Utini, posted December 14, 2014 (edited)

Hey there,

I know from CIS and KIS that they have certain predefined rule sets that you can use for Firefox, Chrome, .... E.g. they have "browser" or "installer" or "system app". The "browser" rule set would automatically limit the app that uses this rule set to allow only http/https communication (so only the specific ports), where "installer" or "system app" would have different settings.

Is there any KB entry or guide on how to do this with ESS? Or any "guidelines" on how to configure those specific categories of apps?

I don't want to allow my browser to use "all communication" it gets. In a custom rule it would only allow the communication to the specific IP that is requesting. It is not much work to delete the IP in the custom rule so that the rule is port specific, but still, it would be more secure/user-friendly to tell the users how to best configure the rules for their apps?

Thanks

Edited December 14, 2014 by Utini
Marcos (Administrator), posted December 14, 2014

You can create a new rule that will allow communication on the remote port 80 and add your browsers as the local application.
Utini (author), posted December 14, 2014 (edited)

> You can create a new rule that will allow communication on the remote port 80 and add your browsers as the local application.

Yes I did that, but what other ports should I allow? E.g. 443 for https. In general I think it would be useful to add such "specific" rules as a standard rule set for "new users"? Or even automatically apply such rules to specific categories of apps (e.g. browser)?

And as I am currently creating a few rule sets: I used this "guide" for creating a torrent.exe rule set with my previous firewall. If I follow this guide with the ESS FW, will it work too? Only that "destination" is "remote" and "source" is "local"?

Add the following rules:

Rule 1
  Action = Allow
  Protocol = TCP or UDP
  Direction = In
  Description = Rule for incoming TCP and UDP connections
  Source Address = Any
  Destination Address = Any
  Source port = A port range (start port = 1025 / end port = 65535)
  Destination port = the port of utorrent

Rule 2
  Action = Allow
  Protocol = TCP
  Direction = Out
  Description = Rule for outgoing TCP connections
  Source Address = Any
  Destination Address = Any
  Source port = A port range (start port = 1025 / end port = 65535)
  Destination port = A port range (start port = 1025 / end port = 65535)

Rule 3
  Action = Allow
  Protocol = UDP
  Direction = Out
  Description = Rule for outgoing UDP connections
  Source Address = Any
  Destination Address = Any
  Source port = the port of utorrent
  Destination port = A port range (start port = 1025 / end port = 65535)

Rule 4
  Action = Ask (enable Log as a firewall event if this rule is fired)
  Protocol = TCP
  Direction = Out
  Description = Rule for HTTP requests
  Source Address = Any
  Destination Address = Any
  Source port = A port range (start port = 1025 / end port = 65535)
  Destination port = 80

Rule 5
  Action = Block (enable Log as a firewall event if this rule is fired)
  Protocol = IP
  Direction = In/Out
  Description = Block and Log All Unmatching Requests
  Source Address = Any
  Destination Address = Any
  IP Details = Any

Doesn't look like it works as it is supposed to. I still get asked about some "UDP in" although it is within the allowed port range. In general I shouldn't get any notification anymore, as everything should get blocked except what is allowed in the rules. But I still get some few notifications.

Edited December 14, 2014 by Utini
Marcos (Administrator), posted December 14, 2014

You can add port 443 for https. From my point of view, using automatic mode with no custom rules is best for most users and no further intervention in the settings is needed.
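To make the ordering question in the thread concrete (the browser rule for remote ports 80 and 443 from Marcos's answers, and the five-rule uTorrent list quoted earlier), here is a small first-match rule evaluator written for this page. It is an added example, not code from the thread, from ESET, or from the firewall guide, and it does not reproduce ESS's real matching engine. It assumes that the guide's "source"/"destination" map to local/remote for "Out" rules and to remote/local for "In" rules, that uTorrent listens on a constructed port 6881, that the application names are firefox.exe and utorrent.exe, and that a connection no rule matches ends in "ask" (standing in for interactive mode). Feeding it a few constructed connections shows which rule each one lands on, which is the question to ask of the firewall log whenever an unexpected prompt appears.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive (start, end)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow", "block" or "ask"
    protocol: str                            # "tcp", "udp", "tcp/udp" or "ip" (= any)
    direction: str                           # "in", "out" or "both"
    app: Optional[str] = None                # local application; None = any
    local_port: Optional[PortRange] = None   # None = any port
    remote_port: Optional[PortRange] = None  # None = any port
    log: bool = False                        # "enable Log as a firewall event"


@dataclass(frozen=True)
class Connection:
    app: str
    protocol: str
    direction: str
    local_port: int
    remote_port: int


def in_range(rng: Optional[PortRange], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, conn: Connection) -> bool:
    return (
        (rule.app is None or rule.app == conn.app)
        and (rule.protocol == "ip" or conn.protocol in rule.protocol.split("/"))
        and rule.direction in ("both", conn.direction)
        and in_range(rule.local_port, conn.local_port)
        and in_range(rule.remote_port, conn.remote_port)
    )


def evaluate(rules: List[Rule], conn: Connection,
             default: str = "ask") -> Tuple[str, Optional[str]]:
    """Walk the rules top to bottom; the first match decides.

    No match -> `default`, which here stands in for interactive mode
    prompting the user (an assumption of this model, not ESS behaviour).
    """
    for rule in rules:
        if matches(rule, conn):
            return rule.action, rule.name
    return default, None


# --- Constructed rule set (assumed port, app names and source/dest mapping) ---
EPHEMERAL = (1025, 65535)
TORRENT_PORT = (6881, 6881)  # assumed uTorrent listening port

# The quoted guide, translated: "Out" rules have source=local, destination=remote;
# "In" rules have source=remote, destination=local.
TORRENT_RULES = [
    Rule("Rule 1 (incoming TCP/UDP)", "allow", "tcp/udp", "in", "utorrent.exe",
         local_port=TORRENT_PORT, remote_port=EPHEMERAL),
    Rule("Rule 2 (outgoing TCP)", "allow", "tcp", "out", "utorrent.exe",
         local_port=EPHEMERAL, remote_port=EPHEMERAL),
    Rule("Rule 3 (outgoing UDP)", "allow", "udp", "out", "utorrent.exe",
         local_port=TORRENT_PORT, remote_port=EPHEMERAL),
    Rule("Rule 4 (HTTP requests)", "ask", "tcp", "out", "utorrent.exe",
         local_port=EPHEMERAL, remote_port=(80, 80), log=True),
    Rule("Rule 5 (block the rest)", "block", "ip", "both", "utorrent.exe", log=True),
]

# Browser rule from the answers above: remote port 80, then 443 added.
BROWSER_RULES = [
    Rule("Browser HTTP", "allow", "tcp", "out", "firefox.exe", remote_port=(80, 80)),
    Rule("Browser HTTPS", "allow", "tcp", "out", "firefox.exe", remote_port=(443, 443)),
]

RULES = BROWSER_RULES + TORRENT_RULES

# Constructed sample connections: (app, protocol, direction, local port, remote port).
SAMPLE = [
    Connection("utorrent.exe", "udp", "in", 6881, 51413),  # peer on an ephemeral port
    Connection("utorrent.exe", "udp", "in", 6881, 1024),   # peer on a port below 1025
    Connection("utorrent.exe", "tcp", "out", 49152, 80),   # HTTP tracker request
    Connection("utorrent.exe", "tcp", "out", 49152, 443),  # HTTPS tracker request
    Connection("firefox.exe", "tcp", "out", 49153, 443),   # ordinary HTTPS browsing
    Connection("firefox.exe", "tcp", "out", 49154, 8080),  # non-standard web port
]


def run_samples(rules: List[Rule] = RULES, sample: List[Connection] = SAMPLE):
    """Return [(connection, action, rule name)] for every sample connection."""
    return [(c, *evaluate(rules, c)) for c in sample]


if __name__ == "__main__":
    for conn, action, name in run_samples():
        print(f"{conn.app:13} {conn.protocol:3} {conn.direction:3} "
              f"local {conn.local_port:5} remote {conn.remote_port:5} -> {action:5} via {name}")
```

Two things the run makes visible: an incoming UDP packet from a remote port below 1025 never matches Rule 1 and falls through to the block rule, and an outgoing HTTPS connection from the torrent client matches neither Rule 2 (remote 443 is outside 1025-65535) nor Rule 4 (remote 80 only), so Rule 5 blocks it. Whether either is the cause of the prompts reported in the thread is exactly what the firewall log (with logging enabled on Rules 4 and 5) would tell you.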
Utini (author), posted December 14, 2014 (edited)

> You can add port 443 for https. From my point of view, using automatic mode with no custom rules is best for most users and no further intervention in the settings is needed.

Hmm, I am not happy with automatic mode as this will basically allow all home calling. I would like to allow everything that is safe to the connections that are safe. That way, even when something gets exploited, it will only be allowed to "call home" to the safe connection that I allowed and not send my passwords and data to whoever it wants?

@edit: also, why is there no http/https rule for svchost.exe as a pre-rule in the FW? There are a lot of standard rules for svchost.exe like dns/dhcp but not for http/https?

Edited December 14, 2014 by Utini
rugk, posted December 14, 2014

You also have the possibility to activate the interactive mode. Then you will get an allow/deny question when an application is trying to connect somewhere, and there you can also create rules and specify all the things you like (when you expand it with "show advanced options")...

There you even have a button "custom rule" where you get the "normal" window for adding a rule, just with the difference that the settings you set in the notification will be shown there too and you can "fine-tune" them.

And also with HIPS (in interactive mode) you have a similar possibility.

I think this way you can see not only what ports (and other things) are used/needed, but also create the rules easier and faster.

> Hmm, I am not happy with automatic mode as this will basically allow all home calling. I would like to allow everything that is safe to the connections that are safe. That way, even when something gets exploited, it will only be allowed to "call home" to the safe connection that I allowed and not send my passwords and data to whoever it wants?

If you want this I think you would have to specify not only the port, but even the IP addresses, and that is time consuming.
Utini (author), posted December 14, 2014 (edited)

> You also have the possibility to activate the interactive mode. Then you will get an allow/deny question when an application is trying to connect somewhere, and there you can also create rules and specify all the things you like (when you expand it with "show advanced options")...
>
> [image: ESS_InteractiveFirewallQuestion_advancedOptions.png]
>
> There you even have a button "custom rule" where you get the "normal" window for adding a rule, just with the difference that the settings you set in the notification will be shown there too and you can "fine-tune" them.
>
> And also with HIPS (in interactive mode) you have a similar possibility:
>
> [image: ESS_InteractiveHIPSQuestion_advancedOptions.png]
>
> I think this way you can see not only what ports (and other things) are used/needed, but also create the rules easier and faster.
>
> > Hmm, I am not happy with automatic mode as this will basically allow all home calling. I would like to allow everything that is safe to the connections that are safe. That way, even when something gets exploited, it will only be allowed to "call home" to the safe connection that I allowed and not send my passwords and data to whoever it wants?
>
> If you want this I think you would have to specify not only the port, but even the IP addresses, and that is time consuming.

I think I have configured about 50% of my system within an hour. But now I am having trouble with system-specific rules and a few apps where I am not sure how to handle them. E.g. svchost.exe, rundll32.dll, spoolsv.exe etc.

For example I am wondering if I should allow port 80 and 443 for svchost.exe... according to Google this is for Windows Update, but ESET doesn't have a rule for it out of the box?

And btw, I am already running interactive, that's why I have all those questions ;P

Edited December 14, 2014 by Utini