  #1  
Old 01-19-2007, 02:30 AM
maniacut maniacut is offline
Senior Member
 
Join Date: Jan 2006
Location: racetrack
Posts: 1,437
Default Some rules for my software firewall

I'm using the normal free version of sygate personal firewall. I just set up a few rules that I think are good and if set up correctly will help me from having to decide whether to allow traffic when it has no chance of appearing on the internet. Can any network gurus confirm that allowing traffic (all protocols) in/out from 10.0.0.1 and 192.168.0.1-192.168.0.76 and 224.0.0.0-239.255.255.255 is a safe bet?
  #2  
Old 01-19-2007, 02:50 AM
BiPolar_Nut BiPolar_Nut is offline
Senior Member
 
Join Date: Aug 2006
Location: Slightly over the edge
Posts: 1,590
Default Re: Some rules for my software firewall

ummm no?

I think you misread a setup guide someplace. You should actually be blocking all inbound traffic from those subnets.

edit: Actually, I was in perimeter firewall mode mentally.

I still wouldn't allow even my own subnet wide open in/out access tho...if a visitor plugs in an infected lappy, you could be at risk

argh...I should be asleep...on edit number 3 or 4 already. I'll check this thread tomorrow with a few more cents to add once alert.
  #3  
Old 01-19-2007, 02:55 AM
maniacut maniacut is offline
Senior Member
 
Join Date: Jan 2006
Location: racetrack
Posts: 1,437
Default Re: Some rules for my software firewall

ah ok good point
first edit: (after edit 3-4)...ok looking forward to it
  #4  
Old 01-19-2007, 12:40 PM
BiPolar_Nut BiPolar_Nut is offline
Senior Member
 
Join Date: Aug 2006
Location: Slightly over the edge
Posts: 1,590
Default Re: Some rules for my software firewall

Cliff's notes at bottom.

For an application firewall, the default inbound policy of blocking everything is fine. Rules regarding inbound policies are just going to be for poking holes for needed services (like perhaps you want Remote Desktop access so you can play poker on your computer from the office during lunch).

As for outbound restrictions, you could block outbound traffic to a bunch of known ad sites but it's easier to handle that by using Spybot Search & Destroy's Hosts file. There are hundreds (thousands?) of known ad sites in there, and using the Hosts file effectively blocks them (plus you can update them).

The biggest problems for local network access would be local file/printer sharing. The easiest way to allow network shares is to open your whole subnet in/out like you mentioned in the OP, but that leads to exposure if a friend brings his laptop over or something...you're trusting your security to his practices. A little googling should turn up the specific ports you need to open, and I would further restrict them to the IP addresses of the computers with the network shares and only the ports needed. Personally, I don't use windows file sharing on my personal LAN. If I need to move files I use SCP or a thumb drive, but that would change if I had to move files frequently. Since I don't move files much, and only print from one machine, I have SMB ports blocked.

If you're on a 192.168.x.y network, you could block outbound any other 192.168.w.0 network where w != x, and 10.x.y.z outbound, but that really shouldn't matter since that traffic should be non-routable anyway...although if a piece of malware established a VPN somewhere and received a 10. or 192.168. address it would effectively block that traffic if you didn't notice you had a rogue VPN connection. I know of no malware that establishes a VPN but it would certainly be possible. Blocking outbound GRE protocol (IP protocol 47) would hinder PPTP VPNs.
Cliff's notes: There's really not much you need to do to be reasonably secure firewall-wise except opening inbound ports for external services you want to display to the world (or block except from specific IP's) and specific IP's/ports for local services like network shares.
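To make the difference between the two policies in this thread concrete (the OP's "allow all protocols in/out for 10.0.0.1, 192.168.0.1-76 and 224/4" versus the tightened policy in the reply above: default-deny inbound, SMB only with the hosts that actually share files, block outbound GRE and the other private ranges), here is an added example that is not part of the original posts and not Sygate's code. It models a host firewall as a first-match rule list and runs both rulesets over a handful of constructed packets. The own subnet (192.168.0.0/24), the file server address (192.168.0.10), the sample addresses (documentation ranges) and the "unmatched outbound = prompt the user" default are all assumptions made for the demonstration; Sygate's real rule engine may evaluate differently.

```python
"""Toy model of a personal-firewall ruleset with first-match evaluation (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network, summarize_address_range
from typing import Dict, FrozenSet, List, Optional, Tuple

TCP, UDP, GRE = 6, 17, 47            # IP protocol numbers (GRE = 47, used by PPTP tunnels)
ANY_HOST = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" (remote -> this host) or "out" (this host -> remote)
    proto: int                  # IP protocol number
    remote: str                 # the other endpoint's address
    port: Optional[int] = None  # service port: local port for "in", remote port for "out"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "block"
    direction: str                            # "in", "out" or "both"
    remotes: Tuple[IPv4Network, ...]          # networks the remote address must fall in
    protos: Optional[FrozenSet[int]] = None   # None = any protocol
    ports: Optional[FrozenSet[int]] = None    # None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.direction not in ("both", pkt.direction):
            return False
        if self.protos is not None and pkt.proto not in self.protos:
            return False
        if self.ports is not None and pkt.port not in self.ports:
            return False
        addr = ip_address(pkt.remote)
        return any(addr in net for net in self.remotes)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins. Unmatched inbound traffic is blocked; unmatched
    outbound traffic is handed to the user ("prompt"), as a personal firewall does."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return ("block", "default inbound") if pkt.direction == "in" else ("prompt", "default outbound")


def ip_range(first: str, last: str) -> Tuple[IPv4Network, ...]:
    """Turn an inclusive address range into the CIDR blocks that cover it exactly."""
    return tuple(summarize_address_range(IPv4Address(first), IPv4Address(last)))


# Ruleset 1: the OP's proposal, every protocol in and out for these ranges.
OP_RULES = [
    Rule("LAN wide open", "allow", "both",
         (ip_network("10.0.0.1/32"),) + ip_range("192.168.0.1", "192.168.0.76") + (ip_network("224.0.0.0/4"),)),
]

# Ruleset 2: the tightened policy from the reply. Assumed (constructed) layout:
# this host sits in 192.168.0.0/24 and the only machine sharing files is 192.168.0.10.
OWN_SUBNET = ip_network("192.168.0.0/24")
FILE_SERVER = ip_network("192.168.0.10/32")
SMB_PORTS = frozenset({137, 138, 139, 445})   # NetBIOS + direct-hosted SMB

TIGHT_RULES = [
    Rule("SMB with file server only", "allow", "both", (FILE_SERVER,), frozenset({TCP, UDP}), SMB_PORTS),
    Rule("multicast UDP (SSDP/mDNS)", "allow", "out", (ip_network("224.0.0.0/4"),), frozenset({UDP})),
    Rule("block GRE (PPTP tunnels)", "block", "out", (ANY_HOST,), frozenset({GRE})),
    # every 192.168.w.0/24 with w != our own, plus all of 10/8: the rogue-VPN case from the post
    Rule("other private nets", "block", "out",
         tuple(ip_network("192.168.0.0/16").address_exclude(OWN_SUBNET)) + (ip_network("10.0.0.0/8"),)),
]

# Constructed sample traffic, not captured from any real host.
SAMPLES = {
    "visitor laptop hits our SMB":     Packet("in", TCP, "192.168.0.50", 445),
    "file server SMB":                 Packet("in", TCP, "192.168.0.10", 445),
    "RDP from the internet":           Packet("in", TCP, "198.51.100.7", 3389),
    "outbound GRE tunnel":             Packet("out", GRE, "203.0.113.5"),
    "outbound to 10.8.0.1 (VPN-ish)":  Packet("out", TCP, "10.8.0.1", 445),
    "outbound HTTPS":                  Packet("out", TCP, "198.51.100.7", 443),
}


def compare(rulesets: Dict[str, List[Rule]]) -> Dict[str, Dict[str, str]]:
    """Verdict of every ruleset for every sample packet, keyed by sample name."""
    return {name: {label: evaluate(rules, pkt)[0] for label, rules in rulesets.items()}
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in compare({"OP": OP_RULES, "tight": TIGHT_RULES}).items():
        print(f"{name:34} OP={verdicts['OP']:6} tight={verdicts['tight']}")
```

The run shows the point of the reply: under the OP's rules a visitor's laptop anywhere in 192.168.0.1-76 reaches the SMB service, while the tightened list only admits the one file server and falls back to default-deny for everyone else; outbound GRE and traffic to a 10.x address that this host never legitimately talks to are blocked instead of silently allowed or left to a prompt.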
  #5  
Old 01-19-2007, 02:43 PM
Freakin Freakin is offline
Senior Member
 
Join Date: Sep 2004
Posts: 6,022
Default Re: Some rules for my software firewall

these should get you started

1. A firewall may not injure a human being or, through inaction, allow a human being to come to harm.
2. A firewall must obey orders given it by human beings except where such orders would conflict with the First rule.
3. A firewall must protect its own existence as long as such protection does not conflict with the First or Second rules.
  #6  
Old 01-19-2007, 10:09 PM
BiPolar_Nut BiPolar_Nut is offline
Senior Member
 
Join Date: Aug 2006
Location: Slightly over the edge
Posts: 1,590
Default Re: Some rules for my software firewall

lol Frek

BTW, Sam: I heard you are somewhat anti ad-blocking....FWIW, the hosts file I mentioned doesn't block (current) ads on 2+2 (mostly adware sites) so I hope my post wasn't offensive
(was IM'ing someone that apparently was banned from CTH for posting how to block ads some time ago.....I don't know the specifics of that situation (and don't really care))