Default firewall rules for Norton Internet Security and Norton Personal Firewall

Situation:
This document describes the default firewall rules for Norton Internet Security and Norton Personal Firewall.

Solution:
The Norton Internet Security and Norton Personal Firewall default firewall rules include System-Wide Rules, Trojan Horse Rules, and Application Rules. This document lists only the default System-Wide firewall rules and Trojan Horse firewall rules. The default rules, which are also known as preconfigured rules, are contained in the Firewall.dat file.

Differences in Norton Internet Security, Norton Internet Security Professional, and Norton Personal Firewall 2003
In Norton Internet Security, Norton Personal Firewall, and Norton Internet Security Professional 2003, the System-Wide Rules are named General Rules. Though the following table of System-Wide Rules applies to Norton Internet Security and Norton Personal Firewall 2002, most or all of the rules are also used in Norton Internet Security , Norton Internet Security Professional, and Norton Personal Firewall 2003.

In Norton Internet Security, Norton Internet Security Professional, and Norton Personal Firewall 2003, the following list of Trojan Horse Rules has been expanded to include more default Trojan Horse Rules.


System-Wide Rules
The following table lists the sixteen default System-Wide firewall rules.


Note: The following default rules are grouped by subject rather than by the order in which they are applied. The order in which they are applied is indicated by the number.


Subject: Network probing

Rule: Default Outbound ICMP (order applied: 2)
What it does: Allows the computer to send network-probing commands such as PING and TRACERT.
Consequences of removing or changing the rule: Network-probing commands such as PING and TRACERT fail. No command is sent over the network.

Rule: Default Inbound ICMP (order applied: 1)
What it does: Allows the computer to receive responses to network-probing commands such as PING and TRACERT that were sent from this computer.
Consequences of removing or changing the rule: Network-probing commands such as PING and TRACERT fail. No response is received at the computer.

Rule: Default Block Inbound and Outbound ICMP (order applied: 11)
What it does: Prevents this computer from sending or receiving messages that use the ICMP protocol unless those messages are specifically permitted by other firewall rules.
Consequences of removing or changing the rule: Network-probing commands such as PING and TRACERT fail.

Subject: Name resolution

Rule: Default Outbound DNS (order applied: 4)
What it does: Allows the computer to send DNS queries.
Consequences of removing or changing the rule: Removing this rule causes DNS to fail. To increase security without removing the rule, change the rule to allow the computer to send DNS queries only to the user's primary DNS server.

Rule: Default Inbound DNS (order applied: 3)
What it does: Allows the computer to receive responses to DNS requests.
Consequences of removing or changing the rule: Removing this rule causes DNS to fail. To increase security without removing the rule, change the rule to allow the computer to receive responses to only those DNS requests that are sent from the user's primary DNS server.

Rule: Default Inbound NetBIOS Name (order applied: 5)
What it does: Prevents NetBIOS requests from finding the name of the local computer. NetBIOS cannot find the computer name by sending a query to the local computer.
Consequences of removing or changing the rule: Another computer can use NetBIOS to identify the computers that are on the network.

Subject: Assigning an IP address

Rule: Default Outbound Bootp (order applied: 14)
What it does: Allows the computer to send a request to the BootP or DHCP server for a dynamic IP address that is for the local computer.
Consequences of removing or changing the rule: Computer cannot obtain an IP address from the Bootp or DHCP server, and must use a static IP address instead. If the computer does not have a static IP address, the computer cannot receive subsequent communications from the server.

Rule: Default Inbound Bootp (order applied: 13)
What it does: Allows the computer to receive responses from the BootP or DHCP server regarding the local computer's request for a dynamic IP address.
Consequences of removing or changing the rule: Computer cannot obtain an IP address from the Bootp or DHCP server, and must use a static IP address instead. If the computer does not have a static IP address, the computer cannot receive subsequent communications from the server.

Subject: File and print sharing

Rule: Default Inbound NetBIOS (order applied: 6)
What it does: Prevents other computers from accessing shared files that are on this computer. Also prevents other computers from using shared printers that are attached to this computer. Shared files are files that have been marked in Windows Explorer as shared or files that are in folders that have been marked as shared. Shared printers are printers that have been marked in Windows as shared.
Consequences of removing or changing the rule: Other computers can access some or all of the shared files. Other computers can use the printer that is attached to the local computer.

Rule: Default Outbound NetBIOS (order applied: 7)
What it does: Allows this computer to access shared files that are on other computers. Allows this computer to use a shared printer that is attached to another computer. Note that the Default Outbound NetBIOS rule at this computer will not override a Default Inbound NetBIOS rule that is at the other computer. That is, the user cannot use this rule to gain access to a shared file or printer at another computer that is using the Default Inbound NetBIOS rule.
Consequences of removing or changing the rule: Prevents users at this computer from accessing shared files or shared printers that are at other computers, or prompts the user. The prompt allows the user to permit or disallow the communication, or to create a rule that allows the communication.

Rule: Block Windows File Sharing (order applied: 12)
What it does: Prevents other computers from accessing shared files that are on this computer. Also prevents other computers from using shared printers that are attached to this computer. When this rule is moved up in the rules list so that it is applied before other rules regarding file and print sharing, this rule provides an easy method to turn file and print sharing on or off.
Consequences of removing or changing the rule: Unless another rule specifically blocks file and print sharing, removing or modifying this rule permits other computers to access shared files that are at this computer and to use printers that are attached to this computer, or Norton Internet Security or Norton Personal Firewall prompts the user. The prompt allows the user to permit or disallow the communication, or to create a rule that allows the communication.

Rule: Default Block Microsoft Windows 2000 SMB (order applied: 15)
What it does: SMB is a Microsoft Windows feature that can be used to provide an alternate method for file and print sharing. This rule prevents SMB from being used to permit file and print sharing.
Consequences of removing or changing the rule: SMB can be used to allow file and print sharing, or Norton Internet Security or Norton Personal Firewall prompts the user. The prompt allows the user to permit or disallow the communication, or to create a rule that allows the communication.

Subject: Local communications

Rule: Default Outbound Loopback (order applied: 9)
What it does: Allows the computer to send messages to itself by means of a loopback mechanism, which uses the IP protocol.
Consequences of removing or changing the rule: A significant number of programs use the IP protocol to communicate between processes on the computer. These programs fail or display error messages, or Norton Internet Security or Norton Personal Firewall prompts the user. The prompt allows the user to permit or disallow the communication, or to create a rule that allows the communication.

Rule: Default Inbound Loopback (order applied: 8)
What it does: Allows the computer to receive the messages that it sends to itself by means of a loopback mechanism, which uses the IP protocol.
Consequences of removing or changing the rule: A significant number of programs use the IP protocol to communicate between processes on the computer. These programs fail or display error messages, or Norton Internet Security or Norton Personal Firewall prompts the user. The prompt allows the user to permit or disallow the communication, or to create a rule that allows the communication.

Subject: Access to Secure Web sites

Rule: Block access to secure sites (order applied: 10)
What it does: Secure Web sites use special privacy protections so that information sent to those Web sites (such as the information you provide when filling out a form) is protected from being accessed by others. Secure Web sites use a URL that begins with https rather than http. This rule does not prevent access to secure Web sites. It blocks outbound privacy information. The rule is created when you choose the Norton Internet Security or Norton Personal Firewall option "Enable secure http connections."
Consequences of removing or changing the rule: The computer can access secure Web sites.

Subject: Remote control of local services

Rule: Default Block EPMAP (order applied: 16)
What it does: EPMAP is a protocol that can be used by one computer to change the configuration of the services that are running at another computer. This rule prevents EPMAP from modifying the services that are at the local computer.
Consequences of removing or changing the rule: Another computer that uses EPMAP can change the configuration of services that are at the local computer, or Norton Internet Security or Norton Personal Firewall prompts the user. The prompt allows the user to permit or disallow the communication, or to create a rule that allows the communication.



Application rules
The default Application Rules are too numerous to list in a single document.

Norton Internet Security and Norton Personal Firewall do not install all the default Application Rules on your computer. Instead, Norton Internet Security and Norton Personal Firewall only install default Application Rules for applications that Norton Internet Security or Norton Personal Firewall detects on your computer.

To see the Application Rules that have been installed for your computer, open Norton Internet Security or Norton Personal Firewall, click Personal Firewall, and click Internet Access Control. The table lists each application that Norton Internet Security or Norton Personal Firewall has installed a rule for, and any rules that you added or had Norton Internet Security or Norton Personal Firewall add automatically.


Trojan Horse Rules
These are the 64 default Trojan horse firewall rules (in the order that they are processed):

Default Block Back Orifice 2000 Trojan horse
Default Block NetBus Trojan horse
Default Block GirlFriend Trojan horse
Default Block WinCrash Trojan horse
Default Block DeepThroat Trojan horse
Default Block Hack 'A' Tack Trojan horse
Default Block Backdoor/SubSeven Trojan horse
Default Block Master Paradise Trojan horse
Default Block Bla Trojan horse
Default Block Donald Dick Trojan horse
Default Block Portal of Doom Trojan horse
Default Block NetSphere Trojan horse
Default Block NetMonitor Trojan horse
Default Block TransScout
Default Block Doly Trojan horse
Default Block FC Infector Trojan horse
Default Block Dmsetup Trojan horse
Default Block FireHotcker Trojan horse
Default Block RASmin Trojan horse
Default Block Stealth Spy Trojan horse
Default Block Attack FTP
Default Block Dark Shadow Trojan horse
Default Block Silencer Trojan horse
Default Block Netspy Trojan horse
Default Block Extreme Trojan horse
Default Block Ultor's Trojan horse
Default Block Whack-a-Mole Trojan horse
Default Block WhackJob Trojan horse
Default Block FTP99CMP Trojan horse
Default Block Shiva Burka Trojan horse
Default Block Spy Sender Trojan horse
Default Block ShockRave Trojan horse
Default Block Remote Explorer Trojan horse
Default Block Trojan Cow Trojan horse
Default Block Ripper Trojan horse
Default Block Bugs Trojan horse
Default Block Striker Trojan horse
Default Block Phinneas Phucker Trojan horse
Default Block Rat Trojan horse
Default Block Filenail Trojan horse
Default Block Sokets de Trois v1. Trojan horse
Default Block Blade Runner Trojan horse
Default Block SERV-Me Trojan horse
Default Block BO-Facil Trojan horse
Default Block Robo-Hack Trojan horse
Default Block 'The Thing' Trojan horse
Default Block Indoctrination Trojan horse
Default Block GateCrasher Trojan horse
Default Block Priority Trojan horse
Default Block Remote Grab Trojan horse
Default Block ICKiller Trojan horse
Default Block iNi Killer Trojan horse
Default Block Acid Shivers Trojan horse
Default Block COMA Trojan horse
Default Block Senna Spy Trojan horse
Default Block Progenic Trojan horse
Default Block GJammer Trojan horse
Default Block Keylogger Trojan horse
Default Block Proziack Trojan horse
Default Block EvilFTP, UglyFTP Trojan horse
Default Block Delta Source Trojan horse
Default Block Trin00 DDoS Trojan horse
Default Block SubSeven 2.1/2.2 Trojan horse
Default Block QaZ Trojan horse


Technical Information:
More information
By default, Norton Internet Security and Norton Personal Firewall block some or all communications to and from your computer that go over the Internet or a network. How much is blocked by default depends on the choices you make for Personal Firewall Settings (the choices are High, Medium, and Minimal) and for additional settings such as Privacy Control, Ad Blocking, and Productivity Control. Note that some of the additional settings are not available in all Norton Internet Security and Norton Personal Firewall versions.

Personal Firewall Settings
Your choice of Personal Firewall Settings determines which firewall rules are applied by default. Firewall rules include System-Wide rules, Application rules, and Trojan Horse rules, which are applied in the order listed.

High blocks all communications to and from the computer with the following exceptions:


When a communication is not specifically described by an existing firewall rule, Norton Internet Security and Norton Personal Firewall use an implicit block rule that blocks the communication unless you specify whether to permit or disallow the communication, or to create a rule for that communication. That is, if the communication is not specifically permitted by an existing firewall rule and does not trigger a Norton Internet Security or Norton Personal Firewall alert, then Norton Internet Security or Norton Personal Firewall blocks the communication.

Note that when you use High and you remove all the system-wide firewall rules, the result is that Norton Internet Security and Norton Personal Firewall block more communications rather than fewer, because you removed rules that specifically permit commonly used communication types.

Medium blocks only those communications that use a port that is typically used by Trojan horses. Depending on the individual Trojan horse rule, this setting may prompt for whether to permit, disallow, or create a rule for that port.

Low does not block communications, and does not display a prompt for each communication.
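The two points above, first-match evaluation in the "Order Applied" sequence and the implicit block rule under the High setting, can be made concrete with a small simulation. The following is an added example written for this page; it is not Symantec code and does not reflect the format of Firewall.dat. The port numbers and ICMP types are standard protocol assignments assumed here (the article does not list them), and rule 10 (Block access to secure sites) is left out because it filters form content rather than packets. It shows why removing every System-Wide rule under High blocks DNS rather than opening it up.

```python
"""Toy first-match model of the default System-Wide firewall rules.

Added illustration, not Symantec code. Rule order follows the
"Order Applied" column of the KB table. Ports and ICMP types are
standard assignments assumed for this model; the KB article itself
does not state them. Rule 10 is omitted (it is not a packet filter).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                      # "in" or "out"
    proto: str                          # "icmp", "udp" or "tcp"
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None     # only meaningful when proto == "icmp"
    loopback: bool = False              # True for traffic the host sends to itself


@dataclass(frozen=True)
class Rule:
    order: int
    name: str
    action: str                         # "permit" or "block"
    direction: Optional[str] = None     # None matches either direction
    proto: Optional[str] = None         # None matches any protocol
    local_ports: FrozenSet[int] = frozenset()   # empty set matches any port
    remote_ports: FrozenSet[int] = frozenset()
    icmp_types: FrozenSet[int] = frozenset()    # empty set matches any type
    loopback: Optional[bool] = None     # None: loopback or not

    def matches(self, p: Packet) -> bool:
        return (
            (self.direction is None or self.direction == p.direction)
            and (self.proto is None or self.proto == p.proto)
            and (not self.local_ports or p.local_port in self.local_ports)
            and (not self.remote_ports or p.remote_port in self.remote_ports)
            and (not self.icmp_types or p.icmp_type in self.icmp_types)
            and (self.loopback is None or self.loopback == p.loopback)
        )


def F(*ports: int) -> FrozenSet[int]:
    return frozenset(ports)


# Assumed ports: DNS 53/udp, NetBIOS 137-139, SMB 445/tcp, EPMAP 135/tcp,
# BOOTP/DHCP 67 (server) and 68 (client). ICMP types 0, 3 and 11 are the
# reply/error messages a PING or TRACERT expects back.
SYSTEM_WIDE_RULES: List[Rule] = sorted([
    Rule(1, "Default Inbound ICMP", "permit", "in", "icmp", icmp_types=F(0, 3, 11)),
    Rule(2, "Default Outbound ICMP", "permit", "out", "icmp"),
    Rule(3, "Default Inbound DNS", "permit", "in", "udp", remote_ports=F(53)),
    Rule(4, "Default Outbound DNS", "permit", "out", "udp", remote_ports=F(53)),
    Rule(5, "Default Inbound NetBIOS Name", "block", "in", "udp", local_ports=F(137)),
    Rule(6, "Default Inbound NetBIOS", "block", "in", local_ports=F(138, 139)),
    Rule(7, "Default Outbound NetBIOS", "permit", "out", remote_ports=F(137, 138, 139)),
    Rule(8, "Default Inbound Loopback", "permit", "in", loopback=True),
    Rule(9, "Default Outbound Loopback", "permit", "out", loopback=True),
    Rule(11, "Default Block Inbound and Outbound ICMP", "block", proto="icmp"),
    Rule(12, "Block Windows File Sharing", "block", "in", local_ports=F(137, 138, 139, 445)),
    Rule(13, "Default Inbound Bootp", "permit", "in", "udp", local_ports=F(68)),
    Rule(14, "Default Outbound Bootp", "permit", "out", "udp", remote_ports=F(67)),
    Rule(15, "Default Block Microsoft Windows 2000 SMB", "block", "in", "tcp", local_ports=F(445)),
    Rule(16, "Default Block EPMAP", "block", "in", "tcp", local_ports=F(135)),
], key=lambda r: r.order)


def evaluate(rules: List[Rule], p: Packet, default_action: str = "block") -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule.

    Traffic that no rule describes falls through to the implicit rule:
    "block" models the High setting, "permit" models Minimal.
    """
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return default_action, "implicit rule"


def without(rules: List[Rule], *names: str) -> List[Rule]:
    """Copy of the rule list with the named rules removed."""
    return [r for r in rules if r.name not in names]


if __name__ == "__main__":
    dns_query = Packet("out", "udp", local_port=49152, remote_port=53)   # constructed sample
    print(evaluate(SYSTEM_WIDE_RULES, dns_query))   # ('permit', 'Default Outbound DNS')
    print(evaluate([], dns_query))                  # ('block', 'implicit rule')
```

Running the block prints the two outcomes that the text contrasts: with the default rules in place the DNS query is permitted by rule 4, and with all System-Wide rules removed the same query reaches the implicit rule and is blocked. Inbound ICMP echo requests are blocked by rule 11 while echo replies are permitted by rule 1, which is exactly the asymmetry the Network probing rows describe.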



Document ID: 2001023451590766
Last Modified: 06/08/2004
Date Created: 09/26/2001
Operating System(s): Windows 98, Windows 98 SE, Windows Me, Windows NT 4.0 Workstation, Windows 2000 Professional, Windows XP Professional, Windows XP Home Edition
Product(s): Norton Internet Security 2002 4.0, Norton Personal Firewall 2002 4.0