Observations from a New User

[fryr]

As a new user of LooknStop I thought I would post some observations for other user's comments.

Application Filtering can pick up the same application twice - one with C:\PROGRA~1\... and one with C:\PROGRAM FILES\...

Internet Filtering MASK option in a rule did not work as I expected - I provide a mask 192.168.1.1/255.255.255.0 and expected it to apply to IP's 192.168.1.1 to 192.168.1.255 but it did not - it appears as if the mask works by partial matching i.e. MASK 0.0.0.255 would find all x.x.x.255 packets

Internet Filtering - use of the !! pop up messaging does not appear to work even when Log Message Box is selected in the Options Tab. I selected an Internet Filtering Rule that I know is being used and enable the advanced options to provide the advanced columns. I then enable the !! option for that rule and expected a pop up each time a packet matched the rule - so far no pop ups.

Application Filtering - No Option to sort list by clicking on the relevent title.

Confusion over traffic filtering direction - Previous Firewalls I have used dealt with the whole communication whereas LooknStop deals with each packet. For Instance I setup a Rule to allow outbound HTTP PC>>Internet - Stating that I wanted to allow packets to port 80 where they originate from my PC - this rule by itself does not work as LooknStop will block the returning data even though it came back on the already established outbound connection to remote port 80. LooknStop either requires 2 rules or enabling the Internet >> PC & PC >> Internet option.

After a steep learning curve I quite like looknstop and continue to learn as I go on.

[CrazyM]

Quote:

quoting: fryr link=board=13;threadid=11816;start=0#msg76303 date=1059393300]
Internet Filtering MASK option in a rule did not work as I expected - I provide a mask 192.168.1.1/255.255.255.0 and expected it to apply to IP's 192.168.1.1 to 192.168.1.255 but it did not - it appears as if the mask works by partial matching i.e. MASK 0.0.0.255 would find all x.x.x.255 packets

Try 192.168.1.0/255.255.255.0

Regards,

CrazyM

[Frederic]

Quote:

quoting: fryr link=board=13;threadid=11816;start=0#msg76303 date=1059393300]
As a new user of LooknStop I thought I would post some observations for other user's comments.

Application Filtering can pick up the same application twice - one with C:\PROGRA~1\... and one with C:\PROGRAM FILES\...

Yes, for some applications, depending on the way it is launched, this happens. This should happen only with very few applications.
In some circumstances (for instance the WB leaktest) it may be useful to allow one kind of start and to stop another one.

Quote:

Internet Filtering MASK option in a rule did not work as I expected - I provide a mask 192.168.1.1/255.255.255.0 and expected it to apply to IP's 192.168.1.1 to 192.168.1.255 but it did not - it appears as if the mask works by partial matching i.e. MASK 0.0.0.255 would find all x.x.x.255 packets

This is strange, normally the mask is supposed to work, and to work as you expected. The ICS server rule use this kind of mask (192.168.0.0 / 255.255.0.0) and nobody reported an issue with it, so far.
Are you sure you entered it on the "good side" of the rule edition dialog box ?

Quote:

Internet Filtering - use of the !! pop up messaging does not appear to work even when Log Message Box is selected in the Options Tab. I selected an Internet Filtering Rule that I know is being used and enable the advanced options to provide the advanced columns. I then enable the !! option for that rule and expected a pop up each time a packet matched the rule - so far no pop ups.

You also have to select the ! to obtain the popup. Could you confirm you did so ?
Don't forget to press the apply button if you need to change the global option in the Options page.

Quote:

Application Filtering - No Option to sort list by clicking on the relevent title.

Yes, this is not possible with the 2.04 version. It has just been implemented in the 2.05 release (not available yet).

Quote:

Confusion over traffic filtering direction - Previous Firewalls I have used dealt with the whole communication whereas LooknStop deals with each packet. For Instance I setup a Rule to allow outbound HTTP PC>>Internet - Stating that I wanted to allow packets to port 80 where they originate from my PC - this rule by itself does not work as LooknStop will block the returning data even though it came back on the already established outbound connection to remote port 80. LooknStop either requires 2 rules or enabling the Internet >> PC & PC >> Internet option.

Yes, you have to create rules using the default "Internet >> PC & PC >> Internet" when you want to authorize a bidirectional connection (which should be the case most of the time).
If your problem is to differentiate incoming and outgoing connections, there is a special rule in the enhanced ruleset that used the TCP SYN flag to block the incoming connections.

Frederic

[fryr]

Thank You for your response

With regards to the multiple entries for the same app I can confirm that this occurred for netscape - one entry for a straight forward launch of netscape and one when clicking on a link in an e-mail.

I have tested masking and it works find if I use 192.168.1.0/255.255.255.0 but not if I use 192.168.1.1/255.255.255.0 - seems mighty odd as the last digit should not have a bearing on the mask

POP up alert does work if both the ! and the !! are selected - I only wanted an alert and not the log file being filled up with the details.

I noticed the TCP SYN block in the enhanced rules - it was just an observation about the way looknstop differs from other firewalls - I still can't work out whether this might introduce a security problem by using the new combined rule at the top of the rule list (it's default position). I only want to allow the connection to be established from my PC to the internet and at the same time receive the response to my outbound request over the outbound connection I established. I don't want connections to be established from the internet into my PC

[CrazyM]

Quote:

quoting: fryr link=board=13;threadid=11816;start=0#msg76321 date=1059401849]
I have tested masking and it works find if I use 192.168.1.0/255.255.255.0 but not if I use 192.168.1.1/255.255.255.0 - seems mighty odd as the last digit should not have a bearing on the mask

Network address: 192.168.1.0
subnet mask: 255.255.255.0
Broadcast address: 192.168.1.255
Start host address: 192.168.1.1
End host address: 192.168.1.254
Max no. of hosts: 254

Regards,

CrazyM

[Frederic]

Quote:

quoting: fryr link=board=13;threadid=11816;start=0#msg76321 date=1059401849]
I have tested masking and it works find if I use 192.168.1.0/255.255.255.0 but not if I use 192.168.1.1/255.255.255.0 - seems mighty odd as the last digit should not have a bearing on the mask

Yes, this is right, for all 0 in the mask there should be a 0 in the IP to be compared to, otherwise the comparison will always fail.
Here is how Look 'n' Stop proceed: the mask is applied on the IP to be tested (from a packet) and then the result is compared to the IP mentionned in the rule edition (without applying the mask to this IP).

Quote:

I noticed the TCP SYN block in the enhanced rules - it was just an observation about the way looknstop differs from other firewalls - I still can't work out whether this might introduce a security problem by using the new combined rule at the top of the rule list (it's default position). I only want to allow the connection to be established from my PC to the internet and at the same time receive the response to my outbound request over the outbound connection I established. I don't want connections to be established from the internet into my PC

Yes, the TCP SYN block rule should work like that (block all connections coming from internet).
Note that it will also block identd connections (if you are using an Irc client). So, to allow these connections, the ident rule should be placed before the TCP SYN block rule.

Frederic.