
eEye Digital Security

Can't add remote IP addresses to rules

Last post 06-16-2007 7:40 AM by cbarn. 5 replies.
Page 1 of 1 (6 items)
  • 06-12-2007 7:38 PM

    • cbarn
    • Top 100 Contributor
    • Joined on 06-13-2007
    • Posts 6

    Can't add remote IP addresses to rules

    I just installed Blink Personal (free version, not the beta), and of course it discovered a bunch of services running on first install and wanted to create rules for them - good so far.  The problem is, a few of those services (inbound RDP & VNC) I want to limit to my local network and VPN, but when I go into the advanced settings for the rules I can't select anything in the remote IP address list, and the buttons to add/edit/delete a remote IP address are disabled.  If I go change the direction to "outgoing" the boxes enable and I can set addresses, then switch back to "incoming" and the addresses remain.  This seems to work (i.e. it's only allowing connections as specified) but it's a bit unwieldy - am I doing something wrong?

  • 06-14-2007 7:49 AM In reply to

    • cbarn
    • Top 100 Contributor
    • Joined on 06-13-2007
    • Posts 6

    Re: Can't add remote IP addresses to rules

    FYI:  I upgraded to the 3.1 beta and am seeing the same behavior there. 

  • 06-14-2007 12:16 PM In reply to

    Re: Can't add remote IP addresses to rules

    This is a technical limitation imposed by the fact that servers are controlled when they start listening and not when clients are connecting to them.

    It is also not possible to stop and delay a client incoming connection request (as it may time out, plus it comes from the NIC adapter which doesn't really like being stalled) in order to ask the user whether to allow or deny it.

    However it is possible to complement these rules with System Firewall rules that can offer the granularity that you are looking for.

    Regards
    Laurentiu Nicula
  • 06-15-2007 10:07 AM In reply to

    • cbarn
    • Top 100 Contributor
    • Joined on 06-13-2007
    • Posts 6

    Re: Can't add remote IP addresses to rules

    Thank you for responding - I think I see the picture now, but I hope you'll help make sure I've got it right.  :-)

    Within the application firewall the controls are limited - I can determine whether a process is allowed to act as a server on specific ports (or not) when it starts up.  I cannot determine which IP addresses the server will listen for at this point.
     
    BUT - I can augment the application firewall by setting rules in the system firewall, and those will allow specification by IP address as well as port.  So, using the example of a VNC server that I only want available to specific subnets, I would have something like the following:

    • In Application Firewall, VNCServer is allowed to listen on port 5900
    • In System Firewall, I allow incoming traffic to port 5900 from specific IP subnets
    • In System Firewall, I deny incoming traffic to port 5900 for all addresses

    Actually, that last item shouldn't be needed if the System Firewall has been left set up to deny undefined connections, right?  I'm assuming that the flow here is that for an inbound connection it has to match on the system firewall rule (and filtering stops at the first match?), then it'll pass to whatever task (if any) is listening on the port as defined by the app firewall.

    Does outbound filtering work differently?  I have app-specific rules defined allowing outbound port 80 and port 443 for the browsers and apps I've allowed, but no active system firewall rule covering those ports as far as I can determine (I'll go back for a closer look).  If an app has been permitted to use an outbound connection in the app firewall, does that bypass the system firewall entirely, or does it just give it a pass unless a specific deny rule is in effect (i.e. a system firewall rule to block port 80 to IP 1.2.3.4 applies to every app that's allowed to use port 80 outbound?)

    Thanks much!

  • 06-15-2007 10:03 PM In reply to

    Re: Can't add remote IP addresses to rules

    cbarn:

    Within the application firewall the controls are limited - I can determine whether a process is allowed to act as a server on specific ports (or not) when it starts up.  I cannot determine which IP addresses the server will listen for at this point.
     
    BUT - I can augment the application firewall by setting rules in the system firewall, and those will allow specification by IP address as well as port.  So, using the example of a VNC server that I only want available to specific subnets, I would have something like the following:

    • In Application Firewall, VNCServer is allowed to listen on port 5900
    • In System Firewall, I allow incoming traffic to port 5900 from specific IP subnets
    • In System Firewall, I deny incoming traffic to port 5900 for all addresses

    Actually, that last item shouldn't be needed if the System Firewall has been left set up to deny undefined connections, right?

    That is correct!

    cbarn:

    I'm assuming that the flow here is that for an inbound connection it has to match on the system firewall rule (and filtering stops at the first match?), then it'll pass to whatever task (if any) is listening on the port as defined by the app firewall.

    It stops at the first match and then is passed to the application.

    cbarn:

    Does outbound filtering work differently?  I have app-specific rules defined allowing outbound port 80 and port 443 for the browsers and apps I've allowed, but no active system firewall rule covering those ports as far as I can determine (I'll go back for a closer look).  If an app has been permitted to use an outbound connection in the app firewall, does that bypass the system firewall entirely, or does it just give it a pass unless a specific deny rule is in effect (i.e. a system firewall rule to block port 80 to IP 1.2.3.4 applies to every app that's allowed to use port 80 outbound?)

    For outgoing traffic, the application firewall will create temporary hidden system firewall rules to allow the traffic as necessary. That is why you don't need system firewall rules. You can disable this behavior if you disable the Stateful mode feature but then you will have to create system firewall rules AND Application firewall rules.

    These hidden rules are processed AFTER your rules, so you can always modify the default behavior by adding deny rules to limit the outgoing traffic.

    Regards
    Laurentiu Nicula
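    To make the evaluation order described in this reply concrete, here is a small model of it (an added example, not eEye's code and not Blink's actual implementation): inbound traffic is decided first-match by the system firewall rules and then only reaches a process the application firewall let listen; outbound traffic is checked against the user's system rules first and, in Stateful mode, against the application firewall's hidden temporary allow rules afterwards. The LAN and VPN subnets and the process names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """A system-firewall rule: direction 'in'/'out', TCP port, action, remote CIDR."""
    direction: str
    port: int
    action: str                 # "allow" or "deny"
    remote: str = "0.0.0.0/0"   # any remote address unless narrowed

    def matches(self, direction, port, remote_ip):
        return (self.direction == direction and self.port == port
                and ip_address(remote_ip) in ip_network(self.remote))


def first_match(rules, direction, port, remote_ip):
    """First-match semantics as described in the thread: stop at the first hit."""
    for rule in rules:
        if rule.matches(direction, port, remote_ip):
            return rule.action
    return None


def inbound(system_rules, listening_ports, port, remote_ip):
    """System firewall decides by remote IP/port (default deny); the connection then
    only goes anywhere if the application firewall let a process listen on that port."""
    if first_match(system_rules, "in", port, remote_ip) != "allow":
        return "deny"
    return "allow" if port in listening_ports else "deny"


def outbound(system_rules, app_allowed, process, port, remote_ip, stateful=True):
    """User system rules first; hidden per-application allow rules (Stateful mode) after."""
    verdict = first_match(system_rules, "out", port, remote_ip)
    if verdict is not None:
        return verdict
    if stateful:
        hidden = [Rule("out", p, "allow") for proc, p in app_allowed if proc == process]
        verdict = first_match(hidden, "out", port, remote_ip)
    return verdict or "deny"


# Constructed sample policy: VNC on 5900 reachable only from the LAN and a VPN subnet.
SYSTEM_RULES = [
    Rule("in", 5900, "allow", "192.168.1.0/24"),   # assumed LAN
    Rule("in", 5900, "allow", "10.8.0.0/24"),      # assumed VPN range
    Rule("out", 80, "deny", "1.2.3.4/32"),         # the thread's example outbound block
]
LISTENING = {5900}                                 # VNCServer permitted to listen
APP_ALLOWED = [("firefox.exe", 80), ("firefox.exe", 443)]  # assumed browser rules
```

    With this policy, a VNC connection from the LAN or VPN is allowed, one from any other address is denied, and the outbound deny for 1.2.3.4 wins over the browser's hidden allow rule because user rules are checked first.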
  • 06-16-2007 7:40 AM In reply to

    • cbarn
    • Top 100 Contributor
    • Joined on 06-13-2007
    • Posts 6

    Re: Can't add remote IP addresses to rules

    Thanks for the detailed answer, Laurentiu, that makes everything very clear! 

© 1995 - 2009 eEye Incorporated