Your rule (Allow all apps, outgoing traffic only) should work as you expect, since SEP firewall is stateful.
And your outgoing blocking rules should work, as long as they are above your allow rule. I've tested this arrangement and it works OK for me.
Original Message:
Sent: Oct 27, 2023 01:26 AM
From: Esa Poutala
Subject: Firewall rule to allow outgoing traffic
There is a small problem with "Allow all applications" rules.
It opens an inbound port if a running program on the computer needs it.
For example, RDP is enabled by default on computers.
Some computers are on a public network. They get massively attacked.
RDP is a common-knowledge issue and a firewall rule to deny it is not a problem.
But if you have, let's say, 30 000 computers to be maintained, the situation becomes difficult.
The network scan reports open ports from time to time.
You always have to start by finding out what program is on the computer and why it opens the port to the public network.
If a program needs a port opened in both directions, a rule is created for it, aware of which program needs such a thing.
Before this, the program will not work and the user will definitely contact the service desk.
"Allow all outgoing traffic" rule is done for basic things to work on machines.
Original Message:
Sent: Oct 24, 2023 12:58 PM
From: Ed Agoff
Subject: Firewall rule to allow outgoing traffic
Your allow rule makes no sense -- it allows outgoing packets but doesn't permit any answers.
The "Allow all applications" already allows all outbound traffic; it lets local applications initiate connections with remote services. Any blocking rules should be placed above it. And usually you should set direction of any rule to "Both"; most internet traffic is an exchange of packets in both directions and the only important distinction is the initial connection, inbound or outbound i.e. is the service port local/remote or destination/source? A rule is for outbound traffic when the service port is remote and inbound if service port is local. After connection is made, packets go in both directions.
To block 445, 137 you create a rule blocking inbound connections -- local ports 445, 137 -- and leave remote ports blank.
Specifying service port as destination is for a rule that allows inbound OR outbound connections, e.g. specify destination port 22 for a rule that blocks inbound or outbound SSH.
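To make the ordering and direction points concrete, here is a small constructed model of first-match, stateful rule evaluation (an added example; it is not SEP's engine and its names, `Packet`, `Rule`, `Firewall`, and its default-block fallback are assumptions). It shows a block rule placed above the outbound allow taking effect, the same block being shadowed when placed below it, and reply traffic passing on the established flow.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP" or "UDP"
    direction: str    # "in" or "out": direction of this packet
    local_port: int
    remote_port: int
    new_connection: bool = True   # True for the first packet of a flow

@dataclass(frozen=True)
class Rule:
    action: str                             # "allow" or "block"
    direction: str                          # "in", "out" or "both": connection direction
    local_ports: frozenset = frozenset()    # service port local  -> inbound service
    remote_ports: frozenset = frozenset()   # service port remote -> outbound service

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "both" and self.direction != pkt.direction:
            return False
        if self.local_ports and pkt.local_port not in self.local_ports:
            return False
        if self.remote_ports and pkt.remote_port not in self.remote_ports:
            return False
        return True

class Firewall:
    def __init__(self, rules, default="block"):   # default fallback is an assumption
        self.rules, self.default = list(rules), default
        self.flows = set()   # (proto, local_port, remote_port) of allowed connections

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.local_port, pkt.remote_port)
        if not pkt.new_connection and key in self.flows:
            return "allow"   # stateful: replies ride on the established flow
        for rule in self.rules:   # first matching rule wins, so order matters
            if rule.matches(pkt):
                if rule.action == "allow" and pkt.new_connection:
                    self.flows.add(key)
                return rule.action
        return self.default

# Constructed rules mirroring the thread: block SMB/NetBIOS, allow any outbound.
BLOCK_SMB_IN = Rule("block", "in", local_ports=frozenset({445, 137}))
BLOCK_SMB_OUT = Rule("block", "out", remote_ports=frozenset({445, 137}))
ALLOW_OUT = Rule("allow", "out")

def outcome(rules, pkt: Packet) -> str:
    return Firewall(rules).evaluate(pkt)

def reply_allowed(rules) -> bool:
    fw = Firewall(rules)   # outbound HTTPS connection, then its inbound reply
    if fw.evaluate(Packet("TCP", "out", 51000, 443)) != "allow":
        return False
    return fw.evaluate(Packet("TCP", "in", 51000, 443, new_connection=False)) == "allow"
```

Running `outcome([ALLOW_OUT, BLOCK_SMB_OUT], Packet("TCP", "out", 52000, 445))` returns "allow" because the block rule is shadowed; moving it above the allow returns "block".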
Original Message:
Sent: Oct 23, 2023 08:47 AM
From: Esa Poutala
Subject: Firewall rule to allow outgoing traffic
Hello,
Since the default rule "allow all applications" also opens incoming traffic if the program needs it, we try to create a rule that allows outgoing traffic by default unless it is specifically blocked.
Rule is like this:
Action=Allow,
Application=Any,
Host=Any,
Services=TCP[Outgoing] IP[Outgoing] UDP[Stateful Outgoing] Ethernet[Outgoing],
Severity=15-information.
The rule works, but any outgoing block rule no longer works.
And it doesn't matter if that allow rule is at the top or bottom, before or after the block rule in list.
How can I make a rule to allow any outgoing traffic and block ports like 445, 137 to the external network?