AtGuard/NIS Trojan Horse Settings/Final Block Rules

The following are some examples of rules that could be used in the Trojan Horse Settings portion of Internet Access Control in newer versions of NIS/NPF, and should be placed at the end of the rule set.

If Autoblock is enabled, inbound block rules in this section of the rule set can trigger it, creating a log entry and the flashing exclamation mark on the system tray icon regardless of the tracking/logging/alerting options selected for the rule. As noted in the Settings section, if you want detailed logs of blocked inbound events, disable Autoblock.

***Note: denotes a comment on the preceding rule.


Rule xx Block All Other ICMP - log
Category: NIS System Protection
Rule in use: Yes
Logging: Log Entry
Protocol: ICMP
Action: Block
Direction: Either
Application: -
Local Service: Any Service
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address

***Note: This final block rule for all other ICMP traffic could also be placed in the System Wide/General Rules at the beginning of the rule set after your permitted ICMP rules. This could also be separate block rules for inbound and outbound traffic if desired.


Rule xx Block Inbound TCP/UDP System Ports - log
Category: NIS System Protection
Rule in use: Yes
Logging: Log Entry
Protocol: TCP and UDP
Action: Block
Direction: Inbound
Application: Any Application
Local Service: (0 - 1023)
...Range Begin: 0
.....Range End: 1023
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address

***Note: See below.


Rule xx Block Inbound TCP/UDP Application Ports - log
Category: NIS System Protection
Rule in use: Yes
Logging: Log Entry
Protocol: TCP and UDP
Action: Block
Direction: Inbound
Application: Any Application
Local Service: (1024 - 65535)
...Range Begin: 1024
.....Range End: 65535
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address

***Note: Final block rules for inbound traffic.
Having two rules here is an option for logging purposes, making a distinction between system ports and the higher application ports.

(You could have a single final block rule for all inbound TCP/UDP)

These rules could replace the default trojan rules, which add unnecessary clutter to the rule set. They also cover things like inbound netbios (137-139), epmap (135) and microsoft-ds (445), and eliminate the need for specific block rules elsewhere in the rule set. Specific block rules for services such as these could still be created if there was a need to monitor/log that blocked traffic specifically.

Under logging/tracking options, select Log Entry only unless you really want all the blinking icons, alert tracker pop outs and alert pop ups every time an event is logged. Instead make use of your logs and review them routinely.

The key is to create very specific permit rules in your system wide and application rules above your final block rules that meet your needs. Paying close attention to your logs will help you determine what else may be required once you have a custom rule set in place.


Rule xx Block Outbound TCP/UDP All Other - log & alert
Category: NIS System Protection
Rule in use: Yes
Logging: Log Entry + Security Alert
Protocol: TCP and UDP
Action: Block
Direction: Outbound
Application: Any Application
Local Service: Any Service
Local Address: Any Address
Remote Service: Any Service
Remote Address: Any Address

***Note: A final block rule for all other outbound traffic could also be used here. Not recommended for new users as it will stop the rule assistant/Internet Access Control from popping up/prompting when a new application is encountered. For those that have customized their rule set and have allowed for all traffic they will use, it is a rule that could be used as a final lock down rule. Note the recommended addition of a security alert in the logging/tracking option. The alternative is to just let the rule assistant/Internet Access Control alert to any outbound requests.
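The two notes above (the inbound final block rules replacing the default trojan rules, and the optional outbound lock down rule that suppresses the rule assistant) both come down to first-match ordering: permit rules above, final block rules at the bottom, and no match means a prompt. The following is an added example written for this page, not NIS/NPF code and not taken from the original site. It is a toy first-match evaluator that loads the four final block rules listed above beneath a few hypothetical permit rules (the outbound DNS/HTTPS permits, the LAN file sharing permit and the 192.168.1.0/24 LAN are constructed), then runs constructed sample events through them to show which rule catches inbound 445/137 probes, why a LAN netbios packet is still permitted, and what happens to an unknown outbound connection with and without the final outbound block rule.

```python
"""Toy first-match rule evaluator for the final block rules on this page.
Constructed example only: NIS/NPF internals are not reproduced, and the permit
rules, LAN range and sample addresses below are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = None  # stands for "Any Service" / "Any Address" in the rule listings


@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset                        # e.g. {"TCP", "UDP"} or {"ICMP"}
    action: str                                 # "Permit" or "Block"
    direction: str                              # "Inbound", "Outbound" or "Either"
    local_ports: Optional[Tuple[int, int]] = ANY   # (Range Begin, Range End)
    remote_ports: Optional[Tuple[int, int]] = ANY
    remote_net: Optional[str] = ANY             # CIDR, or ANY for "Any Address"
    logging: str = "None"                       # the tracking/logging option


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    local_port: Optional[int]    # None for ICMP
    remote_port: Optional[int]
    remote_addr: str


def _in_range(port: Optional[int], rng: Optional[Tuple[int, int]]) -> bool:
    return rng is ANY or (port is not None and rng[0] <= port <= rng[1])


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must accept the packet for the rule to apply."""
    if pkt.protocol not in rule.protocols:
        return False
    if rule.direction != "Either" and rule.direction != pkt.direction:
        return False
    if not _in_range(pkt.local_port, rule.local_ports):
        return False
    if not _in_range(pkt.remote_port, rule.remote_ports):
        return False
    if rule.remote_net is not ANY and ip_address(pkt.remote_addr) not in ip_network(rule.remote_net):
        return False
    return True


def evaluate(rules, pkt: Packet):
    """First matching rule wins. No match returns ('Prompt', None, 'None'): with no
    final block rule, NIS hands the event to the rule assistant instead of deciding."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name, rule.logging
    return "Prompt", None, "None"


TCP_UDP = frozenset({"TCP", "UDP"})

# Hypothetical permit rules that would sit above the final block rules.
PERMIT_RULES = [
    Rule("Permit Outbound DNS", frozenset({"UDP"}), "Permit", "Outbound", remote_ports=(53, 53)),
    Rule("Permit Outbound HTTPS", frozenset({"TCP"}), "Permit", "Outbound", remote_ports=(443, 443)),
    Rule("Permit Inbound LAN File Sharing", TCP_UDP, "Permit", "Inbound",
         local_ports=(137, 139), remote_net="192.168.1.0/24"),   # constructed LAN range
]

# The four final block rules from this page, in the order listed.
FINAL_BLOCK_RULES = [
    Rule("Block All Other ICMP - log", frozenset({"ICMP"}), "Block", "Either", logging="Log Entry"),
    Rule("Block Inbound TCP/UDP System Ports - log", TCP_UDP, "Block", "Inbound",
         local_ports=(0, 1023), logging="Log Entry"),
    Rule("Block Inbound TCP/UDP Application Ports - log", TCP_UDP, "Block", "Inbound",
         local_ports=(1024, 65535), logging="Log Entry"),
    Rule("Block Outbound TCP/UDP All Other - log & alert", TCP_UDP, "Block", "Outbound",
         logging="Log Entry + Security Alert"),
]
RULESET = PERMIT_RULES + FINAL_BLOCK_RULES

# Constructed sample events (addresses are documentation ranges, not real hosts).
SAMPLE_PACKETS = {
    "smb_from_internet":     Packet("Inbound", "TCP", 445, 51000, "203.0.113.9"),
    "netbios_from_lan":      Packet("Inbound", "UDP", 137, 137, "192.168.1.20"),
    "netbios_from_internet": Packet("Inbound", "UDP", 137, 137, "203.0.113.9"),
    "high_port_probe":       Packet("Inbound", "TCP", 6667, 40000, "198.51.100.5"),
    "https_out":             Packet("Outbound", "TCP", 50001, 443, "198.51.100.77"),
    "unknown_out":           Packet("Outbound", "TCP", 50002, 31337, "198.51.100.77"),
    "ping_in":               Packet("Inbound", "ICMP", None, None, "203.0.113.9"),
}


def run_samples(rules=RULESET):
    """Evaluate every sample event; returns {name: (action, rule name, logging)}."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, rule, logging) in run_samples().items():
        print(f"{name:24} {action:7} {logging:28} {rule}")
    # Same unknown outbound connection without the final outbound block rule:
    print("without outbound lock down:", evaluate(RULESET[:-1], SAMPLE_PACKETS["unknown_out"]))
```

Running it shows the inbound 445 and 137 probes from the internet landing on the system ports rule (logged), the 6667 probe on the application ports rule, the LAN netbios packet permitted by the more specific rule above, and the unknown outbound connection blocked with a security alert; dropping the last rule turns that same outbound event into a prompt, which is the trade-off the note describes.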



Contributors: CrazyM, jvmorris

Last updated: 2003-05-29
