Firewall - Overriding Trusted LANs with Application Rules

I am attempting to block a specific application (developed internally) from accessing an internal server on our local LAN. The problem is, I need all other applications to be able to access this server for other services, and need everything else in the IP range to be trusted. When I created the application rules with the range still trusted, the trusted status of the range ends up overriding the application rule and allowing the application to communicate.

I know this is a stupid question, because we're kind of in a stupid situation thanks to this application, but is it possible for the application rule to override the LAN rule? If not, is it possible to create exceptions in the LAN rule for a specific IP I do not want to trust?

This thread was automatically locked due to age.
  • Hello MPGTucker,

    ends up overriding the application rule

    the order of rules is clearly documented, so this is the expected behaviour. And obviously (all traffic [...] is allowed with no further checks) you can't override the LAN.

    create exceptions in the LAN rule

    the LAN tab is for "fast-allow": if any box is checked, a matching connection attempt is allowed; otherwise the rest of the rules are processed. Furthermore there is, AFAIK, no relevance applied to the order (I assume the address/range definitions are merged with the most permissive setting retained). No dice.

    You don't have to use LAN at all (of course then you also can't use Block file and printer sharing for other networks). This would (with a slight performance penalty) defer the decision to the application rules. In addition, consider global rules: they are ordered, they allow you to specify ports, and they give you the option to block a connection. Normal-priority global rules are applied when the connection has not yet been handled by an application rule. If the specific application (developed internally) uses a specific port (but I guess this is not the case, otherwise you could handle this on the server) you can even use a high-priority global rule.

    You aren't using checksums, are you?

    Christian

  • Thanks for the information.

    Checksums would be a mess for this application. I was looking at it yesterday and found out that even though the splash screen says "v21.0.0", the version in the application metadata and Windows Installer registry is "v1.0.0". I asked the project manager if there was a way of tracking what clients had what version of the application, but unfortunately that feature had not been considered. I believe my immediate response was "Can these people do anything right!?"

    Back to the firewall issue... I had assumed you were going to give the response that you did, so yesterday I broke down the range (172.17.0.0/255.255.255.0) into 18 separate entries with varying subnets to work around the two addresses I actually needed to block for that specific application. It's a filthy method and I don't like it, but it appears to be my only option until the next re-write of the software. The policy will only be applied to about 50 systems running this application anyway.

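The workaround in the reply above (carving a trusted /24 into several smaller subnets so that two host addresses fall outside all of them) can be computed mechanically rather than by hand. The following script is an added example written for this thread; it is not code from either poster or from the firewall vendor. It assumes the example range 172.17.0.0/24 and two constructed addresses to exclude (172.17.0.10 and 172.17.0.200); the two addresses in the original post are not named, so these are placeholders. It uses only the Python standard library `ipaddress` module and also verifies that the resulting list covers every remaining host exactly once, which is the property you want to check before pasting the entries into the LAN tab.

```python
import ipaddress
from typing import List

IPv4Net = ipaddress.IPv4Network


def exclude_hosts(network: str, hosts: List[str]) -> List[IPv4Net]:
    """Return the minimal set of CIDR blocks that covers `network`
    minus the given host addresses.

    Each excluded host splits whichever block currently contains it
    into its sibling blocks (a /25, /26, ... /32 chain); hosts that
    are outside the range, or already excluded, are ignored.
    """
    remaining = [ipaddress.ip_network(network)]
    for host in hosts:
        victim = ipaddress.ip_network(f"{host}/32")
        next_remaining = []
        for block in remaining:
            if victim.subnet_of(block):
                # address_exclude yields the pieces of `block` that do
                # not contain `victim`.
                next_remaining.extend(block.address_exclude(victim))
            else:
                next_remaining.append(block)
        remaining = next_remaining
    return sorted(remaining)


def covers_exactly_once(blocks: List[IPv4Net], network: str,
                        excluded: List[str]) -> bool:
    """Check that every host in `network` is in exactly one block,
    except the excluded hosts, which must be in none."""
    excluded_set = {ipaddress.ip_address(h) for h in excluded}
    for addr in ipaddress.ip_network(network):
        hits = sum(1 for b in blocks if addr in b)
        expected = 0 if addr in excluded_set else 1
        if hits != expected:
            return False
    return True


def total_hosts(blocks: List[IPv4Net]) -> int:
    """Number of addresses covered by the block list."""
    return sum(b.num_addresses for b in blocks)


# Constructed example values (placeholders, not from the thread).
TRUSTED_RANGE = "172.17.0.0/24"
DO_NOT_TRUST = ["172.17.0.10", "172.17.0.200"]

if __name__ == "__main__":
    entries = exclude_hosts(TRUSTED_RANGE, DO_NOT_TRUST)
    for entry in entries:
        # Print each entry as address / dotted mask, the way the LAN tab
        # in the thread expresses ranges.
        print(f"{entry.network_address} / {entry.netmask}")
    print(f"{len(entries)} entries, {total_hosts(entries)} addresses")
    print("valid:", covers_exactly_once(entries, TRUSTED_RANGE, DO_NOT_TRUST))
```

With two addresses that sit in different halves of the /24 (as in the constructed values above), the minimal cover is 14 entries; two addresses that share a longer common prefix need fewer, never more. Whatever the count, run the `covers_exactly_once` check: a typo in one mask silently re-admits the host you meant to exclude, and because the LAN tab keeps the most permissive match, the firewall will not tell you.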