Hi. I am using Firewall 2.0 clients and managing via the console. I've looked through the various documents and have a lingering question. "Allow by default" - it says traffic which has no matching rule is allowed. Does this mean all Outbound and Inbound are allowed? I am looking for a setting that allows all Outbound but blocks most inbound (except what I have set in the rules).
Hello jb1111,
If you use Block by default and add global rules allowing Outbound TCP and UDP this should do what you want (this will still block outbound traffic for the other IP protocol types). Or you could add "block inbound IP" as the last global rule.
As to the events: what's the console log? Just checked SEC/View->Firewall Events ..., SEC/View Computer Details and the client's Firewall Log. They all show the direction. Could you give an example please?
Christian
Hi. I believe this question was answered thoroughly. Thanks to all for the quick response. To answer QC, I open the Firewall Policy, select Advanced Firewall Policy, select Configure, select Applications tab and hit Add. I sort by last month/event type, "New Application". The events show count, name, version, direction <---This says Unknown. I assume Direction means Inbound/Outbound.
I will look into the logs. Cheers.
Hello again,
event New Application
New or Modified Application events are generated when you're using checksums to authenticate applications and an application with an unknown checksum requests network access (in other words, when a communication endpoint is created). At this time it is not yet known whether the application intends to write to or read from the network. Therefore Direction is Unknown. If you select No application rule events you will see either Inbound or Outbound for the Direction.
Christian
In this case you'd select the Allow by default mode. See the SESC9 User's guide section 7.5.2 About the order in which rules are applied for a description.
Christian