The Pool Firewall is designed to limit access to specific folders. This is done by specifying an application (or process) and a target folder; a rule can name multiple processes and multiple folders. By default, when a mount point is created, a single rule is also created that allows both reading and writing of the entire mount point, so under the default rule any application can read and write to the mount point.
Default firewall settings
Tip - When setting up firewall rules, enable debug mode to log firewall processing. The log output can be viewed via the log files (blue entries), or via the Log option in the Manager.
The rules are denoted as "L" for list operations, "R" for read operations and "W" for write operations. A "+" indicates this is allowed, a "-" indicates it is not allowed. Clicking on the default rule, you can see it uses wildcards for allowed processes and folders.
Setting up a new rule
For this exercise, we are going to protect some text files located in a folder called "\My Safe Text Files".
For this, we need to add two new rules. The first will name the application (or process) that is allowed to read and write files in the folder "\My Safe Text Files". The second will allow only reading of files in "\My Safe Text Files"; it will specify a wildcard for the processes, so that it catches every process not already matched by the first rule for this folder.
Important - Rules are processed in the order they are listed. The default rule is automatically pushed to the end of the list when a new rule is added. If no earlier rule matches a given operation, the default rule (unless you have modified it) is processed and will allow access. When protecting a folder, it is therefore important to specify one rule for the processes that are allowed, and a second rule for all processes that denies write access to the same folder.
To create the first rule, select "Create new rule", then add a name; in this case we've called it "Allow Notepad", but you can call it what you like. Next, add the process "c:\windows\system32\notepad.exe" (enter the process name in the bottom textbox, then select "Add"). Next, add the folder we wish to protect, in this case "\My Safe Text Files". Finally, ensure the rule access level is set to "Write, read and list access", then select "Finished editing rule".
To create the second rule, select "Create new rule", then add a name; in this instance we've called it "Disallow Other". Next, add a wildcard for the processes, then add the same folder "\My Safe Text Files". Finally, select "Finished editing rule".
Once done you should have a rule list similar to this...
Finally, you must apply the rules to the mount point: select "Update firewall on server". Once done, it is important that you test the rules. Try editing a file under the folder "\My Safe Text Files" using Notepad; you should be able to open and save the file. Now try with WordPad or some other application; you should receive an access denied error.
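The rule list from the walkthrough above, modelled as an added example (not the product's own code) so the ordering point in the Important note can be checked offline. The evaluation semantics (first matching rule wins, "*" matches any process, a folder rule covers everything beneath it, no match at all means denied), the Rule class and the is_allowed function are assumptions for this model, not documented product behaviour.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


def _under(path: str, folder: str) -> bool:
    """True if path is the folder itself or lies somewhere beneath it."""
    p, f = PureWindowsPath(path), PureWindowsPath(folder)  # Windows paths compare case-insensitively
    return p == f or f in p.parents


@dataclass
class Rule:
    name: str
    processes: list      # full process paths; "*" = any process (the wildcard in the UI)
    folders: list        # folders relative to the mount point; "*" = whole mount point
    allow: str           # subset of "LRW": list, read, write

    def matches(self, process: str, path: str) -> bool:
        proc_ok = any(p == "*" or p.lower() == process.lower() for p in self.processes)
        folder_ok = any(f == "*" or _under(path, f) for f in self.folders)
        return proc_ok and folder_ok


def is_allowed(rules, process, path, op):
    """Walk the ordered list; the first rule matching process and folder decides.
    Returns (allowed, name of deciding rule). Assumption: no match means denied."""
    for rule in rules:
        if rule.matches(process, path):
            return op in rule.allow, rule.name
    return False, None


# Constructed rule list mirroring the walkthrough, default rule pushed to the end.
RULES = [
    Rule("Allow Notepad", [r"c:\windows\system32\notepad.exe"], [r"\My Safe Text Files"], "LRW"),
    Rule("Disallow Other", ["*"], [r"\My Safe Text Files"], "LR"),
    Rule("Default", ["*"], ["*"], "LRW"),
]

# The same list without "Disallow Other": the default rule now catches every other
# process and grants write access, which is the gap the Important note warns about.
RULES_MISSING_DENY = [RULES[0], RULES[2]]

if __name__ == "__main__":
    target = r"\My Safe Text Files\notes.txt"
    for proc in (r"c:\windows\system32\notepad.exe", r"c:\program files\windows nt\accessories\wordpad.exe"):
        print(proc, "write:", is_allowed(RULES, proc, target, "W"))
        print(proc, "write (deny rule missing):", is_allowed(RULES_MISSING_DENY, proc, target, "W"))
```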