Blank Entry In Protocol Type - Does This Mean All Types & Does This Apply In General To All Rules?
Updated: 21 May 2010 | 6 comments
This issue has been solved. See solution.
Hi.
Last post :-)
When one creates a new FWall Rule, at Service specification in the service list, if one were to set the Protocol as IP and then leave Protocol Type blank, can I assume that this is how we set the rule to mean all IP protocol types?
I noted this because as a default during install, this is how the "Allow all other IP traffic" rule was set.
Does this same scenario play out for the other service settings?
Basically I want to create a rule for laptops that are out of the office to block all incoming traffic except for wireless EAPOL traffic and DHCP. I'm assuming that a block on all incoming IP-type traffic would block everything as needed using this blank setting, but I just wanted to confirm that with y'all.
Thanks.
Comments
Hi
You can check this discussion to learn about blocking services.
https://www-secure.symantec.com/connect/forums/symantec-endpoint-protection-firewall-rule-set
You should not leave this entry blank. From the help file:
A network service trigger identifies one or more network protocols that are significant in relation to the described network traffic.
You can define the following types of protocols:
TCP: port or port ranges
UDP: port or port ranges
ICMP: type and code
IP: protocol number (IP type). Examples: Type 1 = ICMP, Type 6 = TCP, Type 17 = UDP
Ethernet: Ethernet frame type. Examples: Type 0x0800 = IPv4, Type 0x8BDD = IPv6, Type 0x8137 = IPX
When you define TCP-based or UDP-based service triggers, you identify the ports on both sides of the described network connection. Traditionally, ports are referred to as being either the source or the destination of a network connection.
You can define the network service relationship in either of the following ways:
Source and destination
The source port and destination port are dependent on the direction of traffic. In one case the local client computer might own the source port, whereas in another case the remote computer might own the source port.
Local and remote
The local host computer always owns the local port, and the remote computer always owns the remote port. This expression of the port relationship is independent of the direction of traffic.
You specify the direction of traffic when you define the protocol.
You can define multiple protocols. For example, a rule might include the ICMP, IP, and TCP protocols. The rule describes multiple types of connections that may occur between the identified client computers, or are used by an application.
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
Hi Rafeeq.
I don't understand.
The default installation of the product creates a rule (one of the 15 or so created during install) called "Allow all other IP traffic". This rule is as follows:
App=any
host=any
time=any
service=IP
adapter=all
screen=any
action=allow
logging=none
If you double click on the IP in the service box area, it opens up the service list. In the service list, the top service is enabled, service name is blank and content=IP. If you edit this, you will see that protocol is IP, type is blank and direction is both. Apply to fragmented packets only is unchecked.
This makes sense to me also. Otherwise, you would have to create hundreds of rules to allow (or deny as I want to do) all traffic. So, it makes sense in this case that this is how Symantec deals with creating a rule that addresses all traffic types.
To summarize, I want to create a set of rules for a location that denies all incoming traffic except for EAPOL wireless and DHCP. This location would kick in when the client was not able to see the mgmt server. I should only have to create three rules in this case, I would think:
In order:
1) Allow EAPOL.
2) Allow DHCP
3) Block all incoming IP, all hosts, all adapters, any app
Comments appreciated.
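As an added illustration (this is not Symantec's code and not something from the help text), here is a small Python model of the two ideas discussed in this thread: first-match evaluation of an ordered rule list, in which an "IP" service trigger with a blank protocol number matches every IP protocol, and the help file's local/remote port notation, which does not flip with traffic direction the way source/destination does. The protocol numbers come from the quoted help text (1 = ICMP, 6 = TCP, 17 = UDP, EtherType 0x0800 = IPv4); the EAPOL EtherType 0x888E and the DHCP UDP ports 67/68 are standard values not stated on the page, and the sample packets are constructed for the demonstration.

```python
# Added example: a toy model of first-match firewall rule evaluation.
# Not SEP's implementation; it only mimics the semantics described in the thread.
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_IPV4 = 0x0800    # from the quoted help text
ETHERTYPE_EAPOL = 0x888E   # standard EAPOL frame type (assumption, not on the page)
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17  # from the quoted help text


@dataclass
class Packet:
    direction: str                  # "in" (remote -> local) or "out" (local -> remote)
    ethertype: int
    ip_proto: Optional[int] = None  # None for non-IP frames
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    # Local/remote ports are derived from direction, so a rule written in
    # local/remote terms matches both halves of a conversation.
    @property
    def local_port(self) -> Optional[int]:
        return self.dst_port if self.direction == "in" else self.src_port

    @property
    def remote_port(self) -> Optional[int]:
        return self.src_port if self.direction == "in" else self.dst_port


@dataclass
class Service:
    protocol: str                 # "IP", "TCP", "UDP", "ICMP" or "Ethernet"
    type_: Optional[int] = None   # IP protocol number or frame type; None = blank = any
    direction: str = "both"       # "in", "out" or "both"
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction != "both" and self.direction != p.direction:
            return False
        if self.protocol == "Ethernet":
            return self.type_ is None or self.type_ == p.ethertype
        if p.ethertype != ETHERTYPE_IPV4:
            return False  # the remaining triggers only apply to IP traffic
        if self.protocol == "IP":
            # Blank type: every IP protocol number matches.
            return self.type_ is None or self.type_ == p.ip_proto
        wanted = {"TCP": IPPROTO_TCP, "UDP": IPPROTO_UDP, "ICMP": IPPROTO_ICMP}[self.protocol]
        if p.ip_proto != wanted:
            return False
        if self.local_port is not None and p.local_port != self.local_port:
            return False
        if self.remote_port is not None and p.remote_port != self.remote_port:
            return False
        return True


@dataclass
class Rule:
    name: str
    service: Service
    action: str  # "allow" or "block"


def evaluate(rules, packet: Packet, default: str = "allow") -> Tuple[str, str]:
    """First matching rule wins, top to bottom; returns (action, rule name)."""
    for rule in rules:
        if rule.service.matches(packet):
            return rule.action, rule.name
    return default, "<no match>"


# The three-rule out-of-office location from the post above, in order,
# followed by the stock "Allow all other IP traffic" rule to show that it
# can never fire for inbound IP once the block rule sits above it.
OFFLINE_RULES = [
    Rule("Allow EAPOL", Service("Ethernet", ETHERTYPE_EAPOL), "allow"),
    Rule("Allow DHCP", Service("UDP", local_port=68, remote_port=67), "allow"),
    Rule("Block all incoming IP", Service("IP", None, direction="in"), "block"),
    Rule("Allow all other IP traffic", Service("IP", None), "allow"),
]

# Constructed sample traffic.
SAMPLES = {
    "EAPOL frame in":   Packet("in", ETHERTYPE_EAPOL),
    "DHCP offer in":    Packet("in", ETHERTYPE_IPV4, IPPROTO_UDP, 67, 68),
    "DHCP discover out": Packet("out", ETHERTYPE_IPV4, IPPROTO_UDP, 68, 67),
    "TCP 445 in":       Packet("in", ETHERTYPE_IPV4, IPPROTO_TCP, 50000, 445),
    "ICMP echo in":     Packet("in", ETHERTYPE_IPV4, IPPROTO_ICMP),
    "TCP 443 out":      Packet("out", ETHERTYPE_IPV4, IPPROTO_TCP, 50001, 443),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:18s} -> {evaluate(OFFLINE_RULES, pkt)}")
```

Both DHCP packets hit the same rule even though their source and destination ports are swapped, because the rule is written as local 68 / remote 67. Every other inbound IP packet falls through to the block rule, while outbound traffic passes it and reaches the stock allow rule, which is the priority behaviour Rafeeq describes later in the thread.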
Hi
I got your point. When you select IP, the "Protocol number (IP type)" field should be followed by an IP type (one of the numbered ones); otherwise it does not know what to allow or block.
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
Why does Symantec create a rule like this then during install?
Hi Olstall,
You are correct, it allows all IP traffic; however, the same can be achieved by adding two rules, one for incoming and one for outgoing.
The first one would be IP [Incoming].
The second one would be IP [Outgoing].
Or, as you said, IP with a blank type should allow all IP traffic.
Here firewall rules are applied based on priority: the first rule is applied first, and so on.
This rule is listed 14th; I don't think it would ever come up for this policy.
However, disabling it would be a good security decision... Let me know your thoughts.
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
The default firewall rules have been made taking all the users into consideration, basically so that they don't block any expected traffic.
However, there are many options with the help of which you can create very strict firewall policies; it's just that you will have to play with it for some time.
I would suggest creating a blank rule and changing allow to block, so that it becomes BLOCK ALL,
then create one more policy above it and set it to allow EAPOL (wireless) traffic.