How to create rule template and where best to put a simple blocklist?

New to EIS but been using desktop firewalls for a very long time. Just upgraded one of my Anti-Malware licenses to EIS as I need to get familiar with Windows 10 and EIS is one of the few to support Win 10 right now. I have installed it and I have some fast questions:

 

1) In application rules, under custom rules there are 4 pre-set templates there. This is pretty weak but easy to fix as I can easily whip up a few dozen templates I will need as I set things up. However, I can't figure out how to create a template. Any instructions anyone can point me to?

 

2) Where would I put a simple list of IPs/domains I wish to block?   Looks like surf protection is the best place, right?

 

3) Is there a way to copy/duplicate rules? I wish to apply the same 9 rules to 26 executables. Do I have to go and manually enter those 9 rules 26 times? 

 

4) I assume rules are processed in order of top to bottom (ie top of the list is processed first)? So if I have a rule that says allow x.x.x.x.0/24 traffic and then a rule that blocks all traffic, EIS will allow all x.x.x.x.0/24 traffic but then block everything else? 

 

Thanks!


1) In application rules, under custom rules there are 4 pre-set templates there. This is pretty weak but easy to fix as I can easily whip up a few dozen templates I will need as I set things up. However, I can't figure out how to create a template. Any instructions anyone can point me to?

Template? You mean such as the "All allowed" and "All blocked" options in the dropdown menus in the Application Rules? There is currently no way to make a pre-set configuration like that.

2) Where would I put a simple list of IPs/domains I wish to block?   Looks like surf protection is the best place, right?

Yes, for domain names the Surf Protection is the best place. You should also be able to block specific IP addresses and IP ranges via the global firewall rules, as long as you move the rule above the one to process Application Rules.

3) Is there a way to copy/duplicate rules? I wish to apply the same 9 rules to 26 executables. Do I have to go and manually enter those 9 rules 26 times?

Currently we don't have any way in the UI to copy rules, although theoretically you could export your Application Rules, edit them in something like Notepad++, and then import them back into EIS.

4) I assume rules are processed in order of top to bottom (ie top of the list is processed first)? So if I have a rule that says allow x.x.x.x.0/24 traffic and then a rule that blocks all traffic, EIS will allow all x.x.x.x.0/24 traffic but then block everything else?

That is essentially correct. Please note that if a global firewall rule is below the rule for Application Rules then it won't apply to any applications on your system.


Template? You mean such as the "All allowed" and "All blocked" options in the dropdown menus in the Application Rules? There is currently no way to make a pre-set configuration like that.

Well that would be ideal and please make that a feature request (Kaspersky, Comodo and Outpost all have this basic UI feature), but no actually. What I am referring to is what EIS itself calls a "template" such as "Email Server" or "Web Server" in incoming rules or "Email Client" or "FTP Client" in outgoing rules. In the UI, EIS calls these "templates". Where are these "templates" stored and how can I add my own?

 

Yes, for domain names the Surf Protection is the best place. You should also be able to block specific IP addresses and IP ranges via the global firewall rules, as long as you move the rule above the one to process Application Rules.

Great thanks! And thanks HazBeen!

 

Currently we don't have any way in the UI to copy rules,

Ouch, copying is beyond basic UI, I hope this is coming?

 

although theoretically you could export your Application Rules, edit them in something like Notepad++, and then import them back into EIS.

Without any other GUI way, I will take this. Do you have a link to more info on this method and what is the correct syntax?

 

That is essentially correct. Please note that if a global firewall rule is below the rule for Application Rules then it won't apply to any applications on your system.

Ok thanks! So I have a follow up. In "Manage Network" in Firewall settings, I have set the SSID I am connected to as a "Private Network". EIS reports the IP as 192.168.1.220 and this LAN is a /24 subnet. So does that mean all traffic to JUST this subnet (e.g. 192.168.1.0/24) is considered Private and any other destination IPs outside of this range would be considered "Public"?

A follow up to that is, so I have my rules such that the untouched inbuilt rules are ordered like this: "Windows Services (TCP)" for public networks is blocked and first. Followed by "Windows Services (UDP)" public and blocked, followed by "Trusted Traffic (TCP/UDP)" private and allowed, followed by "Trusted Traffic (ICMP)" Private and allowed, followed by "Traffic handled by Application Rules (TCP/UDP)". Then I have my "Automatic rules settings" set to "ask" for everything.

My question is, this should mean that all LAN traffic (192.168.1.0/24) is allowed and processed before application rules are processed, right? If so then why, when an executable is connecting to a LAN IP in the 192.168.1.0/24 range, am I still being asked to allow or disallow the traffic? I understand that I set "Automatic rule settings" to "ask" but I have explicitly already allowed that traffic with the 2 rules of "Trusted Traffic (TCP/UDP)" and "Trusted Traffic (ICMP)", right? EIS should just allow that traffic and not ask me about it.

Is there a fix for this? Because with the extremely limited rule making UI, it's becoming a serious pain to make an allow LAN rule for every single Windows executable and all the 3rd party apps. In fact, after having had to write over 30 of the exact same Allow LAN rule so far, I am starting to wonder what I am missing or how everyone is coping with this extremely repetitive activity.

Thanks GT500 and HazBeen!


Well that would be ideal and please make that a feature request (Kaspersky, Comodo and Outpost all have this basic UI feature), but no actually. What I am referring to is what EIS itself calls a "template" such as "Email Server" or "Web Server" in incoming rules or "Email Client" or "FTP Client" in outgoing rules. In the UI, EIS calls these "templates". Where are these "templates" stored and how can I add my own?

Ah, you're referring to the list in the following screenshot:

[screenshot: outgoing_rule_template.png]

Currently there's no way to edit these, and as far as I know they are hardcoded.

 

Without any other GUI way, I will take this. Do you have a link to more info on this method and what is the correct syntax?

Unfortunately this method is undocumented, and there's no information about the file format beyond what you see in the file itself when you export it. This is really just an unofficial workaround to try to accomplish what you are wanting to do.

Ok thanks! So I have a follow up. In "Manage Network" in Firewall settings, I have set the SSID I am connected to as a "Private Network". EIS reports the IP as 192.168.1.220 and this LAN is a /24 subnet. So does that mean all traffic to JUST this subnet (e.g. 192.168.1.0/24) is considered Private and any other destination IPs outside of this range would be considered "Public"?

My understanding is that this is essentially correct, however I have asked one of our developers to be certain.

A follow up to that is, so I have my rules such that the untouched inbuilt rules are ordered like this: "Windows Services (TCP)" for public networks is blocked and first. Followed by "Windows Services (UDP)" public and blocked, followed by "Trusted Traffic (TCP/UDP)" private and allowed, followed by "Trusted Traffic (ICMP)" Private and allowed, followed by "Traffic handled by Application Rules (TCP/UDP)". Then I have my "Automatic rules settings" set to "ask" for everything.

My question is, this should mean that all LAN traffic (192.168.1.0/24) is allowed and processed before application rules are processed, right? If so then why, when an executable is connecting to a LAN IP in the 192.168.1.0/24 range, am I still being asked to allow or disallow the traffic? I understand that I set "Automatic rule settings" to "ask" but I have explicitly already allowed that traffic with the 2 rules of "Trusted Traffic (TCP/UDP)" and "Trusted Traffic (ICMP)", right? EIS should just allow that traffic and not ask me about it.

Is there a fix for this? Because with the extremely limited rule making UI, it's becoming a serious pain to make an allow LAN rule for every single Windows executable and all the 3rd party apps. In fact, after having had to write over 30 of the exact same Allow LAN rule so far, I am starting to wonder what I am missing or how everyone is coping with this extremely repetitive activity.

Rules below the "Traffic handled by application rules (TCP/UDP)" rule will be overridden by that rule, so if you'd like for your custom rules to override that rule then you'll have to move them above it.

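The ordering described in the reply above, as an added example that is not part of the original thread and is not Emsisoft code: a generic first-match evaluator plus a check for rules that an earlier rule shadows. The `Rule` fields, the rule names and the 203.0.113.0/24 blocklist range are constructed, and the model assumes matching on destination address only, with the hand-off rule matching all traffic.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow", "block", or "app_rules" (hand off to Application Rules)
    network: str  # destination CIDR; a real rule also has protocol, port, direction

    def matches(self, dst: str) -> bool:
        return ipaddress.ip_address(dst) in ipaddress.ip_network(self.network)


def evaluate(rules, dst):
    """Walk the list top to bottom and return (name, action) of the first match."""
    for rule in rules:
        if rule.matches(dst):
            return rule.name, rule.action
    return None, "no_match"


def shadowed(rules):
    """Names of rules that can never fire: an earlier rule covers their whole range."""
    names = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule.network)
        if any(net.subnet_of(ipaddress.ip_network(p.network)) for p in rules[:i]):
            names.append(rule.name)
    return names


# Constructed rule sets (assumed names, documentation-range addresses).
# Assumption: the hand-off rule matches all traffic and ends global processing.
APP = Rule("Traffic handled by Application Rules", "app_rules", "0.0.0.0/0")
BLOCK = Rule("Blocklist 203.0.113.0/24", "block", "203.0.113.0/24")
LAN = Rule("Allow LAN", "allow", "192.168.1.0/24")
BLOCK_ALL = Rule("Block all", "block", "0.0.0.0/0")

BLOCK_BELOW = [LAN, APP, BLOCK]   # blocklist entry placed under the hand-off rule
BLOCK_ABOVE = [LAN, BLOCK, APP]   # blocklist entry moved above it
QUESTION_4 = [LAN, BLOCK_ALL]     # allow the /24, then block everything else

if __name__ == "__main__":
    for label, rules in [("below", BLOCK_BELOW), ("above", BLOCK_ABOVE)]:
        print(label, evaluate(rules, "203.0.113.7"), "shadowed:", shadowed(rules))
    print(evaluate(QUESTION_4, "192.168.1.50"), evaluate(QUESTION_4, "198.51.100.9"))
```

Running `shadowed()` over an ordered rule list before relying on a blocklist entry shows whether the entry sits below a rule that already claims its traffic.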

Thanks again GT500!

 

Ah, you're referring to the list in the following screenshot:

[screenshot: outgoing_rule_template.png] http://support.emsisoft.com/index.php?app=core&module=attach&section=attach&attach_rel_module=post&attach_id=50152

Currently there's no way to edit these, and as far as I know they are hardcoded.

Yup, that's the template I meant. Ouch, ok.

 

Unfortunately this method is undocumented, and there's no information about the file format beyond what you see in the file itself when you export it. This is really just an unofficial workaround to try to accomplish what you are wanting to do.

Ok. Can I ask, given your user account labels I assume you are official support? There seems to be absolutely nothing in the UI to aid in making rules in EIS, even the very basic stuff that other Windows desktop firewalls have had for a long time (copying rules, setting up presets, etc). I am wondering how do non-casual users handle this and is this a high priority area on the list for improvement?

My understanding is that this is essentially correct, however I have asked one of our developers to be certain.

Thanks! I will await their confirmation.

 

Rules below the "Traffic handled by application rules (TCP/UDP)" rule will be overridden by that rule, so if you'd like for your custom rules to override that rule then you'll have to move them above it.

Ok so a bit of miscommunication here, my bad. I was avoiding posting up a screenshot, but it's really the best way. So these are my firewall rules.

[screenshot of firewall rules: VHBM8JC.jpg]

I just added that "lopback" rule today as I was testing, otherwise these are the stock rules.

So, this should mean that all LAN traffic (192.168.1.0/24) is allowed and processed before "Traffic handled by Application Rules (TCP/UDP)", right? If so then why, when an executable is connecting to a LAN IP in the 192.168.1.0/24 range, am I still being asked to allow or disallow the traffic?

I understand that I set "Automatic rule settings" to "ask" but I have explicitly already allowed that traffic with the 2 rules of "Trusted Traffic (TCP/UDP)" and "Trusted Traffic (ICMP)", which are processed before application rules are processed. So EIS should just allow the LAN traffic and the internal cycle should end there. Why is it then asking me to allow or block the traffic in a pop up? Is there a fix for this?

Thanks again!!


Ok. Can I ask, given your user account labels I assume you are official support? There seems to be absolutely nothing in the UI to aid in making rules in EIS, even the very basic stuff that other Windows desktop firewalls have had for a long time (copying rules, setting up presets, etc). I am wondering how do non-casual users handle this and is this a high priority area on the list for improvement?

Yes, I am an official Emsisoft support representative.

EIS isn't intended for advanced users, and while more advanced features are not completely off the table, they are not currently a priority.

Thanks! I will await their confirmation.

OK, the official word is that EIS doesn't treat different IP ranges differently (unless you manually create rules to do that). When you set your network adapter as "Private", all traffic (regardless of source or destination) is handled by the same set of rules for a private network. If you want specific IP ranges to be handled differently, then you would need to create specific rules for those IP ranges, however please note that if you are behind a router with NAT (Network Address Translation) that this is more than likely not necessary, as no connections originating from outside of your network will make it to your computer unless you have set up specific port forwarding rules in your router. If you are not behind a NAT, then we obviously recommend setting your network adapter as "Public" rather than "Private".

So, this should mean that all LAN traffic (192.168.1.0/24) is allowed and processed before "Traffic handled by Application Rules (TCP/UDP)", right? If so then why, when an executable is connecting to a LAN IP in the 192.168.1.0/24 range, am I still being asked to allow or disallow the traffic?

If your "Allow Lopback" rule is for all local LAN traffic, then that is correct.

You're being asked because your settings tell EIS to ask, and EIS will ask if there is no rule in the Application Rules. If it didn't ask, then there would be issues with traffic from that application which did not match any of the rules in your global rules.

There is currently no way around this, other than to restore the default settings about whether or not to ask before creating Application Rules.


Thanks again GT500 and thanks for your direct answers!

 

You're being asked because your settings tell EIS to ask, and EIS will ask if there is no rule in the Application Rules. If it didn't ask, then there would be issues with traffic from that application which did not match any of the rules in your global rules.

There is currently no way around this, other than to restore the default settings about whether or not to ask before creating Application Rules.

As feedback to the devs, I would say that this is logically flawed. If the rule is to explicitly allow all x.x.x.0/24 traffic and it is placed before the rule for processing any application rules, then there is no reason why EIS should ever ask about x.x.x.0/24 traffic. EIS should get to the rule that allows all x.x.x.0/24 traffic, see that it is allowed and stop that process thread. It should never even get to the rule to process per application rules and therefore there is no reason for it to ask if the traffic should be allowed, as it already knows the answer is yes.

 

Yes, I am an official Emsisoft support representative.

EIS isn't intended for advanced users, and while more advanced features are not completely off the table, they are not currently a priority.

Yes, I have regretfully come to the same conclusion. Can I ask if there is a way to downgrade my license from EIS back to Anti-Malware? I still really like Anti-Malware. I will eat the difference in price, but I would like to go back to the Anti-Malware binaries.

Thanks!


As feedback to the devs, I would say that this is logically flawed. If the rule is to explicitly allow all x.x.x.0/24 traffic and it is placed before the rule for processing any application rules, then there is no reason why EIS should ever ask about x.x.x.0/24 traffic. EIS should get to the rule that allows all x.x.x.0/24 traffic, see that it is allowed and stop that process thread. It should never even get to the rule to process per application rules and therefore there is no reason for it to ask if the traffic should be allowed, as it already knows the answer is yes.

The Application Rule still needs to be created, even if it will be overridden by another rule.

Yes, I have regretfully come to the same conclusion. Can I ask if there is a way to downgrade my license from EIS back to Anti-Malware? I still really like Anti-Malware. I will eat the difference in price, but I would like to go back to the Anti-Malware binaries.

Sure, just send me a private message with your license key for Emsisoft Internet Security, and I can convert it to an Emsisoft Anti-Malware license key for you.


Just wanted to say thanks! GT500 not only converted my license but added time to my license commensurate with the price difference between EIS and Anti-Malware. This is more than fair considering I was willing to eat the price difference. Great support, hope EIS can catch up and I can come back to it one day!
