TCP SPI is designed slightly differently then how I see in other Software Firewalls, truth be told this slight difference in this design that been implemented in Look ‘n’ Stop isn’t good thing.

How long will be required to fix this problem? How long must i keep that crucial feature disabled?

Do I need to even go there?

TCP SPI...

gimme gimme gimme.... but it's deactivated for now... slight problem with it. I have to agree with phant0m.

Anything on this Frederic?

-{ Quote: " quoting: Phant0m`` link=board=13;threadid=23453;start=0#msg138812 date=1078268706]
TCP SPI is designed slightly differently then how I see in other Software Firewalls, truth be told this slight difference in this design that been implemented in Look ‘n’ Stop isn’t good thing.

How long will be required to fix this problem? How long must i keep that crucial feature disabled?
" }-

Hi Phant0m`` ! Could you please explain to me what's wrong with that? And why you've been keeping it disabled?
Thx!

Hey manuangi

I’ll explain to you since you’ve appear to not seen my previous posts and of course not seen my E-mails on this subject;

Look ‘n’ Stop offers restrictions of maximum number of monitored/allowed connections, 64 was how many before v2.05b2, so now its 128. This increase does zip for me, the only Software Firewall I’ve seen to provide these types of restrictions. It does offer some benefits, but the benefits are far less important to me.

thanks!
I'd actually read about that, but was not sure it was the topic you've been discussing here, I couldn't understand it from your 1st post..

:-\ (sorry)

You weren’t actually meant to, this is directed to Frederic and Frederic knows about the anomaly perfectly.

teehee theeheheheh ;D

-{ Quote: " quoting: Phant0m`` link=board=13;threadid=23453;start=0#msg139067 date=1078315339]
You weren’t actually meant to, this is directed to Frederic and Frederic knows about the anomaly perfectly.
" }-


right...but remember that other users may read your words...as I did...if you want to talk to Frederic only, use PMs instead... ;)

(I don't want to hurt you, you're a friend!)

-{ Quote: " quoting: manuangi link=board=13;threadid=23453;start=0#msg139077 date=1078319492]
-{ Quote: " quoting: Phant0m`` link=board=13;threadid=23453;start=0#msg139067 date=1078315339]
You weren’t actually meant to, this is directed to Frederic and Frederic knows about the anomaly perfectly.
" }-


right...but remember that other users may read your words...as I did...if you want to talk to Frederic only, use PMs instead... ;)

(I don't want to hurt you, you're a friend!)

" }-

teehee teehehehe teeheee ;D

-{ Quote: " quoting: manuangi link=board=13;threadid=23453;start=0#msg139077 date=1078319492]
-{ Quote: " quoting: Phant0m`` link=board=13;threadid=23453;start=0#msg139067 date=1078315339]
You weren’t actually meant to, this is directed to Frederic and Frederic knows about the anomaly perfectly.
" }-


right...but remember that other users may read your words...as I did...if you want to talk to Frederic only, use PMs instead... ;)

(I don't want to hurt you, you're a friend!)

" }-

The way I choose to direct Frederic about Look ‘n’ Stop is my choice and my choice alone, and if I want to talk to Frederic only I can do so simply ignore everyone else who invades on this topic. ;)

OHH OHHH OHHHHH can I say something ?

teeheee teehee teeheheheh ;D

Frederic - any news on that one?? Any fixes ???

Ruben

This behaviour is by design, so no fix is really to be expected.
However, perhaps we will change the design in a future version to remove this limitation.
Normally it only affect P2P application which opens a lot of simultaneous TCP ports.

Frederic

I know a SPI which can handle all connections from a P2P program... it is NetFilter Linux firewall _on a dedicated server_ (with his own CPU, memory, etc...).

If you want your personal firewall to handle such amount of traffic, but at same time to still be able to use your computer, you should expect a large increase of mem usage and CPU usage, and a little research from Frederic to find a way to not lock up the computer.
SPI was first created (as far as i know) to handle all network connections from a LAN to the Internet, on, a dedicated computer/router.
Such feature has been well built in into Look'n'Stop, and to make it work with P2P is i think a hard task.

I like Look ‘n’ Stop a lot but it comes down to it, this Software Firewall is telling me what I’m authorized to run and do. I’ve been more then patient, every since TCP SPI been implemented into Look ‘n’ Stop I’ve been wanting this problem resolved, but now It is about time I use another Software Firewall with properly functional Stateful Packet Inspection Feature, and from what I see there are good variety.

It is not easy for me to say these things; you couldn’t see a more dedicated Look ‘n’ Stop user than me. I’ve been so since the day I begin using Look ‘n’ Stop in Jan 13, 2002, what I’ll do is take a spell away from Look ‘n’ Stop and perhaps if I don’t become attach to whatever times Look ‘n’ Stop TCP SPI improves I’ll return.

Regards,

I too have been suffering from this *anomally Frederic. Sometimes my log gets full of statefulll packet blocks, and it eventually stops me surfing. I too would like to see a fix for this as soon as possible as surfing without SPI seems to defeat the object.

Thanks.

Reason I installed and registered Look n Stop because of Phant0m.
From the reading I had been doing I know I’m surely not the only one.
I can sympathize with Phant0m, I too have been also experiencing problems with LNS TCP SPI and must disable just to continue my normal activities, and from what I read Frederic design of this feature is indeed different from other software firewalls I’ve used with SPI.
It is clear why there is a limitation here, to avoid possible memory consumption. And I’m not saying this doesn’t make sense especially depending on the design but I’ve used many software firewalls with SPI that working perfectly and no noticeable slowdowns on system or internet performances regardless of how many connections there are.
And my opinions are this firewall is only half as good without Phant0m, and I’m jumping ships along with.

Bests wishes to all!

Please note that there was a bug in 2.04 and 2.05b1 versions about TCP SPI: sometimes, some incoming connections were rejected. This problem has been fixed in the 2.05b2 and is different from the limitation of the number of TCP simultaneous connections.
However the symptoms are very similar.

I know the limitation is still an issue, especially for persons using P2P applications.

Frederic

@MrX

can you quote firewalls names having the SPI feature ??

SPI is known to be available in routers or in Linux, but in windows personal
firewalls i don't rememeber to have seen it, thought i could have miss it, i don't remember to have seen like in Look'n'Stop a checkbox with "enable SPI", can you shed some light on many firewalls names having such feature ?

Hey guys

Hey gkweb

Where have you been? There are number of today’s Software Firewalls that offers at the minimum TCP SPI capabilities such as Sygate Personal Firewall, Advanced Firewall aka Ambra Firewall aka VisNetic Firewall aka 8Signs Firewall… ;D

.

.

@Frederic

I've had my share of problems with the SPI feature too. I was forced to choose between turning off SPI which would greatly decrease my firewall security effectiveness or be brutally raped by TCP Packet as seen below (will be kept on server for a few weeks unless notified otherwise):

http://my.sanbrunocable.com/fubash/TCP_SPI.gif

Please fix this limitation problem up Fred! Btw, the picture above shows LNS v2.05b2. However, the problem exists in all versions that I've seen.

Visnetic is NOT a personal firewall for home user, but a packet filter for servers (it has no outbound application filtering) so a full SPI can be implemented easily on a dedicated server (dedicated CPU + Memory).

So about personals firewalls, Sygate (from their website) has a basic SPI not a full SPI, and does not support ICMP.

@FuBash

It has been said plenty of time, and unless you didn't read a single post of this forum, you must know that SPI isn't compatible with all P2P softwares, which turn your computer in a server with heavy traffic.

SPI basically (as i said but i say it again) was to be on a dedicated server to handle LAN connections, if you take a 50 computer LAN with each 10 connections (while surfing the Internet) then you have 500 connections handled by a dedicated server.
But P2P software, like eMule you use, can make jump your pending connections to +1500, nothing to do with a normal "home user" or client computer use, it turns your computer on a server with an amazing number of connections.
If Look'n'Stop had a conection limit to 2000 and not to 128, i guess your computer would be totally unusable, in one hand eMule consuming all your bandwidth and in the other hand Look'n'Stop eating all your CPU and memory to check in real time 2000 connections.

Did you know that even real full SPI was burst by P2P traffic ?
Yea really, there is hardware routers which simply locks up over 300 or 500 conections.

Now that you know all of that, you can see that in one hand to do a real full SPI to handle so much traffic isn't so obvious even on a dedicated hardware, so on *you* computer already used by Windows and by other applications it is even worst.

May be it is possible to add, but even if under so hard conditions it would be, i don't see what it would worth something because someone to who you connect using eMule, could use the traffic caracteristics (dst IP, src port etc...) to simply flood you and DoS you using allowed criteria by the SPI (the incomming traffic would be a come back of something you have initiated).

If you just browse the web and SPI blocks you, ok, it has to be fixed, but if you use P2P, just temporarly disable SPI, it is not meant to handle P2P.

Firstly you get what you asked; you should have been specific in your post, then I probably would have replied to suit you.

In any case what makes a true “Software Firewall” is the packet filtering, hey Jim did you ever see a Software Firewall without Packet filtering?

Man I don’t know what the heck you going on about but anyways basic, full SPI discussions is irrelevant to this topic.

Let me tell you something; I’ve been using number of “Personal Software Firewalls” lately and thoroughly testing its SPI Feature with p2p Software among other things WITHOUT any system delays/freezes or FW Applications Delays/Freezes. And guess what else? Ideal thing for p2p Software and does NOT provide any Monitored/Allowed connection restrictions…

irrelevant personal remark removed - paul

It’s okay to make excuses for Look ‘n’ Stop, god help me I have many times but I’m tired now..irrelevant and personal remark removed and not allowed - paul

As for any further discussions on this topic for myself is not necessary, I made my point and that is it!

Bests Regards,

-{ Quote: "
And something else.." }-

quoted irrelevant personal remark removed - paul

First, you are wrong, i know deeply this subject and modify my Linux kernel accordingly and set it up in user land far deeply than you can probably imagine...
Second, i don't see where from what i have said you can see that i know nothing about SPI, you can just said we have different opinions.

I was hoping to not fall in this kind of discussion, i have nothing to add in a discussion where i provide arguments and where in return people try to bash me.

I said my points, nothing to add.

Hey guys I do have no idea of spi but I would like LnS to stay topnotch getting rid of this limit thing.

Frederic, please look into it

Ruben

Gents,

Since we all are human, discussions can on rare ocassions turn into sort of a personal fight, and personal comments are posted that really are uncalled for.

It's just fine to agree to disagree without any bashing. As you might have noticed, I have removed all that has been posted in this particular context.

Please lay back for a while, take some rest if needed, and after that let's proceed in the usual and respectful way.

regards.

paul

why not making a rule for allow SPI with few applications only?

a standart NAT can handle 25000 connections, you are a bit short with your array of 128 entry :)

The default under Netfilter is 16376 ;)
(and for a whole LAN, here we talk about a single computer, you can't really compare :))
Of course you can increase it if you have a very good server.

I think the difference is that you use your computer for something else too, it isn't dedicated to SPI.
But i agree that we could try to increase the current number on Look'n'Stop, at least may be to do a special beta that people who want can try.

About your idea to only use SPI for particular applications, it sounds good, we could specify an app, let's say a P2P prog, and entries about it would not be written in the connection tracking buffer/file. So, at the other side, when packet are coming back, they would not be automatically allowed (because not tracked) and would need a specific rule that we all know, like allow incomming packets on P2P ports when the app is running.

So increase the number of connections being tracked and/or switch on/off SPI for particulars apps are good ideas i think :)

EDIT : may it is not easy to link traffic owned by apps if the SPI is only done by the driver at network layer, only Frederic can tell.

I absolutely disagree!

VisNetic Firewall IS a Personal Firewall and some; it isn’t Application-based Personal Firewall no, do the research and you’ll see. And this also applies for 8Signs Firewall, and as I said do the research and you’ll see.

Just because something only offers Packet Filtering Layer, doesn’t necessary mean it isn’t a Personal Firewall.


-{ Quote: " quoting: gkweb link=board=13;threadid=23453;start=15#msg141224 date=1078744252]
Visnetic is NOT a personal firewall for home user, but a packet filter for servers (it has no outbound application filtering) so a full SPI can be implemented easily on a dedicated server (dedicated CPU + Memory).

So about personals firewalls, Sygate (from their website) has a basic SPI not a full SPI, and does not support ICMP.

" }-

I was just talking with my criteria, if you use yours, you can call it whatever how you want, it still doesn't have outbound application filtering, period.

You must be Software Firewall expert more so then James Grant? Because he says it’s a Personal Firewall….

Just because it’s not Application-Based Personal Firewall, it is still Personal Firewall! ;)

It is not a matter of to be more expert than someone else or not, *I* assume that a home user for _personal_ use needs an application filtering, and that in enterprise or firm (where i already worked) you put on a server (generally a gateway) a firewall without application filtering, because it isn't a personal computer for personal use.
So you can throw me all your experts, you can past my sentence and give them.

Now, you perfectly know that english isn't my native language, and if you want to play on words, you will always win.
So if you have something against me, use PMs instead, if not, stay back on topic, i would be really gratefull to you for that.

Thanks you.

A Personal Firewall WITH TCP Stateful Packet Inspection that has no limitation of simultaneous connections, and there are absolutely no problems with use of p2p Software. In-fact I’ve tested quite a few Software Firewalls for Windows with SPI and with no limitation of simultaneous connections, and no problems with use of p2p Software! ;)

-{ Quote: " quoting: gkweb link=board=13;threadid=23453;start=30#msg145724 date=1079569189]
It is not a matter of to be more expert than someone else or not, *I* assume that a home user for _personal_ use needs an application filtering, and that in enterprise or firm (where i already worked) you put on a server (generally a gateway) a firewall without application filtering, because it isn't a personal computer for personal use.
So you can throw me all your experts, you can past my sentence and give them.

Now, you perfectly know that english isn't my native language, and if you want to play on words, you will always win.
So if you have something against me, use PMs instead, if not, stay back on topic, i would be really gratefull to you for that.

Thanks you.

" }-

Thank you gkweb!

The clarity of this post is what I respect... Again Thanks!

Enjoy the cookie gkweb! Again most appreciated!

The security expert said: "a good firewall MUST HAVE Stateful packet inspection"

In the case we are in a compagny with around 100 computers on a NAT or in the case with use a P2P software or some client application who use massive SQL query, so each user must take a ticket for make a TCP connection with looknstop and SPI enable when the 64 or 128 entry are full? lol

-{ Quote: "
The security expert said: "a good firewall MUST HAVE Stateful packet inspection"
" }-

I would like to know the names of your so called "expert".
SPI is a feature, a good one i totally agree, but i have never heard that the firewalls without SPI was bad firewalls.

If i believe a real firewall expert, Robert L.Ziegler, SPI has a lot of issues and scalability problems, and not every corporate network use them, to use a stateless firewall is in many cases (not all) better than a statefull one.
If however it is possible to use it, it might improve security, but for sure it will ask more work from the admin, because in the case the SPI table entries is timed out (althought the connection is still alive) a "hard coded" _additional_ filter rules is needed to anyway accept the connection in case of SPI failure, you can't in firm allow the possibility that your VPN connection will be unexpectedly terminated while transferring critical files.

So to sume up, you have to use a stateless firewall start ruleset which can handle every traffic you want to allow, and then, if your computer power allows it, to activate SPI over it.
If you do not, and if the SPI has a failure, the default policy will be called and your connection will be probably dropped, which can be critical in corporation.

To say SPI is an awesome feature, really great and interesting, very powerfull, is ok.
But to say that to not use it is BAD, that you "MUST" use it, if not you have a BAD firewall, is senseless, and i doubt any expert would say that.
May be you don't know, but many routers for personal use locks up when handling P2P traffic.
May be you still don't know that many routers company has removed the SPI feature from their router firmware because they were causing too much issues to their customers.

Then, all experts apart, if you think a little by yourself, you can probably see that not the SPI in itself, but the implemention (the way to build it into the software) is not that easy.
Users computers power can be from the lowest to the highest, from Pentium III 500Mhz to P4 3.2Ghz, and to simply add a SPI which can handle 10 000 connections instead of 128 will break the weakest computers users, may be *you* don't care, but a firewall vendor for home users can't do it that way.
A computer can have 128Mo RAM or 1Go (even more) and should the 128Mo user take a BSOD because he "must" upgrade ?

I know Phant0m is a power user and has a very good computer ;)

Here we talk about a product which has to work on every computer in any cases, not a single gateway packet filter which will work on a big server. If Look'n'Stop is meant to be used as well as in corporate gateway and in personal home computer, then may be indeed Look'n'Stop should provide an option "corporate / not corporate", but i think it is not what you would like, you just want Look'n'Stop handling P2P traffic on *your* computer.


Now, please read this : we can throw us as many experts as it exists on the earth, even them do NOT agree, this is why i read their comments, but that i rather think by myself instead of being a quoting robot. Saying expert "xxx" said that won't solve our current problem.

You can play chit-chat as much as you want, we will just won't go anywhere. Why ? because in a respectfull manner, i would rather say i have this or this problem, i would like that this product be improved that way, to work like this, is this will be done, will it be a special beta just to test huge ammount of connection in SPI, but certainly not to attack people as well as the firewall vendors and other LnS users for their _opinion_ on the subject, telling them that if they don't think what an expert thinks they are wrong and idiot.


For every software i use, i report politely bugs and ask my personal feature request. When other users comments my requests, i discuss with them, i share my ideas, and often the next software version is improved and better, and all is fine.

This thread is all BUT that, so obviously it will lead to nothing good, and for sure you won't have official answers, but hey, may be it isn't what you want ?




If someone want to get back on topic and to continue this thread in a respectfull manner, and respect others forums reader/writer and Look'n'Stop users, the subject is "Stateful Packet Inspection problems" with _Look'n'Stop_, what are yours ideas, how would you like to see LnS SPI improved, etc...

I agree that I didn't study the complexity to implement SPI feature but if the only problem is CPU power so you can do different version of looknstop, a server, a home user, etc... but if you are a crafty programmer, you can let the user to set the minimum and maximum SPI connection he want in function to his processor speed and memory size.
I have a P133 with 64 Mo of Ram so you will do a special version for me or you will decrease SPI of 128 to 32 ? ;)

About SPI, an interesting thing to do is to see what other product offer like Isa Server 2000, Cisco PIX, Checkpoint firewall, etc...
This is expensive firewall (around 4000 euros) but why they are so expensive ?

cryptic,

-{ Quote: "I have a P133 with 64 Mo of Ram so you will do a special version for me or you will decrease SPI of 128 to 32 ?" }-

This thread is on watch. There's no need for sarcasm - and it will not be tollerated either.

Please stay on topic.

regards.

paul

-{ Quote: "
so you can do different version of looknstop, a server, a home user, etc...
" }-

an interesting idea, i don't know however what would Fredric thinks of it, but i think to have a server version without application filtering and with a SPI able to handle a lot of connection would be great, why not a special beta ? :)

about the current home user version, i would like an option "activate full SPI" and by clinking it, a popup warning the user of ressources requirements while using P2P applications etc...

a good deal between low ressouces computers and power users ;)
(just my opinion thought)


-{ Quote: "
This is expensive firewall (around 4000 euros) but why they are so expensive ?
" }-

Cisco and checkpoint are very famous router and firewall brand, they are in networking since many years and have products very reliable (in corporations you will see a lot of 3com, Cisco, and Checkpoint products).

The price is often indeed expensive, but i think it is because their products are supposed to never locks up whatever the traffic flow, and are made by a well known brand which have many years of experience, may be....

In fact i don't know, ask them :)

You are definitely not getting anymore cookies from me!

gkweb how often you ever see me post on here about bugs/issues with Look ‘n’ Stop? Very rare I do so; I prefer E-mailing and which I have been doing on this subject for months since the very beginning of TCP SPI implementation. And finally I just decided to take this to the forum, because I needed user-feedback on this, because I’ve been told over and over that that I’m the only one coming forth about this when indeed throughout this people on the English AND French forums were experiencing the same problems. And if it wasn’t for you posting in a manner you done so in response to others posts, I could have quite a number of users posting but see you intimidated them and I know this very well because I have E-mails, ICQ and MSN Messages that I’ve been reading. And just thinking of future TCP SPI topic readers who possibly feel the same way and not post, makes me tad bit frustrated since this is what I want in the first place is users-feedback!

OK so these people who been experiencing TCP SPI issues and posts about it on Look ‘n’ Stop Forums gets told by the a vendor or someone else to disable the Look ‘n’ Stop “TCP SPI” feature and so they do so, normally no questions ask EVEN though they don’t know what TCP SPI is and the purpose for it. And there is much to TCP SPI which I won’t get into, but to make this simple TCP SPI will block all incoming "unsolicited” packets. And to simply point out specifically a type of incoming "unsolicited" packets that requires TCP Stateful Packet Inspection for protection is TCP packets with ACK Flag set. This is problem with all Packet Filtering systems that doesn’t offer TCP SPI; this isn’t a fairy tale, this is fact.

i'm sorry if you take something for you Phant0m, all my last posts were for Cryptic.

-{ Quote: "
And if it wasn’t for you posting in a manner you done so in response to others posts, I could have quite a number of users posting but see you intimidated them and I know this very well because I have E-mails, ICQ and MSN Messages that I’ve been reading.
" }-

About feedback, to suggest idea and explain his own needs is feedback, to attack other people or the product itself isn't feedback.

I'm sure you perfectly know that *I* don't attack people, i help them, and i know people know it.
But to say that when someone attack a product and when i react, i am sudenly a bad guy is a nonsense.
Me too i have emails/MSN/voice chat of people thanking me, but unlike you, i don't create imaginary bad guy on this forum, if there is, it's certainly not me.

Honnest people wanting to give their ideas _knowns_ they can, but you actually, trying to show me as someone i am not, is something i don't really appreciate, and is totally out of topic. You have already threats me to "hammered" me in previous post, and you actually do it, indeed.

A forum is to share ideas, and if when i see people a bit rude i can't explain them why they shouldn't be rude (so to keep peace on forum), it's a total nonsense as i said.

May be bad guys aren't those you believe Phant0m, i'm sorry that once again you do all that you can to disturn the thread, really sad.

Let look at an example of a response of course to FuBaSh...

-{ Quote: "It has been said plenty of time, and unless you didn't read a single post of this forum, you must know that SPI isn't compatible with all P2P softwares, which turn your computer in a server with heavy traffic. * " }-

Little remarks may not be big thing to you, but doesn't necessary mean it isn’t to others...

gkweb I’m not sure how you can expect other people to stay on topic when you bring additional posts that shows you moving further off topic…

Phant0m, too much is too much, you will stop that now !

to do partial quoting is the easiest way to make people saying what they didn't say, and out of context, it means nothing.

So stop now this childish chit-chat

You did have my feedback, you don't like it, and you attack me, it tells everything about WHO you are.

Stop that now, i am getting f** up of your child behaviour.

Hot Topic :) Quite interesting to see the views of each :)

KARMA for GKWEB and PHANTOM :)

Phat0m all the way for some reason ! :)

This will do. I for one am a strong believer in a good and adult discussion. This does imply those involved have the decency and respect to withold from playing hard ball and getting purely personal issues in the way.

Since this doesn't seem possible for one reason or another, there's no other option left then closing this thread.

regards.

paul