I'm not a network guru, so please be indulgent to my thoughts.
I'm using Outpost Free;
for an application, I created 3 rules:
1. "Where the protocol is ...
and Where direction is Outbound
and Where the host is ...
Allow it";
(values don't matter);
2. "Where direction is Outbound
Deny it";
3. "Where direction is Inbound
Deny it".
Is it correct to restrict the traffic _only_
by the direction criteria? (i.e. TCP & UDP at once)
Will this block any other protocols? (suppose the app
has something implied for spying or alike?)
(I noticed this probably doesn't work as expected:
the application shows some nonzero value in the "bps" field
of a restricted inbound connection.)
Using a proxy server, like Proxomitron, changes everything. Traffic goes through that, so you control the server rather than the application. Having never used it I'm not sure of the rules, but there are others here that do. A search of the forum for Proxomitron might reveal an appropriate rule set.
It would also be wise to start a new thread with Proxomitron in the title so people can address that issue directly. Having an appropriate thread title makes a big difference in the quality of responses you receive.
A proper way would be to set rule #3 as the first rule, since no inbound traffic at all is allowed (I know it's quibbling :D).
Also, I think you don't even have to bother making block rules if you specified "Block Most" as a policy, because Outpost will then deny any traffic that is not explicitly allowed by your rules.
But in this case, you have to make sure that no global rule will permit your apps to "bypass" this policy.
Welcome to the forum Mike.
All you need is rule 1 but I would add the remote port. The others aren't necessary since any new outbound connections will popup the wizard and ask you. Unsolicited inbound connections are automatically dropped. This works well for applications where you can define the remote host and port. For a browser you can't, of course, define the remote host unless your browsing is very limited.
UDP doesn't need a direction because it's a stateless protocol, but TCP does. Any other protocol will initiate the wizard for you to decide what to do.
However, to achieve the tightest configuration there are other considerations for which we have: 1
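To make the rule-ordering and "Block Most" points above concrete, here is a toy first-match rule evaluator added for illustration; it is not Outpost's engine or anyone's posted configuration, and the proxy address, remote hosts and ports are constructed placeholders.

```python
"""Toy first-match firewall rule evaluator (constructed example, not Outpost's code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP", "UDP", "ICMP", ...
    direction: str   # "Outbound" or "Inbound"
    host: str        # remote host
    port: int        # remote port


@dataclass(frozen=True)
class Rule:
    action: str                      # "Allow" or "Deny"
    direction: Optional[str] = None  # None means "any"
    proto: Optional[str] = None
    host: Optional[str] = None
    port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.direction, p.direction), (self.proto, p.proto),
                 (self.host, p.host), (self.port, p.port))
        return all(cond is None or cond == value for cond, value in pairs)


def decide(rules: List[Rule], packet: Packet, default: str = "Deny") -> str:
    """First matching rule wins. Unmatched traffic gets the policy default:
    "Deny" models Block Most, "Ask" models the Learning-mode wizard prompt."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# The three rules from the question, in the order they were listed.
# Rule #1 only allows TCP out to the local filtering proxy (placeholder address/port).
MIKE_RULES = [
    Rule("Allow", direction="Outbound", proto="TCP", host="127.0.0.1", port=8080),
    Rule("Deny", direction="Outbound"),
    Rule("Deny", direction="Inbound"),
]

# Constructed sample traffic: proxy hop, a direct connection that skips the
# proxy, an inbound UDP hit on a listener in the 1025-1300 range, and ICMP.
SAMPLE = [
    Packet("TCP", "Outbound", "127.0.0.1", 8080),
    Packet("TCP", "Outbound", "203.0.113.5", 80),
    Packet("UDP", "Inbound", "203.0.113.5", 1137),
    Packet("ICMP", "Inbound", "203.0.113.5", 0),
]


def evaluate(rules: List[Rule], default: str = "Deny") -> List[str]:
    return [decide(rules, p, default) for p in SAMPLE]


def order_independent(rules: List[Rule]) -> bool:
    """Moving rule #3 to the front changes nothing: rules 1-2 match Outbound only."""
    return evaluate(rules) == evaluate([rules[2], rules[0], rules[1]])
```

Evaluating `MIKE_RULES[:1]` with the default left at "Deny" gives the same verdicts as all three rules, which is the "Block Most makes the block rules redundant" observation; switching the default to "Ask" shows why Learning mode instead produces wizard prompts for the unmatched connections.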
Thank you, Manny, too.
Let me reveal some backgrounds of my problem.
True, this unnamed "application" is the IE browser.
I'm using it in conjunction with a filtering proxy,
the Proxomitron.
That's why I restricted the browser to only that
outbound connection (rule #1).
The overall problem is inspired by IE's behaviour,
which is acting like a trojan on my system.
It raises a UDP listening connection on ports
ranging from 1025 to 1300 (chosen randomly, and seen
in the OutPost Firewall connections list),
and then, after some period
of staying at a website, suddenly raises an outbound
TCP connection to that site. It looks like OutPost doesn't
deny this activity clearly, and initially shows
some "bps" for that TCP connection.
After that, IE refuses to access the internet anymore.
Only a full PC restart helps.
I would appreciate any reports of similar behaviour on other systems,
and the workarounds users have taken.
Welcome to the forum Mike.
UDP doesn't need a direction because it's a stateless protocol, but TCP does. Any other protocol will initiate the wizard for you to decide what to do.
Oh, this may be a clue!
I probably need another rule denying the UDP specifically.
Possibly some UDP packet sneaks past the initial rules (based
on direction criteria), thus stirring up the problem.
A proper way would be to set rule #3 as the first rule, since no inbound traffic at all is allowed (I know it's quibbling :D).
Also, I think you don't even have to bother making block rules if you specified "Block Most" as a policy, because Outpost will then deny any traffic that is not explicitly allowed by your rules.
But in this case, you have to make sure that no global rule will permit your apps to "bypass" this policy.
Thank you, RAD, for taking your time & efforts.
But I need an opinion from somebody who has set similar rules for himself,
and has probably noticed the same packet leaks.
As for your post: I agree, "Block Most" fixes the issue; but I stick to
"Learning mode", while prohibiting the traffic for known apps.
I'm still waiting for a surprise message: "The XXX.exe is willing
to establish the outbound connection to remote host/port/etc ... "
I could use some help again...