. If it doesn't work for you, please provide logs collected with ESET Log Collector for a check.

You didn't even try to read my post...

peteyt (Most Valued Members), posted April 6, 2021

Maybe I'm reading it wrong myself, and my experience with networking is very limited, but you mentioned wanting to block the network but also allow some programs access, which is confusing me.

Guest Dvx, posted April 6, 2021

I am from Linux (iptables), where I would set the input and output policy to drop and set the specific rules I want to allow. I tried to reproduce the same with ESET, so the first step would be to block everything, and then the second step to allow what I chose to allow.

But ESET's profile manager seems bugged, as when an interface is being activated the global selected profile in the profile manager is not activated; it is first the "no profile" with global rules and then it seems to switch to the chosen profile in the firewall's profile manager. (I verified using Wireshark.)

Whatever, it seems a bit overkill to do so, but I wanted to know if it is really a bug or if I missed a feature in the AV.

Guest Dvx, posted April 6, 2021

The first step is not the aim. I intended to check that I was really blocking everything before I start setting the firewall.
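
The disable/enable test described in the first post, written as a repeatable check. This is an added example, not part of any post in the thread and not ESET tooling; the adapter alias "Ethernet", the 15-second settle time and the output field names are assumptions, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example. Assumptions: adapter alias "Ethernet", elevated prompt,
# and that 15 seconds is long enough for DHCP to complete on this network.
param(
    [string]$Alias = 'Ethernet',
    [int]$SettleSeconds = 15
)

# Bounce the adapter, as in the manual test.
Disable-NetAdapter -Name $Alias -Confirm:$false
Start-Sleep -Seconds 3
Enable-NetAdapter -Name $Alias -Confirm:$false
Start-Sleep -Seconds $SettleSeconds

# An IPv4 address with DHCP origin suggests DHCP traffic passed the firewall.
# With DHCP blocked, Windows normally self-assigns a 169.254.x.x address instead.
$lease = Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.PrefixOrigin -eq 'Dhcp' }

# Dynamic neighbor entries are the ones "arp -a" shows as learned from the wire.
$neighbors = @(Get-NetNeighbor -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.State -in 'Reachable', 'Stale', 'Delay', 'Probe' })

# Network name as shown in Control Panel ("Unidentified network" when isolated).
$netProfile = Get-NetConnectionProfile -InterfaceAlias $Alias -ErrorAction SilentlyContinue

[pscustomobject]@{
    Adapter          = $Alias
    DhcpAddress      = ($lease.IPAddress -join ', ')
    LearnedNeighbors = $neighbors.Count
    NetworkName      = $netProfile.Name
    TrafficObserved  = [bool]$lease -or ($neighbors.Count -gt 0)
}
```

Running it once with the block rule in the custom profile and once with the rule assigned to all profiles gives a side-by-side record of the two outcomes reported in the thread; a packet capture taken during the run shows which frames were exchanged.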