Tiny Personal Firewall
Freeware Tools
Tiny Personal Firewall Ruleset How-to & Examples
Purpose
These rulesets can give you some simple ideas for configuring TPF properly. Don't forget that a misused firewall is more dangerous than no firewall at all! (What's worse than having too much confidence in something?)
So, before explaining the following rulesets, a few words about Firewall rulesets, TPF security levels, how to build a rule and finally the TPF Ruleset how-to.
- Firewall rulesets
A firewall ruleset is a defined set of rules in a specific order.
Each rule is composed of 5 main characteristics (relating to the network request):
- An action: Permit or Block
- A direction: incoming, outgoing or both
- A protocol: TCP, UDP, ICMP, NetBEUI, IPX,...
- An origin: where the request comes from (host, port, service,...)
- A destination: where the request is going to (host, port, service,...)
To know how to order the rules, you've got to know how a firewall processes your ruleset. As you have probably guessed, when the firewall receives a network request, it tests each rule from the first one (at the top of your ruleset) to the last one until it finds one which matches the request, and applies it.
So, for example, if your first rule blocks everything from everywhere, no other rule can ever apply.
In the same way, always check that an earlier rule never overrides a rule that follows it.
This policy seems obvious, but when you've got to manage a corporate firewall with lots of rules applying to many groups, with cross connections, times of validity,... it easily becomes impossible to manage if you made a 'mistake'.
So, as with any development, think before you write: design first!
- TPF Security Levels
The TPF security levels match the common firewall policies:
- 'Everything which is not explicitly forbidden is allowed'
- 'Everything which is not explicitly allowed is forbidden' (more common)
1. The TPF minimum security level matches the first one: you've got to set what should be blocked, and other requests are allowed without any prompt. And of course interactive learning is disabled. Use this option with caution; it is not recommended at all if you're not sure that your ruleset hasn't got any hole.
2. The TPF medium security level is an alternative choice (and I think the best choice for beginners): a visual warning occurs for every request which does not match any rule, so that you can interactively set a rule (or permit/block the request for this time only if you need to think about it). This is the interactive learning mode.
But there is a drawback: it can generate a lot of unsorted and unused rules. So after creating a rule, check your ruleset and try to merge similar rules (for example, if you deny requests to a specific host and then to all hosts,...). Use the automatic rule creation carefully.
3. The TPF high security level is the most secure level: everything which is not allowed is blocked without any prompt. So before running your firewall, you have to define the whole ruleset to apply.
- How to build a rule
Considering you have already designed the whole ruleset (I mean what you want to permit and deny, and how you will organize this plan), to add a rule to your TPF ruleset you must know:
- What your rule should do
- That no previous rule disables this one
- That this rule does not disable any rule after it (later rules may widen this one)
- Whether this rule can be merged with another one, or whether it needs to stand alone (easier logging)
- The rule action, direction(s), origin(s) and destination(s)
- The protocol(s), services and application which use this rule
- The logging/warning level
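The first-match processing described under 'Firewall rulesets' and the two ordering checks in the list above (no earlier rule disables this one, this one disables no later rule), as an added Python example that is not part of this how-to and not TPF's own code: a simplified rule model with a first-match evaluator and a check for rules that an earlier rule already covers completely. The trusted-host IPs, the protocol/host/port field values and the subset of Example 1 rules are constructed for illustration.

```python
from dataclasses import dataclass
ANY = "any"
TRUSTED = {"192.168.1.10", "192.168.1.20"}  # constructed stand-in for TPF's Trusted Addresses group

@dataclass(frozen=True)
class Rule:               # simplified TPF rule (no application, time range or alert fields)
    name: str
    action: str           # "permit" | "deny"
    direction: str        # "in" | "out" | "both"
    proto: str            # "tcp" | "udp" | "tcp/udp" | "icmp"
    local_ports: object   # frozenset of ints, or ANY
    remote_host: str      # an IP address, "trusted", or ANY
    remote_ports: object  # frozenset of ints, or ANY

def _ports_cover(a, b):   # does port spec a include every port in spec b?
    return a == ANY or (b != ANY and b <= a)

def covers(a, b):
    """True if every request matched by rule b is also matched by rule a."""
    return (a.direction in ("both", b.direction)
            and (a.proto == b.proto or (a.proto == "tcp/udp" and b.proto in ("tcp", "udp")))
            and _ports_cover(a.local_ports, b.local_ports)
            and (a.remote_host in (ANY, b.remote_host)
                 or (a.remote_host == "trusted" and b.remote_host in TRUSTED))
            and _ports_cover(a.remote_ports, b.remote_ports))

def evaluate(ruleset, direction, proto, local_port, remote_host, remote_port):
    """First match wins: the request is modelled as a one-element rule so covers() can test it."""
    req = Rule("req", "", direction, proto, frozenset({local_port}), remote_host, frozenset({remote_port}))
    for rule in ruleset:
        if covers(rule, req):
            return rule.name, rule.action
    return None, "no match"  # TPF: prompt at medium level, silent block at high level

def shadowed(ruleset):
    """Names of rules that can never fire because an earlier rule already covers them."""
    return [b.name for i, b in enumerate(ruleset) if any(covers(a, b) for a in ruleset[:i])]

# Subset of Example 1 below; the four ports in rule 12 are a sample of the page's list
EXAMPLE1 = [
    Rule("1 Loopback", "permit", "both", "tcp/udp", ANY, "127.0.0.1", ANY),
    Rule("2 Outgoing PING", "permit", "out", "icmp", ANY, ANY, ANY),
    Rule("3 Incoming PING", "deny", "in", "icmp", ANY, ANY, ANY),
    Rule("6 NetBT Session", "permit", "in", "tcp", frozenset({139}), "trusted", ANY),
    Rule("12 Block Common Ports", "deny", "in", "tcp/udp", frozenset({21, 25, 80, 139}), ANY, ANY),
    Rule("17 Block other UDP/TCP", "deny", "in", "tcp/udp", ANY, ANY, ANY),
    Rule("18 Block unauthorized outgoings", "deny", "out", "tcp/udp", ANY, ANY, ANY),
]
MISORDERED = [EXAMPLE1[5]] + EXAMPLE1  # the catch-all block placed first: the mistake the how-to warns about
```

shadowed(EXAMPLE1) is empty, while shadowed(MISORDERED) reports the NetBT, common-ports and catch-all rules that the misplaced first rule makes unreachable.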
- TPF Ruleset how-to
- Simply, I would like to say 'Just follow the previous points', but in fact, due to TPF limitations and features, I have to say a few words about TPF functionality.
- First of all, this is a personal firewall, so don't expect it to manage IP masquerading, NAT, routing, proxy, antivirus, URL filters, Novell protocol,... features. TPF is just a great product to manage your 'low level' TCP/IP connections. So it is able to filter the TCP, UDP, TCP & UDP and ICMP (at the moment only Echo requests, 'PING') protocols.
- Another limitation: you can't create groups of objects (like groups of IPs, or groups of services like HTTP, FTP, HTTPS) to be used many times. You must enter a list/range of IPs or ports each time you need it. And if you need to apply the same rule to many registered applications, you must duplicate this rule for each application. So store somewhere the groups you want to use many times and copy/paste! In fact you can only create one hosts group, called Trusted Addresses (what a pity...).
- Another limitation: you can't enter hostnames (it must be the IP address; take care if you're using a DHCP server, use an address mask), nor port aliases (e.g. enter 21 and not 'FTP').
- You can't define users or an authentication process, only host addresses, network masks and ranges of addresses.
- However, for each rule you can specify the time of validity (time range, days)
- Whether this rule should be logged
- Whether you must be warned (alert box)
- And a great feature: if this rule applies only to a specified application, you can include its unique signature (MD5 message digest), so that a trojan cannot rename itself as an authorized application and fool your firewall.
Now? Time to work!
Example 1 : Strict ruleset, no learning possible, high and medium security levels
Each rule is given with its Number, Type (Permit/Deny) and Rule Description, then its Direction, Protocol, Local Port, Application, Remote Host and Remote Port, followed by an Explanation and whether Logging is enabled.

1. Permit - Loopback
   Direction: Both | Protocol: UDP/TCP | Local Port: Any | Application: Any | Remote Host: 127.0.0.1 | Remote Port: Any
   Explanation: This rule allows loopback, i.e. all local to local connections.
   Logging: No

2. Permit - Outgoing PING
   Direction: Outgoing | Protocol: ICMP Echo | Local Port: Any | Application: Any | Remote Host: Any | Remote Port: Any
   Explanation: This rule allows you to perform ICMP Echos (ping) wherever you want.
   Logging: No

3. Deny - Incoming PING
   Direction: Incoming | Protocol: ICMP Echo | Local Port: Any | Application: Any | Remote Host: Any | Remote Port: Any
   Explanation: This rule blocks all ICMP Echo (ping) requests from everywhere (except local, due to the first rule).
   Logging: Yes

4. Permit - NetBT Datagram
   Direction: Both | Protocol: UDP | Local Port: 137, 138 | Application: Any | Remote Host: Trusted Addresses | Remote Port: Any
   Explanation: This rule allows NetBIOS (Windows Network Neighborhood protocol) datagrams (UDP) issued by every computer in the local network in order to identify themselves.
   Logging: No

5. Permit - NetBT Session
   Direction: Outgoing | Protocol: TCP | Local Port: Any | Application: Any | Remote Host: Trusted Addresses | Remote Port: 139
   Explanation: This rule allows your computer to access Windows shared resources in the local network (trusted addresses).
   Logging: No

6. Permit - NetBT Session
   Direction: Incoming | Protocol: TCP | Local Port: 139 | Application: Any | Remote Host: Trusted Addresses | Remote Port: Any
   Explanation: This rule allows trusted computers from your local network to access your Windows shared resources (this rule can become Deny if you want to block any NetBIOS access).
   Logging: No

7. Permit - Web browsing
   Direction: Outgoing | Protocol: TCP | Local Port: Any | Application: Your web browser | Remote Host: Any, or your corporate proxy | Remote Port: 80, 8080, 3128, 443 (keep only the ports you might use)
   Explanation: This rule allows you to surf the web (HTTP, HTTPS, usual proxy ports) with only your current browser. Allowing only your browser can stop adware trojans from accessing the web.
   Logging: No

8. Permit - Corporate DNS
   Direction: Both | Protocol: UDP/TCP | Local Port: Any | Application: Any | Remote Host: Corporate name server IPs (DNS) | Remote Port: 53
   Explanation: This rule allows your computer to talk to your provider's name servers to resolve hostnames.
   Logging: No

9. Deny - Other DNS
   Direction: Both | Protocol: UDP/TCP | Local Port: Any | Application: Any | Remote Host: Unknown DNS | Remote Port: 53
   Explanation: This rule blocks requests to/from unknown DNS servers.
   Logging: Yes

10. Permit - Telnet
    Direction: Outgoing | Protocol: TCP | Local Port: Any | Application: Your current Telnet client | Remote Host: Any | Remote Port: 23
    Explanation: This rule allows you to connect to Telnet servers everywhere with your 'normal' Telnet client.
    Logging: No

11. Permit - FTP
    Direction: Outgoing | Protocol: TCP | Local Port: Any | Application: Your current FTP client | Remote Host: Any | Remote Port: 21
    Explanation: This rule allows you to connect to FTP servers everywhere with your 'normal' FTP client.
    Logging: No

... If needed, insert here the desired optional rules, in no particular order ...

12. Deny - Block Common Ports
    Direction: Incoming | Protocol: UDP/TCP | Local Port: 113, 79, 21, 80, 443, 8080, 143, 110, 137, 139, 138, 25, 23 | Application: Any | Remote Host: Any | Remote Port: Any
    Explanation: This rule blocks and logs every request issued to your computer on common ports: FTP, HTTP, POP3, SMTP, Telnet, NetBIOS,... Of course this rule implies that you want to block access to these services!
    Logging: Yes

13. Deny - Back Orifice
    Direction: Incoming | Protocol: UDP/TCP | Local Port: 54320, 54321, 31337, 54320 | Application: Any | Remote Host: Any | Remote Port: Any
    Explanation: This rule blocks and logs requests from a well-known trojan: Back Orifice (many versions).
    Logging: Yes

14. Deny - NetBus
    Direction: Incoming | Protocol: TCP | Local Port: 12456, 12345, 12346, 20034 | Application: Any | Remote Host: Any | Remote Port: Any
    Explanation: This rule blocks and logs requests from a well-known trojan: NetBus (many versions).
    Logging: Yes

15. Deny - Bootpc
    Direction: Incoming | Protocol: UDP/TCP | Local Port: 68 | Application: Any | Remote Host: Any | Remote Port: Any
    Explanation: This rule blocks and logs requests from a well-known trojan port: bootpc.
    Logging: Yes

16. Deny - RPCSS
    Direction: Incoming | Protocol: UDP | Local Port: 135 | Application: Any | Remote Host: Any | Remote Port: Any
    Explanation: This rule blocks and logs requests to the Microsoft RPC service port (could be a trojan...).
    Logging: Yes

17. Deny - Block other UDP/TCP ports
    Direction: Incoming | Protocol: UDP/TCP | Local Port: Any | Application: Any | Remote Host: Any | Remote Port: Any
    Explanation: This rule blocks and logs every unwanted UDP/TCP request; it disables the learning option (unknown incoming requests).
    Logging: Yes

18. Deny - Block unauthorized outgoings
    Direction: Outgoing | Protocol: UDP/TCP | Local Port: Any | Application: Any | Remote Host: Any | Remote Port: Any
    Explanation: This rule blocks and logs every unwanted UDP/TCP request issued from your PC (could be a trojan, a worm,...); it disables the learning option (unknown outgoing requests).
    Logging: Yes

To be continued...
Example 2 : Open ruleset, learning possible, low and medium security levels
To be continued...