
Fine-tuning rules for applications and packet filtering


CHAPTER 12. PROTECTION AGAINST NETWORK

3. Select the Rules for packet filtering tab in the Settings: Firewall window (see Figure 50)

12.1.1.4. Fine-tuning rules for applications and packet filtering

The New rule window for advanced rule settings is practically identical for applications and data packets (see Figure 51).

Figure 51. Creating a new application rule

Step One:

Enter a name for the rule. The program uses a default name that you should replace.

Select network connection settings for the rule: remote IP address, remote port, local IP address, and the time during which the rule is applied.

Check all the settings that you want to use in the rule.

Configure settings for user notifications. If you want a popup message with a brief commentary to appear on the screen when a rule is used, check Notify user. If you want the program to record invocations of the rule in the Firewall report, check Log event. The box is not checked by default when the rule is created. You are advised to use additional settings when creating block rules.

Note that when you create a blocking rule in Firewall training mode, information about the rule being applied will automatically be entered in the report. If you do not need to record this information, deselect the Log event checkbox in the settings for that rule.

Step Two in creating a rule is assigning values for rule parameters and selecting actions. These operations are carried out in the Rule Description section.

1. The default action of every new rule is allow. To change it to a block rule, left-click on the Allow link in the rule description section. It will change to Block.

Kaspersky Internet Security will still scan network traffic for programs and packets for which an allow rule has been created. This could result in data being transmitted more slowly.

2. If you did not select an application prior to creating the rule, you will need to do so by clicking select application. Left-click on the link and, in the standard file selection window that opens, select the executable file of the application for which you are creating the rule.

3. Determine the direction of the network connection for the rule. The default value is a rule for a bi-directional (both inbound and outbound) network connection. To change the direction, left-click on incoming and outgoing and select the direction of the network connection in the window that opens:

Inbound stream. The rule is applied to network connections opened by a remote computer.

Inbound packet. The rule applies to data packets received by your computer, except for TCP-packets.

Inbound and outbound streams. The rule is applied to inbound and outbound traffic regardless of which computer, the local one or the remote one, initiated the network connection.

Outbound stream. The rule is only applied to network connections opened by your computer.

Outbound packet. The rule is applied to data packets that your computer sends, except for TCP-packets.

If it is important for you to specifically set the direction of packets in the rule, select whether they are inbound or outbound packets. If you want to create a rule for streaming data, select stream: inbound, outbound, or both.

The difference between stream direction and packet direction is that when you create a rule for a stream, you define the direction of the connection. The direction of packets when transferring data on this connection is not taken into consideration.

For example, if you configure a rule for data exchange with an FTP server that is running in passive mode, you must allow an outbound stream. To exchange data with an FTP server in active mode, you must allow both outbound and inbound streams.

4. If you selected a local or a remote IP address as a network connection property, left-click specify the address and enter the IP address, a range of addresses or subnetwork address for the rule in the window that opens. You can use one type of IP address or several types for one rule. Several addresses of each type can be specified.

Please note that a Windows environment variable may be used in lieu of an IP address in a packet rule.

5. Set the protocol that the network connection uses. TCP is the default protocol for the connection. If you are creating a rule for applications, you can select one of two protocols, TCP or UDP. To do so, left-click on the link with the protocol name until it reaches the value that you need.

If you are creating a rule for packet filtering and want to change the default protocol, click on its name and select the protocol you need in the window that opens. If you select ICMP, you may need to further indicate the type.

6. If you selected network connection settings (address, port, time range), you will have to assign them exact values as well.
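The stream and packet directions from step 3, and the passive/active FTP case, can be checked with a small model. This is an added example, not Kaspersky code: the Rule and Event types, the first-match-wins evaluation, and the block-by-default outcome are assumptions of the model, and the FTP events are constructed.

```python
from dataclasses import dataclass

# Direction names follow the options listed in step 3.
IN_STREAM, OUT_STREAM, BOTH_STREAMS = "inbound stream", "outbound stream", "both streams"
IN_PACKET, OUT_PACKET = "inbound packet", "outbound packet"

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "block"
    direction: str   # one of the five constants above
    protocol: str    # "TCP", "UDP" or "ICMP"

@dataclass(frozen=True)
class Event:
    protocol: str
    initiator: str   # "local" or "remote": who opened the connection
    sender: str      # "local" or "remote": who sent this particular packet

def matches(rule, ev):
    if rule.protocol != ev.protocol:
        return False
    if rule.direction in (IN_PACKET, OUT_PACKET):
        # Packet rules test each packet's own direction and never apply to TCP.
        if ev.protocol == "TCP":
            return False
        return ev.sender == ("remote" if rule.direction == IN_PACKET else "local")
    # Stream rules test only who opened the connection, not who sent the packet.
    if rule.direction == BOTH_STREAMS:
        return True
    return ev.initiator == ("remote" if rule.direction == IN_STREAM else "local")

def decide(rules, ev, default="block"):
    # Assumption of this model: first matching rule wins, unmatched traffic is blocked.
    for rule in rules:
        if matches(rule, ev):
            return rule.action
    return default

def ftp_session(mode):
    # Constructed events: control connection, then the data connection.
    data_opener = "local" if mode == "passive" else "remote"
    return [
        Event("TCP", "local", "local"),        # control: client request
        Event("TCP", "local", "remote"),       # control: server reply
        Event("TCP", data_opener, "remote"),   # data: server sends file bytes
        Event("TCP", data_opener, "local"),    # data: client acknowledgement
    ]

def verdicts(rules, mode):
    return [decide(rules, ev) for ev in ftp_session(mode)]
```

With only an outbound stream rule for TCP, verdicts() allows every event of the passive session but blocks both data-connection events of the active session, even though one of those packets is sent by the local computer.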

After the rule is added to the list of rules for the application, you can perform its additional configuration (Figure 52):

If you want the rule to be applied to the application opened with certain settings in the command line, check Command line and enter the string in the field to the right. The rule will not be applied to applications started with different command line settings.

If you do not want the Firewall to control modification of files belonging to the controlled application each time it attempts to reach the network, check Do not monitor application files modification flag.

Figure 52. Advanced new rule settings

After the rule is added to the list of rules for the application, you can further configure the rule (see Figure 52). If you want it to apply to an application opened with certain command line parameters, check Command line and enter the parameter string in the field to the right. This rule will not apply to applications started with a different command line.

You can create a rule from the network activity detection alert window (see 12.3 on pg. 172).