……
I think it is time to explain how it works a little more.
There are 2 types of rules in 3.0. Application rules and global rules.
Application rules are used to handle all application based traffic. i.e. the traffic that applications in your computer generate.
Global rules are used to filter both the application based and non-application based traffic.
For outgoing connections, first application based rules are applied, if passed, then global rules are applied.
For incoming connections, first global rules are applied. If passed, then application based rules are applied.
If the traffic is routed traffic, it is considered applicationless, hence only the global rules are applied. If the traffic is applicationless, there is no "application is trying to connect to the Internet" popup.
Rule handling:
Rules are applied from top to bottom. So the first rule which matches the packet is applied.
Yes there are. The traffic generated by your computer is bound by application rules hence the SPI. In your case, it is routed traffic hence only the global rules are applied.
Here are some test scenarios to better see CFP in action:
Operating System: Windows XP SP2, 32 bit
VM : VMWare (bridged networking)
Host OS : Windows XP x64
CFP 3.0
----------
Firewall->Advanced->Attack Detection Settings->Monitor other NDIS protocols than TCPIP is ENABLED (requires a restart, not necessary if you are using Windows Vista or XP 64 bit)
Scenario 1:
An example default CFP configuration normally has the following GLOBAL rules:
1 - ALLOW IP OUT FROM ANY TO ANY WHERE PROTOCOL IS ANY
2 - BLOCK IP IN/OUT FROM ANY TO ANY WHERE PROTOCOL IS ANY
The virtual machine will be able to connect to the internet successfully. Why?
1 - CFP 3.0 sees the traffic being SENT (BRIDGED) from the VM to the bridged network adapter
2 - CFP 3.0 checks where this traffic comes from and sees that it is routed traffic
3 - Routed traffic cannot be generated by an application inside the PC where CFP is operating, so it applies only the GLOBAL rules.
4 - Rule 1 allows the outgoing requests, thus the traffic is allowed.
Some points to clarify:
Q - Does this mean if I am in a network, by default, my internet connection can be shared with other PCs without any further configuration?
A - No. In a LAN, you will be invisible to the other PCs because unlike this VM example, your computer will reject any incoming packets because of the global rule 2.
Scenario 2:
GLOBAL RULES:
1 - BLOCK IP IN/OUT FROM MAC XX-XX-XX-XX-XX-XX TO ANY WHERE PROTOCOL IS ANY
2 - ALLOW IP OUT FROM ANY TO ANY WHERE PROTOCOL IS ANY
3 - BLOCK IP IN/OUT FROM ANY TO ANY WHERE PROTOCOL IS ANY
where XX-XX-XX-XX-XX-XX is the MAC address of the adapter INSIDE the VM.
If the VM tries to connect, then
1 - CFP 3.0 sees the traffic being SENT (BRIDGED) from the VM to the bridged network adapter
2 - CFP 3.0 checks where this traffic comes from and sees that it is routed traffic
3 - Routed traffic cannot be generated by an application inside the PC where CFP is operating, so it applies only the GLOBAL rules.
4 - Rule 1 matches the request, thus the traffic is BLOCKED.
Note that this will only BLOCK the VM but not the real operating system.
You can use your logical reasoning to create a set of global rules which can do the same.
For example,
BLOCK the traffic NOT FROM MY ETHERNET ADAPTER
OR
ALLOW the traffic from MY ETHERNET ADAPTER
BLOCK the rest
etc. It is up to your reasoning.
I have tested all these scenarios personally and did not see any problems.
With CFP you can filter based on layer 2 address. Layer 2 protocols like ARP/RARP are not supported. We believe MAC address based filtering should be good enough in the environments where CFP is intended to operate.
For me to be able to understand your case properly, you need to list your rules in the exact order as they appear. Note that if you don't enter a description for a rule, CFP automatically generates one for showing in the grids. So if you can use them to post your rules, that would be better.
Hope this helps,
Egemen
[This post was last edited by rcbblgy on 2007-9-16 17:06]
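The evaluation order described in the post (application rules before global rules for outgoing traffic, global before application for incoming, global only for routed traffic, first match from the top wins) as a small simulator; this is an added example, not Comodo's code, and the MAC addresses, the "no matching rule passes to the next set" behaviour and the `Rule`/`evaluate` names are assumptions made for the illustration.

```python
from dataclasses import dataclass

ANY = "ANY"

@dataclass(frozen=True)
class Rule:
    action: str       # "ALLOW" or "BLOCK"
    direction: str    # "IN", "OUT" or "IN/OUT"
    source: str       # MAC/IP string or ANY
    destination: str  # MAC/IP string or ANY
    protocol: str = ANY

    def matches(self, pkt):
        return (self.direction in ("IN/OUT", pkt["direction"])
                and self.source in (ANY, pkt["src"])
                and self.destination in (ANY, pkt["dst"])
                and self.protocol in (ANY, pkt["proto"]))

def first_match(rules, pkt):
    """Top to bottom: the first matching rule decides. No match is assumed
    to pass (the real product would raise the alert popup for an application)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "ALLOW"

def evaluate(pkt, app_rules, global_rules):
    """Routed traffic: global rules only. Outgoing: application then global.
    Incoming: global then application. A BLOCK in any consulted set is final."""
    if pkt["routed"]:
        chain = [global_rules]
    elif pkt["direction"] == "OUT":
        chain = [app_rules, global_rules]
    else:
        chain = [global_rules, app_rules]
    return "BLOCK" if any(first_match(r, pkt) == "BLOCK" for r in chain) else "ALLOW"

# Constructed placeholder values, not taken from the post
VM_MAC = "00-0C-29-11-22-33"     # adapter inside the VM (the XX-XX-... of scenario 2)
LAN_MAC = "00-1A-2B-44-55-66"    # some other PC on the LAN
SCENARIO1 = [Rule("ALLOW", "OUT", ANY, ANY), Rule("BLOCK", "IN/OUT", ANY, ANY)]
SCENARIO2 = [Rule("BLOCK", "IN/OUT", VM_MAC, ANY)] + SCENARIO1
APP_ALLOW = [Rule("ALLOW", "OUT", ANY, ANY)]

def packet(direction, src, routed, dst="203.0.113.10", proto="TCP"):
    return {"direction": direction, "src": src, "dst": dst, "proto": proto, "routed": routed}

VM_OUT = packet("OUT", VM_MAC, routed=True)     # bridged VM traffic: applicationless
LAN_IN = packet("IN", LAN_MAC, routed=False)    # unsolicited packet from another LAN PC
HOST_OUT = packet("OUT", "host", routed=False)  # traffic from an application on the host
```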