I can not update via http://update.microsoft.com when I have LnS on.

It works fine when I switch it off.

Do I create a rule for this? What about Automatic Updates?

Where do I check...in the Log?

Cheers

Neggy

I had about 10 different things in my log when I tried to update.

I chose to create a rule for the last one.

ICMP: Allow Type 3 This rule allows your computer to send a receive packets of type 3 on ICMP protocol.

Now update works fine.

Is this all I need t do.

Is it safe?

What is ICMP?

What are Type 3 packets?

Any advice would be appreciated.

Neggy

Hi Neggy :)

You can create 4 rules for Windows Updates:
for the applications : Generic Host Process and Internet Explorer.

All those rules have as Source your IP
local ports 1025 to 5000 , protocol TCP

Destinations:

1- IP address range 206.24.0.0 to 206.24.254.254 port 80
2- IP address range 66.77.0.0 to 66.77.254.254 port 80
3- IP address range 207.46.0.0 to 207.61.254.254 ports 80 and 443
4- IP address range 64.4.0.0 to 64.254.254 ports 80 and 443


You must check in IE to put the security level to default values.
Be sure there is no malwares glued in that IE otherwise they may
prevent WU ...

(A good idea is to used IE only for MS stuff such as W updates
and surf on the web with an alternate Browser such as Firefox or Opera...)

Thoses rules must be placed after Allow internet standards programs
or the equivalent in your rule set.

Works with WU v.5 V. 6 and Microsoft Updates for office pprducts (WU 6
option)

:)

Thanks you for your reply.

Does this mean what I have done is (as above) is wrong?

Neggy

Hi Neggy :)

Used one of the 2 rules set provided by L'n'S
and add the 4 rules i gave you after allow standard internet stuff...

I joint the rules here in a text file.
Change the extension for .rie then import the rules in your Firewall ...

:)

Hi Climenole,

I deleted the rule I created and inmported the 4 rules you sent me.

But Windows update still didn't work?

I added the rule I mentioned in my previous post and it works again?

Hi Neggy :)

Very strange ...

What is your Operating system ?

W xp or ... ?

But, first thing first.
In my previous post I stated that those 4 rules was ok for WU :
this was uncorrect !
those addresses ranges must also to be added :
66.71.*.* and 208.72.*.* ... remote port 80.
and the protocols are TCP and UDP not only TCP like I said... :-(
Sorry for this mistake.

Please note that those rules must included as authorized applications
Internet explorer (iexplore.exe) and Generic Host Process (svchost.exe)

Now about the ICMP Protocol.

In the beginning of the rules list you must block
the incomming ICMP code 0 type 10


In the section of ICMP protocol such as the one in standard
rule set provided by L'n'S you must have those 4 rules:
(They comes with rules sets provided by L'n'S...)

1- allow outgoing icmp code 0 type 8 "echo"
This allow your system and application to send a "ping" when needed.

2- Allow incoming Icmp code 0 type 0 "answer to echo".
This allow your system and application to received the answer to their "ping".

3- Allow outgoing and incomming Icmo code 0 type 11. This is "Tracert".
This allow you to trace all computers between your PC and the target.

4- Last but not least :
Block all other Icmp signals.

With thoses rules I can update Windows and Office 2003...


Suggestion :

Create a single temporary rule for internet explorer and svchost
with no restrictions (all ports on both side) and set it to log all access.

Then run Windows Update ...
(The service Windows Uopdate must be started and in automatic mode :
start | run | services.msc ...)

When WU will be finished check in the log for all entries related to
Windows Updates : port in , port out, IP address etc.

That way you will be able to create your own rules...

Don't forget to remove the temporary "allow all" rule after this check up. ;-)

Examples:

http://cjoint.com/?hzg7frzysl
http://cjoint.com/?hzhaayb5tz

Hope this help.
Let us know.

:)

HI Neggy :)

You ask also for hints about ICMP and the code meaning ...

You'll find everythings (and more !) at Wikipedia:

http://en.wikipedia.org/wiki/Icmp

Cheer :)

Thank you for your reply.

This doesn't seem very simple for me. :-\

I will need to take my time to learn.

Do you know if Phant0ms rule set has the WU included?

http://www.wilderssecurity.com/showthread.php?t=86193

Which rule set would you advise me on using ....enhanced or phant0m?

Thanks again

Neggy

Hi Neggy,

I've never had problems using WU with Phant0m's ruleset (or Enhanced set) :)
Phant0m's ruleset is more restrictive then the Enhanced set. This means that using Phant0m's set could give some extra protection, at the expense of ease of use for some programs.

I have also posted this one Phant0ms forum.....

Hi,

I've just load on Phant0ms V6 rule set.

http://www.wilderssecurity.com/showthread.php?p=516876#post516876

I can't connect any of my progs to the internet yet is this because I need to complete the 4 rules which say 'Rule needs modification before activating'?

Where can I find out what I need to write for each....


Or is there something else I should be doing?

Thanks

Neggy :(

Hi Neggy :)

Phat0m's Rules eh ?

Keep things simple please.

You put yourself in trouble by using this complex rules set...
They are interresting but not the last word about the best rules set...
(A last word do not exist.)

To be very clear about this issue, this rules set included many useless rules
for the vast majority of users and it's,in my humble opinion, a little bit
botched job...

When you asked some informations about thoses rules Mr. Phant0m keep
silence and disappear ... as a phantom ;-)
May be he's a Firewall Guru ... (I don't care of this!).

Why apply a rules set if your only justification is because
some Phant0m's groopies say it's the "best in the west" ???
Don't be victim of the "False Authority Syndrom" please.

The enhanced rules are provided by the developpers of Look'n'Stop:
I guess they know what they are doing...Right ?
Did you agree ?

Used the Enhanced rules provide by Look'n'Stop which are
enough for a new user and add the rules I gave you to
allow Windows and Office updates .

That's work with WU v. 5 and WU v.6 in manual or automatic updates modes
in W xp sp2.

Put thoses rules after the rule "Autorize Standard Internet Services".

They works well in my PC and there is no reason to be different in yours.

If they won't works may be it's a problem :
1- with the W xp services parameters
2- with the Internet Explorer parameters
3- with some malwares hijacking your PC

Hope this help.
Let us know.
:)

Hi Climenole,

Thank you for your response again.

(I have XP SP2)

ok ..... I will use the Enhanced Rules....

I'm not sure what you mean by -{ Quote: "But, first thing first. In my previous post I stated that those 4 rules was ok for WU : this was uncorrect ! those addresses ranges must also to be added : 66.71.*.* and 208.72.*.* ... remote port 80. and the protocols are TCP and UDP not only TCP like I said... :-( Sorry for this mistake. Please note that those rules must included as authorized applications Internet explorer (iexplore.exe) and Generic Host Process (svchost.exe) Now about the ICMP Protocol. In the beginning of the rules list you must block the incomming ICMP code 0 type 10 In the section of ICMP protocol such as the one in standard rule set provided by L'n'S you must have those 4 rules: (They comes with rules sets provided by L'n'S...) 1- allow outgoing icmp code 0 type 8 "echo" This allow your system and application to send a "ping" when needed. 2- Allow incoming Icmp code 0 type 0 "answer to echo". This allow your system and application to received the answer to their "ping". 3- Allow outgoing and incomming Icmo code 0 type 11. This is "Tracert". This allow you to trace all computers between your PC and the target. 4- Last but not least : Block all other Icmp signals." }-

Is there not somekind of rules file that I can just import like you sent me before?

This all seems quite advanced for me? ???

Neggy

Hi Neggy :)

Hum.. I try to be as simple as possible.

1- Try to makes Windows Updates with only the Enhanced rules set.
Normally WU works with those rules.

2- If you would like to have a more "sophisticated" rule set
you can add those "updated" rules ...

(In my first post I stated that my 4 rules was ok. That's not correct.
Two more are needed AND all of thoses rules must be set for TCP and UDP protocol. Not only TCP...)

I joint the rules set.

You must import those rules,
placed them after the "Allow standard Internet Services" rule
Check if the rules are set for Internet Explorer and Generic Host Process
-> svchost.exe
Save and apply.

Sometimes it's necessary to reboot to be sure the new rules are
accepted...

Try a manual Windows Update from the applet in Control Panel.
and check in the firewall log to see if it's working and if it's blocked somewhere.

Please note that the service Windows Updates must be started and in automatic mode even you make a manual update...

Let me know if it's now working.

:)

Hey Neggy

In regards to the WU problem, what do you ‘switch off ‘ for WU to work? Application Filtering? Or Internet Filtering? Properly configured rule-set (or look ‘n’ Stop pre-bundled EnhancedRulesSet) WU should not be a problem unless you made modifications to its Internet Filtering rules, and if you know you hadn’t, I would consider the Application Filtering layer at fault for WU problems.


Climenole,

You say rule-set is complex, yet you belittle and make incorrect statements, the rule-set is only complex for those who don’t have understanding of security or firewalls in general, and obviously you fail to have an understanding.

No, the vast majority are the ones to benefit from the rule-set, but you are entitled to your ~snip....Bubba~ opinions. And as for “botched job” I like to see you do better, until then these sorts of remarks are meaningless.

Climenole I suppose you wanting an apology from me? I apologize for discontinuing my dedicated assistance which I had been giving for many years to Look ‘n’ Stop product and its customers, and I apology for my informational websites that had all went down (which I had no control of) which supported Look ‘n’ Stop software and its customers, informational area where Phant0m``s Rule-set Guide could have been located to aid with the necessary setup (which made it far less complex for users). It was beautiful and I don’t regret the time I spent, volunteering, however I’m 23 and it were about time I started doing things that benefited my future. And so therefore I do apologize also for not sitting around the board waiting for questions to be asked, or coming around and going through many of posts and respond.

Whether my Rule-set is the best or not, I’m yet to see you poster link to something else better offered to the Look ‘n’ Stop community.

You can continue to degrade the rule-set because it being of complexity, requiring some configuration on the user part, but if you are smart you would know, if you want something good, it doesn’t always come easy.

With the Enhanced Rule set I get [Error number: 0x80072EE2] and can not get WU.

My Log shows about 20 logs of....
ICMP : All ICMP types (nukes, ...)
Internet >> PC
00:0F:B5:B0:4D:AC
00:0E:35:FC:E5:C6
IP
[XX2.16X.0.X]
LocalPC
ICMP
576
38926
0 0
0
255
3 : Destination Unreachable
4 : fragmentation needed and DF set
00 00 05 B2 45 00 05 DC 0F 3A 40 00


WU works if I quite LnS.

WU also works if I create a rule for the above log.

I have imported the 4 rules in the above post but these don't seem to help (unless In am doing something wrong?)

Neggy
:-\

-{ Quote: "

You say rule-set is complex, yet you belittle and make incorrect statements, the rule-set is only complex for those who don’t have understanding of security or firewalls in general, and obviously you fail to have an understanding.

No, the vast majority are the ones to benefit from the rule-set, but you are entitled to your ~snip....Buba~ opinions. And as for “botched job” I like to see you do better, until then these sorts of remarks are meaningless.

" }-

Hi Phant0m,

The vast majority using your rules set do not understand thoses rules...
and , yes, the Enhanced rules set provided by Look'n'Stop give a reasonable
protection for their PCs.

A too much complex rules set is useless for a newbie.

"Entities should not be multiplied beyond necessity".

The interest in your rules set is in the similarity to the ones
in the Unix IPTables (TCP packet with various flags...).
The others are the equivalent of other rules set for
rules based firewall under Windows...

But my opinion is not important since :

I'm an ignorant, I don't understand security,I don't understand firewalls
and you are the 23 year's old Guru of the Look'n'Stop Community...
How you "know" this about me ??? ;-)
Let me laugh :-D

I understand that young poeple are sometimes a bit arrogant.
I don't care of this.

My principal design is to help poeple, not to feed my self-esteem
and inflate my head.

Drink a fresh glass of water, keep calm and go to play outside boy.

:-D

I agree it is complex rule-set for most to comprehend, take NOD32; you don’t need to know the technical inner workings to know it’ll protect. As for complex, I bet if you were to ask majority of the Look ‘n’ Stop users about the EnhancedRulesSet rule-set, I bet you also see vast majority whom are confused to the purpose for its rules in this rule-set.

EnhancedRulesSet does offer reasonable protection, no debating there. But it sounds like you type of person who always goes the easy root, who doesn’t like to work to achieve something good. And that being said, I see why you are ignorant to many things, things you discuss about.

I don’t agree that complexity is a downfall for newbies, and it has been proving long before your butt ever got here that people can apply and operate the rule-set. I also have always been the one to say, when time permits, try to understand the rules in your rule-set better.

You can say whatever you like in attempt to degrade the rule-set, like it or not you are far from the truth. My rule-set with information I had on my previous webpages informs people about the necessity of rules in the rule-set, what is offered to the rule ordering is vital bit of knowledge which you obviously cannot comprehend. –

If you think I multiplied and created bunch of useless rules, which not serve a purpose, let’s see them, poster these here or in PM.

In addition; I’m still waiting to see you create something better, or merely link to someone else’s better creation for the Look ‘n’ Stop community.

Anyways, if this was anytime before, I would love to sit here and debate with you, but I do have a life and I don’t feel like wasting it on you, and your silly games.

Regards,
Phant0m``

???

.....anyway I still can't connect to WU with LnS Enhanced or Phant0m rules....but I can without LnS.

I am sure LnS is the best firewall and I want to keep it but if I don't get this sorted by the time the trial ends I won't.

:'(
Neggy

Hi Neggy

Launch the Look 'n' Stop main window, access "Application Filtering" and (temporarily) uncheck 'Application filtering enabled', try WU.

If the problem still persists, re-enable Application filtering, simply check that box again and go over to 'Internet Filtering' screen and (temporarily) uncheck 'Internet filtering enabled', try WU again.

Let me know the results, thanks

What type of connection you have? And are you running behind a Router?

The reason I ask, this problem is known to happen while with some Routers using MTU size (default setting) ‘1500’, the MTU size should be changed on the Router to ‘1492’.

Sorry for hijacking this thread, but since Phant0m is present, may I ask him if he plans on releasing the update to his ruleset, as mentioned in a previous thread/post ?

Hi Neggy and Phant0m :)

Phant0m : I don't want to argue with you about the rules sets...
I believed that things must be kept simple to help Neggy to
make a WU with L'n'S firewall. My aim is to find a solution for Neggy.
That's all. :)

Neggy :
Is it possible to send us the rules set your are using ?
Export the rules set, change the extension to .txt and
upload it here.

I'm looking at it and I hope somebody else also.
More than one advice is better ? Right ?

Don't worry : WU works with L'n'S and it will work for you soon.

:)

-{ Quote: "Launch the Look 'n' Stop main window, access "Application Filtering" and (temporarily) uncheck 'Application filtering enabled', try WU." }-

WU doesn't work :'(

-{ Quote: "If the problem still persists, re-enable Application filtering, simply check that box again and go over to 'Internet Filtering' screen and (temporarily) uncheck 'Internet filtering enabled', try WU again." }-

It works! :)

-{ Quote: "What type of connection you have? And are you running behind a Router?" }-

At the moment I am behind a Netgear Router. But I get the same results with my Vodafone 3G datacard on GPRS.

Thanks

Neggy

Hey Defenestration

As I had promised, I will release the newer version, just waiting for time to permit.
I had managed to get % of my Rule-set guide up on my forum this morning, so I’m getting ready for the big moment.

OK, ensure you re-Activate the 'Internet filtering' (to be protected), so basically from what I'm seeing here is, the ICMP blockings due to large MTU size usage... Try making the adjustments on the Router as I have mentioned

-{ Quote: "WU doesn't work :'(



It works! :)



At the moment I am behind a Netgear Router. But I get the same results with my Vodafone 3G datacard on GPRS.

Thanks

Neggy" }-

I agree Climenole, things should be kept simple, but the WU issues originated with use of EnhancedRulesSet and not my rule-set, however the problems regarding connecting issues with the usage of my rule-set due to not being configured for DNS info, and things were complex because my Rule-set guide had went down with my last site (which were giving freely for me to use at the time) which meant no guidance from me = problems. However, nothing is entirely simple in this world, and more simple things are the more disadvantages we have.



-{ Quote: "Hi Neggy and Phant0m :)

Phant0m : I don't want to argue with you about the rules sets...
I believed that things must be kept simple to help Neggy to
make a WU with L'n'S firewall. My aim is to find a solution for Neggy.
That's all. :)

Neggy :
Is it possible to send us the rules set your are using ?
Export the rules set, change the extension to .txt and
upload it here.

I'm looking at it and I hope somebody else also.
More than one advice is better ? Right ?

Don't worry : WU works with L'n'S and it will work for you soon.

:)" }-

-{ Quote: "Neggy : Is it possible to send us the rules set your are using ? Export the rules set, change the extension to .txt and upload it here." }-

Here are my Enhanced Rules....

...and here are my Phant0m rules...

Hey Neggy

Let work with the pre-bundled rule-set 'EnhancedRulesSet'.

http://www.snakeyez.us/images/BBR/MTU.jpg

Locate this setting on the Router and make the modification I mentioned.

I can't see anything on my router about MTU.

It does say Ecapsulation is PPPoA (PPP over ATM)

My menu options in Netgear are:
Basic Settings
ADSL Settings
Wireless Settings
Logs
Block Sites
Firewall Rules
Services
Schedule
E-Mail
Router Status
Attached Devices
Backup Settings
Set Password
Diagnostics
Router Upgrade
WAN Setup
Dynamic DNS
LAN IP Setup
Remote Management
Static Routes
UPnP

I don't see how changing anything with my router setting will help as I still get the same results with WU when I connecct via a GPRS datacard?

Neggy

Alright, if you connect directly with Ethernet adapter (without a use of a Router) and the problem still persists on that system you using, the windows MTU needs to be tweaked.

This is how you can determine if MTU setting needs to be adjusted, normally;

ping www.yahoo.com -f -l 1500

If there is packet loss greater than 0, MTU should be adjusted.

And this can be done using DrTCP http://www.dslreports.com/front/drtcp.html

Please keep the personal attacks to oneself. The member is asking for assistance with WU issues as it relates to LNS rules or non LNS rules.

Take your personal differences to PM or another venue.

Thanks

I don't see how the MTU will affect it as I get the same results when I connect without a router via a GPRS datacard?

Neggy

Well you’ll have to trust me on this,

You posted http://www.wilderssecurity.com/showpost.php?p=517666&postcount=16

This information indicates the MTU size is bad, now you have two options, create a ICMP rule to permit this (but I wouldn’t recommend, since MTU adjustment can go a long way to help you and without the need for additional rule), and the one I highly recommend, MTU size adjustment.

-{ Quote: "I don't see how the MTU will affect it as I get the same results when I connect without a router via a GPRS datacard?

Neggy" }-

To find the correct MTU size use PING, and accessing MS-DOS,
Type; ping www.yahoo.com -f -l 1500

Does it show ‘Packet needs to be fragmented but DF set.’? Try
Type: ping www.yahoo.com -f -l 1460

Does ‘Packet needs to be fragmented but DF set.’ appear, no? and continue to slightly increase the number until you see ‘Packet needs to be fragmented but DF set.’, the previous number is what you’d want to use, set in MTU field shown using DrTCP.

I am now connected via GPRS (no router involved).

WU isn't working with LnS Enhanced Rules.

I don't understand what this Ping stuff is or how to use MS-DOS.

In Windows 2000/XP, click on the Start menu, choose Programs | Accessories | Command Prompt.

In Windows 98, click on the Start menu, choose Programs | MS-DOS Prompt.


-{ Quote: "I am now connected via GPS (no router involved).

WU isn't working with LnS Enhanced Rules.

I don't understand what this Ping stuff is or how to use MS-DOS." }-

..... :)

-{ Quote: "Hey Defenestration

As I had promised, I will release the newer version, just waiting for time to permit.
I had managed to get % of my Rule-set guide up on my forum this morning, so I’m getting ready for the big moment." }-Much appreciated. I look forward to them.

Thanks Phant0m,

Re: MS-Dos

ping www.yahoo.com -f -l 1500

Done it and I got the same results as your image above.

Sent 4, Received 0, Lost 4 (100% Loss)

ping www.yahoo.com -f -l 1460

Result is....

Sent 4, Received 1, Lost 3, (75% Loss).

What do I do now?

Neggy

Sorry above results were for my desktop (doesn't have LnS).

Results for my Laptop with LnS are the same except...

ping www.yahoo.com -f -l 1460

I get 'Resquest Timed Out' a 4 times then the result....

Sent 4, Received 0, Lost 4 (100% Loss)

No problem Defenestration.

Hey Neggy

If you using unaltered EnhancedRulesSet, ICMP Pinging should be permitted, so we try pinging another area, use; ping www.dslreports.com -f -l 1460

Hi Phant0m,

ICMP Pinging is ticked green in Enhancd Rules.

I am still geting the same results on ping www.dslreports.com -f -l 1460

3 x Time Out and 100% loss.

Neggy

You have only one third-party software firewall installed on that machine, which is Look 'n' Stop? Possibly your Router is what is blocking ICMPs....



-{ Quote: "Hi Phant0m,

ICMP Pinging is ticked green in Enhancd Rules.

I am still geting the same results on ping www.dslreports.com -f -l 1460

3 x Time Out and 100% loss.

Neggy" }-

-{ Quote: "You have only one third-party software firewall installed on that machine, which is Look 'n' Stop?" }-

Yes

-{ Quote: "Possibly your Router is what is blocking ICMPs...." }-

I will check....but I still do not see how this makes a difference as I get the same results when I connect via GPRS??

Neggy :-\

This is my router log:

Sun, 2002-09-08 12:00:29 - Initialize LCP.
Sun, 2002-09-08 12:00:29 - LCP is allowed to come up.
Sun, 2002-09-08 12:00:32 - CHAP authentication success
Sun, 2002-09-08 12:04:55 - Send out NTP request to time-g.netgear.com
Sun, 2002-09-08 12:05:57 - Send out NTP request to time-h.netgear.com
Wed, 2005-07-27 11:13:42 - Receive NTP Reply from time-h.netgear.com
Wed, 2005-07-27 11:07:46 - Router start up

I've looked at the menu's for the router and it doesn't indicate anything aboiut blocking ICMps

I think it is this rule stopping Windows Update working.

''ICMP : All ICMP types (nukes, ...)''

''Stops all ICMP types not allowed by other rules.
For example, ICMP nuke makes your computer
disconnect from IRC (Internet Relay Chat).''

Can anyone help?

Thx

Neggy

Do you mean that allowing the packets for this rule solves the issue ?

Thanks,

Frederic

Hi Frederic,

If I click create rule for what shows in my log....

''ICMP : All ICMP types (nukes, ...)''

''Stops all ICMP types not allowed by other rules.
For example, ICMP nuke makes your computer
disconnect from IRC (Internet Relay Chat).''


WU works OK?



Neggy

Hi,

Is it a question or a statement ?

Thanks,

Frederic

Sorry its a statement. :-[

Neggy

Ok, in this case the problem is only in refining an additional ICMP rule allowing only the required type.
To do so:
- set back the global ICMP rule to block the packets
- you will get some alerts in the logs
- use a right click on one of these alerts to create a specific ICMP rule that will allow the packets.

Regards,

Frederic

I wouldn’t resort to opening myself up a bit more by making a rule which isn’t necessary under normal circumstances, it is simply the MTU size that is the problem here and should be adjusted…

Hi,

WU works with that rule.

I don't know what else to do?

I don't see how it is a router problem when I get the same results on my GPRS datacard?

Neggy

MTU problem can be Router, or Windows MTU setting.
Using DrTCP, the utility I giving link for, set MTU setting to 1460 and reboot the system and try WU again.

Hi Phant0m,

This is probably a silly question.....

My Laptop has LnS on and it is my Laptop with the problem.

My desktop is also connected to the router.

-{ Quote: "Does it show ‘Packet needs to be fragmented but DF set.’? Try Type: ping www.yahoo.com -f -l 1460 Does ‘Packet needs to be fragmented but DF set.’ appear, no? and continue to slightly increase the number until you see ‘Packet needs to be fragmented but DF set.’, the previous number is what you’d want to use, set in MTU field shown using DrTCP." }-

Both my laptop and desktop both starting getting 100% at 1430.

Do I change my laptop (LnS) or desktop MTU to 1430 or both?

Thanks

Neggy

Any news on this one?

thx

Neggy