Jetico-Avast proxy localhost affair

I run
an Ethernet BB router
Jetico firewall
Avast antivirus
Firefox
IE.

I tried a few different Jetico configurations ,some harder on security than others,and finally adopted Ladidal method (http://www.geocities.com/ladidel_jetico/jeticoindex)
of placing beforehand every relevant application working full time in the first and main Application Table, following the golden rule
of giving each Application:

1-Access
2-generally detailed Outgoing permission/or what needed
3-Rejecting anything else.

My uncertainty regards the Avast WebShield proxy problem as -according to lukor,Avast rep at Avast Forum- this antivirus needs:

1-browser to connect to localhost:12080
2-webshield (ashWebSV.exe) to listen on localhost:12080
3-webshield to accept the connections from localhost:anyport
4-webshield to connect to webservers port 80

what i did:
1-is taken care of by FF,IE settings about local proxy for HTTP port 12080,
2-3 by AshWebSV.exe inbound rule from Remote 127.0.0.1,port 12080;
4-by establishing Remote port for outbound connections as 80)

This is part of my App.Table (edit-due to problems uploading i'll continue with following posts):

 

The Browser section is the following- i used the standard rules,but detailed the Application
working as Browser,in my case Avast local proxy ,Firefox and IE:

accept disable 0 access to net

accept disable tcp/ip outbound any any any 80

accept ashWeb.exe dis tcp/ip outbound any any any any
accept HTTP FF dis tcp/ip outbound any any any 80
accept allow HTTPS dis tcp/ip outbound any any any 443
accept HTTP IE dis tcp/ip outbound any any any 80
accept Allow HTTPS dis tcp/ip outbound any any any 443
continue default action

(sorry, my .jpg was not accepted,continues next post)

 

These settings make Jetico prompt for any new connection,which is what i wish.
Jetico,when my Router is in DMZ,is perfectly stealthed anywhere.

I hope i 'translated' these rules into good practice...........if anyone can spot a mistake please let me know.


Now what i am asking here is: i gave Avast proxy the 'inbound' permission
which they think is necessary, but i previously never gave Avast such a permission before with other firewalls and i found the system works fine in Jetico even without it (it seems to me),
so is it REALLY necessary?

Considering the 4 previously mentioned 'rules' for Avast,
were i right in:
leaving port 80 in Avast WebShield redirected HTTP port? (works fine with 12080 in the box as well,though).

I tried to delete from the Configuration Wizard Trusted Zone the 127.0.0.0/8 ,which i take as authorizing loopback for any Application, in order to remove the implicit 'allow all' default traffic and to start giving permission to selected
ones only, but when i remove it from the Wizard T.zone it comes back on reboot.
Am i doing anything wrong or is it simply impossible?

This is Jetico 'Applications' when Wilders Forum and Google are connected-

 

Not if you have localhost (127.0.0.1) within the trusted zone

This is user config, this can be any within Avast.

To remove the localhost from the "auto config (trusted zone)" you must block the "wizard"(fwsetup.exe) from "access to network" (then remove the localhost entry). The wizard then, on boot or execution, will only see the PC config (local Lan / DNS servers / local IP), and will not automatically add localhost. (This is how I have this set)

 

The Avast proxy should be restricted to the remote ports required, the browsers will be accessing these ports via that proxy. Rules needed for the browsers should only be the need to access the network and the proxy (localhost). I will re-check.

 

First of all, remove the localhost (127.0.0.1) from the trusted zone (as mentioned in post 4). There will then be a need to allow "ashwebsv.exe" outbound / inbound connections from remote host 127.0.0.1. Then allow "ashwebsv.exe" the browser rules (access to network, outbound connections to remote ports 80:443 (other ports can be added, as per your need))
Then set up your browser to use the proxy. The browser will then require "access to network" and allow outbound connections to remote host 127.0.0.1, you can then block all other comms for the browser.

(Note: I have not been able to find the Application you mention "ashWeb.exe", is this from an older version of Avast, or a miss-type)

 

thanks a lot Stem!
the more i read about localhost,sygate,Kerio and loopback and the more i became confused about what to really do with Jetico.
I'll begin with your last comment: its really my fault as for brevity sake i wrote the name without an SV in Jetico description- it is really
ashWebSV.exe
and it is of course the WebShield engine of Avast. I couldnt upload the screen about
WebBrowsers because i had used that one for a test the day before and now it wont be accepted anymore- i didnt know about such a thing at Wilders.
I saw what you suggest and i will put myself down to remodelling according to your pertinent observations (another day needed).
I'll begin with the localhost Trusted zone...

Question: when proceeding with the TZ 127.0.0.0./8 removal can i leave my

WebBrows ashWebSV inbound dis TCP/IP inbound any 127.0.0.1 12080 any

rule in place (if the TZ removal is successfull i'll need this rule) or shall i delete all ashWebSV.exe,firefox and IE rules and start
anew?Is such an inbound rule correct with
'any 127.0.0.1 12080 any' for local adress,remoteadress,local port,remote port?

edit- I blocked the fwsetup.exe and in this pc the 127.0.0.0./8 vanished even before i attempted a removal.
Shall i keep fwsetup blocked? Or can i allow it again afterwards?

 

Once you allow "access to network" for the "wizard(fwsetup)" the localhost (127.0.0.1) will be automatically put back into the trusted zone.

You need to allow Avast "ashWeb.exe" access to outbound and inbound connections to the localhost for the proxy to work correctly (Leaving the localhost out of the trusted zone, can make your setup safer, but does mean some extra rules to place for programs that need loopback).
You should be able to leave the proxy connection remote port specific, but did not test this while setup (I am going to re-install, to re-check again)
I will post my rules for my seup with Avast web shield, and we can compare and decide on the best ruleset to create for this application.

 

Hi poirot,
I currently (to confirm) have localhost removed from the trusted zone.

The rules I have in place for Avast(ashWebsv.exe) are:- (these are based on local proxy default: 12080)

Allow "access to network"
accept disabled TCP/IP inbound connection (local address)any (remote address)127.0.0.1 (local port)12080 (Remote ports)1024-4999
accept disabled TCP/IP outbound connection (local address)any (remote address)any (local ports) 1024-4999 (remote port)80
accept disabled TCP/IP outbound connection (local address)any (remote address)any (local ports) 1024-4999 (remote port)443
Reject notice any~

For my browser (firefox)
Allow "access to network"
Allow disabled TCP/IP outbound connection (local address)any (remote address)127.0.0.1 (local ports)1024-4999 (remote port)12080
Reject notice any~

This is working correctly (well after the setup program stopped bugging me for updating)

Stem

EDIT:
Have been running with these rules with no problem. I dont think the rules can be made any tighter.

Of course, if a need for alternative remote connections, then these would need to be added to the "ashWebsv.exe" rules (example remote 81:8080)

 

Following your previous guidelines i had modified my settings almost the way you suggest- the only difference was i had not included the 1024-4999 ports limitation for ashWebSV.exe Remote ports.....it seems your efforts are paying out,albeit your pupil is still a bit clumsy.

I have now modified along your guidelines in Application Table ,but experimentally leaving part of it as i modified yesterday,for instance,you begin all ashWebSV.exe rules with an 'accept' whereas i had chosen 'WebBrowser'... thinking that the latter would both 'accept' and send to the
'WebBrowser' Table - i wait for a comment of yours here before changing.

I guess you mean these rules are for the WebBrowser Table,as you're using
'allow' and not 'accept'?

So,now i'm running Jetico with all the rules you suggest in Application Table,but you need to have a look at my WebBrowsers Table,which i did yesterday (works fine with the App.Table modified with your rules),please
let me know:

 

Hi poirot,
Just wondering, what is the "Allow http" rule? Allow outbound connect to remote:80 (no application bound to rule)

I was just placing a rule, was not sure as to how/where you where going to place these yourself, just wanted you to understand the rule(s).

 

hey stem,

how are you was reading the above quote that initate me to ask u a questions.

Question 1
by removing 127.0.0.1 what's the motive or setting behind this for ?

Question 1.1
By disabling fwsetup.exe from access networking means what??

1. to prevent fwsetup for auto updating the latest trusted network
2. to prevent fwsetup for requesting every time user boots up his computer ??
3. to only allow to use whatever settings set in the System Application Table where the svchost.exe makes everything

Question 2
Where is this being used , routers , broadband,DSL , ADSL ?

Question 2.1
If its router how does this helps ?

Question 3.
About this website
(http://www.geocities.com/ladidel_jetico/jeticoindex)

Is the "System IPTable" rules like on ICMP the one below.....

reject Deny ICMP information request(5) disabled ICMP incoming packet any any ICMP type: Redirect (5), code: any

reject Deny ICMP information request(15) disabled ICMP incoming packet any any ICMP type: Information Request (15), code: any
reject Deny ICMP information request(16) disabled ICMP outgoing packet any any ICMP type: Information Reply (16), code: any

reject Deny other incoming ICMP disabled ICMP outgoing packet any any ICMP type: any, code: any

reject Deny other incoming ICMP disabled ICMP incoming packet any any ICMP type: any, code: any

.... counted as a good block rules ??

Just need to clarify some information even better and understand jetico much more better. If its possible to answer my questions would be a great blessing for me.

 

Stem,the first and second rules are Jetico's original rules which were there at install.
I just left it thinking they were needed for a general functioning of the connection, which was more defined with following rules and ,in my case, especially with the Application Table rules, which obey to the rules outlined by you.
Should i get rid of it?

 

The 2 top rules are open (can be used by any application). The first one "access to network" is o.k. if these rules are within a ruleset that is being called (and not open to all applications). The 2nd rule, allow http should be removed.

 

In this setup, the localhost (127.0.0.1) is being used as proxy. If the localhost was left in the trusted zone in this setup, there is the possiblity that other application with "access to network" could gain access to the proxy

This is to stop the localhost from being automatically placed back into the trusted zone

With the proxy install, I would use this on any setup

Did you not place a block all ICMP rule at the end of the table? That would cover these.

 

Hmm this is weird I tried testing it by removing

there's several things which I need to ask for more information.

1. Previously I had 127.0.0.1/24 in the trusted Zone now it is removed is there any effects takes placing by removing that I mean what will prompt access to 127.0.0.1

2. 127.0.0.0/8 what is this, when I add this to trusted zone in fwsetup wizard, all 127.0.0.1 request for send datagrams and receive datagrams is gone. ( I removed 127.0.0.1/24 and this stills works why )

3. When both 127.0.0.0/8 & 127.0.0.1/24 removed, executing Internet Explorer will continueously prompt for sending and receiving datagrams

4. Is this possible to remove both 127.0.0.0/8 and 127.0.0.1/24 from the trusted zone at fwsetup ( which is now in reject from access network ) without a prompts I am using broadband whether or not is a proxy I feel that its a proxy. But this proxy doesn't me to set since its a plug and play and connect.

5. What you mean by proxy install ?? On which part of view does your proxy install concern the users side or ISP side ?? If my ISP using s shared proxy server, and I do not need to set any proxy. Can I still do this method of removing localhost

6. If I am on shared proxy server, by leaving 127.0.0.0/8 inside of (fwsetup) wizard as trusted zone and remove 127.0.0.1/24 from the trusted zone am I still safe from application gaining access to my shared proxy server

 

127.0.0.1/24 cover the IPs of 127.0.0.1 to 127.0.0.255
127.0.0.0/8 covers the IPs of 127.0.0.0 to 127.255.255.255

They both cover the localhost IP.

Removing this from the trusted zone, will mean popups from applications that need to use the localhost.

 

So basically if I want to be safer, I will remove both 127.0.0.0/8 and 127.0.0.1/24 in the trusted zone and then set web browser with a rule that allows

If I set a rule like this in web browser table

accept disabled TCP/IP send datagrams any 127.0.0.1 any any
accept disabled TCP/IP receive datagrams any 127.0.0.1 any any

Will this prevent the popups from internet explorer

 

Yes, you would need to:
Allow send datagrams to remote host 127.0.0.1
Allow Receive datagrams from remote host 127.0.0.1

 

but in web browser

this already exist
accept disabled TCP/IP send datagrams any 127.0.0.1 any any
accept disabled TCP/IP receive datagrams any 127.0.0.1 any any


Where else should I put the quoted rules to also

 

Not in the default Jetico browser ruleset, have you added these?
What is the popup for the localhost access from IE?

 

stem, i'd like to show you how i arranged both Application Table and WebBrowser Table to deal with the proxy-localhost intricacies-hopefully after this post i think i'll give you some well deserved rest about this matter,
as i think all Jetico 1.0 users will be very very eager to find out about the new 2.0 version....:

Application Table-

 

And this is the Web Browser Table:

 

I can surf IE now after putting this

accept disabled TCP/IP send datagrams any 127.0.0.1 any any
accept disabled TCP/IP receive datagrams any 127.0.0.1 any any

in jetico browser ruleset.

So I was wondering which other ruleset requires this

Btw Firefox now have a serious problem it request for this rule below

accept disabled TCP/IP inbound connection C:\Program Files\Mozilla Firefox\firefox.exe any 127.0.0.1 2171 any Hash 3FCDADC0 10FDA069 7D0C1BBB E64F5868 C7311FDC

 

Hi poirot,
In the application table, there should only be 1 rule for ashwebsv:
=>Browser any event
Then any event for that application will cause the jump to the browser ruleset.
The same for firefox / IE