McAfee® Host Intrusion Prevention 6.1 Product Guide: Firewall Policies
Overview
State table functionality
If firewall rule sets change, all active connections are checked against the new rule
set. If no matching rule is found, the connection entry is discarded from the state
table.
If an adapter obtains a new IP address, the firewall recognizes the new IP
configuration and drops all entries in the state table with an invalid local IP address.
All entries in the state table associated with a process are deleted when the process
ends.
How firewall rules work
Firewall rules determine how to handle network traffic. Each rule provides a set of
conditions that traffic has to meet and has an action associated with it: either permit or
block traffic. When Host Intrusion Prevention finds traffic that matches a rule’s
conditions, it performs the associated action.
Host Intrusion Prevention uses precedence to apply rules: the rule at the top of the
firewall rules list is applied first.
If the traffic meets this rule’s conditions, Host Intrusion Prevention allows or blocks the
traffic. It does not try to apply any other rules in its rule list.
If, however, the traffic does not meet the first rule’s conditions, Host Intrusion
Prevention looks at the next rule in its list. It works its way down through the firewall
rule list until it finds a rule that the traffic matches. If no rule matches, the firewall
automatically blocks the traffic. If Learn mode is activated, it prompts for an action to
be taken; if Adaptive mode is activated, it creates a permit rule for the traffic.
Sometimes the intercepted traffic matches more than one rule in the list. In this case,
precedence means that Host Intrusion Prevention applies only the first matching rule
in the list.
Ordering the firewall rule list
When you create or customize a firewall rules policy, place the most specific rules at
the top of the list and the more general rules at the bottom. This ensures that Host
Intrusion Prevention filters traffic appropriately and that a specific exception is not
shadowed by a more general rule placed above it.
For example, to block all HTTP requests except those from IP address 10.10.10.1, you
need to create two rules:
Permit Rule: Allow HTTP traffic from IP address 10.10.10.1. This rule is the most
specific.
Block Rule: Block all traffic using the HTTP service. This rule is more general.
You must place the more specific Permit Rule higher in the firewall rule list than the
more general Block Rule. This ensures that when the firewall intercepts an HTTP
request from address 10.10.10.1, the first matching rule it finds is the one that allows
this traffic through the firewall.
Note
Host Intrusion Prevention handles precedence differently for domain-based rules and
wireless rules. If a rule specifies a remote address as a domain name or a wireless
802.11 connection, it is applied first regardless of its position in the list of rules.
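The first-match precedence described above, including the default block when nothing matches and the Note's exception for domain-name and wireless rules, as an added Python model that is not code from the McAfee guide. The rule fields, the rule names and every address other than 10.10.10.1 are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed model of HIP first-match rule evaluation (not McAfee code).
@dataclass
class Rule:
    name: str
    action: str                          # "permit" or "block"
    service: Optional[str] = None        # e.g. "HTTP"; None matches any service
    remote_ip: Optional[str] = None      # exact IPv4 literal; None matches any
    remote_domain: Optional[str] = None  # domain-name rule: applied first
    wireless: bool = False               # 802.11 rule: also applied first

@dataclass
class Traffic:
    service: str
    remote_ip: str
    remote_domain: Optional[str] = None  # remote name as the firewall sees it
    wireless: bool = False

def matches(rule: Rule, t: Traffic) -> bool:
    """Every condition set on the rule must hold for the traffic."""
    if rule.service is not None and rule.service != t.service:
        return False
    if rule.remote_ip is not None and rule.remote_ip != t.remote_ip:
        return False
    if rule.remote_domain is not None and rule.remote_domain != t.remote_domain:
        return False
    if rule.wireless and not t.wireless:
        return False
    return True

def evaluate(rules: list[Rule], t: Traffic) -> tuple[str, Optional[str]]:
    """Walk the list top-down; the first match wins; no match means block."""
    # Domain-based and wireless rules are consulted before everything else,
    # regardless of where they sit in the list.
    priority, regular = [], []
    for r in rules:
        (priority if r.remote_domain is not None or r.wireless else regular).append(r)
    for rule in priority + regular:
        if matches(rule, t):
            return rule.action, rule.name
    return "block", None

# The HTTP example from the guide, in the correct and the reversed order.
PERMIT = Rule("Permit HTTP from 10.10.10.1", "permit", service="HTTP", remote_ip="10.10.10.1")
BLOCK = Rule("Block all HTTP", "block", service="HTTP")
CORRECT_ORDER = [PERMIT, BLOCK]  # specific exception above the general rule
WRONG_ORDER = [BLOCK, PERMIT]    # general rule shadows the exception
```

Evaluating the same HTTP request from 10.10.10.1 against `CORRECT_ORDER` and `WRONG_ORDER` shows why the order matters: only the first list lets the exception through.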