Best Practice: Firewall settings guide
When you configure a firewall policy, you may want more information about some of the settings and why you should (or shouldn't) enable them.
This article contains the 'factory default' rules and configuration settings for the Sophos firewall when configured using the Advanced Settings button in the Firewall Policy. Whenever possible, we have described the security implications of the setting or explained why the default was chosen.
We recommend that you use the firewall rollout guide before deploying to your endpoint computers.
For other Best Practice articles, please see our Best Practice Index
In this article
Advanced configuration:
General settings | Location detection settings | Checksum settings | Log settings
Primary or secondary location configuration:
General settings | ICMP settings | LAN settings | Global rules | Application rules | Process-control settings
Advanced configuration
General Settings tab
| Setting name | Default | Comments |
|---|---|---|
| Primary location: Allow all traffic | Disabled | This setting is in place for special circumstances only. It disables the firewall while at the primary location and generally shouldn't be used. If you need to allow an application or connection, set up an Application rule, an ICMP rule or a Global rule instead. |
| Add configuration for a secondary location | Disabled | This setting should only be used for laptops and other computers that are regularly connected to an additional network, such as a home or public wireless network. |
| Applied location | Apply the configuration for the detected location | Disabled until you select the option 'Add configuration for a secondary location'. Allows you to set which policy is applied when a new location is detected. The default, 'Apply the configuration for the detected location', ensures that the firewall automatically detects the current network and selects the associated configuration. If your end users belong to the SophosPowerUsers or SophosAdministrators group, they can also manually choose the primary or secondary configuration when they are at a third location. Tell these laptop users that they can do this when connecting to a new network, and explain which configuration they should choose. |
Location detection tab
| Setting name | Default | Comments |
|---|---|---|
| Detection method | DNS, none configured | We recommend that you use Gateway MAC Address detection, if possible. The firewall detects the gateway's MAC address and applies the primary or secondary location accordingly. |
Checksum tab
| Setting name | Default | Comments |
|---|---|---|
| Application/Version/Checksum | None configured | Before you roll out the firewall, enter the MD5 checksums of the applications commonly used on your network here. This saves you time and duplicated effort when responding to firewall requests during rollout. |
Log tab
| Setting name | Default |
|---|---|
| Keep all records/Delete old records | Delete old records |
| Delete records after x days | 1 day (not enabled) |
| Keep no more than y records | 200 records (not enabled) |
| Keep size under z MB | 50 MB (enabled) |
Primary or secondary location configuration
Note: no secondary location is preconfigured. If one is added, its default settings are identical to those of the primary location.
General tab
| Setting name | Default | Comments |
|---|---|---|
| Working mode | Block by default | When first setting up the Sophos Client Firewall on a sample computer, it is safest to keep the default 'Block by default' until you're ready to start authorizing the applications that need network access. When you are ready to begin your firewall rollout, switch to 'Interactive' mode to establish policies for your commonly used applications and processes. Once all approved applications have been allowed through the firewall, set computers back to 'Block by default' mode, as this stops all unauthorized traffic. Please note: if both primary and secondary locations are enabled and the primary mode is 'Interactive', the secondary mode is automatically set to 'Block by default'. |
| Block processes if memory is modified | Enabled | This option can prevent threats from infecting your computer. This option should usually remain selected. |
| Block hidden processes | Enabled | This option should always be enabled in order to block malicious programs from executing on your endpoints. |
| Drop packets sent to blocked ports | Enabled | This option prevents an outsider from being aware that a port on your computer exists, and so helps defend against attack. This option should usually remain selected. |
| Use checksums to authenticate applications | Enabled | This option helps the firewall to distinguish legitimate applications from malicious programs with the same name. This option should usually remain selected. |
| Block IPv6 packets | Enabled | At the moment, IPv6 is still only used by a handful of applications and ISPs, so this setting will allow you to block IPv6 traffic to your endpoints if, for instance, they are using a P2P application. To block all use of P2P applications on your network, configure an Application Control policy instead. |
| Display an alert in the management console if local changes are made to the global rules, applications, processes, or checksums | Enabled | Selecting 'Display an alert in the management console...' permits you to see if the firewall settings on your workstations have been changed either by the user, or by malware. In most circumstances, this option should remain selected. |
| Report unknown applications and traffic to the management console | Enabled | We recommend always keeping this option selected in order to monitor your end users' actions. |
| Report errors to the management console | Enabled | This option enables the administrator to view firewall error messages on workstations via the console. This option should usually remain selected. |
| (Desktop messaging) Show warnings and errors | Enabled | We recommend that you keep this option enabled in order to inform your users when there is a problem. |
| (Desktop messaging) Show unknown applications and traffic | Disabled | This setting will only show unknown applications and traffic if interactive mode has been selected. |
ICMP tab
| Setting name | Default | Comments |
|---|---|---|
| Echo Reply (0) | Blocked IN | Used to reply to echo requests (pings). Enabling Echo Reply could make your computer vulnerable to smurf attacks. |
| Destination Unreachable (3) | Blocked IN and OUT | Enabling this option could make your computer vulnerable to a destination unreachable attack. |
| Source Quench (4) | Not set | To manage overload, source quench messages request that the amount of information sent to the message originator is reduced. Enabling Source Quench could make your computer vulnerable to man in the middle attacks and Denial of Service (DoS) attacks. |
| Redirect Message (5) | Not set | If you do not need redirection on your network, we recommend keeping this unset, as redirection can be used to change the routing tables on routers and computers in order to facilitate a DoS attack. |
| Echo Request (8) | Blocked OUT | Used to ascertain if a networked computer is active (e.g. ping). Enabling Echo Request could make your computer vulnerable to smurf attacks. |
| Router Advertisement (9) | Blocked IN | Router advertisement messages are sent in response to router solicitation messages, or to broadcast the presence of the router. Spoofed router advertisement messages can be used to change routing tables within routers so as to facilitate man in the middle and DoS attacks, which is why we have blocked inbound advertisements by default. |
| Router Solicitation (10) | Blocked OUT | Router solicitation messages are sent to locate routers within a network as a form of network scanning. Malicious users can use router solicitation to search for computers to attack, which is why we block this by default. |
| Time Exceeded (11) | Blocked IN | |
| Parameter Problem (12) | Not set | |
| Timestamp Request (13) | Not set | |
| Timestamp Reply (14) | Not set | |
| Information Request (15) | Not set | |
| Information Reply (16) | Not set | |
| Address Mask Request (17) | Not set | |
| Address Mask Reply (18) | Not set | |
LAN tab
| Setting name | Default | Comments |
|---|---|---|
| LAN (IP Address and subnet) | Nothing set | NetBIOS allows file and printer sharing with other computers on the LAN or trusted subnet; this option should be sufficient for most normal office work. Trusted allows all traffic between computers on the LAN; only use this option where completely necessary. |
Global rules tab
| Rule name | Default rule | Comments |
|---|---|---|
| Allow loopback TCP connection | Where the protocol is TCP and the remote address is 127.0.0.0 (255.0.0.0) | A loopback connection allows applications to check that a network connection exists. Web browsers often check for a connection this way. |
| Allow GRE protocol | Where the protocol is IP and the type is GRE | This will allow GRE in IP tunnels to run to or from the client computer, i.e. virtual private network (VPN) connections. |
| Allow PPTP Control Connection | Where the protocol is TCP and the direction is Outbound and the remote port is 1723 and the local port is 1024-65535 Allow it | This will allow PPTP in IP tunnels to run to or from the client computer, i.e. virtual private network (VPN) connections. |
| Allow loopback UDP connection | Where the protocol is UDP | |
| Block RPC Call (TCP) | Where the protocol is TCP and the direction is Inbound and the local port is 135 Block it | This setting prevents Remote Procedure Call (RPC) calls using TCP from being made on the client computer. This stops an intruder from running legitimate code on the local computer in an unwanted manner. Note: The port used by the RPC port mapper (135) is associated with several high profile vulnerabilities used by network worms for replication and propagation. |
| Block RPC Call (UDP) | Where the protocol is UDP and the local port is 135 Block it | This setting prevents Remote Procedure Call (RPC) calls using UDP from being made on the client computer. This stops an intruder from running legitimate code on the local computer in an unwanted manner. |
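As an added illustration (not Sophos Client Firewall code), the following Python model encodes the ICMP tab defaults and the default global rules above and evaluates constructed sample packets against them under the 'Block by default' and 'Interactive' working modes. It assumes the loopback UDP rule matches the same 127.0.0.0/8 range as the loopback TCP rule (the article's condition for it is truncated), and uses "ask" as its stand-in for an Interactive-mode prompt.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the article's default policy; not Sophos Client Firewall code.
LOOPBACK = ip_network("127.0.0.0/8")   # "127.0.0.0 (255.0.0.0)" from the loopback TCP rule

@dataclass
class Packet:
    proto: str                          # "TCP", "UDP", "GRE" or "ICMP"
    direction: str                      # "IN" or "OUT"
    remote_ip: str = "0.0.0.0"
    remote_port: Optional[int] = None
    local_port: Optional[int] = None
    icmp_type: Optional[int] = None

# ICMP tab defaults: ICMP type -> directions explicitly blocked. "Not set" types are absent.
ICMP_BLOCKED = {0: {"IN"}, 3: {"IN", "OUT"}, 8: {"OUT"}, 9: {"IN"}, 10: {"OUT"}, 11: {"IN"}}

def global_rule(p: Packet) -> Optional[str]:
    """Verdict of the first default global rule that matches, in the tab's order, else None."""
    if p.proto == "TCP" and ip_address(p.remote_ip) in LOOPBACK:
        return "allow"   # Allow loopback TCP connection
    if p.proto == "GRE":
        return "allow"   # Allow GRE protocol (IP tunnels such as VPNs)
    if (p.proto == "TCP" and p.direction == "OUT" and p.remote_port == 1723
            and p.local_port is not None and 1024 <= p.local_port <= 65535):
        return "allow"   # Allow PPTP control connection
    if p.proto == "UDP" and ip_address(p.remote_ip) in LOOPBACK:
        return "allow"   # Allow loopback UDP connection (127/8 is an assumption; article truncates it)
    if p.proto == "TCP" and p.direction == "IN" and p.local_port == 135:
        return "block"   # Block RPC call (TCP): port mapper targeted by network worms
    if p.proto == "UDP" and p.local_port == 135:
        return "block"   # Block RPC call (UDP)
    return None

def decide(p: Packet, working_mode: str = "Block by default") -> str:
    """Verdict for one packet: ICMP tab, then global rules, then the working-mode fallback."""
    if p.proto == "ICMP":
        verdict = "block" if p.direction in ICMP_BLOCKED.get(p.icmp_type, set()) else None
    else:
        verdict = global_rule(p)
    if verdict is not None:
        return verdict
    # Unmatched traffic: 'Block by default' drops it; 'Interactive' prompts the user ("ask").
    return "ask" if working_mode == "Interactive" else "block"
```

`decide(Packet("TCP", "IN", "10.0.0.5", 51000, 135))` returns "block" from the RPC rule, while the same packet from 127.0.0.1 is allowed because the loopback rule is evaluated first; unmatched traffic such as outbound TCP 443 is blocked in 'Block by default' and becomes a prompt in 'Interactive'.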
Applications tab
The most common and important Windows services are listed here. You will likely need to add more applications while you are rolling out the firewall in interactive mode.
| Application | Rule name | Default rule |
|---|---|---|
| alg.exe | Allow ALG Redirect | Where the protocol is TCP and the direction is Inbound Allow it and stateful inspection |
| alg.exe | Microsoft Application Layer Gateway Service connection | |
| lsass.exe | Local Security Authority Service Kerberos UDP connection | Where the protocol is UDP and the remote port is 88 Allow it and stateful inspection |
| lsass.exe | Local Security Authority Service Kerberos TCP connection | |
| lsass.exe | LSASS LDAP connection to Global Catalog Server | |
| lsass.exe | Local Security Authority Service LDAP UDP connection | |
| lsass.exe | Local Security Authority Service LDAP TCP connection | |
| lsass.exe | Local Security Authority Service DCOM dynamic port allocation | |
| lsass.exe | Local Security Authority Service DCOM connection | |
| lsass.exe | Allow DNS Resolving (TCP) | |
| lsass.exe | Allow DNS Resolving (UDP) | |
| services.exe | Services DCOM connection | Where the protocol is TCP and the direction is Outbound and the remote port is 135 Allow it |
| services.exe | Services DCOM dynamic port allocation | Where the protocol is TCP and the direction is Outbound and the remote port is 1090-1110 Allow it |
| services.exe | Services LDAP connection | Where the protocol is TCP and the direction is Outbound and the remote port is 389, 3268 Allow it |
| services.exe | Allow DNS Resolving (TCP) | Where the protocol is TCP and the direction is Outbound and the remote port is 53 Allow it |
| services.exe | Allow DNS Resolving (UDP) | |
| services.exe | Allow DHCP | Where the protocol is UDP and the remote port is 67 and the local port is 68 Allow it |
| services.exe | Allow DHCP (v6) | Where the protocol is UDP and the remote port is 547 and the local port is 546 Allow it |
| svchost.exe | Allow DNS Resolving (TCP) | |
| svchost.exe | Allow DNS Resolving (UDP) | |
| svchost.exe | Allow DHCP | |
| svchost.exe | Allow DHCP (v6) | |
| userinit.exe | Microsoft Userinit LDAP connection | |
| userinit.exe | Microsoft Userinit DCOM Connection | |
| winlogon.exe | Microsoft Winlogon LDAP connection | Where the protocol is TCP and the direction is Outbound and the remote port is 389, 3268 Allow it |
| winlogon.exe | Microsoft Winlogon DCOM Connection | |
Processes tab
| Setting name | Default | Comments |
|---|---|---|
| Warn about new launchers. | Enabled | This option is only available if you are using Interactive mode. |
| Warn about the use of rawsockets. | Enabled | This option is only available if you are using Interactive mode. |
If you need more information or guidance, then please contact technical support.
- Article ID: 57757
- Created: 28 Apr 2009
- Last updated: 5 Sep 2011