#1
Greetings! We are new here as far as LnS. We read the FAQ and found the rule to import for Blocking a particular IP range and imported it and changed the 55.55.55.55's to the IP range to block. We then made a test and found the address did not seem to be blocked.
What we want to do is to block all Napster connections when Windows Media Player starts. The particular IP addresses are all listed as http://sms.napster.com/client/plugin/etc. Upon running a Whois check we find that sms.napster.com has a range of 63.241.48.0 - 63.241.55.255 so those are the numbers entered into the Block range rule. The import went fine, the rule is in place, pressed the Save button and re-Loaded the Rule set. The rule appears in the Rule set lineup at the top but upon running WMP again we still get a sms.napster.com/etc. connection. What have we missed?
__________________
HMSS Q Section Visualise World Righteousness Semper Ad Fundum Careers in the SECRET INTELLIGENCE SERVICE <--Click link for more information
Last edited by Q Section : March 23rd, 2007 at 08:01 PM. Reason: solved

#2
Hi Q Section,
Could you show us the rule you created with a screenshot? And also the Internet Filtering page with this rule.
Thanks,
Frederic

#3
http://img464.imageshack.us/img464/6...ruletv6.th.jpg
http://img464.imageshack.us/img464/4...pageun0.th.jpg
Are these what you would like to see?
Last edited by Q Section : March 20th, 2007 at 09:21 PM.

#4
Hi Q Section
Do it like this (don't forget the red dot for blocking...):
__________________
Claude LaFrenière

#5
Thank you for the suggestion but sorry it did not work. We still are getting traffic with http://sms.napster.com/client/pluginwmp10/configure.xml?locale= etc.

#6
Hi Q Section
My screen capture was an example... You have to put the addresses range you want to block and change the packets directions to fit to your purpose... This range I guess: 63.241.48.0 - 63.241.55.255
__________________
Claude LaFrenière

#7
Thank you for your help so far.
LooknStop has never been very intuitive here. Exactly where do we put what? We want to stop all Inbound and Outbound from/to Napster.

#8
Hi Q Section
Use the same rule (the same of your screen capture) and put the addresses range 63.241.48.0 - 63.241.55.255 in the left part of the rule. Select packets direction in and out. Put the rule at the top of the list. Don't forget to put a red dot in this rule's line (for blocking...) Like this
__________________
Claude LaFrenière

#9
Hate to sound like a party pooper but.........no-go. Here is what we are doing: The test is by clicking on a link on a web page that has a video feed to watch and that is supposed to open with Windows Media Player. It opens fine with WMP. Next we are using two apps to monitor traffic both in and outbound. Those apps are URL Sniffer and What Is Transferring. We only use one at a time. Just before we click the link to open the video stream we Start either URL Snooper or What Is Transferring. They log all traffic both in and outbound through the network adaptor. The log starts and we see (among other URLs) http://sms.napster.com/ etc. The rule somehow is not working.
A question is this: If WMP has a (default) rule in the Application Filtering section already does this take precedence over the Internet Filtering rule section? It seems that this might be the case but LnS is still new to us so please bear with us and help us to understand what needs to happen to be able to create custom rules like this.

#10
Portions of the two logs: URL Snooper first and What Is Transferring? last.
EDIT: Late News Flash......We cannot ping the IP (but they may not accept pings) and a tracert comes up with a Request Times out upon reaching their servers. So...this seems to indicate that the address is attempted to be reached from WMP but does not make it past the firewall. Do you know another app to use to test outbound connections? It seems that the two we are using monitor the Network adaptor but not the final outbound situation. Not sure.
Last edited by Q Section : March 21st, 2007 at 06:07 PM.

#11
Hi Q Section,
For me the very first rule you have created should have worked. The remote IP address should really be in the "Destination (PC>>Net) / Source (Net>>PC)" part of the rule.
How did you validate this rule was not working, did you try to enable the ! on it to see if some blocked packets were put in the log?
Are you sure the network interface is properly selected in the options? And did you verify your IP is displayed in the welcome page?
Thanks,
Frederic

#13
The latest -

#14
So, everything seems Ok.
How do you observe the rule doesn't work?
Frederic

#15
Using URL Snooper the log entries say there is an outgoing connection to sms.napster.com. Using What Is Transferring? the log entries say there is an outgoing connection to sms.napster.com. See screenshots in post number 10 above.

#16
I'm not sure at which level these tools are getting the packets.
Even if it is at NDIS level (like Look 'n' Stop packet filter) the question is to know if they are really getting the packets after Look 'n' Stop, before the packets are going outside.
The fact the length is set at 0, in the screenshot above, seems to indicate the first SYN packet was seen but blocked by Look 'n' Stop just after, and there was no further packet sent (otherwise the length won't be at 0). This is actually what you were also saying in post #10.
The only way to check the outbound would be to look between the PC and the router with a sniffer. Having a hub between the PC and the router and another PC on the hub with Ethereal you can do that. But it is a bit complicated.
What you can do also is to block the IP range at the application level in the application filtering. In the application filtering double click on Windows Media Player (or select it and press the Edit button). In the TCP @IP field enter !63.241.48.0-63.241.55.255. This will block at the TDI level, so the packets are not sent at all to NDIS.
Frederic
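
The reasoning in post #16, as an added example that is not part of the original thread and is not Look 'n' Stop code: it sorts captured packet records for the blocked range into attempts that went unanswered with length 0 and connections that actually got through. The record layout, the verdict names, the local address 192.168.1.10 and the sample rows are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Range quoted in the thread; it collapses to a single CIDR block.
BLOCKED = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("63.241.48.0"), ipaddress.ip_address("63.241.55.255")))

def in_blocked_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED)

def classify_flows(packets):
    """Map (remote_ip, remote_port, local_port) -> verdict for blocked-range flows.

    Each packet is (src, sport, dst, dport, payload_len); this layout is assumed.
    """
    flows = defaultdict(lambda: {"out": 0, "in": 0, "payload": 0})
    for src, sport, dst, dport, length in packets:
        if in_blocked_range(dst):        # PC >> Net
            key, side = (dst, dport, sport), "out"
        elif in_blocked_range(src):      # Net >> PC
            key, side = (src, sport, dport), "in"
        else:
            continue                     # unrelated traffic
        flows[key][side] += 1
        flows[key]["payload"] += length
    verdicts = {}
    for key, seen in flows.items():
        if seen["payload"] > 0:
            verdicts[key] = "DATA_TRANSFERRED"   # the block is not effective
        elif seen["out"] and seen["in"]:
            verdicts[key] = "REPLY_SEEN"         # our packet left and was answered
        elif seen["out"]:
            verdicts[key] = "ATTEMPT_ONLY"       # length 0, no answer: consistent with a block
        else:
            verdicts[key] = "INBOUND_ONLY"       # unsolicited packet from the range
    return verdicts

# Constructed sample records; 192.168.1.10 stands in for the local PC.
SAMPLE = [
    ("192.168.1.10", 1055, "63.241.50.20", 80, 0),   # connection attempt
    ("192.168.1.10", 1055, "63.241.50.20", 80, 0),   # retry, still no answer
    ("192.168.1.10", 1060, "63.241.48.7", 80, 0),
    ("63.241.48.7", 80, "192.168.1.10", 1060, 0),
    ("192.168.1.10", 1061, "63.241.56.1", 80, 120),  # just outside the range
    ("192.168.1.10", 1060, "63.241.48.7", 80, 312),  # request body went out
]

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE).items():
        print(flow, verdict)
```

Where the records are captured decides what ATTEMPT_ONLY means: a tool sampling above the packet filter shows the attempt even when the rule works, while on the wire between the PC and the router any outbound record means the packet left the machine.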

#17
This is actually an experiment to learn how to create custom rules. LnS is new for us. We did read the stickies and the FAQ but needed more information.
It would be good to learn what tools are useful for actually testing one's firewall to see if it is performing as expected and it is a very good point to learn in which part of the stream the tools are sampling the outbound packets. Sorry but we had forgotten that the router has a logging feature to see what is going outbound. Now that we have implemented the Application filtering rule as well as having left the Internet rules in place we now find NO outbound packets using WMP with either URL Snooper, What Is Transferring or the router's log. There were actually several additional outbound attempts by other services of WMP such as audible.com and FYE. These are all blocked now and hopefully we can now create our custom filters/rules at will. Thank you for all the assistance.