Lavasoft FAQ pages

Rules Processing Sequence

Below is a detailed description of each group of rules, given in the order in which they are applied to incoming and outgoing traffic.

Plug-Ins (Components)
Personal Firewall plug-ins (components) that can affect a connection (i.e. block or allow it) inspect network data before any rule processing starts and therefore take priority over all rules. For example, an intruder is blocked by the Attack Detection plug-in (component) regardless of whether its IP address belongs to a Trusted network. Plug-ins (components) of this kind include Attack Detection, IP Blocklist, BlockPost and SuperStealth. Plug-ins (components) process traffic in the order of their registration with Personal Firewall's kernel driver; built-in Personal Firewall plug-ins (components) process traffic before third-party plug-ins of the same priority.

Note: All other plug-ins (components) do not affect the connection and have equal priority. They process traffic after all rules have been processed, in the order of their registration with Personal Firewall's kernel driver. Built-in Personal Firewall plug-ins (components) process traffic before third-party plug-ins of the same priority.

Application/Global Rules with the "Ignore Component Control" flag set
In Personal Firewall 3.0 the Ignore Component Control flag raises a rule's priority but disables component checks for that application, so it should be used sparingly.

This flag lets you override NetBIOS and Trusted zone rules when necessary. It can also be used to avoid the delay in transmitting and receiving data that component checks require, since some processes malfunction when subjected to such delays.

Trusted/NetBIOS Zones
If the source or destination IP address lies within a network or subnet designated as Trusted, the traffic is allowed. If NetBIOS is allowed to or from those addresses, only traffic to or from NetBIOS ports on those addresses is allowed (TCP ports 137-139 and 445, UDP ports 137-138).

Global NetBIOS Blocking Rules
All remaining traffic to NetBIOS ports (TCP ports 137-139 and 445, UDP ports 137-138) is blocked. Traffic sent to or from a NetBIOS zone has already been matched by the Trusted/NetBIOS Zones rules above and so does not reach these global rules.

Global Rules with the "High Priority" flag set
Personal Firewall 3.0 allows global rules to be marked as High Priority. Such rules are processed before Application Rules, so this option should be used only where certain network traffic is to be blocked completely.

Note: According to the current Personal Firewall architecture, if the Ignore Component Control flag is set for a global rule, the High Priority flag for that rule does not affect its priority.

Application Rules (Blocked/Trusted/Partially Allowed)
Traffic to or from applications in the Trusted applications group is allowed. Traffic to or from applications in the Blocked applications group is blocked.

If an application from the Partially allowed applications group sends or receives traffic, its rules are evaluated to see whether they specifically allow or block that traffic, in the order they appear in the Options > Application > Edit > Modify Rules list (top-down).

Application rules can only be set for TCP or UDP traffic. Other protocols can only be handled by global rules (except ICMP, which is handled separately; see ICMP Rules).

Note: These groups have equal priority since an application cannot be in two or more groups at the same time.

Low-Level Rules
These rules control system traffic transferred by protocol drivers that use IP protocols other than TCP or UDP, transit packets, and other non-application traffic that cannot be controlled at the application level.

Global Rules
These rules apply to all traffic that has not matched any of the previous sections. Rules for protocols other than TCP and UDP can only be set here, by selecting the subtype of IP protocol.

ICMP Rules
These rules handle ICMP activity type by type, according to the settings in the Settings > Firewall > Network Rules > ICMP Settings... window.

Allow Outgoing NAT Packets to Internet
If Personal Firewall detects that ICS (Internet Connection Sharing) is in use, this rule and Allow Incoming NAT Packets from LAN are applied. Packets coming from a network listed in LAN Settings to an outside address, and the replies coming back, are allowed by these rules.

Personal Firewall Policy
When no rule has matched and the packet is local (its destination or source address matches a network interface on the PC), the current Personal Firewall policy decides.

Allow Most mode allows traffic that is not specifically blocked by Personal Firewall rules. Block Most mode blocks traffic that is not specifically allowed by Personal Firewall rules.

In Rules Wizard mode, if a connection is requested that uses some "other" protocol (not TCP, UDP or ICMP), a pop-up dialog box asks whether the connection should be allowed or blocked. If the traffic is TCP/UDP and can be linked to an application, a dialog box asks whether this application activity should be allowed or blocked. TCP/UDP traffic that cannot be linked to an application ("system" traffic) is blocked with the reason Reject Connection to Port Opened by System.

Note: While a dialog box is waiting to be answered, outgoing connections are frozen and incoming connections are blocked (the answer given then applies to the next incoming connection that matches the rule created).

Allow Incoming NAT Packets from LAN
See Allow Outgoing NAT Packets to Internet.

Block Transit Packets
This rule applies when neither the destination nor the source IP address matches any of the system's network interfaces (i.e. the packet is passing through the system to somewhere else). Such packets are blocked (with the reason Block Transit Packets given in the Personal Firewall log).
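To make the order concrete, here is an added example (not Lavasoft's code) that models the stages above in Python and reports which stage decided a packet: an IP Blocklist plug-in, the Trusted and NetBIOS zones, global NetBIOS blocking, High Priority global rules, the application groups, global rules, and finally the policy or the transit block. It simplifies the real product: the Ignore Component Control, Low-Level, ICMP and NAT stages are omitted, and every address, application name and rule in CONFIG is a constructed sample value.

```python
import ipaddress
NETBIOS_PORTS = {"TCP": {137, 138, 139, 445}, "UDP": {137, 138}}
def in_any(addr, networks):
    ip = ipaddress.ip_address(addr)  # plain host strings become /32 networks below
    return any(ip in ipaddress.ip_network(n) for n in networks)

def first_match(rules, pkt):
    # Top-down list; a rule is a dict of packet fields plus an "action" value.
    for rule in rules:
        if all(pkt.get(k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]

def evaluate(pkt, cfg):
    # Returns (verdict, stage) from the first stage in the sequence that decides.
    addrs = (pkt["src"], pkt["dst"])
    netbios = pkt["port"] in NETBIOS_PORTS.get(pkt["proto"], ())
    # 1. Plug-ins run before any rule: a blocklisted host in a Trusted net is still blocked.
    if any(in_any(a, cfg["ip_blocklist"]) for a in addrs):
        return "block", "plug-in: IP Blocklist"
    # 2. Trusted zone allows all traffic; NetBIOS zone allows only the NetBIOS ports.
    if any(in_any(a, cfg["trusted_zone"]) for a in addrs):
        return "allow", "Trusted zone"
    if netbios and any(in_any(a, cfg["netbios_zone"]) for a in addrs):
        return "allow", "NetBIOS zone"
    # 3. Global NetBIOS blocking: only traffic outside those zones gets this far.
    if netbios:
        return "block", "Global NetBIOS blocking"
    # 4. High Priority global rules are evaluated before application rules.
    if (v := first_match(cfg["high_priority_global"], pkt)):
        return v, "High Priority global rule"
    # 5. Application rules apply to TCP/UDP only; Partially allowed apps use their own list.
    if (app := pkt["app"]) and pkt["proto"] in ("TCP", "UDP"):
        for group, verdict in (("trusted_apps", "allow"), ("blocked_apps", "block")):
            if app in cfg[group]:
                return verdict, f"{group} group"
        if (v := first_match(cfg["partial_apps"].get(app, []), pkt)):
            return v, "Partially allowed application rule"
    # 6. Global rules, then the policy for local packets; transit packets are blocked.
    if (v := first_match(cfg["global_rules"], pkt)):
        return v, "Global rule"
    if any(in_any(a, cfg["local_interfaces"]) for a in addrs):
        return ("allow" if cfg["policy"] == "Allow Most" else "block"), "Policy"
    return "block", "Block Transit Packets"
CONFIG = {  # constructed sample configuration, not taken from the original page
    "ip_blocklist": ["192.168.1.66"], "trusted_zone": ["192.168.1.0/24"],
    "netbios_zone": ["10.0.0.0/8"], "local_interfaces": ["172.16.0.10"],
    "high_priority_global": [{"proto": "TCP", "port": 23, "action": "block"}],
    "trusted_apps": {"svchost.exe"}, "blocked_apps": {"oldclient.exe"},
    "partial_apps": {"browser.exe": [{"proto": "TCP", "port": 443, "action": "allow"}]},
    "global_rules": [], "policy": "Block Most"}
```

Note that the blocklisted host 192.168.1.66 sits inside the Trusted network, so the plug-in stage blocks it before the Trusted zone would have allowed it, and a Trusted application is still stopped by a High Priority global rule on TCP port 23.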
