Predefined FW/HIPS Rulesets (browser,mail,installer,system app,...)


Hey there,

 

I know from CIS and KIS that they have certain Predefined Rulesets that you can use for firefox,chrome,.... E.g. they have "browser" or "installer" or "system app".

 

The "browser" rule set would automatically limit the app that uses this rule set to allow only http,https communication (so only the specific ports) where "installer" or "system app" would have different settings.

 

Is there any KB entry or guide on how to do this with ESS? Or any "guidelines" on how to configure those specific categories of apps?

 

I don't want to allow my browser to use "all communication" it gets. In a custom rule it would only allow the communication to the specific IP that is requesting. It is not much work to delete the IP in the custom rule so that the rule is port specific, but still, wouldn't it be more secure/user friendly to tell the users how to best configure the rules for their apps?

 

Thanks

Edited by Utini

You can create a new rule that will allow communication on the remote port 80 and add your browsers as the local application.

 

Yes I did that, but what other ports should I allow? E.g. 443 for https. In general I think it would be useful to add such "specific" rules as a standard rule set for "new users"? Or even automatically apply such rules to specific categories of apps (e.g. browser)?

 

And as I am currently creating a few rule sets:

 

I used this "guide" for creating a torrent.exe ruleset with my previous firewall. If I follow this guide with ESS FW, will it work too? Only that "destination" is "remote" and "source" is "local" ?

 

 

Add the following rules:

Rule 1
Action = Allow
Protocol = TCP or UDP
Direction = In
Description = Rule for incoming TCP and UDP connections
Source Address = Any
Destination Address = Any
Source port = A port range (start port = 1025 / end port = 65535)
Destination port = the port of utorrent

Rule 2
Action = Allow
Protocol = TCP
Direction = Out
Description = Rule for outgoing TCP connections
Source Address = Any
Destination Address = Any
Source port = A port range (start port = 1025 / end port = 65535)
Destination port = A port range (start port = 1025 / end port = 65535)

Rule 3
Action = Allow
Protocol = UDP
Direction = Out
Description = Rule for outgoing UDP connections
Source Address = Any
Destination Address = Any
Source port = the port of utorrent
Destination port = A port range (start port = 1025 / end port = 65535)

Rule 4
Action = Ask (enable Log as a firewall event if this rule is fired)
Protocol = TCP
Direction = Out
Description = Rule for HTTP requests
Source Address = Any
Destination Address = Any
Source port = A port range (start port = 1025 / end port = 65535)
Destination port = 80

Rule 5
Action = Block (enable Log as a firewall event if this rule is fired)
Protocol = IP
Direction = In/Out
Description = Block and Log All Unmatching Requests
Source Address = Any
Destination Address = Any
IP Details = Any

 

Doesn't look like it works as it is supposed to. I still get asked about some "UDP in" although it is within the allowed port range. In general I shouldn't get any notification anymore, as everything should get blocked except what is allowed in the rules. But I still get a few notifications.

Edited by Utini
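To see which of the five rules above a given packet would hit before relying on them, here is an added example (not from the post or from ESET) that models the ruleset with first-match semantics; the listening port value and the sample packets are constructed placeholders.

```python
from dataclasses import dataclass

UTORRENT_PORT = 51413           # placeholder for "the port of utorrent"; use the client's real listening port
EPHEMERAL = range(1025, 65536)  # the guide's "port range 1025-65535"
ANY = None                      # the guide's "Any"


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    direction: str  # "In" or "Out"
    src_port: int
    dst_port: int


# Rules 1-5 from the guide, in order: (action, protocols, directions, source port, destination port).
# Rule 5 is "Protocol = IP", which here covers both TCP and UDP.
RULES = [
    ("Allow", {"TCP", "UDP"}, {"In"},        EPHEMERAL,       {UTORRENT_PORT}),
    ("Allow", {"TCP"},        {"Out"},       EPHEMERAL,       EPHEMERAL),
    ("Allow", {"UDP"},        {"Out"},       {UTORRENT_PORT}, EPHEMERAL),
    ("Ask",   {"TCP"},        {"Out"},       EPHEMERAL,       {80}),
    ("Block", {"TCP", "UDP"}, {"In", "Out"}, ANY,             ANY),
]


def _matches(spec, value):
    return spec is ANY or value in spec


def evaluate(pkt):
    """Return (action, rule number) of the first rule that matches the packet."""
    for number, (action, protos, dirs, sport, dport) in enumerate(RULES, start=1):
        if (pkt.proto in protos and pkt.direction in dirs
                and _matches(sport, pkt.src_port) and _matches(dport, pkt.dst_port)):
            return action, number
    return "Ask", 0  # nothing matched: in interactive mode the firewall would prompt


if __name__ == "__main__":
    # Constructed sample packets for the application the rules are bound to.
    samples = [
        Packet("UDP", "In", 40000, UTORRENT_PORT),  # peer reaching the listening port
        Packet("UDP", "In", 53, UTORRENT_PORT),     # same, but from a source port below 1025
        Packet("TCP", "Out", 50000, 443),           # HTTPS tracker: 443 is outside 1025-65535
        Packet("UDP", "Out", 40000, 6881),          # UDP out that does not use the listening port
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt))
```

The model shows that outbound TCP to 443 and outbound UDP from any source port other than the listening port fall through to Rule 5, and it leaves out the local-application binding ESS rules carry (see the reply above about adding the browser as the local application), so a prompt about a different process is not covered by these rules.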

  • Administrators

You can add port 443 for https. From my point of view, using automatic mode with no custom rules is best for most users and no further intervention in the settings is needed.


You can add port 443 for https. From my point of view, using automatic mode with no custom rules is best for most users and no further intervention in the settings is needed.

 

Hmm, I am not happy with automatic mode as this will basically allow all home calling. I would like to allow everything that is safe only to the connections that are safe. That way, even when something gets exploited, it will only be allowed to "call home" to the safe connection that I allowed and not send my passwords and data to whoever it wants?

 

@edit: also, why is there no http/https rule for svchost.exe as a predefined rule in the FW? There are a lot of standard rules for svchost.exe like dns/dhcp but not for http/https?

Edited by Utini

You also have the possibility to activate the interactive mode. Then you will get an allow/deny question when an application is trying to connect somewhere, and there you can also create rules and specify all the things you like (when you expand it with "show advanced options")...

[Screenshot: ESS_InteractiveFirewallQuestion_advancedOptions.png]

There you even have a button "custom rule" where you get the "normal" window for adding a rule - just with the difference that the settings you set in the notification will be shown there too and you can "fine-tune" them. :D

 

And also with HIPS (in interactive mode) you have a similar possibility:

[Screenshot: ESS_InteractiveHIPSQuestion_advancedOptions.png]

 

I think this way you can see not only what ports (and other things) are used/needed, but also create the rules easier and faster.
 

Hmm, I am not happy with automatic mode as this will basically allow all home calling. I would like to allow everything that is safe only to the connections that are safe. That way, even when something gets exploited, it will only be allowed to "call home" to the safe connection that I allowed and not send my passwords and data to whoever it wants?


If you want this I think you would have to specify not only the port, but even the IP addresses and that is time consuming.


You also have the possibility to activate the interactive mode. Then you will get an allow/deny question when an application is trying to connect somewhere, and there you can also create rules and specify all the things you like (when you expand it with "show advanced options")...

[Screenshot: ESS_InteractiveFirewallQuestion_advancedOptions.png]

There you even have a button "custom rule" where you get the "normal" window for adding a rule - just with the difference that the settings you set in the notification will be shown there too and you can "fine-tune" them. :D

 

And also with HIPS (in interactive mode) you have a similar possibility:

[Screenshot: ESS_InteractiveHIPSQuestion_advancedOptions.png]

 

I think this way you can see not only what ports (and other things) are used/needed, but also create the rules easier and faster.

 

Hmm, I am not happy with automatic mode as this will basically allow all home calling. I would like to allow everything that is safe only to the connections that are safe. That way, even when something gets exploited, it will only be allowed to "call home" to the safe connection that I allowed and not send my passwords and data to whoever it wants?

If you want this I think you would have to specify not only the port, but even the IP addresses and that is time consuming.

 

I think I have configured about 50% of my system within an hour. But now I am having trouble with system specific rules and a few apps where I am not sure how to handle them.

 

E.g. svchost.exe

rundll32.dll

spoolsv.exe

etc

 

For example I am wondering if I should allow port 80 and 443 for svchost.exe... according to google this is for windows update but ESET doesn't have a rule for it out of the box?

 

And btw, I am already running interactive, that's why I have all those questions ;P

Edited by Utini
