Re: Application based FW but add grant/deny rules per application?

From: Orlando
Date: 02/26/02

From: "Orlando"
Date: Tue, 26 Feb 2002 09:43:34 +0100

"Joseph V. Morris" wrote in message

> Well, you should be able to do this in Tiny (or Kerio), as far as I know.

I will download Kerio and give it a try. Thanks for the suggestion.

> You can certainly do it in NIS/NPF. I'm not sure as regards ZA Pro,
> Outpost or LooknStop.

According to the manual you cannot do it in ZAP, I am not yet aware of the 2
other products.

> The TPF/KPF default PERMIT rules for an application
> are pretty much equivalent to those for ZA (free).

I will try Kerio. Sygate is pretty equivalent too but offers more tuning.

> The NIS/NPF defaults
> (for applications that NIS/NPF are already aware of) are usually a bit
> tighter than the ZA/ZAP default rules.

I don't know NIS/NPF. I will search for a trial version if one exists or
maybe you can point me to a downloadable manual? I like to read manuals
before I install stuff (yes, old-fashioned, I know).

> Some of what you are discussing
> may well require multiple rules for an application; I think this is
> relevant to your comments below about Sygate.
> Actually I was a bit surprised at your statement about Sygate below. I
> wasn't aware of that.
> I take the above statements as meaning that Sygate does not provide for a
> custom DENY rule at the level of individual ports or IP addresses.

No, Sygate has a custom deny rule at the level of individual ports or IP
addresses. What I meant is: it cannot deny a PARTICULAR APPLICATION at the
level of individual ports or IP addresses, as far as I can see. So, if I
block a port it is blocked for all applications.

> assume that what you desire to do is something like (in English) "for
> application X, allow all remote IP addresses except the following: x, y,
> z ...". Is that correct?
> What you typically have to do in a rules-based, application-specific PSF
> is to create a DENY rule for x,y,z, ... immediately PRIOR TO the
> (likely) DEFAULT rule of PERMIT Any IP address.
> But I may have misunderstood your objective here.

There is indeed an advanced rule configuration capability in Sygate and it
allows blocking traffic based on NI card, destination address, protocol and
time/date but this applies prior to the application-specific rules and for
ALL applications (as far as I can see) and there seems to be no way of
denying a particular application to go to a particular IP or to use a
particular port. If you add an advanced rule it is valid for all
applications (and overrides the application settings of course). Maybe I am
not understanding this right.

My objective is to find an easy-to-install firewall that is
application-based so that I can stop unwanted spyware and also easily get
the system functional by answering simple permit/deny questions every time a
wizard pops up during the first few days (like ZoneAlarm or Sygate). Then,
as time passes and all applications have been learned, I want to be able to
manually edit permit or deny rules for every specific application. For
instance I want to allow my mail checker to access my POP3 mailboxes but
stop it from calling home to check for updates or ads, and do this without
blocking those ports for all other applications. Thank you.
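The rule-ordering point made in the thread (a per-application DENY must come before the default PERMIT-any rule, and a global port block hits every application) as a small first-match evaluator. This is an added example, not code from any of the firewalls discussed or from the posters; the application name, hosts and ports are constructed placeholders.

```python
# Added example: first-match evaluation of application-specific firewall rules.
# All names, addresses and ports below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "PERMIT" or "DENY"
    app: Optional[str] = None        # None = applies to every application
    remote_ip: Optional[str] = None  # None = any remote address
    port: Optional[int] = None       # None = any remote port

    def matches(self, app: str, ip: str, port: int) -> bool:
        return ((self.app is None or self.app == app)
                and (self.remote_ip is None or self.remote_ip == ip)
                and (self.port is None or self.port == port))


def decide(rules: List[Rule], app: str, ip: str, port: int,
           default: str = "DENY") -> str:
    """First matching rule wins; nothing matching falls through to default."""
    for rule in rules:
        if rule.matches(app, ip, port):
            return rule.action
    return default


# Per-application rules for a hypothetical mail checker, in evaluation order:
# DENY its "call home" host first, then PERMIT POP3 to any server.
MAILCHECK_RULES = [
    Rule("DENY", app="mailcheck", remote_ip="203.0.113.10"),  # constructed update/ad host
    Rule("PERMIT", app="mailcheck", port=110),                 # POP3 to any mailbox
]

# The same two rules with the DENY placed after the PERMIT: the PERMIT matches
# first, so the DENY is dead and the call home on port 110 leaks through.
MISORDERED_RULES = [MAILCHECK_RULES[1], MAILCHECK_RULES[0]]

# A global (all-application) port block, evaluated before the per-app rules,
# like the "advanced rule" behaviour described for Sygate in the thread.
GLOBAL_PORT_BLOCK = [Rule("DENY", port=110)]


def mailcheck_can_read_pop3(rules: List[Rule]) -> bool:
    return decide(rules, "mailcheck", "198.51.100.5", 110) == "PERMIT"


def mailcheck_can_call_home(rules: List[Rule]) -> bool:
    return decide(rules, "mailcheck", "203.0.113.10", 110) == "PERMIT"
```

With the correctly ordered per-app list, POP3 works and the call home is denied; with the global port block in front, even the mail checker loses POP3.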