What is the order in which Outpost rules and settings affect network traffic?
KB ID: 1000120,
Added: 12-09-2006,
Last updated: 14-06-2010
Applies To: Outpost Firewall, Outpost Firewall 1.0, Outpost Firewall 2.0, Outpost Firewall 2.1, Outpost Firewall 2.5, Outpost Firewall 2.6, Outpost Firewall 2.7, Outpost Firewall 3.0, Outpost Firewall 3.5, Outpost Firewall 3.51, Outpost Firewall 4.0, Outpost Firewall Free, Outpost Office, Outpost Office 1.0, Outpost Security Suite 2007, Outpost Security Suite Pro 2008, Outpost Security Suite Pro 2009, Outpost Security Suite Pro 7, Outpost Firewall Pro 2008, Outpost Firewall Pro 2009, Outpost Firewall Pro 7, Outpost Network Security 2.0
This article describes the order in which Outpost processes its rules, to help end users build their own custom rulesets. In determining whether to allow or block traffic, Outpost applies its rules in sequence to each packet of data sent or received.
Every Outpost group of rules (including internal ones) has a sequence (where earlier rules in the list take priority over those
later in the list) and each packet is checked against these rules in their set sequence. The first rule that is found to match the
requested connection, irrespective of whether the rule allows or blocks, is applied to the connection and no further rules are checked.
Note: If a packet is rejected, no message is sent to the sender; the packet is simply dropped without
notifying the source via any (ICMP or TCP) message.
Because some details of the rules processing have been modified between versions of Outpost, a summary of the sequence for
each version is listed and a full explanation of each rule is provided after the summaries. Entries in italics are internal rules,
which cannot be edited.
For Allow Most, Block Most, and Rules Wizard modes the following rule
sequences are set where priority is arranged in descending order. In Allow All and Block All
modes Outpost Firewall Policy has the highest priority (i.e. is first on the list).
Outpost Firewall Pro 2008/2009/7 and Outpost Security Suite Pro 2008/2009/7
- Block intruder's host (Attack Detection)
- Trusted Zones
- Global NetBIOS Block/Allow Rule
- Low-Level System Rules with the "High Priority" flag set
- Global Rules applied before application rules
- Application Rules (Blocked/Trusted/Partially Allowed)
- Low-Level System Rules
- Global Rules applied after application rules
- Allow NAT Packets
- ICMP Rules
- Outpost Policy
- Block Transit Packets
Outpost Firewall 2.5 - 4.0 and Outpost Security Suite 2007
- Plug-Ins
- Application/Global Rules with the "Ignore Component Control" flag set
- Trusted/NetBIOS Zones
- Global NetBIOS Block Rule
- Global Rules with the "High Priority" flag set
- Application Rules (Blocked/Trusted/Partially Allowed)
- Global Rules
- ICMP Rules
- Allow Outgoing NAT Packets to Internet
- Outpost Policy
- Allow Incoming NAT Packets from LAN
- Block Transit Packets
Outpost Firewall 2.1
- Plug-Ins
- Trusted/NetBIOS Zones
- Blocked/Trusted Applications Settings
- Global NetBIOS Block Rule
- Application Rules (Partially Allowed)
- Global Rules
- ICMP Rules
- Allow Outgoing NAT Packets to Internet
- Outpost Firewall Policy
- Allow Incoming NAT Packets from LAN
- Block Transit Packets
Outpost Firewall 2.0
- Plug-Ins
- Blocked/Trusted Applications Settings
- Trusted/NetBIOS Zones
- Global NetBIOS Block Rule
- Application Rules (Partially Allowed)
- Global Rules
- ICMP Rules
- Allow Outgoing NAT Packets to Internet
- Outpost Firewall Policy
- Allow Incoming NAT Packets from LAN
- Block Transit Packets
Below is a detailed description of each group of rules, in the order in which they affect and control incoming or outgoing traffic.
Plug-Ins (Components)
Outpost plug-ins (components) that can affect a connection (i.e. block or allow it) control network data before any rules
processing starts and can therefore take priority over any other rules. For example, an intruder will be blocked by the Attack
Detection plug-in (component) regardless of whether his IP address belongs to a Trusted network. Among such
plug-ins (components) are Attack Detection, IP Blocklist, BlockPost and SuperStealth. Plug-ins (components) process traffic according to the
order of their registration in Outpost's kernel driver. Built-in Outpost plug-ins (components) process traffic before
third-party plug-ins of the same priority.
Note: All other plug-ins (components) do not affect connections and have equal priority. They process
traffic after all rules are processed, according to the order of their registration in Outpost's kernel driver. Built-in Outpost
plug-ins (components) process traffic before third-party plug-ins of the same priority.
Application/Global Rules with the "Ignore Component Control" flag set
In Outpost Firewall 2.5 and higher product versions the Ignore Component Control flag increases a rule's priority,
but disables component checks for that application, so it should be used sparingly.
This flag allows you to override NetBIOS and Trusted zone rules if necessary.
It can also be used to avoid the data transfer delay introduced by component checks, as some processes can malfunction if
subjected to such delays.
Trusted/NetBIOS Zones
If the source or destination IP address lies within a network/subnet designated as Trusted, then traffic
will be allowed. If NetBIOS is allowed to or from those addresses, then only traffic to or from NetBIOS ports on those addresses
will be allowed (TCP ports 137-139, 445 and UDP ports 137-138).
Global NetBIOS Blocking Rules
Traffic to NetBIOS ports (TCP ports 137-139, 445 and UDP ports 137-138) is blocked, because traffic sent to or from a
NetBIOS zone would have been matched by the Trusted/NetBIOS Zones rules above, so would not reach
these global rules.
Global Rules with the "High Priority" flag set
Outpost Firewall 2.5 and higher product versions allow global rules to be marked as High Priority. Such
rules are processed before Application Rules, so this option should be used only in cases where certain network
traffic is to be blocked completely.
Note: According to the current Outpost architecture, if the Ignore Component Control flag
is set for a global rule, the High Priority flag for this rule does not affect the rule's priority.
Application Rules (Blocked/Trusted/Partially Allowed)
Traffic to or from applications in the Trusted applications group is allowed. Traffic to or from applications
in the Blocked applications group is blocked.
If an application from the Partially allowed applications group is sending or receiving traffic, its rules
(including those introduced in Outpost Firewall 3.5 that are automatically created for recognized applications, which match
Outpost's signature database) are then evaluated to see if they specifically allow or block traffic in the order they are
specified in the Options > Application > Edit > Modify Rules list (top-down).
Application rules can only be set for TCP or UDP traffic. Other protocols can only be handled via global rules (except for ICMP,
which is handled separately; see ICMP Rules).
Note: These groups have equal priority since an application cannot be in two or more groups at the same time.
Low-Level Rules
These rules control system traffic transferred by protocol drivers that use IP protocols other than TCP or UDP, transit packets,
and other non-application traffic that cannot be controlled at the application level.
Global Rules
These rules (including those introduced in Outpost Firewall 3.5 that are automatically created for certain global traffic) are
applied for all traffic that has not matched any of the previous sections. Rules for protocols other than TCP and UDP can only be
set here by selecting the subtype of IP protocol.
ICMP Rules
These rules handle ICMP activity on a type-by-type basis according to the settings in the Options >
System > ICMP > Settings window.
Allow Outgoing NAT Packets to Internet
If Outpost detects that ICS (Internet Connection Sharing) is in use, then this rule and Allow Incoming NAT Packets
from LAN will be applied. Packets coming from a network listed in LAN Settings to an outside
address and replies coming back are allowed by these rules (i.e. Stateful Inspection
is activated for these rules to allow further network connections to be established between each LAN/outside address pair).
Outpost Firewall Policy
When no rules have been matched and the packets are local (either the destination or source address matches a network interface
on the PC), the current Outpost Firewall policy takes precedence.
Allow Most mode will allow the traffic that is not specifically blocked by Outpost Firewall rules.
Block Most mode will block traffic that is not specifically allowed by Outpost Firewall rules.
In Rules Wizard mode, if a connection is requested that uses some "other" (non-TCP, UDP, ICMP) protocol,
a pop-up dialog box will ask whether the connection should be allowed or blocked. If the traffic is TCP/UDP and can be linked
with an application, a dialog box will ask whether this application activity should be allowed or blocked. TCP/UDP traffic that
cannot be linked with an application ("system" traffic) will be blocked with the reason Reject Connection to Port
Opened by System.
Note: While a dialog box is waiting to be answered, outgoing connections are frozen and incoming
connections are blocked (the reply given will then apply to the next incoming connection that matches the rule created).
Allow Incoming NAT Packets from LAN
See Allow Outgoing NAT Packets to Internet.
Block Transit Packets
This is applied when neither the destination nor the source IP address matches those of any of the system's network interfaces
(i.e. the network packet is passing through the system to somewhere else). Such packets are blocked (with the reason
Block Transit Packets given in the Outpost log).
Implications
- Having a Trusted zone means that any application not specifically blocked can gain network access to the
IP addresses in the Trusted zone, so it is recommended to only include local network addresses in the
Trusted zone. If you need to use it, seriously consider listing individual IP addresses
(with a subnet mask of 255.255.255.255) rather than network ranges to limit its scope as much as possible. For most home
networks, Trusted status is only needed if running particular applications, such as network games, or if ICS
is being used and for some reason is not being detected and handled properly by Outpost. For File and Printer Sharing select
the NetBIOS check box only.
- A global blocking rule will not affect application rules that allow the same type of traffic. This has been a particular
issue with svchost.exe settings, which can contain Remote Procedure Call (RPC) and Universal Plug and Play (UPnP) rules. If you
want to completely block a certain port or protocol, you will need to check every application rule to ensure that none are allowing
it, or mark the blocking rule as High Priority. Even so, an application rule with the Ignore Component
Control flag set will override this blocking rule.
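Added here as an illustration, not Outpost's own code: a small Python model of the first-match walk through the Outpost Firewall Pro 2008/2009/7 group order, reduced to the groups that decide TCP/UDP traffic. The Packet and Ruleset names, the rule tuples and the sample svchost.exe UPnP rules are assumptions made for this example; it shows the implication above, namely that a global block placed after application rules is shadowed by an application allow until it is applied before them (High Priority).

```python
from dataclasses import dataclass, field
import ipaddress

# Constructed model of Outpost's first-match processing in the 2008/2009/7 order
# (Trusted Zones -> Global NetBIOS Block -> Global Rules before application rules ->
# Application Rules -> Global Rules after application rules -> Outpost Policy ->
# Block Transit Packets). Illustration only; rule shapes are an assumption.
NETBIOS_PORTS = {("tcp", p) for p in (137, 138, 139, 445)} | {("udp", 137), ("udp", 138)}

@dataclass
class Packet:
    app: str            # application the packet is linked to ("" for system traffic)
    proto: str          # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    local: bool = True  # False: neither address belongs to a local interface (transit)

@dataclass
class Ruleset:
    trusted_zones: list = field(default_factory=list)  # CIDR strings
    block_netbios: bool = True                         # Global NetBIOS Block Rule
    global_before: list = field(default_factory=list)  # High Priority / before app rules
    app_rules: dict = field(default_factory=dict)      # app -> ordered [(proto, port, verdict)]
    global_after: list = field(default_factory=list)   # global rules after app rules
    policy: str = "Block Most"                         # or "Allow Most"

def first_match(rules, proto, port):
    """Top-down scan; the first rule matching proto and port decides (port None = any)."""
    for r_proto, r_port, verdict in rules:
        if r_proto == proto and r_port in (port, None):
            return verdict
    return None

def evaluate(rs, pkt):
    """Return (verdict, group) from the first rule group that matches the packet."""
    ip = ipaddress.ip_address(pkt.dst_ip)
    if any(ip in ipaddress.ip_network(zone) for zone in rs.trusted_zones):
        return "allow", "Trusted Zones"
    if rs.block_netbios and (pkt.proto, pkt.dst_port) in NETBIOS_PORTS:
        return "block", "Global NetBIOS Block Rule"
    for group, rules in (("Global Rules (before application rules)", rs.global_before),
                         ("Application Rules", rs.app_rules.get(pkt.app, [])),
                         ("Global Rules (after application rules)", rs.global_after)):
        verdict = first_match(rules, pkt.proto, pkt.dst_port)
        if verdict:
            return verdict, group
    if pkt.local:  # the policy decides only for packets addressed to or from this host
        return ("allow" if rs.policy == "Allow Most" else "block"), "Outpost Policy"
    return "block", "Block Transit Packets"
```

With an application rule allowing svchost.exe UDP 1900 and a global block for the same port in global_after, evaluate() returns the application allow; moving the block to global_before makes it win, and a packet to a Trusted zone is allowed before any of those groups are consulted.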
The Loopback Address - Security Concerns for Outpost Firewall 2.1 and earlier product versions
With Outpost Firewall 2.1 and earlier versions, applications sending data to the loopback addresses (127.0.0.0/255.0.0.0) can
pose a security risk. The default "Allow Loopback" global rule allows any application to do this and should be disabled, since it
does allow potentially malicious applications to access the Internet using the rules allowed for proxy servers, such as Proxomitron,
WebWasher, MailWasher, and some antivirus utilities.
Even with this loopback rule disabled (which will then require you to define separate application rules for each program using
a proxy), applications will still be allowed to receive traffic from the 127.0.0.0/8 address by Outpost Firewall. This could
(potentially) have been exploited by a malicious application intercepting and altering data intended for a proxy, and this could
have been used to affect the original application (e.g. causing a web browser to contact a different web page by sending back an
HTTP redirect). This is because Outpost Firewall's rule processing will only check one set of application rules. For Internet
traffic this is sufficient, but for localhost traffic the sending and receiving applications are on the same machine, and in this
circumstance the receiving application's rules (if any) will not be considered.
This means that even an application from the Blocked applications group will be allowed to receive traffic from
the 127.0.0.0/255.0.0.0 address by Outpost Firewall. This can only be avoided by ensuring that no application or global rules allow
the sending of data to this address.
With Outpost Firewall 2.5 and later versions however, local proxy applications require a rule to allow incoming traffic, so
such attempts should be detected (either triggering a Rules Wizard pop-up or being blocked depending on Outpost Firewall policy).
Other Protocols
Other protocols such as IPv6, IGMP, OSPF and others that use IP can only have rules defined within the global rules by
selecting the subtype of IP protocol type.