About rule making
A blank TCP or UDP field means that all ports, 1 - 65535, are then allowed for that protocol.
Putting a value 0 in either field will disable that protocol.
'Remote Server Ports' are used for outgoing connections.
'Local Ports' are your computer's ports for the incoming connections.
Basic application rules
A typical rule for browser connections:

Outgoing connections are allowed the whole remote port range for TCP and UDP.
In application rules it is not possible to restrict the connection initiating local ports.
No incoming connections are allowed since they are not needed.
This is an example of a (Saunalahti) netphone program firewall rule:

The operator providing the netphone service stated on their web page that the firewall needs to allow both outgoing and incoming UDP connections over the whole port range for the remote IP ranges:
62.142.14.0 - 62.142.14.128
62.142.43.0 - 62.142.43.255
TCP protocol is allowed also for the outgoing connections, but NOT for the incoming ones.
Those are the basics of how application rules are made.
Making more restrictive rules
Now I am going to use a browser, Firefox to be specific, as an example of how to make more restrictive rules.
A browser needs outgoing connections to TCP port 80 to be allowed.
But many sites also need some other ports.
You could put values like 80,443 into the 'Remote Server Ports' TCP field.
The problem is that if some other port is needed, that connection is blocked with no popup prompt given.
Some web content is then simply not shown, or the page does not work properly.
The traffic log is then the place to find out which port(s) were blocked and need to be added, if desired.
So this is cumbersome with browsers, but a safe solution. Maybe you should leave port 443 out though.
With many other kinds of software like email clients, security software etc. this is a really nice solution. They have a limited number of ports to allow.
The 'Advanced Rules' come to the rescue here when browsers need new, unknown ports.
With advanced rules, though, some features like Anti-Application hijacking are lost.
So this is just an example of advanced rules and maybe not such a good one.
It is only one option, given as an example.
Sygate is best used in my opinion with application rules when they suffice.
The 'advanced rules' are considered before the 'application rules' and they are rulebased rules.
SPF free has a limit of up to 20 rulebased rules. Their order is important.
Notice that these rules can be ticked on/off when desired.

Since Sygate logs these with a number only and the first rule is given implicitly the number 100,
it is best to add the numbers into the rule description too, to aid the traffic log reading,
since the actual rule description is not logged.
Now the Firefox rule, (Tools) / Advanced Rules...
Use the 'Add' button and go through the various tabs to build the following rule

It is important to read the 'Rule Summary' at the bottom and verify it before accepting the rule.
Notice that with a rulebased rule it is possible to restrict local ports to the so-called ephemeral port range, 1024-5000.
In general, a rulebased rule lets you specify both source and destination ports for the connection's data packets.
Leave the Firefox 'application rule', the first picture in this page, as it is.
Set that rule to ask.

Now you will get asked for the first unknown outgoing connection that does not match the 'Advanced Rules' made for Firefox.
Or you can block the application rule. Or you can allow it.
This offers some more choices in how to use the firewall.
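The decision order described on this page, modelled as an added example (not Sygate code and not part of the original page): advanced rules are checked first, then the application rule. The first-match behaviour, the `a-b` range syntax, the dict field names and the remote ports of the sample advanced rule are assumptions.

```python
# Added model of the rule logic described on this page; not Sygate's own code.

def port_allowed(field, port):
    """Port field semantics: blank = all ports 1-65535, '0' = protocol disabled."""
    field = field.strip()
    if field == "":
        return 1 <= port <= 65535
    if field == "0":
        return False
    for part in field.split(","):
        lo, _, hi = part.strip().partition("-")  # 'a-b' range syntax is an assumption
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def decide(conn, advanced_rules, app_rule):
    """conn = (proto, local_port, remote_port) of an outgoing connection."""
    proto, local, remote = conn
    # Advanced (rulebased) rules are considered first, in order (first match assumed).
    for rule in advanced_rules:
        if (rule["proto"] == proto and port_allowed(rule["remote"], remote)
                and port_allowed(rule["local"], local)):
            return rule["action"], rule["desc"]
    # Application rule: 'ask' prompts, 'block' blocks, 'allow' checks the port fields.
    if app_rule["action"] != "allow":
        return app_rule["action"], "application rule"
    if port_allowed(app_rule[proto], remote):
        return "allow", "application rule"
    return "block", "application rule, no prompt"  # only visible in the traffic log

# Constructed sample rules. The remote ports of the advanced rule are an assumption;
# the local range 1024-5000 and the number 100 in the description come from the text.
FIREFOX_ADVANCED = [{"desc": "100 Firefox web out", "action": "allow",
                     "proto": "tcp", "remote": "80,443", "local": "1024-5000"}]
APP_RESTRICTIVE = {"action": "allow", "tcp": "80,443", "udp": ""}
APP_ASK = {"action": "ask", "tcp": "", "udp": ""}

if __name__ == "__main__":
    for conn in [("tcp", 3000, 80), ("tcp", 3000, 8080), ("tcp", 6000, 80)]:
        print(conn, "restrictive app rule only:", decide(conn, [], APP_RESTRICTIVE))
        print(conn, "advanced rule + ask:      ", decide(conn, FIREFOX_ADVANCED, APP_ASK))
```

With the restrictive application rule alone, the connection to port 8080 is dropped without a prompt; with the advanced rule in front of an application rule set to ask, the same connection produces a prompt instead.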
11. January, 2007
JS