Experimental rule set for -NiCeGuY-
Climenole
May 10th, 2007, 11:13 AM
Hi -NiCeGuY- :)
You asked me for a copy of my experimental rule set. I'm glad to see you so deeply interested in learning LNS in general and my "experimental rules".
Here are some preliminary explanations about the rule set and the codes used in rule names and rule descriptions.
One of the most frequent questions about firewall rule sets is: "Where do I put that rule in the list?" I'll try to find a solution by adding to each rule name a code giving the relative position of the rule in the list.
The general syntax for the rule name will be easy to understand with this example of a rule for basic web browsing:
Name of the rule:
{R. 80,01}; [TCP] { HTTP }
Description of the rule:
[S/optional: else {S..0000000} or G]
[Hyper Text Transfer Protocol]
Firefox, Opera, IE
The "{R. 80,01}" means: a rule in the rule subset R, remote port 80, one remote port only.
The "; [TCP] { HTTP }" means: a rule using the TCP protocol (the "Transport layer" of the TCP/IP protocols) and using the port related to HTTP (the "Application layer" of the TCP/IP protocols).
The description "[S/optional: else {S..0000000} or G]" means: this is a specific rule (at least one program must be included in this rule; otherwise the more general rule {S..0000000} will be used instead).
The "or G" means: you may leave it as a general rule anyway... :o
[This will be clearer later...]
There is another coded indication in the rule name:
{{ rule name }} means: packets authorised in and out for a general rule
{ rule name } means: packets authorised in and out for a specific rule
{{ rule name } means: packets authorised incoming only
{ rule name }} means: packets authorised outgoing only
<< rule name ! >> means: packets blocked in and out
<< rule name ! > means: packets blocked incoming only
< rule name ! >> means: packets blocked outgoing only
In the rule description there are also some codes:
G = general rule, or for any program
S = specific rule: at least one program must be listed in that rule
(this is mandatory for server rules and UDP rules...) [Exception: the DNS rule...]
S/C means a specific rule that must be configured: most of the time the port used in the rule must also be configured in the program, like uTorrent for example. Etc. [corrected May 10, 20:00 h !!!]
u+e = if needed, this rule must be unblocked (remove the red dot) and enabled (check the first column...)
experimental = self-explanatory. This rule was not fully tested and may require some fixes...
recommended: not a mandatory rule, but it's better to have it.
mandatory: you must have this rule!
optional: mostly for TCP applications. Normally TCP applications use the general rule "{S..0000000}; [TCP] {{ Common Internet Applications }}" and you don't need more. Use these rules if you want to.
testing: some rules are created for testing or learning. This is for "geek" fun!!! Mostly about the TCP flags used in connections. See rules
{S. 0}; [TCP] {{ ACK }} to {S. 7}; [TCP] {{ RST }}.
Needed: rule for a server or for the UDP protocol. The rule must be specific!!!
:)
Climenole
May 10th, 2007, 11:23 AM
Hi -NiCeGuY- :)
Here is an overview of the rules and rule "subsets":
The rule subset A concerns all rules used locally, not between your PC and the Internet. Most of them are simply the same rules found in the official LNS FAQ.
One rule for ARP, some rules for PC authorisation with a raw rule (one rule per PC), rules for IGMP and routers, connection sharing rules, NetBIOS rules (UDP and TCP), DHCP, file sharing and Virtual Private Network...
None of these rules was fully tested here, and they may require some work from you if you need them.
Climenole
May 10th, 2007, 11:26 AM
Hi -NiCeGuY- :)
Here is subset B: IP addresses not routable over the Internet.
They are illegal (IPs ending with 0 or 255) or reserved for local use only, etc.
All incoming packets of any type, protocol and so on are blocked!
Climenole
May 10th, 2007, 11:28 AM
Hi -NiCeGuY- :)
Here is the C subset: ICMP rules...
Climenole
May 10th, 2007, 11:29 AM
Hi -NiCeGuY- :)
Here is the E subset (no D or F): TCP and UDP abnormal packets.
Climenole
May 10th, 2007, 11:31 AM
Hi -NiCeGuY- :)
Here are the G and H subsets:
G for the DNS rule and H for abnormal / illegal TCP packets.
The last one, for ACK RST, may be removed... (This was for testing only: some side effects...)
Climenole
May 10th, 2007, 11:33 AM
Hi -NiCeGuY- :)
Here is the P subset: some server rules for an FTP server and an FTPS server (these two not fully tested) and other server rules for Ident, P2P and Skype (fully tested).
Climenole
May 10th, 2007, 11:36 AM
Hi -NiCeGuY- :)
Here is the mandatory rule to block all incoming TCP packets with the SYN flag: the Q subset.
All server rules must be placed before this rule; all client rules must be placed after this rule.
This mandatory rule blocks all connection attempts to your PC by worms like Sasser, Blaster and so on...
Climenole
May 10th, 2007, 11:41 AM
Hi -NiCeGuY- :)
The R subset:
Here is a set of specific and optional rules.
At least one program is added to each rule.
So check each of these rules on your system to add or remove programs...
E.g. in the HTTP, HTTPS and HTTP alt. rules, I put Firefox, Opera and IE.
If you're using only Firefox you may remove the others from the list in these rules... Sometimes you have to remove all programs included in the list, save, and add them again...
Climenole
May 10th, 2007, 11:43 AM
Hi -NiCeGuY- :)
Here is the S subset:
The first general rules (S.0 to S.7) are only for fun.
The only one needed is the {S..0000000}; [TCP] {{ Common Internet Applications }}.
For TCP programs, this is the only required rule.
I put the range 1 to 65535 as the local port to fit Windows XP, Windows XP SP2 file sharing and Vista.
Climenole
May 10th, 2007, 11:46 AM
Hi -NiCeGuY- :)
Here is the T subset: rules for applications using UDP.
It is mandatory to have specific rules if it's UDP.
Some rules use a specific local port, like the rule {T.21047,10}; [UDP] { Skype }
port 21047, 1 local port, all remote...
Etc.
Climenole
May 10th, 2007, 11:54 AM
Hi -NiCeGuY- :)
And finally, last but not least, the subsets X, Y, Z,
and the rule set,
plus the list "lns_known_tcp_ports.txt".
(Make a backup copy of the original list and replace it with this one.
The changes appear after rebooting...)
{X. 9998}; [UDP] < Outgoing UDP Forbidden ! >>
is a warning of a "T" rule to be created or modified,
and
{X. 9999}; [TCP] < Outgoing TCP Forbidden ! >>
is a warning of a too restrictive "P", "S" or "R" rule
[port(s), address(es)...]
For the rule set, rename it by removing the .TXT
Have fun !!! ;D
EDIT: May 11, 2007, 21:30 EST
The rule name:
{A. 72}. [Local] [UDP] { DHCP Offer/Pack }
must be corrected to
{A. 72}. [Local] [UDP] { DHCP Offer/Ack }
Sorry for this mistake. ::)
EDIT: May 11, 2007, 21:56 EST
Spelling error in the {A. 72} rule is fixed!
;)
EDIT: May 13, 2007, 22:33 EST
In order to have access to your router configuration and avoid blocking by one of the B subset rules,
I created a new rule based on the tests done by the user -NiCeGuY-.
{A. 90}; [Local] [TCP] {{Router configuration }}
[G/Recommended] -NiCeGuY- Tested !
Router configuration access
192.168.2.1 <-- enter the IP addr. of your router
This rule must be modified to fit your router config.
Here, in this example, the addr. is 192.168.2.1.
:)
lookcity
May 11th, 2007, 01:23 AM
Great work!
Both the rule set and the description are nice.
Thank you very much, Climenole.
Best regards.
-NiCeGuY-
May 11th, 2007, 05:57 AM
WOHOOOOOOOOOOOO, great!
Thank you very much, Climenole, appreciate it ;D
I have a very high regard for your abilities. 8) ;)
Climenole
May 11th, 2007, 06:39 AM
Hi lookcity :)
Thank you.
Questions are welcome too...
Best regards
:)
Climenole
May 11th, 2007, 06:42 AM
Hi -NiCeGuY- :)
Thank you.
If you have any question about the rule set, don't hesitate to ask.
Have a nice day.
:)
-NiCeGuY-
May 11th, 2007, 08:35 PM
Hi, Climenole :)
Alright, the first question is coming lol
I have 4 DHCP rules. My router gateway = 192.168.2.1,
created as this:
[DHCP rule 1]
Direction: inbound & outbound
Ethernet Type: IP V4
Protocol: UDP
Frag. Offset: Equal 0
IP Address: Equal my @
port: 68
remote ip:192.168.2.1
remote port: 67
[DHCP rule 2]
Direction: inbound
Ethernet Type: IP V4
Protocol: UDP
Frag. Offset: Equal 0
IP Address: 192.168.2.1
port: 67
remote ip:255.255.255.255
remote port: 68
[DHCP rule 3]
Direction: outbound
Ethernet Type: IP V4
Protocol: UDP
Frag. Offset: Equal 0
Frag. Flags: !DF+!MF
IP Address: 0.0.0.0
port: 68
remote ip:255.255.255.255
remote port: 67
[DHCP rule 4]
Direction: outbound
Ethernet Type: IP V4
Protocol: UDP
Frag. Offset: Equal 0
Frag. Flags: !DF+!MF
IP Address: Equal my @
port: 68
remote ip:255.255.255.255
remote port: 67
These 4 DHCP rules, are they the same as your DHCP rules? Can I replace them?
See picture ~
http://i128.photobucket.com/albums/p182/niceguy_hk/b8a247fd.jpg
Your DHCP rule {A. 70} [Local] [UDP] { DHCP }
Direction: inbound & outbound
Ethernet Type: IP
Protocol: UDP
Frag. Offset: all
Frag. Flags: all
IP Address: all
port: 67-68
remote ip: all
remote port: 67-68
Your DHCP rule {A. 71} [Local] [UDP] { DHCP Discover/Request }
Direction: inbound & outbound
Ethernet Type: IP V4
Protocol: UDP
Frag. Offset: all
Frag. Flags: all
IP Address: 0.0.0.0
port: 68
remote ip: 255.255.255.255
remote port: 67
Your DHCP rule {A. 71} [Local] [UDP] { DHCP Offer/Pack }
Direction: inbound & outbound
Ethernet Type: IP V4
Protocol: UDP
Frag. Offset: all
Frag. Flags: all
IP Address: Equal 192.168.1.1 or 0.0.0.0
port: 67
remote ip: 255.255.255.255
remote port: 68
The second question: it's my gateway's IP connecting to port 137, why did it get blocked?
Blocked by this rule --> {B. 07}; [ALL] << Non-routable IP ! >
http://i128.photobucket.com/albums/p182/niceguy_hk/365b05b8.jpg
The third question: aren't there Anti-MAC Spoofing & Anti-IP Spoofing rules in your rule set? If so, which one?
If not, do I need to add them, and where do I place them?
http://i128.photobucket.com/albums/p182/niceguy_hk/95cecb86.jpg
Sorry for so many questions :P
Thanks for replying
Climenole
May 11th, 2007, 09:29 PM
Hi -NiCeGuY- :)
The "DHCP rule {A. 70} [Local] [UDP] { DHCP }" is a "generic" rule for DHCP.
Actually the simplest possible.
I suggest you use that one as a first step (disable the others) and check what the entries in your log are.
Based on these entries you will be able to modify the other DHCP rules accordingly.
Presently you have 4 rules. Why not?
Actually the DHCP process has 4 steps:
--------------------------------------------------------------------------
1- Discover: Src=0.0.0.0 Port=68 Dest=255.255.255.255 Port=67
Here the client (the PC) sends a broadcast on the network to find the DHCP server. Then:
2- Offer: Src=192.168.1.1 Port=67 Dest=255.255.255.255 Port=68
Here it's the server (with the IP addr. 192.168.1.1 in this example).
The DHCP server sends the client PC an IP addr. like "192.168.1.2", for example.
3- Request: Src=0.0.0.0 Port=68 Dest=255.255.255.255 Port=67
Here the client (the PC) accepts the IP proposed by the DHCP server.
In this example: "192.168.1.2".
0.0.0.0 means any address...
4- Acknowledgement: Src=192.168.1.1 Port=67 Dest=255.255.255.255 Port=68
Here the client (PC) with its accepted IP addr. (here "192.168.1.2") accepts and transmits the acknowledgement to the DHCP server...
[Please note that the rule was written {A. 72}. [Local] [UDP] { DHCP Offer/Pack }
instead of {A. 72}. [Local] [UDP] { DHCP Offer/Ack } :o]
These are the 4 theoretical DHCP steps. So I created 3 rules:
The generic one to study the entries in the log, and two experimental rules to be modified according to the entries found.
I guess it's possible to reduce the 4 steps to 2 rules.
The Discover and Request have similar parameters:
- Src=0.0.0.0 Port=68
- Dest=255.255.255.255 Port=67
So we have to put packets in and out for this combined rule...
The Offer and Acknowledgement also have similar parameters:
- Src=192.168.1.1 Port=67
- Dest=255.255.255.255 Port=68
Here also we have to put packets in and out.
--------------------------------------------------------------------------
Another experiment is to use these 4 rules (and disable the other ones) and check the log again to see if it's possible to simplify to a smaller number of rules.
I hope my answer gives you some light (not confusion) about DHCP.
1 generic rule, 2 combined rules or your four rules?
Choose the best for you. (And tell me which one(s)...)
Feedback, questions and comments are always appreciated.
Take care.
:)
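As an added illustration (not Climenole's rule file nor NiCeGuY's screenshots), the following Python script models the four DHCP packets from the table above and checks which rule accepts each one under the three layouts discussed: the generic {A. 70} rule, the two combined rules, and one rule per step. The server address 192.168.1.1 and the offered address 192.168.1.2 come from the post; the rogue Offer from 192.168.1.50 is a constructed packet used to show what the generic rule lets through.

```python
"""Which DHCP rule variant covers which packet of the four-step exchange.

Added example: rules and packets are transcribed from the forum post
(server 192.168.1.1, client offered 192.168.1.2).  Candidate rule sets:
  - generic  : {A. 70}, any IP, local and remote port 67-68
  - combined : Discover+Request merged, Offer+Ack merged
  - four     : one rule per step
The Offer from 192.168.1.50 (a host that is not the gateway) is constructed.
"""
from dataclasses import dataclass

DHCP_SERVER = "192.168.1.1"   # from the post's example
ANY = "*"
BOTH = frozenset({"in", "out"})
P67_68 = range(67, 69)


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the PC
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    directions: frozenset   # {"in"}, {"out"} or {"in", "out"}
    src: str                # exact IP, or ANY
    sports: range
    dst: str
    dports: range

    def matches(self, p: Packet) -> bool:
        return (p.direction in self.directions
                and self.src in (ANY, p.src)
                and p.sport in self.sports
                and self.dst in (ANY, p.dst)
                and p.dport in self.dports)


# The four steps exactly as written in the post.
EXCHANGE = [
    ("Discover", Packet("out", "0.0.0.0", 68, "255.255.255.255", 67)),
    ("Offer",    Packet("in",  DHCP_SERVER, 67, "255.255.255.255", 68)),
    ("Request",  Packet("out", "0.0.0.0", 68, "255.255.255.255", 67)),
    ("Ack",      Packet("in",  DHCP_SERVER, 67, "255.255.255.255", 68)),
]
# Constructed: an Offer from a host that is not the DHCP server.
ROGUE_OFFER = Packet("in", "192.168.1.50", 67, "255.255.255.255", 68)

RULE_SETS = {
    "generic": [
        Rule("{A. 70} DHCP", BOTH, ANY, P67_68, ANY, P67_68),
    ],
    "combined": [
        Rule("{A. 71} Discover/Request", BOTH, "0.0.0.0", range(68, 69),
             "255.255.255.255", range(67, 68)),
        Rule("{A. 72} Offer/Ack", BOTH, DHCP_SERVER, range(67, 68),
             "255.255.255.255", range(68, 69)),
    ],
    "four": [
        Rule("Discover", frozenset({"out"}), "0.0.0.0", range(68, 69),
             "255.255.255.255", range(67, 68)),
        Rule("Offer", frozenset({"in"}), DHCP_SERVER, range(67, 68),
             "255.255.255.255", range(68, 69)),
        Rule("Request", frozenset({"out"}), "0.0.0.0", range(68, 69),
             "255.255.255.255", range(67, 68)),
        Rule("Ack", frozenset({"in"}), DHCP_SERVER, range(67, 68),
             "255.255.255.255", range(68, 69)),
    ],
}


def covering_rule(rules, packet):
    """Name of the first rule in the list that accepts the packet, else None."""
    for r in rules:
        if r.matches(packet):
            return r.name
    return None


def coverage(rule_set_name):
    """Map each DHCP step (plus the rogue Offer) to the rule that accepts it."""
    rules = RULE_SETS[rule_set_name]
    result = {step: covering_rule(rules, pkt) for step, pkt in EXCHANGE}
    result["RogueOffer"] = covering_rule(rules, ROGUE_OFFER)
    return result


if __name__ == "__main__":
    for name in RULE_SETS:
        print(name, coverage(name))
```

Run it and the generic rule accepts every packet, including the Offer from 192.168.1.50, because it pins neither IP; the combined and per-step rules accept the four real steps and nothing else. The per-step list also shows why merging is harmless: Discover and Request have identical fields, so the "Request" rule never fires. Pinning the server IP stops an honest rogue DHCP server at another address, not an attacker who forges 192.168.1.1 as the source.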
Climenole
May 11th, 2007, 09:48 PM
Hi -NiCeGuY- :)
MAC addresses (such as your Ethernet adapter's MAC addr.) are not transmitted over the Internet...
Preventing MAC or IP spoofing in a local network is a complex job.
I'm not sure it's really required or possible with this rule...
I have a hypothesis about this:
The ARP protocol is used to convert MAC addr. to IP; since in a local network it's possible to have a configuration of fixed local IP addr. (in 192.168.*.*), it's also possible to create a rule rejecting all packets with a local IP and the wrong MAC address. This must be done on the LAN server.
1- We can create some rules to associate each local (fixed!) IP with the MAC addr. of the Ethernet adapter of the corresponding PC and authorise these packets. (With raw rule editing?)
2- Then create some rules to block any packet different from the previously authorised MAC+IP combinations...
and (?) on each PC a rule to block any incoming packets equal to the PC's MAC addr. ???
(Assuming all incoming packets must be different from the PC's MAC addr. ...)
This is my last idea for tonight... ;)
The only problem I see is with a configuration with dynamic local IP addr. ...
How to recheck the correct MAC+IP combination each time and put this in rules?
Does this make sense? :-\
Tell me. Your opinion is important! (Don't be sorry for "so many questions" ;) )
:)
-NiCeGuY-
May 12th, 2007, 02:15 PM
Hi, Climenole ;D
{anti - mac spoofing rule}
Direction: Inbounds
Ethernet Type: all
Protocol: all
Frag. Offset: all
Frag. Flags: all
[ source ]
Ethernet Address: Equal pc's mac address
ip: all
port: all
[ Destination ]
Ethernet Address: all
remote ip: all
remote port: all
{anti - ip spoofing rule}
Direction: Inbounds
Ethernet Type: all
Protocol: all
Frag. Offset: all
Frag. Flags: all
[ source ]
Ethernet Address: all
ip: Equal my @
port: all
[ Destination ]
Ethernet Address: all
remote ip: all
remote port: all
As for your question, isn't there a need for anti-MAC spoofing & anti-IP spoofing rules? I have no clue right now ??? ???
1) In your rule set, you allow all ARP. Is it a big problem? So I created 2 anti-ARP rules before it.
2) I think your DHCP rules were enough, so I will keep it simple/easy and use your original one 8)
Climenole
May 12th, 2007, 02:34 PM
Hi -NiCeGuY- :)
-{ Quote: "
{anti - mac spoofing rule}
Direction: Inbounds
Ethernet Type: all
Protocol: all
Frag. Offset: all
Frag. Flags: all
[ source ]
Ethernet Address: Equal pc's mac address
ip: all
port: all
[ Destination ]
Ethernet Address: all
remote ip: all
remote port: all
" }-
Maybe, maybe... For sure incoming packets must have a different MAC addr. from the destination PC.
This rule is OK for a PC used as a client but not for a PC used as a server...
-{ Quote: "
{anti - ip spoofing rule}
Direction: Inbounds
Ethernet Type: all
Protocol: all
Frag. Offset: all
Frag. Flags: all
[ source ]
Ethernet Address: all
ip: Equal my @
port: all
[ Destination ]
Ethernet Address: all
remote ip: all
remote port: all
" }-
Same comment.
The only problem I see here is: how to test this?
You have to spoof the IP and MAC addr. by editing packets and resend these modified packets to see what happens.
Maybe with this:
http://www.networkchemistry.com/products/packetyzer.php
-{ Quote: "
As for your question, isn't there a need for anti-MAC spoofing & anti-IP spoofing rules? I have no clue right now ??? ???
1) In your rule set, you allow all ARP. Is it a big problem? So I created 2 anti-ARP rules before it.
2) I think your DHCP rules were enough, so I will keep it simple/easy and use your original one 8)
" }-
ARP is used locally to translate MAC addresses to IP addresses...
It's needed with a router, for example.
ARP is not the problem, only the incoming packets which differ from the combination "MAC addr. + fixed local IP addr."
About DHCP: so my 2 combined rules work well for your system. Good news! :)
:)
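Climenole's hypothesis (bind each fixed local IP to its MAC and reject frames that do not match) and NiCeGuY's two rules (drop inbound frames whose source MAC is the PC's own, or whose source IP is the PC's own) can be expressed as one inbound check. The Python below is an added example, not a rule from either rule set; the LAN 192.168.2.0/24, the PC address 192.168.2.10, the MAC table and the frames are constructed for illustration.

```python
"""Classify inbound frames against fixed IP-to-MAC bindings.

Added example; nothing here is a Look'n'Stop rule.  A LAN with fixed
addresses is assumed.  Three checks, in the order the posts discuss them:
  1. source MAC equal to this PC's own MAC      (anti-MAC-spoofing rule)
  2. source IP equal to this PC's own IP        (anti-IP-spoofing rule)
  3. local source IP whose MAC differs from the fixed table (MAC+IP binding)
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.2.0/24")                         # assumed LAN
MY_IP, MY_MAC = "192.168.2.10", "00:11:22:33:44:55"         # assumed PC
BINDINGS = {                                               # assumed fixed hosts
    "192.168.2.1": "00:aa:bb:cc:dd:01",                    # router (gateway)
    "192.168.2.10": MY_MAC,
    "192.168.2.20": "00:aa:bb:cc:dd:20",                   # second PC
}


def classify(src_mac: str, src_ip: str) -> str:
    """Return 'ok' or the name of the check that rejects an inbound frame."""
    src_mac = src_mac.lower()
    if src_mac == MY_MAC.lower():
        return "own-mac-spoof"
    if src_ip == MY_IP:
        return "own-ip-spoof"
    if ip_address(src_ip) in LAN:
        expected = BINDINGS.get(src_ip)
        if expected is None:
            return "unknown-local-host"
        if expected.lower() != src_mac:
            return "ip-mac-mismatch"
    # Non-local source IPs arrive via the router's MAC, so no binding check.
    return "ok"


# Constructed inbound frames: (source MAC, source IP, note)
FRAMES = [
    ("00:aa:bb:cc:dd:01", "192.168.2.1", "router, correct MAC"),
    ("00:aa:bb:cc:dd:20", "192.168.2.20", "second PC, correct MAC"),
    ("de:ad:be:ef:00:01", "192.168.2.1", "someone claiming the router's IP"),
    ("00:11:22:33:44:55", "192.168.2.99", "frame carrying our own MAC"),
    ("00:aa:bb:cc:dd:20", "192.168.2.10", "second PC using our IP"),
    ("00:aa:bb:cc:dd:01", "198.51.100.34", "Internet host via the router"),
    ("de:ad:be:ef:00:02", "192.168.2.77", "host not in the table"),
]


def audit(frames=FRAMES):
    """Verdict for every constructed frame, in order."""
    return [(note, classify(mac, ip)) for mac, ip, note in frames]


if __name__ == "__main__":
    for note, verdict in audit():
        print(f"{verdict:20s} {note}")
```

The limitations Climenole raises are visible in the code: behind a router every Internet host arrives with the router's source MAC, so the binding check only applies to local source IPs, and with DHCP-assigned addresses the table goes stale. The own-MAC check is, as he notes, only suited to a PC used as a client.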
-NiCeGuY-
May 13th, 2007, 07:21 AM
Hi, Climenole ;D Questions, questions, questions are coming, more & more :blink:
Question 1) I saw many connections blocked by this rule {B. 07}; [ALL] << Non-routable IP ! >
Direction: inbounds
Ethernet Type: all
Protocol: all
Frag. Offset: all
Frag. Flags: all
{Source}
Ethernet Address: all
IP Address: 192.168.0.0 - 192.168.255.255
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all
The problem happens because my gateway's IP is 192.168.2.1; when there is some connection with it, it gets blocked.
[e.g. 1] When I want to use a web browser to change/see my router's settings, it gets blocked because of this rule.
[e.g. 2] This rule will block my gateway 192.168.2.1 connecting to my IP:137; it always happens in my log.
Change it & create another rule for this case? ;D
Question 2) What's different about those protection rules, from Phant0m's rule set vs. your rule set?
[ICMP][+MBONE broadcasts]
Direction: outbounds
Ethernet Type: IP V4
Protocol: ICMP
Frag. Offset: all
Frag. Flags: all
ICMP Code: Equals 10
ICMP Type: Equals 10
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: Equals 244.0.0.2
Port: all
[ICMP][+MBONE broadcasts]
Direction: inbounds
Ethernet Type: IP V4
Protocol: ICMP
Frag. Offset: all
Frag. Flags: all
ICMP Code: Equals 10
ICMP Type: Equals 10
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[ICMP][+ICMP broadcasts]
Direction: inbounds
Ethernet Type: IP V4
Protocol: ICMP
Frag. Offset: all
Frag. Flags: all
ICMP Code: all 0
ICMP Type: all 0
{Source}
Ethernet Address: all
IP Address: Mask 0.0.0.255/0.0.0.255
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+FIN:Stealth Scan]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+XMAS:Stealth Scan]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +URG-PSH-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+NULL:Stealth Scan]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+SYN-FIN-RST-PSH-ACK-URG]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +URG-ACK-PSH-RST-SYN-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+SYN-FIN-RST-PSH-ACK]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +ACK-PSH-RST-SYN-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+SYN-FIN-RST-PSH]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +PSH-RST-SYN-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+SYN-FIN-RST]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +RST-SYN-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+SYN-FIN-PSH]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +PSH-SYN-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+SYN-FIN]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +SYN-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+SYN-RST]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +RST-SYN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+FIN-RST-PSH-URG]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +URG-PSH-RST-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+FIN-RST-URG]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +URG-RST-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+FIN-URG]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +URG-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+FIN-PSH]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +PSH-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+FIN-RST]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +FIN-RST
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[+ACK-URG]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +URG-ACK
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
{H. 04}; [TCP] << FIN & 13 Variants ! >
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +ACK-FIN
TCP Flags: Set/Cleared +FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all
{H. 05}; [TCP] << SYN RST & 4 Variants ! >
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +ACK-RST-SYN-FIN
TCP Flags: Set/Cleared +RST-SYN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all
{H. 06}; [TCP] << SYN PSH & 2 Variants ! >
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +PSH-SYN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all
{H. 07}; [TCP] << SYN URG ! >
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Flags: all
TCP Flags: Mask +URG-ACK-SYN-FIN
TCP Flags: Set/Cleared +URG-SYN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all
Colour red = Phant0m, colour blue = you
What's different between those rules? Do I need to combine these 2 rule sets (Phant0m's & yours) to form one big rule set?
[+NULL:Stealth Scan] = {H. 02}; [TCP] << NULL ! >
[+SYN-FIN-RST-PSH-ACK-URG] = {H. 03}; [TCP] << FULL ! >
These 2 rules are the same; can you compare the others (colour red & blue), what's different between your & Phant0m's rules?
Thank you very much for replying, have a nice day :thumb:
Climenole
May 13th, 2007, 10:32 AM
Hi -NiCeGuY- :)
-{ Quote: "Hi, Climenole ;D Questions, questions, questions are coming, more & more :blink:
Question 1) I saw many connections blocked by this rule {B. 07}; [ALL] << Non-routable IP ! >
Direction: inbounds
Ethernet Type: all
Protocol: all
Frag. Offset: all
Frag. Flags: all
{Source}
Ethernet Address: all
IP Address: 192.168.0.0 - 192.168.255.255
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all
The problem happens because my gateway's IP is 192.168.2.1; when there is some connection with it, it gets blocked.
[e.g. 1] When I want to use a web browser to change/see my router's settings, it gets blocked because of this rule.
[e.g. 2] This rule will block my gateway 192.168.2.1 connecting to my IP:137; it always happens in my log.
Change it & create another rule for this case? ;D
" }-
Strange. That's why I put all local connections in the rule subset "A".
Just uncheck that rule for the moment and I'll try to find a solution...
For the other question about the TCP abnormal / illegal packets:
I'm using a combination of "masks" and "active" ("enable" in the English version?).
For example the rule {H. 04}; [TCP] << FIN & 13 Variants ! >
blocks all these combinations:
FIN, FIN-SYN, FIN-RST, FIN-PSH, FIN-URG, FIN-SYN-RST, FIN-SYN-PSH, FIN-SYN-URG, FIN-RST-PSH, FIN-RST-URG, FIN-PSH-URG, FIN-SYN-RST-PSH, FIN-SYN-RST-URG, FIN-SYN-RST-PSH-URG.
and so on...
:-)
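To make the mask/set mechanism concrete, here is an added Python example (not a rule from either rule set) that applies the test a masked rule performs, flags & MASK == SET, to all 64 TCP flag combinations. The (mask, set) pairs are transcribed from the {H. 02} to {H. 07} rules listed above; with mask ACK+FIN and FIN set, the four unmasked flags are free, so the enumeration returns 2^4 = 16 combinations (the list in the post names 14 of them). Phant0m's rules use the full six-flag mask, so each of them matches exactly one combination, which is what the count function reports.

```python
"""Enumerate which TCP flag combinations a mask/set rule blocks.

Added example, not a rule from the thread.  A rule is two flag sets:
MASK (the bits the rule inspects) and SET (which masked bits must be 1;
the other masked bits must be 0).  A packet matches when
    flags & MASK == SET
Unmasked bits are "don't care", which is why one masked rule can stand in
for many single-combination rules of the Phant0m style.
"""

FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
ORDER = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # display order used in the post
ALL_SIX = ["URG", "ACK", "PSH", "RST", "SYN", "FIN"]


def bits(names):
    """Combine flag names (the '+ACK-FIN' lists in the rules) into a bitmask."""
    return sum(FLAGS[n] for n in names)


def rule_matches(flags: int, mask: int, must_be_set: int) -> bool:
    """Mask/set test: inspect only the masked bits."""
    assert must_be_set & ~mask == 0, "set bits must lie inside the mask"
    return flags & mask == must_be_set


def name_of(flags: int) -> str:
    names = [n for n in ORDER if flags & FLAGS[n]]
    return "-".join(names) if names else "NULL"


def blocked_combinations(mask_names, set_names):
    """Readable names of every flag combination the rule matches."""
    mask, must = bits(mask_names), bits(set_names)
    return [name_of(f) for f in range(64) if rule_matches(f, mask, must)]


def phantom_rule_equivalents(mask_names, set_names) -> int:
    """How many full-mask (single-combination) rules one masked rule replaces."""
    return len(blocked_combinations(mask_names, set_names))


# (mask, set) transcribed from the H subset rules quoted in the thread.
H_RULES = {
    "{H. 02} NULL":           (ALL_SIX, []),
    "{H. 03} FULL":           (ALL_SIX, ALL_SIX),
    "{H. 04} FIN & variants": (["ACK", "FIN"], ["FIN"]),
    "{H. 05} SYN RST":        (["ACK", "RST", "SYN", "FIN"], ["RST", "SYN"]),
    "{H. 06} SYN PSH":        (["ACK", "PSH", "RST", "SYN", "FIN"], ["PSH", "SYN"]),
    "{H. 07} SYN URG":        (["URG", "ACK", "SYN", "FIN"], ["URG", "SYN"]),
}


def passes_all(flags: int) -> bool:
    """True when no H rule blocks this combination (legitimate traffic must pass)."""
    return not any(rule_matches(flags, bits(m), bits(s)) for m, s in H_RULES.values())


if __name__ == "__main__":
    for name, (m, s) in H_RULES.items():
        combos = blocked_combinations(m, s)
        print(f"{name}: {len(combos)} -> {', '.join(combos)}")
    # A handshake SYN and a FIN-ACK close must not be caught by the H rules.
    print("plain SYN passes:", passes_all(bits(["SYN"])))
    print("FIN-ACK passes:", passes_all(bits(["FIN", "ACK"])))
```

The last two lines are the regression check worth keeping when editing such rules: a mask that accidentally omits ACK would turn {H. 04} into a rule that also drops the FIN-ACK of every normal connection close.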
-NiCeGuY-
May 13th, 2007, 11:13 AM
-{ Quote: "Hi -NiCeGuY- :)
For the other question about the TCP abnormal / illegal packets:
I'm using a combination of "masks" and "active" ("enable" in the English version?).
For example the rule {H. 04}; [TCP] << FIN & 13 Variants ! >
blocks all these combinations:
FIN, FIN-SYN, FIN-RST, FIN-PSH, FIN-URG, FIN-SYN-RST, FIN-SYN-PSH, FIN-SYN-URG, FIN-RST-PSH, FIN-RST-URG, FIN-PSH-URG, FIN-SYN-RST-PSH, FIN-SYN-RST-URG, FIN-SYN-RST-PSH-URG.
and so on...
:-)" }-
Thanks, understood this way :thumb:
How about these 3 rules?
[ICMP][+MBONE broadcasts]
Direction: outbounds
Ethernet Type: IP V4
Protocol: ICMP
Frag. Offset: all
Frag. Flags: all
ICMP Code: Equals 10
ICMP Type: Equals 10
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: Equals 244.0.0.2
Port: all
[ICMP][+MBONE broadcasts]
Direction: inbounds
Ethernet Type: IP V4
Protocol: ICMP
Frag. Offset: all
Frag. Flags: all
ICMP Code: Equals 10
ICMP Type: Equals 10
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
[ICMP][+ICMP broadcasts]
Direction: inbounds
Ethernet Type: IP V4
Protocol: ICMP
Frag. Offset: all
Frag. Flags: all
ICMP Code: all 0
ICMP Type: all 0
{Source}
Ethernet Address: all
IP Address: Mask 0.0.0.255/0.0.0.255
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all
It seems your rule set doesn't have these 3 rules; do I need to add them or not?
Thank you very much ;D
Climenole
May 13th, 2007, 11:27 AM
Hi -NiCeGuY- :)
-{ Quote: "
Thanks, understood this way :thumb:
How about these 3 rules ?
" }-
[ICMP][+MBONE broadcasts]
IP Address: Equals 244.0.0.2
This one: {B. 09}; [ALL] << Reserved IP ! > >
Reserved by IANA: 240.0.0.0 - 255.255.255.255
[ICMP][+MBONE broadcasts]
ICMP Code: Equals 10
ICMP Type: Equals 10
This one: {C. 999}; << Icmp Lock ! >>
[ICMP][+ICMP broadcasts]
IP Address: Mask 0.0.0.255/0.0.0.255
This one: {B. 02}; [ALL] << Invalid IP ! >
:)
P.S.:
About the rule: {B. 07}; [ALL] << Non-routable IP ! >
I'm working on this issue...
What is your LAN configuration?
One router + PC(s)?
or
One PC used as a server for Internet Connection Sharing?
or
???
:)
Climenole
May 13th, 2007, 08:11 PM
Hi -NiCeGuY- :)
You say:
« Question 1) I saw many connections blocked by this rule {B. 07}; [ALL] << Non-routable IP ! >
The problem happens because my gateway's IP is 192.168.2.1; when there is some connection with it, it gets blocked.
[e.g. 1] When I want to use a web browser to change/see my router's settings, it gets blocked because of this rule.
[e.g. 2] This rule will block my gateway 192.168.2.1 connecting to my IP:137; it always happens in my log.
Change it & create another rule for this case? »
Try this rule: {B. 90}; [Local] [TCP] {{Router configuration }}
Tell me if it's okay...
EDIT: I put the fixed new rule for router config. access in post #12 of this thread.
Thank you again for testing... :)
{A. 90}; [Local] [TCP] {{Router configuration }}
[G/Recommended] -NiCeGuY- Tested !
:)
-NiCeGuY-
May 13th, 2007, 08:51 PM
-{ Quote: "Hi -NiCeGuY- :)
You say:
« Question 1) I saw many connections blocked by this rule {B. 07}; [ALL] << Non-routable IP ! >
The problem happens because my gateway's IP is 192.168.2.1; when there is some connection with it, it gets blocked.
[e.g. 1] When I want to use a web browser to change/see my router's settings, it gets blocked because of this rule.
[e.g. 2] This rule will block my gateway 192.168.2.1 connecting to my IP:137; it always happens in my log.
Change it & create another rule for this case? »
Try this rule: {B. 90}; [Local] [TCP] {{Router configuration }}
Tell me if it's okay...
:)" }-
If I use your original one, it doesn't work, so I changed the rule's settings to this:
{B. 90}; [Local] [TCP] {{Router configuration }}
Direction: inbound
Ethernet Type: IP V4
Protocol: TCP
Source ip: 192.168.2.1
Source port: equal @ 80
Destination ip: Equal my @
Destination port: 1024 - 5000
I'm just testing, so the source port is just 80; with this setting it works fine, I can use a web browser to access my router.
http://i128.photobucket.com/albums/p182/niceguy_hk/3a46dc83.jpg
If I place the rule here, it works very well ;D
http://i128.photobucket.com/albums/p182/niceguy_hk/dadfbb80.jpg
If placed here, not working :wacko: because it gets blocked by {B. 07}; [ALL] << Non-routable IP ! > :P
Climenole
May 13th, 2007, 09:52 PM
Hi -NiCeGuY- :)
Great ! :thumb:
So you found the solution to have access to your router configuration:
congratulations -NiCeGuY-! :thumb:
The position of the rule in the list is always important.
Your test with your new rule is an example of this.
Thank you very much -NiCeGuY- for your help, patience and feedback.
For sure, if you find some other problem or if you have a question, do not hesitate.
--------------------------------------------------------------------
About the anti-spoofing for IP and MAC:
Are the local IP addresses of your system fixed or dynamic?
I mean the IP addr. of the PC, 192.168.x.x...
About other A subset rules: did you try the
{A. 21}; [Local] [Ethernet] { PC # 1} ?
and
{A. 60}; [Local] [IGMP] {{ Router }
:)
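The ordering lesson from this exchange, and the earlier rule that server rules go before the Q subset and client rules after it, can be checked with a small first-match evaluator. The Python below is an added example (not the thread's rule file): {A. 90} is modelled as NiCeGuY configured it (inbound, 192.168.2.1:80 to the PC's ports 1024-5000), {B. 07} blocks any inbound source in 192.168.0.0/16, and the Q rule blocks inbound SYN. The PC address 192.168.2.10, the FTP server rule, the HTTP client rule and all packets are constructed assumptions.

```python
"""First-match evaluation of an ordered rule list, as Look'n'Stop does.

Added example, not the rule set from the thread.  Two ordering lessons:
  1. {A. 90} must sit before {B. 07}, or the router's HTTP replies are dropped.
  2. Server rules go before the Q rule (block inbound SYN); client rules after.
IPs, ports and the extra rules are assumptions modelled on the posts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MY_IP = "192.168.2.10"     # assumed PC address
GATEWAY = "192.168.2.1"    # from the post


@dataclass(frozen=True)
class Packet:
    direction: str         # "in" / "out"
    proto: str             # "TCP" / "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" / "block"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"  # CIDR
    sports: range = range(0, 65536)
    dst: str = "0.0.0.0/0"
    dports: range = range(0, 65536)
    syn_only: bool = False  # match only SYN packets (the Q rule)

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and p.sport in self.sports
                and ip_address(p.dst) in ip_network(self.dst)
                and p.dport in self.dports
                and (p.syn or not self.syn_only))


def decide(rules, p: Packet):
    """First matching rule wins; with no match the final Z.9999999 rule blocks."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "block", "Z.9999999"


A90 = Rule("{A. 90} Router configuration", "allow", "in", "TCP",
           src=GATEWAY + "/32", sports=range(80, 81),
           dst=MY_IP + "/32", dports=range(1024, 5001))
B07 = Rule("{B. 07} Non-routable IP", "block", "in", src="192.168.0.0/16")
P_FTP = Rule("{P} FTP server (assumed)", "allow", "in", "TCP", dports=range(21, 22))
Q = Rule("{Q} Block inbound SYN", "block", "in", "TCP", syn_only=True)
R_HTTP = Rule("{R. 80,01} HTTP replies (assumed)", "allow", "in", "TCP", sports=range(80, 81))

GOOD_ORDER = [A90, B07, P_FTP, Q, R_HTTP]   # A.90 before B.07, server rule before Q
BAD_ORDER = [B07, A90, P_FTP, Q, R_HTTP]    # A.90 after B.07: never reached

# Constructed packets.
ROUTER_REPLY = Packet("in", "TCP", GATEWAY, 80, MY_IP, 1500)               # router's web UI answer
LAN_NB = Packet("in", "UDP", GATEWAY, 137, MY_IP, 137)                     # gateway to port 137
WEB_REPLY = Packet("in", "TCP", "198.51.100.34", 80, MY_IP, 1501)          # reply from a web server
SCAN_SYN = Packet("in", "TCP", "203.0.113.7", 44444, MY_IP, 445, syn=True)  # worm-style probe
FTP_SYN = Packet("in", "TCP", "203.0.113.8", 40000, MY_IP, 21, syn=True)    # client of our FTP server

if __name__ == "__main__":
    for label, order in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        for p in (ROUTER_REPLY, LAN_NB, WEB_REPLY, SCAN_SYN, FTP_SYN):
            print(label, p.proto, f"{p.src}:{p.sport} -> :{p.dport}", decide(order, p))
```

With the good order the router reply reaches {A. 90}; with the bad order {B. 07} swallows it first, which is exactly what the log screenshots showed. The gateway's UDP 137 packet is blocked in both orders (A.90 is TCP only), the FTP SYN is accepted because the server rule precedes Q, and the probe to port 445 stops at Q regardless.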
-NiCeGuY-
May 14th, 2007, 06:38 AM
-{ Quote: "Hi -NiCeGuY- :)
About the anti-spoofing for IP and MAC:
Are the local IP addresses of your system fixed or dynamic?
I mean the IP addr. of the PC, 192.168.x.x..." }-
Hi, Climenole, my IP is fixed :shifty:
-{ Quote: "About other A subset rules: did you try the
{A. 21}; [Local] [Ethernet] { PC # 1} ?
and
{A. 60}; [Local] [IGMP] {{ Router }
:)" }-
I can't test A.21, because I didn't authorise another PC, & A.60: I enabled this rule, but how can I know this rule is working? How can I see the effect? ;D
Thanks for replying
I looked at my log; I saw {X. 9998}; [UDP] < Outgoing UDP Forbidden ! > blocked my IP@UDP 137 connecting to 192.168.2.255@UDP 137. Is it a broadcast?
Another thing: when I use Packetyzer, LnS blocks my gateway 192.168.2.1@UDP 1900 connecting to 239.255.255.250@UDP 1900, destination address = 01:00:5E:7F:FF:FA. I remember this case also happened when I was using BT ??? ???
Climenole
May 14th, 2007, 07:32 AM
Hi -NiCeGuY- :)
-{ Quote: "
Hi, climenole, my IP is fixed :shifty:
I can't test A.21, b/c I didn't authorise any other PC, & A.60, I enabled this rule, but how can I know this rule is working? How can I see the effect? ;D
ty 4 reply
I saw in my log that {X. 9998}; [UDP] < Outgoing UDP Forbidden ! > blocked my IP@UDP 137 connecting to 192.168.2.255@UDP 137, is it a broadcast?
Another thing, when I was using Packetyzer, LnS blocked my gateway 192.168.2.1@UDP 1900 connecting to 239.255.255.250@UDP 1900, destination address = 01:00:5E:7F:FF:FA; I remember this case also happened when I was using BT ??? ???
" }-
A.21: ok.
A.60: IGMP packets are used by routers combined with UDP packets.
If there is no IGMP blocked by any rule, forget it.
In this experimental rule set, there is no blocking rule specific to IGMP.
The blocking comes from the last rule Z.9999999.
About this, see Patrice's post:
Configuring Look'n'Stop with Routers
http://www.wilderssecurity.com/showthread.php?t=9474
X.9998: UDP packets on port 137 and in broadcast:
NetBIOS packets and/or router packets...
Check the rules A.80, 81, 82.
UDP 1900: UDP packets from the Simple Service Discovery Protocol, VideoLAN Player, Azureus and maybe uTorrent.
Check this rule: {A. 61}; [Local] [IGMP] { IGMPv3 router}}
(Here maybe the packets must be in and out, not out only...)
No better idea for the moment.
Thank you and have a nice day.
:)
-NiCeGuY-
May 15th, 2007, 04:48 AM
Hi , climenole ;)
-{ Quote: "A.60: IGMP packets are used by routers combined with UDP packets.
If there is no IGMP blocked by any rule, forget it.
In this experimental rule set, there is no blocking rule specific to IGMP.
The blocking comes from the last rule Z.9999999.
About this, see Patrice's post:
Configuring Look'n'Stop with Routers
http://www.wilderssecurity.com/showthread.php?t=9474" }-
I changed rule A.60: source address = my router's MAC, destination address equals 01:00:5e:00:00:01, waiting for the effect ;D
-{ Quote: "X.9998: UDP packets on port 137 and in broadcast:
NetBIOS packets and/or router packets...
Check the rules A.80, 81, 82." }-
About this, I will keep blocking it, I didn't change anything ;D
-{ Quote: "UDP 1900: UDP packets from the Simple Service Discovery Protocol, VideoLAN Player, Azureus and maybe uTorrent.
Check this rule: {A. 61}; [Local] [IGMP] { IGMPv3 router}}
(Here maybe the packets must be in and out, not out only...)" }-
Hmmm... about UPnP: gateway 192.168.2.1@UDP 1900 connecting to 239.255.255.250@UDP 1900, destination address = 01:00:5E:7F:FF:FA. So I created a UPnP rule for this case, and now this problem is solved too ;D
{A. 1900,01}[UPnP rule]
Direction: inbound
Ethernet Type: IP
Protocol: UDP
Source Ethernet Address: Router's MAC Add.
Source IP: 192.168.2.1
Source port: equal @ 1900
Destination Ethernet Address: 01:00:5E:7F:FF:FA
Destination IP: 239.255.255.250
Destination port: equal @ 1900
Now everything runs well, I will check if any other problem happens later :shifty:
If you have other rules or ideas, let me know & I'll test. Have a nice day ;D
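A worked example for the two questions raised in the posts above (whether the packet to 192.168.2.255 is a broadcast, and why the SSDP packet to 239.255.255.250 carries the Ethernet destination 01:00:5E:7F:FF:FA). This is added code, not something posted in the thread or shipped with Look'n'Stop. It assumes the LAN is 192.168.2.0/24, which the thread never states, and the sample frames are constructed from the log lines quoted above plus one deliberately bad frame.

```python
"""Added example (not from the thread or the Look'n'Stop rule set).

Classify an IPv4 destination as unicast / broadcast / multicast and derive the
Ethernet destination address a correctly formed frame must carry, so a rule
that pins both the IP and the MAC (as the UPnP rule above does) can be checked
against captured packets.

Assumption: the LAN is 192.168.2.0/24 (the thread never states the mask).
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.2.0/24")   # assumed subnet, see docstring
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def multicast_mac(group: str) -> str:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group address."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def classify(dst_ip: str, lan=LAN):
    """Return (kind, expected_mac); expected_mac is None for unicast (learned via ARP)."""
    ip = ipaddress.IPv4Address(dst_ip)
    if ip == ipaddress.IPv4Address("255.255.255.255") or ip == lan.broadcast_address:
        return "broadcast", BROADCAST_MAC
    if ip.is_multicast:
        return "multicast", multicast_mac(dst_ip)
    return "unicast", None


def frame_is_consistent(dst_ip: str, dst_mac: str, lan=LAN) -> bool:
    """True when the layer-2 destination agrees with the layer-3 destination.

    A multicast or broadcast IP carried in a frame with a unicast or wrong MAC
    is malformed or spoofed and is worth logging whatever the port rules decide.
    """
    _, expected = classify(dst_ip, lan)
    return True if expected is None else dst_mac.lower() == expected


# Constructed samples: the log lines quoted in the thread plus one bad frame
SAMPLE_FRAMES = [
    ("192.168.2.255", "ff:ff:ff:ff:ff:ff"),    # NetBIOS name query, subnet broadcast
    ("239.255.255.250", "01:00:5E:7F:FF:FA"),  # SSDP from the gateway
    ("224.0.0.1", "01:00:5e:00:00:01"),        # all-hosts group, IGMP query
    ("239.255.255.250", "00:11:22:33:44:55"),  # constructed: multicast IP, unicast MAC
]

if __name__ == "__main__":
    for dst_ip, dst_mac in SAMPLE_FRAMES:
        kind, expected = classify(dst_ip)
        ok = frame_is_consistent(dst_ip, dst_mac)
        print(f"{dst_ip:16} {kind:9} expected MAC {expected} ok={ok}")
```

One caveat the mapping makes visible: only 23 of the 28 group-address bits reach the MAC, so 32 different groups (for instance 224.127.255.250 and 239.255.255.250) share 01:00:5e:7f:ff:fa. A rule keyed on the multicast MAC alone therefore cannot tell those groups apart; keeping the IP destination in the rule, as the UPnP rule above does, is what actually narrows it to SSDP.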
Climenole
May 15th, 2007, 06:53 AM
Hi -NiCeGuY- :)
-{ Quote: "
I changed rule A.60: source address = my router's MAC, destination address equals 01:00:5e:00:00:01,
waiting for the effect ;D
" }-
Okay. If there is an "effect" you'll see it in the log...
-{ Quote: "
Hmmm... about UPnP: gateway 192.168.2.1@UDP 1900 connecting to 239.255.255.250@UDP 1900, destination address = 01:00:5E:7F:FF:FA. So I created a UPnP rule for this case, and now this problem is solved too ;D
{A. 1900,01}[UPnP rule]
Direction: inbound
Ethernet Type: IP
Protocol: UDP
Source Ethernet Address: Router's MAC Add.
Source IP: 192.168.2.1
Source port: equal @ 1900
Destination Ethernet Address: 01:00:5E:7F:FF:FA
Destination IP: 239.255.255.250
Destination port: equal @ 1900
" }-
Great!
-{ Quote: "
Now everything runs well, I will check if any other problem happens later :shifty:
If you have other rules or ideas, let me know & I'll test. Have a nice day ;D
" }-
Okay. I'm still working on the Anti MAC + IP spoofing...
I'll let you know.
Thank you again and have a nice day!
-NiCeGuY-
May 15th, 2007, 09:23 AM
-{ Quote: "
Okay. I'm still working on the Anti MAC + IP spoofing...
I'll let you know.
Thank you again and have a nice day!" }-
Good , keep on ! ;D
zozot
May 17th, 2007, 07:45 AM
hi Climenole and -NiCeGuY-
Is there already a version of climenole-v3-Eng-GEEK.rlz in French?
Climenole
May 17th, 2007, 07:59 AM
Hi / Salut zozot :)
Yes Sir! / Oui Monsieur!
I'll post it in the Fr. forum.
:)
zozot
May 17th, 2007, 07:59 AM
thank you
Climenole
May 21st, 2007, 09:15 AM
Hi All :)
About the rules:
{R.80443,02}; [TCP] { Http/Https Skype }
and
{R..9999999}; [TCP] < Skype: forbidden ports ! >>
They have to be used with the other «R» rules.
If these rules are used with only the «S» rules, all programs using the internet will be (obviously) blocked when Skype is in use...
Also: about IGMP packets and NetBIOS.
Maybe it's a good idea to add these blocking rules for IGMP and NetBIOS:
{A. 69}; [Local] [IGMP] << Block igmp ! >>
and
{A. 89}; [Local] [T/U] << Block NetBios !>>
[To be tested...]
:)
-NiCeGuY-
May 21st, 2007, 10:45 AM
-{ Quote: "Hi All :)
About the rules:
{R.80443,02}; [TCP] { Http/Https Skype }
and
{R..9999999}; [TCP] < Skype: forbidden ports ! >>
They have to be used with the other «R» rules.
If these rules are used with only the «S» rules, all programs using the internet will be (obviously) blocked when Skype is in use... " }-
Hi , climenole :)
I never use Skype, so I dunno & never tested :P
-{ Quote: "Also: about IGMP packets and NetBIOS.
Maybe it's a good idea to add these blocking rules for IGMP and NetBIOS:
{A. 69}; [Local] [IGMP] << Block igmp ! >>
and
{A. 89}; [Local] [T/U] << Block NetBios !>>
[To be tested...]
:)" }-
About NetBIOS, I created a rule to block NetBIOS before, like this:
Direction: in & out
Ethernet Type: IP
Protocol: UDP
Source IP: all
Source port: 137-139
Destination IP: all
Destination port: all
It works well. ;D
About the IGMP block rule... if I use this rule, does it conflict with these 2 rules?
{A. 60}; [Local] [IGMP] {{ Router }
{A. 61}; [Local] [IGMP] { IGMPv3 Router }}
Let me know, ty 4 reply
Climenole
May 21st, 2007, 11:24 AM
Hi -NiCeGuY- :)
-{ Quote: "
About NetBIOS, I created a rule to block NetBIOS before, like this:
Direction: in & out
Ethernet Type: IP
Protocol: UDP
Source IP: all
Source port: 137-139
Destination IP: all
Destination port: all
It works well. ;D
About the IGMP block rule... if I use this rule, does it conflict with these 2 rules?
{A. 60}; [Local] [IGMP] {{ Router }
{A. 61}; [Local] [IGMP] { IGMPv3 Router }}
Let me know, ty 4 reply" }-
Your rule for NetBIOS blocking is excellent! :thumb:
The remaining IGMP packets are blocked by the last rule "Z999", but I prefer to block this before... (this is optional...)
:)
-NiCeGuY-
June 2nd, 2007, 04:24 AM
-{ Quote: "Hi -NiCeGuY- :)
Strange. That's why I put all local connections in the subset rules "A".
Just uncheck that rule for the moment and I'll try to find a solution...
For the other question about the TCP abnormal / illegal packets:
I'm using a combination of "masks" and "active" (enable in the Eng. version?)
For example the rule {H. 04}; [TCP] << FIN & 13 Variants ! >
blocks all these combinations:
FIN, FIN-SYN, FIN-RST, FIN-PSH, FIN-URG, FIN-SYN-RST, FIN-SYN-PSH, FIN-SYN-URG, FIN-RST-PSH, FIN-RST-URG, FIN-PSH-URG, FIN-SYN-RST-PSH, FIN-SYN-RST-URG, FIN-SYN-RST-PSH-URG.
and so on...
:-)" }-
Hi , climenole ;D
Seems you need a little update / rewrite of these few rules :P
{H. 04}; [TCP] << FIN & 13 Variants ! >
Direction: inbound
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +ACK-FIN
TCP Flags: Set/Cleared +FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all
{H. 05}; [TCP] << SYN RST & 4 Variants ! >
Direction: inbound
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +ACK-RST-SYN-FIN
TCP Flags: Set/Cleared +RST-SYN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all
{H. 06}; [TCP] << SYN PSH & 2 Variants ! >
Direction: inbound
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +ACK-PSH-RST-SYN-FIN
TCP Flags: Set/Cleared +PSH-SYN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all
{H. 07}; [TCP] << SYN URG ! >
Direction: inbound
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-SYN-FIN
TCP Flags: Set/Cleared +URG-SYN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all
-{ Quote: "Originally Posted by nuser
(3) As for your above-mentioned example, there seem to be 16 illegal combinations (not 14). You have missed F-R-P-U and F-S-P-U.
Please correct me if I am wrong.
FIN,
FIN-SYN,
FIN-RST,
FIN-PSH,
FIN-URG,
FIN-SYN-RST,
FIN-SYN-PSH,
FIN-SYN-URG,
FIN-RST-PSH,
FIN-RST-URG,
FIN-PSH-URG,
FIN-SYN-RST-PSH,
FIN-SYN-RST-URG,
FIN-SYN-RST-PSH-URG.
You're right: I missed these two:
FIN-RST-PSH-URG
FIN-SYN-PSH-URG
Thank you for this valuable remark !" }-
You may work hard this weekend, have a nice day :)
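A worked example for the four H rules posted above and for nuser's count of 16. This is added code, not from the thread or from Look'n'Stop; it assumes the Mask / Set-Cleared pair works like a netmask compare (a flag bit listed in Mask is compared against the Set/Cleared value, a bit not in Mask is ignored), which is how the rules above read but is not confirmed anywhere in the thread. The rule table is transcribed from the four rule blocks above.

```python
"""Added example (not from the thread or the Look'n'Stop project).

Enumerate which TCP flag combinations a Mask / Set-Cleared rule matches, to
check the "& N variants" counts in the rule names and to find rules that
overlap (so ordering in the list decides which one logs the packet).

Assumed semantics: a packet matches when every bit in `mask` equals the
corresponding bit in `value`; bits outside `mask` are don't-care.
"""

# Flag bit values from the TCP header (RFC 793), in the order used for names
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def bits(names):
    """Combine flag names into a bitmask."""
    return sum(FLAGS[n] for n in names)


def rule_matches(mask: int, value: int, pkt_flags: int) -> bool:
    """Assumed Mask / Set-Cleared comparison (see module docstring)."""
    return (pkt_flags & mask) == (value & mask)


def flag_name(pkt_flags: int) -> str:
    return "-".join(n for n, b in FLAGS.items() if pkt_flags & b) or "(none)"


def matching_combos(mask: int, value: int):
    """All of the 64 six-flag combinations that the rule matches, as names."""
    return [flag_name(p) for p in range(64) if rule_matches(mask, value, p)]


# The four rules as posted: (Mask = compared bits, Set = bits that must be 1;
# every other masked bit must be 0)
RULES = {
    "H.04 FIN variants":     (bits(["ACK", "FIN"]),                      bits(["FIN"])),
    "H.05 SYN-RST variants": (bits(["ACK", "RST", "SYN", "FIN"]),        bits(["RST", "SYN"])),
    "H.06 SYN-PSH variants": (bits(["ACK", "PSH", "RST", "SYN", "FIN"]), bits(["PSH", "SYN"])),
    "H.07 SYN-URG":          (bits(["URG", "ACK", "SYN", "FIN"]),        bits(["URG", "SYN"])),
}


def count_matches(rule_name: str) -> int:
    mask, value = RULES[rule_name]
    return len(matching_combos(mask, value))


def overlaps(rule_a: str, rule_b: str):
    """Flag combinations matched by both rules; the earlier rule in the list wins."""
    a = set(matching_combos(*RULES[rule_a]))
    b = set(matching_combos(*RULES[rule_b]))
    return sorted(a & b)


if __name__ == "__main__":
    for name, (mask, value) in RULES.items():
        combos = matching_combos(mask, value)
        print(f"{name}: {len(combos)} combinations")
        print("   ", ", ".join(combos))
    print("matched by both H.05 and H.07:", overlaps("H.05 SYN-RST variants", "H.07 SYN-URG"))
```

Under the assumed semantics H.04 (Mask ACK+FIN, Set FIN) leaves SYN, RST, PSH and URG free, so it matches 2^4 = 16 combinations, including the two nuser listed, which is consistent with Climenole's reply that the rule already blocks them even though the name says 13 variants. The same enumeration shows H.05 and H.07 both match SYN-RST-URG (with or without PSH), so whichever of the two sits higher in the list is the one that will appear in the log for such a packet.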
Climenole
June 2nd, 2007, 08:14 AM
Hi -NiCeGuY- :)
-{ Quote: "Hi, climenole ;D
Seems you need a little update / rewrite of these few rules :P
[...]
You may work hard this weekend, have a nice day :)" }-
;D No Sir !
I forgot to list these 2 combinations but the rule blocks them (as far as I know... and I'll re-check again, but later...).
I have to work hard this weekend but not on this... ;-)
Have a nice week-end.
:)
WinCenzo
June 5th, 2007, 08:15 AM
Hi climenole,
I took your great rules, and you did great work. I used them to improve my rule sets, you helped me very much, but I have a kind of problem with the rules
"[local] [Ethernet]" because yes, they work, but they allow even other packets different from the Ethernet protocol.
Exactly, I see that by these rules even UDP and TCP packets are allowed. I'm using the 2.05p3 version with the RAW plug-in, and I want to know if this behaviour is normal or not, and if not, I hope you can help me to solve this problem.
Sorry for my English.
Thx :thumb:
Climenole
June 5th, 2007, 09:09 AM
Hi WinCenzo :)
-{ Quote: "Hi climenole,
I took your great rules, and you did great work. I used them to improve my rule sets, you helped me very much, but I have a kind of problem with the rules
"[local] [Ethernet]" because yes, they work, but they allow even other packets different from the Ethernet protocol.
Exactly, I see that by these rules even UDP and TCP packets are allowed. I'm using the 2.05p3 version with the RAW plug-in, and I want to know if this behaviour is normal or not, and if not, I hope you can help me to solve this problem.
Sorry for my English.
Thx :thumb:" }-
Why are you using this rule? ???
This rule is used for PCs connected with a hub (as far as I know) and they have to be tested (as I stated here in this thread)...
You say you're using my experimental rule set to improve yours. That's ok.
This is not a "turnkey" rule set: it requires some research and experimentation on your part, especially with the "A" rules...
Have fun!
:)
WinCenzo
June 5th, 2007, 10:24 AM
Hi climenole, thx for your answer,
however, I'm using this rule because I use a router and sometimes I saw that some connections with the ETH protocol were forbidden, so I supposed that these rules were necessary for the correct working of my LAN. In fact I don't have problems with them. The only thing I saw and didn't understand was some connections with UDP and TCP allowed locally by these rules, whereas I thought they were only for ETH.
So I'm not able to modify rules in RAW mode, and I was asking you if these rules are meant to allow even those protocols.
Climenole
June 5th, 2007, 10:49 AM
Hi WinCenzo :)
Your router uses IGMP and UDP packets, I suppose...
The best for you is to read carefully the "sticky" post from Patrice:
Configuring Look'n'Stop with Routers
http://www.wilderssecurity.com/showthread.php?t=9474
Don't use the ETH rules we're talking about...
And keep things simple. ;)
:)
WinCenzo
June 5th, 2007, 12:14 PM
Thx Climenole, I don't want to abuse your helpfulness,
but the reason for my choice was that in the post about configuration with a router, Patrice spoke about the necessity of one rule for ETH too:
-{ Quote: "
The ETH Rule is a little bit different. Unfortunately you cannot specify this special packet more closely, so you have to write a more "general" rule." }-
So I thought that your rules might be the solution to this problem. ;)
But as I said, this rule works even with other protocols and I don't know if this is my problem or if it's simply normal.
Thx again :thumb:
Climenole
June 5th, 2007, 01:00 PM
Hi WinCenzo :)
As shown by Patrice, you may add the MAC address in the IGMP rule...
Seems that's better than the ETH rule...
:)
Climenole
June 13th, 2007, 09:39 PM
Hi
For assistance in connection with version 3 you can contact me by email if necessary.
I will do my best to answer you according to my availability.
climenole[AT]gmail[DOT]com
Thank you.
cluefly
August 15th, 2007, 09:04 PM
Great work!
lovely man !