ZoneAlarm Help
How and Why Expert Rules are Written


This section explains how to decide which expert rules you need to write, and why.

Why they are Written


The reason you write expert rules is to control a program more tightly. Take a POP3 email client. These days you get a lot of HTML email that is also spam: ads for online pharmacies, miracle diets, adult sites and adult toys. You don't want those any more than I do, but you also get HTML email from friends and relatives who don't know better and can't remember that you asked them not to send it. So you want to let the emails come through, but you also want to filter things out. Creating expert rules for your email client lets you receive all your email and read it, but when the email client goes out to the net to fetch the "cool" graphics you don't need, it is blocked cold, along with web bugs and any script written to get around ad blockers. Basically you end up with a text email (still in HTML, so the formatting is as it was written) with everything else blocked.

There are many programs that do things you want to stop them from doing, that you want to keep from straying, or where you want to prevent an exploit from being taken advantage of. Writing program expert rules limits programs to exactly what you want them to do.

And you can use them to make your kids mad by adding a time period to them as well.

The How


One thing you need to know is how to use the tracking option. If you are unsure whether a rule is working, set its tracking option to log. I personally don't use alert and log much, as it can get really annoying depending on how much traffic there is. Then, after the rule should have fired, open zalog.txt and check whether it worked the way you wanted. That option is your choice. Once the rules are working the way they should, I recommend setting tracking to none, so you don't fill your logs with these entries.

The first rule I recommend in every set of program expert rules is a DNS rule. Put your DNS servers in the destination area, then go to the protocol section and add port 53 for both source and destination. This way the program always has access to the DNS servers without having to check whether it has permission.

The last rule you always need in a set of program expert rules is the blocking rule. All you need to do to create it is give it a name, set the action to block and click OK; that's it.

The rest of the rules are what's going to give you ulcers. For folks using Windows 2000 or newer it's almost easy to figure out. I use a program called Active Ports from www.protect-me.com. When run, it shows you the program name, the local and remote port, and the local and remote IP addresses. So all you have to do is run the program in question with no expert rules, write down that information and then write expert rules to match.

For Windows 98 and ME it's a lot harder. You will have to poke around on the internet for the protocols and ports that need to be opened before you can add them to an expert rule. You might get TCPView from Sysinternals to collect this information much the same way Active Ports does on the newer OSes.

Once you have written the expert rules and they are as good as you can make them, try them out. If they don't work, check zalog.txt to see whether something is being blocked. If you can't tell, go to the blocking rule, set its track option to log, and try again. Then look in the log once more. If something has been blocked, you need to decide whether you wrote a rule incorrectly or forgot something, and create a new rule to take care of the problem.
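To make the rule order concrete, here is an added example (Python; not code from this page or from ZoneAlarm) that models a set of program expert rules for the POP3 client described in the "Why" section: DNS rule first, allow rules built from the connections Active Ports would show, and a blocking rule last with tracking set to log. The rule fields, the constructed addresses (192.0.2.x and 203.0.113.x) and the log line format are assumptions of the model. One deliberate difference from the text: the model's DNS rule pins only the destination port 53, because the source port of an outgoing query is chosen by the operating system and is not 53.

```python
# Added example (not code from the page or from ZoneAlarm): a small model of an ordered set of
# program expert rules -- DNS rule first, application rules derived from observed connections,
# catch-all block last -- with the tracking option producing log lines like the ones you would
# check in zalog.txt.  Rule semantics, addresses and log format are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt by the program the rules belong to
    (the fields Active Ports / TCPView show: protocol, local port, remote IP, remote port)."""
    protocol: str        # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                    # "allow" or "block"
    protocol: Optional[str] = None                 # None matches either protocol
    remote_ips: Optional[FrozenSet[str]] = None    # None matches any destination host
    remote_ports: Optional[FrozenSet[int]] = None  # None matches any destination port
    track: str = "none"                            # "none", "log" or "alert_and_log"

    def matches(self, conn: Connection) -> bool:
        # Every field that is set must match; unset fields act as wildcards.
        if self.protocol is not None and self.protocol != conn.protocol:
            return False
        if self.remote_ips is not None and conn.remote_ip not in self.remote_ips:
            return False
        if self.remote_ports is not None and conn.remote_port not in self.remote_ports:
            return False
        return True


def dns_rule(dns_servers: List[str]) -> Rule:
    """The first rule of every set: let the program reach its DNS servers on port 53.
    Only the destination port is pinned, since the query's source port is chosen by the OS
    (an assumption of this model, see the lead-in)."""
    return Rule("DNS", "allow", remote_ips=frozenset(dns_servers), remote_ports=frozenset({53}))


def rules_from_observations(observed: List[Connection]) -> List[Rule]:
    """Turn connections seen while running the program with no rules into one allow rule per
    (protocol, remote host, remote port) -- what you would write down from Active Ports."""
    seen = sorted({(c.protocol, c.remote_ip, c.remote_port) for c in observed})
    return [Rule(f"{proto} {ip}:{port}", "allow", protocol=proto,
                 remote_ips=frozenset({ip}), remote_ports=frozenset({port}))
            for proto, ip, port in seen]


def build_ruleset(dns_servers: List[str], observed: List[Connection],
                  block_track: str = "log") -> List[Rule]:
    """DNS first, observed traffic next, a block rule last.  While testing, the block rule's
    tracking is set to log so that anything it catches shows up in the log."""
    return ([dns_rule(dns_servers)] + rules_from_observations(observed)
            + [Rule("Block everything else", "block", track=block_track)])


def evaluate(rules: List[Rule], conn: Connection, log: List[str]) -> str:
    """First matching rule wins; a tracked rule writes a zalog-style line.  With a block rule
    last, every connection matches something, so the final return is only a safety net."""
    for rule in rules:
        if rule.matches(conn):
            if rule.track != "none":
                log.append(f"{rule.track.upper()} rule={rule.name!r} action={rule.action} "
                           f"{conn.protocol} ->{conn.remote_ip}:{conn.remote_port}")
            return rule.action
    return "no-match"


def demo():
    """Constructed scenario: a POP3/SMTP client whose HTML mail must not fetch remote images."""
    dns_servers = ["192.0.2.53"]                     # constructed DNS server address
    observed = [                                     # constructed Active Ports output during a normal mail check
        Connection("tcp", 1034, "192.0.2.10", 110),  # POP3 to the mail server
        Connection("tcp", 1035, "192.0.2.10", 25),   # SMTP to the same server
    ]
    rules = build_ruleset(dns_servers, observed)
    log: List[str] = []
    results = {
        "dns":   evaluate(rules, Connection("udp", 1040, "192.0.2.53", 53), log),
        "pop3":  evaluate(rules, Connection("tcp", 1041, "192.0.2.10", 110), log),
        "image": evaluate(rules, Connection("tcp", 1042, "203.0.113.7", 80), log),  # remote image / web bug
    }
    return results, log


if __name__ == "__main__":
    decisions, entries = demo()
    print(decisions)
    for line in entries:
        print(line)
```

demo() returns the allow/block decision for each connection together with the log list; the single log line it produces is the one the blocking rule writes for the image fetch, which is exactly the kind of entry you would look for in zalog.txt before deciding whether a rule is missing or wrong.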

For those running Win2K and newer, one program will give you fits: Generic Host Process for Win32 Services. The reason it will give you fits is that Windows Update uses it to check for updates. I have tried writing a rule for it, but they keep changing their servers, so I have given up. The best thing you can do with GHP is add your DNS servers to the Trusted Zone, then give GHP Trusted Zone server rights and below. I am using Treewalk from www.ntcanuck.com: I set up expert rules for it and then pointed all my DNS lookups at it. This way I can control Treewalk with expert rules, and GHP no longer asks for server rights to the internet.
