Blocking Incoming Connections

Discussion in 'LnS English Forum' started by nuser, May 31, 2007.

Thread Status:
Not open for further replies.
  1. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Hi all,
    In the rule editing window, there is an option "Block incoming connections".
    Does it mean that ALL incoming connections will be blocked if I check this option (in this case, I will receive nothing)?
    o_O
     
  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi nuser :)

    No.

    This mandatory rule is used to block, with no feedback to the source,
    all INCOMING TCP packets with the SYN flag.

    This kind of TCP packet is used to start a new connection from a "client" (like your PC) to a server (like the web server of this forum).

    When you have a server, like an FTP server or the server part of a P2P program, the rule for this server must be placed before this rule: the packets with the format and the data required by your local server are accepted and managed by the server program, and the others are rejected and blocked by the rule "Block incoming connections".

    For all "client" applications, like a web browser, an email client, etc., the rules must be placed after this "Block incoming connections" rule...

    To get the idea, here is a simplified example of a normal connection from your PC with a web browser to a web server:


    Your PC ========================== The web server

    The server is in the listening state on its port 80

    ========== TCP + SYN ============>>>

    <<<======== TCP + SYN-ACK ============

    =========== TCP + ACK =============>>>

    The connection is now in the established state between your PC and the server.

    All TCP + SYN are sent to a server, not to a client; therefore they must be blocked if they are sent to your PC....

    This rule blocks, for example, the connection attempts on ports 135 and 445 by worms like Blaster and Sasser... etc.

    Does this answer your question?

    :)
     
    Last edited: May 31, 2007
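The behaviour described in the post above, as an added example that is not code from the forum thread or from Look 'n' Stop: it parses a raw TCP header, decides whether an inbound segment is a connection attempt (SYN set, ACK clear), and walks an ordered first-match rule list in which server rules sit before the block rule and client rules after it. All segments are constructed here for the demo; the port numbers and rule names are illustrative assumptions.

```python
"""
Added example, not code from the forum thread or from Look 'n' Stop:
a minimal model of the "Block incoming connections" rule. Segments,
ports and rule names below are constructed for the demo.
"""
import struct

# TCP flag bits, low six bits of the offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header: data offset 5, no options, zero checksum."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)


def parse_tcp(segment: bytes) -> dict:
    """Extract ports and the six classic flag bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x3F}


def is_connection_attempt(flags: int) -> bool:
    """Only the first segment of a handshake carries SYN without ACK;
    the SYN-ACK reply to a connection we opened has ACK set as well."""
    return bool(flags & SYN) and not (flags & ACK)


def make_rules(local_server_ports=()):
    """Ordered rule list of (name, direction, predicate, verdict).
    Server rules go first so their SYNs are accepted, then the block rule,
    then a permissive client rule standing in for the browser/mail rules."""
    rules = []
    for port in local_server_ports:
        rules.append((f"local server on port {port}", "in",
                      lambda p, port=port: p["dport"] == port
                      and is_connection_attempt(p["flags"]), "allow"))
    rules.append(("Block incoming connections", "in",
                  lambda p: is_connection_attempt(p["flags"]), "block"))
    rules.append(("client applications", "any", lambda p: True, "allow"))
    return rules


def decide(segment: bytes, direction: str, rules) -> str:
    """First matching rule wins; silent drop if nothing matches."""
    pkt = parse_tcp(segment)
    for name, rdir, pred, verdict in rules:
        if rdir in ("any", direction) and pred(pkt):
            return f"{verdict}: {name}"
    return "block: default"


if __name__ == "__main__":
    client_only = make_rules()
    with_ftp = make_rules(local_server_ports=(21,))
    # Unsolicited SYN to port 445, the kind of probe Blaster/Sasser-style worms send
    print(decide(build_tcp(51000, 445, SYN), "in", client_only))
    # Our own handshake with a web server: SYN out, SYN-ACK in, ACK out
    print(decide(build_tcp(52000, 80, SYN), "out", client_only))
    print(decide(build_tcp(80, 52000, SYN | ACK), "in", client_only))
    print(decide(build_tcp(52000, 80, ACK), "out", client_only))
    # Same unsolicited SYN, aimed at a local FTP server whose rule precedes the block rule
    print(decide(build_tcp(51000, 21, SYN), "in", with_ftp))
```

The inbound SYN-ACK passes because it carries ACK: the rule keys on SYN-without-ACK, which is why it stops new inbound connections without breaking the ones your own client opened. Moving the FTP server rule below the block rule would make the server unreachable, which is the ordering point the post makes.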
  3. nuser
    Thanks a lot, Climenole! :thumb: :thumb: :thumb:

    There are more "TCP flags" when I press the "More" button. I have found the meanings of "URG, ACK, etc." in a TCP book, but I don't know the meaning of "Mask" and "Set/Cleared" in the option.
    For example, what happens if I check both the "Mask" and the "Set/Cleared" status of "SYN"?
    o_O

    In the preset of Phant0m, the TCP flags are checked as follows:
    for "Mask", checking ALL
    for "Set/Cleared", checking ONLY "SYN"

    Is this the best combination for blocking incoming TCP connections?

    If I uncheck "Block incoming connections" but still select "SYN" in the "More" dialog, does this setting still block the incoming connections with a SYN flag? (In brief, is there any difference if I uncheck "Block incoming connections"?)

    Could you please give me a little more explanation about this combination?
    Thanks in advance.
     
    Last edited: Jun 1, 2007
  4. Climenole
    Hi nuser :)


    The mask and set/cleared are used to block or allow packets with different combinations.
    In my rule set (climenole rule set v.1, 2, 3) I'm using such combinations of mask.

    An example of this is the rule {H. 04}; [TCP] << FIN & 13 Variants ! >

    The mask is checked for ACK and FIN and the set/cleared is set to FIN.

    With this simple setup I block all these combinations:

    FIN, FIN-SYN, FIN-RST, FIN-PSH, FIN-URG, FIN-SYN-RST, FIN-SYN-PSH, FIN-SYN-URG, FIN-RST-PSH, FIN-RST-URG, FIN-PSH-URG, FIN-SYN-RST-PSH, FIN-SYN-RST-URG, FIN-SYN-RST-PSH-URG.

    One hint about this: the combination ACK-FIN is legal and must be allowed, so ... ;)

    This avoids the creation of one rule per combination as we see elsewhere ...

    If you want to have fun with this:
    https://www.wilderssecurity.com/showthread.php?t=174202

    The rule set is published under the Creative Commons licence:
    http://creativecommons.org/licenses/by-nc-sa/2.5/ca/

    ;)

    EDIT: 14:19 EST : Change the word "activ" to the correct eng. word "set/cleared"
     


    Last edited: Jun 1, 2007
  5. nuser
    Thanks, Climenole,
    I will study the long post you mentioned.
    Returning to my old question:

    If I uncheck "Block incoming connections" but still select "SYN" in the "More" dialog, does this setting still block the incoming connections with a SYN flag?
    (In brief, is there any difference if I check or uncheck "Block incoming connections", while the settings in "More" are the same?)
     
  6. Climenole
    Hi nuser :)

    No difference.

    It's again a typical application of the "Réaumur-Sébastopol Theorem":

    "Plus un informaticien est fainéant, meilleur il est,
    Car il connaît des tas d'astuces !"

    "The lazier a computer scientist is, the better he is,
    because he knows heaps of tricks!"

    So check the option and let LnS do it for you! ;)

    :)
     
  7. nuser
    Climenole, :thumb:
    Could you please explain a little more about the above figure? Why does this "simple" combination produce so many combinations?
    Actually, I don't understand the meaning of "mask" here. :oops:
    Thanks in advance. :thumb:
     
  8. Climenole
    Hi nuser :)

    In the example above we have this setup:

    mask: ACK FIN

    set/cleared: FIN

    1- mask FIN + set FIN = catch all packets with the flag FIN

    2- mask ACK + cleared = don't catch a packet with the flag ACK

    3- all the other flags, unmasked and not checked as set = caught whether present or not in the combination...

    #1 sets the rule to catch the packets with the flag FIN
    #2 sets the rule to allow the legal combinations with ACK and FIN (don't catch them!)
    #3 sets the rule to catch all the other flags if they are present and not to care if they are not

    Therefore this simple rule blocks all illegal/abnormal FIN flag combinations without blocking the legal ones...

    This blocks 14 illegal combinations but not the right ones (with the flag ACK):

    ACK-PSH-FIN
    ACK-FIN


    :)

    Edit: 14:22 change the word "activ" to the correct one: "Set / Cleared"
     
    Last edited: Jun 1, 2007
  9. nuser
    Thanks, Climenole,
    Hmm, a little complicated. I still can't catch your idea.

    What's the meaning of "mask" here?

    Where does "ACK-PSH-FIN" come from?

    Thanks in advance. :thumb:

    By the way, I have searched the forum and found these statements; are they right?
    a flag with MASK checked means that I'm interested in that flag;
    a flag with MASK unchecked means that I'm not interested in that flag;
    a flag with SET/CLEARED checked means that that flag must be set;
    a flag with SET/CLEARED unchecked means that that flag must be unset;

    Unfortunately, the mentioned link is not available now:
    http://www.wilderssecurity.info/TCP-Flag_Controls.shtml
     
    Last edited: Jun 1, 2007
  10. Climenole
    Hi nuser :)

    Hmmm... not exactly, IMHO. The combination must be understood together.

    1- a flag with MASK checked AND SET/CLEARED checked means
    The flag must be present

    2- a flag with MASK checked AND SET/CLEARED unchecked
    The flag must be absent

    3- a flag with MASK unchecked AND SET/CLEARED unchecked
    The flag may be present or not [Edit 14:23 EST]: (set or cleared always accepted)

    4- a flag with MASK unchecked AND SET/CLEARED checked means
    The flag must not be used at all. [Edit 14:23 EST]: (set never accepted)

    I never used the last combination in any of my rules, but it's easy to experiment with this by creating such a rule and seeing what happens...

    Mask:

    http://en.wikipedia.org/wiki/Mask_(computing)

    Put more simply, a mask is a kind of filter... See the idea?

    :)
     
    Last edited: Jun 2, 2007
  11. Climenole
    Hi nuser :)

    Simple: this is one possible flag combination with FIN.

    With the rules we're talking about, this combination is part of the flag combination subset: the ones allowed because there is also an ACK flag...

    1- All combinations of flags (the class),
    then reduced to:

    2- All combinations of flags with FIN present (sub-class),
    then reduced to:

    3- All combinations of flags with FIN present and ACK present (sub-class of the previous sub-class)

    Therefore the remaining members of this "sub-sub-class" are:

    ACK-FIN and ACK-FIN-PSH ... (two legal combinations)

    AND these ones:

    ACK-FIN-RST, ACK-FIN-URG, ACK-FIN-SYN (three "illegal/abnormal/weird" combinations) o_O

    They are blocked by other, following rules... ;)


    :)

    P.S. My brain is now boiling... :rolleyes:
     
    Last edited: Jun 1, 2007
  12. nuser
    Thanks, Climenole,
    I understand your idea now. A proper combination will reduce the number of rules dramatically.

    So the questions are:
    (1) Theoretically, how many "legal" combinations are there among all the 64 (2^6) possibilities?
    SYN, FIN, ACK, SYN+ACK, FIN+ACK, URG+ACK, PSH+ACK, RST+ACK,
    and others?

    (2) The smallest number of rules required to catch all illegal combinations. What's your latest progress on the experimental rule set? :p

    (3) As for your above-mentioned example, there seem to be 16 illegal combinations (not 14). You have missed F-R-P-U and F-S-P-U.
    Please correct me if I am wrong. :thumb:

    (4) "a flag with MASK unchecked AND SET/CLEARED checked means the flag must not be used at all (set never accepted)"
    I guess that the effect is the same as "a flag with MASK checked AND SET/CLEARED checked means the flag must be present". Could you please confirm by some testing? I don't know the procedure to test this.
     
    Last edited: Jun 2, 2007
  13. Climenole
    Hi nuser :)

    That's right! An ideal rule set must have the minimal number of rules for maximal protection... but this is not always possible.

    SYN : outgoing, from a client to a server
    ACK
    ACK-FIN
    ACK-PSH
    ACK-PSH-FIN
    ACK-RST
    RST


    EDIT: june 2 11:02 EST : I forgot that one : ACK-SYN ... o_O

    All these combinations are used on a regular basis in the connections between a PC and the servers on the web.

    There are some combinations with an uncertain status (for me), like ACK-URG...
    I have never encountered this combination in any connection here...

    Last year I created an experimental rule set with only 2 rules to block illegal combinations: one for the FIN combinations and another one for the SYN combinations... Those were very "elegant" rules, but this assumed that no server rules would be used on the PC.

    Since I created a rule set to fit the most varied configurations possible, I gave up these nice 2 rules and kept the minimal number of rules for the TCP flag combinations at 7 rules.

    {H. 02}; [TCP] << NULL ! > = Any flag
    {H. 03}; [TCP] << FULL ! > = All flags
    {H. 04}; [TCP] << FIN & 13 Variants ! > = the FIN illegal combinations

    and these ones for the illegal SYN combination:

    {H. 05}; [TCP] << SYN RST & 4 Variants ! >
    {H. 06}; [TCP] << SYN PSH & 2 Variants ! >
    {H. 07}; [TCP] << SYN URG ! >

    and

    {Q. 999}; [TCP] << SYN ! >

    FIN,
    FIN-SYN,
    FIN-RST,
    FIN-PSH,
    FIN-URG,
    FIN-SYN-RST,
    FIN-SYN-PSH,
    FIN-SYN-URG,
    FIN-RST-PSH,
    FIN-RST-URG,
    FIN-PSH-URG,
    FIN-SYN-RST-PSH,
    FIN-SYN-RST-URG,
    FIN-SYN-RST-PSH-URG.

    You're right: I missed these two:
    FIN-RST-PSH-URG
    FIN-SYN-PSH-URG

    Thank you for this valuable remark ! :thumb:

    4- a flag with MASK unchecked AND SET/CLEARED checked means
    The flag must not be used at all. [Edit 14:23 EST]: (set never accepted)

    VS

    1- a flag with MASK checked AND SET/CLEARED checked means
    The flag must be present

    An example of this is the rule {S. 0}; [TCP] {{ ACK }} of the rule set climenole version 3.

    All masks are checked AND ACK is checked (SET)

    This rule allows all TCP packets with the flag ACK, in and out...

    If I uncheck the ACK mask, the rule blocks TCP packets with the flag ACK instead of allowing them...


    In the rule set, the packets blocked by the modified
    {S. 0}; [TCP] {{ ACK }} + ACK mask unchecked are authorised by the following rule: {S..0000000}; [TCP] {{ Common Internet Applications }} for all packets with the flag ACK.

    So the effect of a flag with MASK unchecked AND SET/CLEARED checked
    is different from the effect of a flag with MASK checked AND SET/CLEARED checked



    It's 01:09 AM Eastern Daylight Time... It's time for me to go to sleep... ;-)

    Thank you for your questions, feedback and remarks.

    :)
     
    Last edited: Jun 2, 2007
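The Mask / Set-Cleared matching explained in posts 8, 10 and 13 above, as an added example that is not the forum's or Look 'n' Stop's own code. It writes the rule as a plain masked compare and enumerates all 64 flag combinations, so the reader can check which ones the {H. 04} rule (mask ACK+FIN, set FIN) catches, that the legal ACK-FIN and ACK-PSH-FIN pass, and what "mask ACK, cleared" (the case that comes up again later in the thread) catches. Assumption: a flag whose mask box is unchecked is ignored whatever its set/cleared box says, which is the textbook meaning of a mask; the thread reports that the product behaves differently for that fourth case, and this code does not model that.

```python
"""
Added example, not the forum's or Look 'n' Stop's own code: the Mask /
Set-Cleared matching as a masked compare, enumerated over the 64 possible
flag combinations. Unmasked flags are treated as don't-care (assumption).
"""

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def bits(*names: str) -> int:
    """Combine flag names into a flag byte, e.g. bits('ACK', 'FIN')."""
    value = 0
    for n in names:
        value |= FLAGS[n]
    return value


def label(flags: int) -> str:
    """Human-readable name of a combination, 'NULL' for no flags."""
    return "-".join(n for n, b in FLAGS.items() if flags & b) or "NULL"


def rule_matches(flags: int, mask: int, set_: int) -> bool:
    """Every masked flag must equal its set/cleared state; unmasked flags
    are don't-care. This is the 'combination understood together' of post 10."""
    return (flags & mask) == (set_ & mask)


def requirement(flag: str, mask: int, set_: int) -> str:
    """Per-flag reading of the same rule, for display."""
    b = FLAGS[flag]
    if mask & b:
        return "must be present" if set_ & b else "must be absent"
    return "may be present or not"


def caught_by(mask: int, set_: int) -> list:
    """All of the 64 combinations that a rule with this mask/set catches."""
    return [f for f in range(64) if rule_matches(f, mask, set_)]


# The {H. 04} rule: mask ACK and FIN, set FIN, ACK cleared.
FIN_RULE = (bits("ACK", "FIN"), bits("FIN"))

# Combinations post 13 lists as used by normal client traffic.
LEGAL = [bits("SYN"), bits("SYN", "ACK"), bits("ACK"), bits("ACK", "PSH"),
         bits("ACK", "FIN"), bits("ACK", "PSH", "FIN"), bits("ACK", "RST"), bits("RST")]


def fin_rule_catches() -> list:
    """Names of every combination the FIN rule blocks."""
    return [label(f) for f in caught_by(*FIN_RULE)]


def legal_caught_by_fin_rule() -> list:
    """Legal combinations the FIN rule would wrongly block (should be none)."""
    return [label(f) for f in LEGAL if rule_matches(f, *FIN_RULE)]


def ack_cleared_catches() -> list:
    """'Mask ACK, cleared': only segments without ACK, such as a bare SYN."""
    return [label(f) for f in caught_by(bits("ACK"), 0)]


if __name__ == "__main__":
    for name in FLAGS:
        print(f"{name}: {requirement(name, *FIN_RULE)}")
    caught = fin_rule_catches()
    print(f"{len(caught)} combinations caught:", ", ".join(caught))
    print("legal combinations caught:", legal_caught_by_fin_rule() or "none")
    print("mask ACK + cleared catches", len(ack_cleared_catches()),
          "combinations, e.g.", ", ".join(ack_cleared_catches()[:4]))
```

Two masked flags pin down two bits and leave four free, so the rule catches 2^4 = 16 combinations, the count nuser arrived at in post 12, including FIN-RST-PSH-URG and FIN-SYN-PSH-URG; none of the eight legal combinations is among them. "Mask ACK, cleared" on its own catches all 32 combinations without ACK, which is why placing such an allow rule above the block rule for both directions would let inbound SYNs through.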
  14. nuser
    It seems to have the same effect as the combination "mask ACK and clear ACK".
    Maybe more experiments are needed. :p
     
  15. Climenole
    Hi nuser :)

    Here is a simple example.

    Picture 1: the ACK rule, mask and set checked

    Picture 2: a connection to Gmail with this rule

    Picture 3: the ACK rule, mask unchecked and set checked

    Picture 4: a connection to Gmail with this rule

    The packets with ACK are not handled by the ACK rule but by the following rule
    {S..0000000}; [TCP] {{ Common Internet Applications }}

    Picture 5: the previous rule with the ACK packet...

    ;-)
     

    Attached: ack1.jpg
    Last edited: Jun 2, 2007
  16. Climenole
    Picture # 2
    a connection to Gmail with the ACK rule: mask and set checked
     

    Attached: ack2.jpg
  17. Climenole
    Picture # 3
     

    Attached: ack3.jpg
  18. Climenole
    Picture # 4
    a connection to Gmail with the ACK rule: mask unchecked, set checked
     


  19. Climenole
    Picture # 5 :)
    The following rule, Common Internet Appl., now authorises TCP + ACK ...
     

    Attached: ack5.jpg
  20. nuser
    Oops, Climenole, you have woken up. :D
    So, "not mask ACK and set ACK" is equivalent to "mask ACK and clear ACK". Right?
    Since the connection to Gmail finally triggers the "Common Internet" rule.
     
  21. Climenole
    Hi nuser :)

    No, it's not. I proved to you exactly the opposite.
    The connections with Gmail work because the TCP + ACK are authorised by the rule {{ Common Internet Applications }} ....

    Otherwise the connection would fail...


    No? (Or I have to return to sleep: this is a possibility after all... :rolleyes: ) ;)
     
  22. nuser
    Oops, maybe I am wrong.
    So, what will happen with mask ACK and clear ACK?
     
  23. Climenole
    Hi nuser :)

    This:

    2- a flag with MASK checked AND SET/CLEARED unchecked
    The flag must be absent

    Therefore the only packet without the ACK flag, the first SYN sent from the PC to a server, will use this rule (if the rule is placed before the one with SYN out...) o_O

    Also, if a rule like this is used for in and out packets and placed before the rule blocking incoming connections, this "weird" rule will allow incoming connections (and all packets with no ACK, like FIN...) o_O

    :)
     
  24. nuser
    Hi Climenole, :thumb:
    With the above rule (ACK is absent), the normal packets (with the ACK flag) will not match this rule. But they are not blocked (the rule only says yes to the packets without ACK, but doesn't say no to other packets). They still have a chance to match the following "Common Internet" rules.
    Am I right?
     
  25. Climenole
    Hi nuser :)

    Yes. :D

    They are ignored...

    But if you don't have a following rule to accept them, the packets will be blocked ...

    :)
     