Application Control: Ability to allow Applications without a packet filter rule

Ability to allow applications without a packet filter rule. Would be nice - at the moment you have to set up a packet filter rule even if you have an Application Control rule that accepts the usage of a specific application. The current behaviour makes no sense to me.

9 votes
    Fabian Lorenz shared this idea

    3 comments

      • Alan Toews (Admin, Sophos Features & Ideas Laboratory) commented

        The purpose of application control presently is to give application-level visibility or to restrict application traffic on ports that are otherwise allowed. If port 443 is open, and Skype tries to use port 443 to get out of the network, application control will see Skype's connection and, after a few packets, determine that Skype is using that port, then stop it. App control allow rules only exist presently so that you could allow applications for some users that you're blocking for others.

        Application control can't always determine what the application is on the first packet. Firewall ports need to be open to allow some packet exchange before application-level control can identify the traffic and step in. If you create an application control rule to allow HTTP or HTTPS traffic, it might be safe in most cases to assume that you need to allow port 80 and 443 traffic outbound, but what about Skype? What ports should the firewall open? Skype has no fixed default port, and may randomly choose any port. I'm not sure how app control could do this safely.

      • Sylvain commented

        This would also make it easier to support firewall-unfriendly apps like Windows Remote Assistance (requiring outgoing ports TCP/UDP 49152:65535 open). This way, when the app is allowed for a specific user, it would trigger/authorise the "one" random TCP/UDP port used for that session, at that moment, instead of having to carve such a huge hole into your firewall. And people would probably stop asking for UPnP support, since it wouldn't be required for that type of app anymore. Also, when the application is not in use, no ports are opened and therefore can't be abused by other apps/users/malware.

      • BarryG commented

        The documentation (in 9.006) is very confusing about this point; it implies that you don't need a PF rule, which is incorrect afaics.

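A small model of the two-stage behaviour Alan Toews describes above (packet filter first, application control only once some payload has got through), together with the case Sylvain raises (an app-control allow rule for an application on a random high port, with no matching packet-filter rule). This is an added example and is not Sophos UTM code or anything posted in the thread; the signatures, port numbers, rule names and the packet ordering are constructed assumptions chosen so the model runs offline.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed, stand-in signatures. Real app-control engines ship large
# vendor-maintained pattern sets; these three exist only so the model runs.
SIGNATURES = {
    b"GET ": "http",
    b"\x16\x03\x01": "https",   # TLS record header of a ClientHello
    b"SKYPE": "skype",          # assumption: a marker that appears a few packets in
}


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    payload: bytes


@dataclass
class Flow:
    payloads: list = field(default_factory=list)
    app: Optional[str] = None    # None until the classifier has decided
    blocked: bool = False


def classify(payloads):
    """Look for a known pattern in everything seen on the flow so far."""
    data = b"".join(payloads)
    for magic, app in SIGNATURES.items():
        if magic in data:
            return app
    return None


class Firewall:
    def __init__(self, pf_rules, app_rules):
        self.pf_rules = set(pf_rules)      # (proto, dport) pairs allowed outbound
        self.app_rules = dict(app_rules)   # app name -> "allow" or "block"
        self.flows = {}

    def handle(self, flow_id, pkt):
        flow = self.flows.setdefault(flow_id, Flow())
        if flow.blocked:
            return "drop"
        # Stage 1: packet filter. With no matching port rule the flow never
        # reaches stage 2, whatever app_rules says about the application.
        if (pkt.proto, pkt.dport) not in self.pf_rules:
            flow.blocked = True
            return "drop (packet filter)"
        # Stage 2: application control only sees payload the packet filter let
        # through, and typically needs more than one packet before it can decide.
        flow.payloads.append(pkt.payload)
        if flow.app is None:
            flow.app = classify(flow.payloads)
            if flow.app is None:
                return "pass (unidentified)"
            if self.app_rules.get(flow.app, "allow") == "block":
                flow.blocked = True
                return f"drop (app control: {flow.app})"
        return f"pass ({flow.app})"


def run(fw, flow_id, packets):
    return [fw.handle(flow_id, p) for p in packets]


def demo():
    fw = Firewall(
        pf_rules=[("tcp", 80), ("tcp", 443)],
        app_rules={"skype": "block", "remote_assistance": "allow"},
    )
    # Constructed traffic. The Skype-like flow hides on 443 and only shows its
    # marker on the third packet, so two packets get out before it is stopped.
    skype = [Packet("tcp", 443, b"\x00\x01"), Packet("tcp", 443, b"\x02\x03"),
             Packet("tcp", 443, b"SKYPE-hello"), Packet("tcp", 443, b"data")]
    https = [Packet("tcp", 443, b"\x16\x03\x01\x00\x05"), Packet("tcp", 443, b"app")]
    # An application with an app-control allow rule but no packet-filter rule
    # for its random high port is dropped before it can ever be identified.
    ra = [Packet("tcp", 50000, b"RA-session"), Packet("tcp", 50000, b"more")]
    return {
        "skype": run(fw, "flow-skype", skype),
        "https": run(fw, "flow-https", https),
        "remote_assistance": run(fw, "flow-ra", ra),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The third scenario is the behaviour the idea complains about and BarryG's documentation point: the "remote_assistance" allow rule is never consulted, because the packet filter drops the first packet and application control never gets any payload to classify. The first scenario shows the other half of Alan's answer: a few packets of a blocked application leak before the classifier can act, which is why the engine cannot be asked to open ports on its own.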