This article is not for the masses; it is not about configuring personal firewalls such as the one in Windows XP or Zone Alarm. If you are considering setting up a firewall to protect your network, this article is for you.
Building firewall rules
Any firewall can be configured more weakly than it needs to be, giving hackers and others opportunities that should not exist. In fact, it is fairly common to find firewalls that are not outright misconfigured but can easily be tightened up without affecting users' ability to run their programs and go online. Generally speaking, the longer a firewall has been in operation, the more loose ends it is likely to have accumulated. You should review your settings regularly.
This article examines the considerations and options that should be reviewed when firewall rules are first set up, and again each time the settings are revisited.
Inbound and outbound settings
Most people think of a firewall as something that protects their computer or network from anyone trying to get in, so the inbound rules get the most attention. Windows XP's built-in firewall is an example: it filters inbound traffic only and allows all outgoing traffic. The firewall in Vista can do both, but by default only the inbound filter is configured, a step in the right direction but not enough. In my eyes this is a critical mistake that limits the usefulness of both XP's and Vista's firewalls. The firewall does protect against viruses and worms entering the machine in the first place, but if the machine becomes infected by other means (email, or infected files and documents), it can spread both viruses and worms without restriction. Protection against hackers is also weaker than it would be with a reasonable set of outbound rules.
The reason outbound rules are at least as important is found in the way hackers and worms often work. A vulnerability in your system is exploited to make your machine connect out to the attacker's machine, after which the attacker fetches the tools he needs onto your machine. Often the attacker can use Internet Explorer, or whatever browser is available, to retrieve data and tools, since a browser is present on most systems. If the attacker "only" has access to a command prompt (that is, he can type text commands on your computer), he can use ordinary FTP commands and connect to his own FTP server. In other words, it is not the attacker who breaks in; he gets your machine to break out. Had reasonable outbound rules been in place, that traffic could have been stopped at the firewall and the attack defeated.
Close gaps or open holes
Again we are at something really basic. Should we start by allowing everything, which is easy for both users and administrator, and then close the dangerous gaps? Or should we start by closing everything and then open only what is absolutely necessary? Microsoft has for years followed the first principle for the sake of ease of use, but there is no doubt that security is far better if you start with everything closed and open only what is positively necessary and reasonable. Make a positive list of what users need and allow that, instead of a negative list of what they should not have.
Rule order
The order of a firewall's rule list is very important; you can create unintended and genuine mistakes if you do not think it through carefully. The errors most often occur when rules are added later or existing rules are moved around, probably because you no longer have as good an overview of all the rules as you had when the settings were first made.
The problem arises because traffic is handled by the first rule that matches it, which is not necessarily the best rule. Basically there are two principles you can follow. You should always put the most specific rules first and the least specific last, and beyond that you can choose between optimising the firewall's performance or the applications' latency. If you place the most frequently used rules first, you optimise the rulebook for firewall performance. If you place first the rules that serve the most important applications, you optimise for those applications. Often the two can be combined, but it is always essential to check that you have not opened a hole for yourself by placing a less specific rule before a more specific one.
A relevant example: you have made a specific rule that allows only your DNS server to reach the IP address of your external DNS server, and only on port 53. Later you notice that the rule allowing all your machines to access everything on port 80 is used all the time, so you move it to the top of the rulebook. You have now created a hole in your rules, because your DNS server can now reach everything on port 80, and of course it should not: a DNS server has no business surfing the net, and if it does, something is seriously wrong. Most likely an attacker has control of it and may have used the browser to download his tools.
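The DNS server example above, worked through as an added first-match simulation (this is example code, not from the original article or any particular firewall product). The addresses, the rule names and the three-rule policy are constructed for illustration; "allows only" is modelled as a specific allow followed by a deny for everything else from the DNS server, with an implicit deny at the end of the list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source network (CIDR)
    dst: str             # destination network (CIDR)
    port: Optional[int]  # destination port; None matches any port
    action: str          # "allow" or "deny"

    def matches(self, src, dst, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.port is None or self.port == port))

    def overlaps(self, other):
        """True if some packet could match both rules."""
        return (ip_network(self.src).overlaps(ip_network(other.src))
                and ip_network(self.dst).overlaps(ip_network(other.dst))
                and (None in (self.port, other.port) or self.port == other.port))


def evaluate(rules, src, dst, port):
    """First matching rule wins; unmatched traffic falls to an implicit deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def overlap_report(rules):
    """For each pair of overlapping rules with different actions, report which
    one decides the shared traffic: always the one that appears first."""
    report = []
    for i, winner in enumerate(rules):
        for loser in rules[i + 1:]:
            if winner.action != loser.action and winner.overlaps(loser):
                report.append((winner.name, loser.name, winner.action))
    return report


# Constructed sample network: 10.0.0.0/24 is the LAN, 10.0.0.53 its DNS server,
# 198.51.100.1 the external DNS server (documentation ranges, not real hosts).
DNS_OUT = Rule("dns-out", "10.0.0.53/32", "198.51.100.1/32", 53, "allow")
DNS_ONLY = Rule("dns-only", "10.0.0.53/32", "0.0.0.0/0", None, "deny")
LAN_WEB = Rule("lan-web", "10.0.0.0/24", "0.0.0.0/0", 80, "allow")

ORIGINAL = [DNS_OUT, DNS_ONLY, LAN_WEB]    # specific rules first
REORDERED = [LAN_WEB, DNS_OUT, DNS_ONLY]   # busy port-80 rule moved to the top

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(label, evaluate(rules, "10.0.0.53", "203.0.113.10", 80), overlap_report(rules))
```

Running it shows the DNS server's port-80 traffic denied by "dns-only" in the original order and allowed by "lan-web" after the move; the overlap report makes the same pair visible in both orders, with the winner flipped.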