Packet Filter

Note

By default, the packet filter is disabled on Dr.Web Server. When a station connects to Dr.Web Server, the packet filtering settings specified on Dr.Web Server are applied to the station. Thus, the packet filter will be disabled even if it was enabled and configured on the station.

By default, the packet filter is disabled on Dr.Web Agent provided with Enterprise Security Suite 13.0. If Agent was already installed with a previous version, the packet filter will be disabled during the update. Otherwise, Agent is installed with the packet filter disabled by default.

Packet filtering allows you to control access to the network regardless of which program initiates the connection. These rules are applied to all network packets transmitted through a network interface of your computer.

To configure packet filtering settings, select the following options:

Option

Description

Enable packet filter

Use this option to enable and configure packet filtering for known network interfaces. If the check box is cleared, you can configure access to network resources only for specific applications.

Enable dynamic packet filtering

Use this option to filter packets according to the state of existing TCP connections. Firewall will block packets that do not match the TCP protocol specification. This option helps to protect your computer from DoS (denial-of-service) attacks, resource scanning, data injection and other malicious operations.

It is also recommended that you select this check box when using protocols with complex data transfer algorithms (FTP, SIP, and so on).

Disable this option to filter packets regardless of the TCP session state.

Process fragmented IP packets

Use this option to ensure correct processing of large amounts of data. The maximum transmission unit (MTU) may vary for different networks, therefore large IP packets may be fragmented. When this option is enabled, the rule selected for the first fragment of a large IP packet is applied to all other fragments.

Disable this option to process fragmented packets independently.

Packet filter rules

Dr.Web Firewall uses the following predefined rule sets:

Default Rule—rules that identify common network configurations and widespread attacks (this rule set is used by default for new network interfaces).

Allow All—all packets are passed through.

Block All—all packets are blocked. In this case, the connection between Agent and Dr.Web Server might be blocked. It is recommended to test the rule set operation on a limited number of stations before distributing the settings to all the stations.

To switch quickly between filtering modes, you can create custom sets of filtering rules.

To set an existing set of rules as the default, select it in the list and click icon-new-check.

To edit an existing set of rules, select it in the list and click icon-new-edit.

To copy an existing set of rules, select it in the list and click icon-new-copy.

To remove an existing set of rules, select it in the list and click icon-new-delete.

To create a new set of rules

1. In the Rule sets window, click icon-new-add.

2. Enter the name of a new rule set.

3. Click Save. The Creating a new rule form appears.

4. Configure the necessary rule parameters.

Note

If the parameters of the rule are not saved, a new rule set is not created.

To configure a new rule

1. In the Rule sets window, select the rule set to which you want to add the rule.

2. In the Rules window, click icon-new-add to create a new rule. This opens a rule creation window for packet filters.

3. Configure the following parameters:

Parameter

Description

Rule name

The name of the created/edited rule.

Description

The rule description.

Action

The action for Firewall to perform when a packet is intercepted:

Allow packets—passes the packet through.

Block packets—blocks the packet.

Direction

The direction of the connection:

Inbound—the rule is applied when a packet is received from the network.

Outbound—the rule is applied when a packet is sent into the network from your computer.

Any—the rule is applied regardless of packet transfer direction.

Logging

The logging mode for the rule. This parameter defines which information should be stored in the log:

Disabled—no information is logged.

Headers only—log the packet header only.

Entire packet—log the whole packet.

Criterion

Filtering criterion. For example, transport or network protocol. To add a filtering criterion, select the necessary criterion from the Criteria list and transfer it to the left field using the arrow. You can add any number of filtering criteria. For certain criteria, there are additional parameters available:

Any—configures the rule for all remote hosts or ports.

Equal and Not equal—configures the rule for a certain address or port.

In range and Out of range—configures the rule for a range of addresses or ports (for example, 192.168.0.1-192.168.0.2).

Matches the mask and Does not match the mask—configures the rule for a mask of a certain subnetwork (for example, 192.168.1.0/255.255.255.0). Only for IPv4, IPv6, Ethernet.

Note

Masks cannot be used for MAC addresses. To add a new device, create a new rule or list the addresses of all devices, separated by commas without spaces.

Coincides with station IP address and Not coincides with station IP address—configures the rule for the IP address of a network interface. Only for IPv4, IPv6.

Coincides with station MAC address and Not coincides with station MAC address—configures the rule for the MAC address of a network interface. Only for Ethernet.

To delete a criterion, select it in the list and click icon-item-remove.

Note

If you do not add any criterion, the rule will allow or block all packets depending on the setting specified in the Action field.

Some filtering criteria are not compatible with the others. When you add/delete a criterion, only criteria that are compatible with the existing ones are shown in the Criteria list.

4. When you finish editing, click Save to save the changes.

Note

A packet must meet all the criteria of the rule for the rule action to be applied to the packet.

Enable and disable a rule

To enable a rule, select the check box to the left of its name.

To disable a rule, uncheck the box to the left of its name.

To change the order in which the rules are applied

1. Select the rule that you want to move.

2. Move the cursor to the area to the left of the option to enable or disable the rule.

3. Hold down the left mouse button and drag the rule to the top or bottom of the rules list.
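
The following added example (it is not part of the Dr.Web documentation or product code) models how a rule set decides on a packet, so that a rule set can be checked offline against the Agent to Dr.Web Server connection before it is distributed to stations. It assumes that the first matching enabled rule in list order decides and that unmatched packets are allowed; the packet fields, addresses, port and rule names are constructed for illustration.

```python
import ipaddress

def criterion(field, op, value=None):
    """One filtering criterion as a predicate over a packet dict."""
    negated = op.startswith(("not_", "out_"))
    def test(pkt):
        v = pkt[field]
        if op == "any":
            return True
        if op in ("equal", "not_equal"):
            hit = v == value
        elif op in ("in_range", "out_of_range"):      # e.g. 192.168.0.1-192.168.0.2
            conv = int if isinstance(v, int) else lambda s: int(ipaddress.ip_address(s))
            lo, hi = (conv(x) for x in value.split("-"))
            hit = lo <= conv(v) <= hi
        elif op in ("mask", "not_mask"):              # e.g. 192.168.1.0/255.255.255.0
            hit = ipaddress.ip_address(v) in ipaddress.ip_network(value)
        else:
            raise ValueError(f"unknown operator: {op}")
        return hit != negated
    return test

def rule(name, action, direction="any", criteria=(), enabled=True):
    return dict(name=name, action=action, direction=direction,
                criteria=list(criteria), enabled=enabled)

def verdict(rules, pkt, default="allow"):
    """The first enabled rule whose direction and ALL criteria match decides.
    First-match order and the no-match default are assumptions of this model."""
    for r in rules:
        if not r["enabled"] or r["direction"] not in ("any", pkt["direction"]):
            continue
        if all(c(pkt) for c in r["criteria"]):        # no criteria: matches every packet
            return r["action"], r["name"]
    return default, None

# Constructed sample data; substitute your own server address and port.
SERVER_IP, SERVER_PORT = "192.168.1.10", 2193
AGENT_TO_SERVER = {"direction": "outbound", "proto": "tcp",
                   "remote_ip": SERVER_IP, "remote_port": SERVER_PORT}
STRICT = [
    rule("allow-lan-dns", "allow", "outbound", [
        criterion("proto", "equal", "udp"), criterion("remote_port", "equal", 53),
        criterion("remote_ip", "mask", "192.168.1.0/255.255.255.0")]),
    rule("block-everything", "block"),                # behaves like the Block All set
]
FIXED = [rule("allow-server", "allow", "outbound", [
    criterion("proto", "equal", "tcp"), criterion("remote_ip", "equal", SERVER_IP),
    criterion("remote_port", "equal", SERVER_PORT)])] + STRICT
```

Calling verdict(STRICT, AGENT_TO_SERVER) shows the Agent connection falling through to the catch-all block rule, while verdict(FIXED, AGENT_TO_SERVER) shows it matched by the explicit allow rule placed first.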

To edit a rule

1. In the Rule sets window, select the rule set that you want to edit.

2. In the Rules window, select the rule from the list.

3. Click icon-new-edit. This opens a rule modification window.

4. Configure the rule parameters.

5. When you finish editing, click Save to save the changes.

6. To remove a rule, select it from the list and click icon-new-delete.

Network interfaces

Note

This setting is available only after a station is selected.

In the Network interfaces section, you can select a rule set to be used for filtering packets transmitted through a certain network interface.

To set rule sets for network interfaces, select the appropriate rule set for the required interface. If the appropriate rule set does not exist, you can create a new set of packet filtering rules.