Experimental rule set for -NiCeGuY-

Hi -NiCeGuY-

You ask me a copy of my experimental rules set. I'm glad to see you so deeply interested in learning LNS in general and my "experimental rules".

Here some preliminary explanations about the rules set and some codes used in rules names and rules descriptions.

One of the most frequent question about rules set firewall is: "Where I put that rule in the list?" I'll try to find a solution by adding to each rule name a code giving the relative position of the rule in the list.

The general syntax for the rule name will be easy to understand with this example of a rule for basic web browsing :

Name of the rule:

{R. 80,01}; [TCP] { HTTP }

Description of the rule:

[S/optional: else {S..0000000} or G]
[Hyper Text Transfer Protocol]
Firefox, Opera, IE

The "{R. 80,01}" means: a rule in the rules subset R , remote port 80, one remote port only.

The "; [TCP] { HTTP } " means : a rule using TCP protocol (The "Transport layer of the TCP-IP protocols) and using the port related to the HTTP ( the "Application level layer" of the tcp-IP protocols).

The description: "[S/optional: else {S..0000000} or G]" means : this is a specific rule (one program must be included at least in this rule othewise the more general rule {S..0000000} will be used instead.

The "or G" means: you may leave it as a general rule anyway...
[This will be more clear later...]

There is an other coded indication in the rule name:

{{ rule name }} means: packets authorised in and out for general rule
{ rule name } means : packets authorised in and out for specific rule
{{ rule name } means : packets authorised incoming only
{ rule name }} means: packets authorised outgoing only

<< rule name ! >> means: packets blocked in and out
<< rule name ! > means packets blocked incoming only
< rule name ! >>`means : packets blocked outgoing only

In the rule description there is also some codes:

G = general rule or for any program

S = specific rule: at least one program must be listed in that rule
(this is mandatory for server rules and Udp rules ...)[Exception: the DNS rule...]

S/C means Specific rule and must be configured: most of the time the port used in the rule must be configured also in the program like utorrent for example. Etc. [corrected may 10 20:00 h !!!]

u+e = if needed, this rule must be unblocked (remove the red dot) and enable ( check the first column...)

experimental = self obvious. This rule was not fully tested and may require some fixes...

recommended: not a mandatory rule but it's better to have it.

mandatory: you must have this rule!

optionnal: mostly for TCP applications. Normally TCP application used the general rule "{S..0000000}; [TCP] {{ Common Internet Applications }}" and you don't need more. Used these rules if you want it.

testing: some rules are created for testing or learning. This is for "Geek" fun !!! Mostly about the TCP flags used in connections. See rules
{S. 0}; [TCP] {{ ACK }} to {S. 7}; [TCP] {{ RST }}.

Needed: rule for a server or for Udp protocol. The rule must be specific!!!

 

Hi -NiCeGuY-

Here an overview of the rules and rules "subsets" :

The rules subsets A concerned all rules used in local not between your PC and internet. Most of them are simply the same rules founded in the official LNS FAQ.

One rule for ARP, some rules for PC authorisation with a Raw rule (one rule per PC), rules for IGMP and routers, connection sharing rules, NetBios rules Udp and Tcp, Dhcp, file sharing and Virtual Private Network...

None of these rules was fully tested here and may required some works from you if you needs it.

 

Hi -NiCeGuY-

Here the subset B: IP addresses non-routables over internet.
They are illegal (IP ending with 0 or 255) or reserved for local used only, etc.

All incoming packets for any type, protocol and so on are blocked!

 

Hi -NiCeGuY-

Here the C subset: Icmp rules...

 

Hi -NiCeGuY-

Here the E subset ( no D or F ): TCP and UDP abnormal packets.

 

Hi -NiCeGuY-

Here the G and H subsets:
G for the DNS rule and H for abnornal / illegal TCP packets.
The last one for ACK RST may be removed... (This was for testing only: some side effects ...)

 

Hi -NiCeGuY-

Here the P subset: some server rules for FTP server, FTPS server (two not fully tested) and other server rules for Ident, P2P and Skype fully tested.

 

Hi -NiCeGuY-

Here the mandatory rule to block all incoming TCP packets with the flag SYN: The Q subset.

All server rules must be placed before this rule, all client rules must be placed after this rule.

This mandatory rule block all attempts of connection to your PC by worms like sasser, blaster and so on...

 

Hi -NiCeGuY-

The R subset:
Here a set of specific and optionnal rules.
At least one program is added to each rules.
So check each of these rules on your system to add or remove programs...
Ex. in HTTP , HTTPS and HTTP alt. rules, I put Firefox, Opera and IE.

If you're using only Firefox you may remove the other from the list of these rules... Sometimes you have to removed all programs included in the list, save and add it again...

 

Hi -NiCeGuY-

Here the S subset:

The first general rules (S.0 to S.7) are only for fun.
The only needed is the {S..0000000}; [TCP] {{ Common Internet Applications }}.

For TCP programs, this is the only required rule.

I put as local port the range 1 to 65535 to fit to Windows XP, Windows XP sp2 file sharing and Vista.

 

Hi -NiCeGuY-

Here the T subset: rules for applications using UDP.
This is mandatory to have specific rules if it's in UDP.

Some rules used a local specific local port like the rule {T.21047,10}; [UDP] { Skype }

port 21047 , 1 local port, all remote ...

Etc.

 

Hi -NiCeGuY-


And finally, last but not least, the subsets X, Y, Z ,
and the rule set
plus the list of "lns_known_tcp_ports.txt".
(make a backup copy of the original list and replace it with this one.
The changes appears after rebooting...).

{X. 9998}; [UDP] < Outgoing UDP Forbidden ! >>
is a Warning of a "T" rule to be created or modified.

and

{X. 9999}; [TCP] < Outgoing TCP Forbidden ! >>
is Warning of a Too Much Restrictive "P" or "S" or "R" rule
[ port(s), addresse(s)... ]

For the rules set, rename it by removing the .TXT

Have fun !!!


EDIT: May 11, 2007, 21:30 EST
The rule name:
{A. 72}. [Local] [UDP] { DHCP Offer/Pack }

must be corrected to
{A. 72}. [Local] [UDP] { DHCP Offer/Ack }

Sorry for this mistake.

EDIT: May 11, 2007, 21:56 EST
Orthograph error in {A. 72} rule is fixed!



EDIT: May 13, 2007, 22:33 EST
In order to have an access to your router configuration and avoid blocking from one of the B subset rules
I create a new rule based on the tests done by the user -NiCeGuY-.

{A. 90}; [Local] [TCP] {{Router configuration }}

[G/Recommended] -NiCeGuY- Tested !
Router configuration access
192.168.2.1 <-- enter the IP addr. of your router

This rule must be modified to fit to your router config.
Here, in this example, the addr. is 192.168.2.1

 

Great work!
Both ruleset and discription are nice.
Thank you very much,Climenole.
Best regards.

 

WOHOOOOOOOOOOOO , great !

TYVM , Climenole , appreciate it

I have a very high regard for your abilities.

 

Hi lookcity

Thank you.

Questions are wellcome too...

Best regard

 

Hi -NiCeGuY-

Thank you.

If you have any question about the rules set don't hesitate to ask question.

Have a nice day.

 

Hi , climenole

Alright , first question is coming lol

I have 4 DHCP rules , My router Gateway = 192.168.2.1

create as this :

[DHCP rule 1]
Direction: inbound & outbound
Ethernet Type: IP V4
Protocol: UDP
Frag. Offset: Equal 0
IP Address: Equal my @
port: 68
remote ip:192.168.2.1
remote port: 67


[DHCP rule 2]
Direction: inbound
Ethernet Type: IP V4
Protocol: UDP
Frag. Offset: Equal 0
IP Address: 192.168.2.1
port: 67
remote ip:255.255.255.255
remote port: 68


[DHCP rule 3]
Direction: outbound
Ethernet Type: IP V4
Protocol: UDP
Frag. Offset: Equal 0
Frag. Flags: !DF+!MF
IP Address: 0.0.0.0
port: 68
remote ip:255.255.255.255
remote port: 67


[DHCP rule 4]
Direction: outbound
Ethernet Type: IP V4
Protocol: UDP
Frag. Offset: Equal 0
Frag. Flags: !DF+!MF
IP Address: Equal my @
port: 68
remote ip:255.255.255.255
remote port: 67

These 4 DHCP rules , is it same as yrs DHCP rules ?Can i replace them ?
see picture ~

http://i128.photobucket.com/albums/p182/niceguy_hk/b8a247fd.jpg


yr DHCP rule {A. 70} [Local] [UDP] { DHCP }
Direction: inbound & outbound
Ethernet Type: IP
Protocol: UDP
Frag. Offset: all
Frag. Flags: all
IP Address: all
port: 67-68
remote ip: all
remote port: 67-68


yr DHCP rule {A. 71}[Local] [UDP] { DHCP Discover/Request }
Direction: inbound & outbound
Ethernet Type: IP V4
Protocol: UDP
Frag. Offset: all
Frag. Flags: all
IP Address: 0.0.0.0
port: 68
remote ip: 255.255.255.255
remote port: 67


yr DHCP rule {A. 71}[Local] [UDP] { DHCP Offer/Pack }
Direction: inbound & outbound
Ethernet Type: IP V4
Protocol: UDP
Frag. Offset: all
Frag. Flags: all
IP Address: Equal 192.168.1.1 or 0.0.0.0
port: 67
remote ip: 255.255.255.255
remote port: 68



The second question , its my gateway's ip connect to port@137 , why got blocked ?

blocked from this rule --> {B. 07}; [ALL] << Non-routable IP ! >

http://i128.photobucket.com/albums/p182/niceguy_hk/365b05b8.jpg

The third question , haven't Anti-Mac Spoofing & Anti-IP Spoofing rules in yr rules set ? If so , which one ?
If no , ami need add them , and place where ?

http://i128.photobucket.com/albums/p182/niceguy_hk/95cecb86.jpg

Sorry for so many question

ty for reply

 

Hi -NiCeGuY-

The "DHCP rule {A. 70} [Local] [UDP] { DHCP }" is a "generic" rule for DHCP.
Actualy the most simple possible.

I Suggest you to use that one in a first step (disable the others) and check what are the entries in your log.
Base on these entries you will be able to modify the other DHCP rules accordingly.

Presently you have 4 rules. Why not?

Actualy the DHCP process have 4 steps:

--------------------------------------------------------------------------

1- Discover: Src=0.0.0.0 Port=68 Dest=255.255.255.255 Port=67
Here the client (the PC) sent a broadcast on the network to find the DHCP server. Then:

2- Offers: Src=192.168.1.1 Port=67 Dest=255.255.255.255 Port=68
Here it's the server (with the IP add. 192.168.1.1 in this example).
The DHCP server sent to the client PC an IP add. like "192.168.1.2" for example

3-Request: Src=0.0.0.0 Port=68 Dest=255.255.255.255 Port=67
Here the client (The PC) accept the IP proposed by the DHCP server.
In this example: "192.168.1.2".

0.0.0.0 means any address...

4- acknowledgement: Src=192.168.1.1 Port=67 Dest=255.255.255.255 Port=68

Here the client(PC) with is accepted IP addr. (Here "192.168.1.2") accept and transmit the acknowledgement to the DHCP server...

[Please note that the rules was written {A. 72}. [Local] [UDP] { DHCP Offer/Pack }
instead of {A. 72}. [Local] [UDP] { DHCP Offer/Ack }


These are the 4 theorical DHCP steps. So I create 3 rules :
The generic one to study the entries in the log and two experimental rules to be modified accordingly to the entries founded.
I Guess it's possible to reduce the 4 steps into 2 rules.

The Discover and Request have similar parameters:

- Src=0.0.0.0 Port=68
- Dest=255.255.255.255 Port=67

So we have to put packets in and out for this combined rule...

The Offers and acknowledgement have also similar parameters:

- Src=192.168.1.1 Port=67
- Dest=255.255.255.255 Port=68

Here also we have to put packets in and out

--------------------------------------------------------------------------

An other experience is to used these 4 rules (and disable the other ones) and check again in the log to see if it's possible to simplify to a less number of rules.

I hope my answer give you some lights (not confusion) about the DHCP.

1 generic rule or 2 combined rules or your four rules ?
Choose the best for you. (And tell me which one(s)...)

Feed back , questions and comments are always appreciated.

Take care.

 

Hi -NiCeGuY-

MAC addresses (such as your Ethernet adapter MAC Add.) are not transmitted over internet ...

To prevent MAC or IP spoofing in a local network is a complex job.
I'm not sure it's really required or possible with this rule...

I have an hypothesis about this:

ARP protocl is used to convert MAC addr. to IP, since in a local network it's possible to have a configuration of fixed IP local addr. (in the 192.168,*.*), it's also possible to create a rule rejecting all packets with a local IP and the wrong MAC address. This must be done on the LAN server.

1- We can create some rules to associates each local (fixed!) IP to the MAC addr. of the Ethernet adapter of the corresponding PC and authorised these packets. (With a raw rule editing ?)

2- Then create some rules to block any packet different than the previously authorised MAC+IP combination rules...

and (?) on each PC a rule to block any incoming packets equal to the PC's MAC addr.
(Assuming all incoming packets must be different than the PC MAC addr. ...)
This is my last idea for tonight...

The only problem I see is with a configuration with dynamic local IP addr. ...
How to recheck each time the correct MAC+IP combination and put this in rules ?

Is this make sens?

Tell me. Your opinion is important! (Don't be sorry for "so many questions" )

 

Hi , Climenole

{anti - mac spoofing rule}
Direction: Inbounds
Etherent Type: all
Protocol: all
Frag. Offset: all
Frag. Frags: all
[ source ]
Ethernet Address: Equal pc's mac address
ip: all
port: all
[ Destination ]
Ethernet Address: all
remote ip: all
remote port: all


{anti - ip spoofing rule}
Direction: Inbounds
Etherent Type: all
Protocol: all
Frag. Offset: all
Frag. Frags: all
[ source ]
Ethernet Address: all
ip: Equal my @
port: all
[ Destination ]
Ethernet Address: all
remote ip: all
remote port: all

As yr question , isnt need anti-mac spoofing & anti-ip spoofing 's rule , i was no cue right now

1) As yr rule set , u allow all ARP , is it a big problem ? So i create 2 anti-ARP rule before it

2) As i think yr DHCP rules was enough , so i will take it simple/easy , use yr original one

 

Hi -NiCeGuY-

May be, may be... For sure incoming packets must have a different MAC addr. than the destination PC.

This rule is ok for a PC as client but not for the PC used as server...

Same comment.

The only problem I see here is how to test this?
You have to spoof IP and MAC addr. by editing packets and resend these modified packets to see what's happen.

May be with this:
http://www.networkchemistry.com/products/packetyzer.php

ARP is used locally to translate MAC addresses to IP addresses...
It's needed with a router for example.

ARP is not the problem, only the incomming packets which differ from the combination "MAC addr. + Fixed IP local Addr."

About the DHCP. So my 2 combined rules works well for yous system. Good news!

 

Hi , Climenole questions questions questions are coming coming more & more

Question 1 ) I saw many connect block from this rule {B. 07}; [ALL] << Non-routable IP ! >

Direction: inbounds
Ethernet Type: all
Protocol: all
Frag. Offset: all
Frag. Frags: all
{Source}
Ethernet Address: all
IP Address: 192.168.0.0 - 192.168.255.255
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all

Problem happen , becase , my gateway's IP is 192.168.2.1 , when have some connection with these , its got blocked

[e.g. 1] when i want to use Web Browser to change/see my Router's setting , its got blocked cause this rule .

[e.g. 2] this rules will blocked my gateway 192.168.2.1 connect to my IP:137 , its always happen in my log

Change & create another rule for this case ?

Question 2) Wht's different around those protect rules ? from Phant0m rule set VS yr rule set

[ICMP][+MBONE broadcasts]
Direction: outbounds
Ethernet Type: IP V4
Protocol: ICMP
Frag. Offset: all
Frag. Frags: all
ICMP Code: Equals 10
ICMP Type: Equals 10
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Adress: Equals 244.0.0.2
Port: all


[ICMP][+MBONE broadcasts]
Direction: inbounds
Ethernet Type: IP V4
Protocol: ICMP
Frag. Offset: all
Frag. Frags: all
ICMP Code: Equals 10
ICMP Type: Equals 10
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[ICMP][+ICMP broadcasts]
Direction: inbounds
Ethernet Type: IP V4
Protocol: ICMP
Frag. Offset: all
Frag. Frags: all
ICMP Code: all 0
ICMP Type: all 0
{Source}
Ethernet Address: all
IP Address: Mask 0.0.0.255/0.0.0.255
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+FIN:Stealth Scan]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+XMAS:Stealth Scan]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +URG-PSH-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+NULL:Stealth Scan]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+SYN-FIN-RST-PSH-ACK-URG]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +URG-ACK-PSH-RST-SYN-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+SYN-FIN-RST-PSH-ACK]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +ACK-PSH-RST-SYN-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+SYN-FIN-RST-PSH]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +PSH-RST-SYN-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+SYN-FIN-RST]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +RST-SYN-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+SYN-FIN-PSH]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +PSH-SYN-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+SYN-FIN]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +SYN-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+SYN-RST]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +RST-SYN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+FIN-RST-PSH-URG]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +URG-PSH-RST-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+FIN-RST-URG]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +URG-RST-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+FIN-URG]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +URG-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+FIN-PSH]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +PSH-FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+FIN-RST]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +FIN-RST
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[+ACK-URG]
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +URG-ACK
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all



{H. 04}; [TCP] << FIN & 13 Variants ! >
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +ACK-FIN
TCP Frags: Set/Cleared +FIN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all


{H. 05}; [TCP] << SYN RST & 4 Variants ! >
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +ACK-RST-SYN-FIN
TCP Frags: Set/Cleared +RST-SYN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all


{H. 06}; [TCP] << SYN PSH & 2 Variants ! >
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +ACK-PSH-RST-SYN-FIN
TCP Frags: Set/Cleared +PSH-SYN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all


{H. 07}; [TCP] << SYN URG ! >
Direction: inbounds
Ethernet Type: IP
Protocol: TCP
Frag. Offset: all
Frag. Frags: all
TCP Flags: Mask +URG-ACK-SYN-FIN
TCP Frags: Set/Cleared +URG-SYN
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: Equals my @
IP Address: all
Port: all

Colour red = Phant0m , colour blue = you

Wht's different between those rules ? Am i need combine these 2 rule set( Phant0m & your) to form one big rules set ?

[+NULL:Stealth Scan] = {H. 02}; [TCP] << NULL ! >

[+SYN-FIN-RST-PSH-ACK-URG] = {H. 03}; [TCP] << FULL ! >

These 2 rules same , can u compare another(colour red & blue)wht's different between you & Phant0m 's Rules ?



TYVM for reply , have a nice day

 

Hi -NiCeGuY-

Strange. That's why I put all local connections in the subset rules "A".
Just uncheck that rule for the moment and I'll try to find a solution...

For the other question about the TCP abnormal / illegal packets:
I'm using combination of "masks" and "active" (enable in Eng. version?)

For example the rule {H. 04}; [TCP] << FIN & 13 Variants ! >
block all these combinations:

FIN, FIN-SYN, FIN-RST, FIN-PSH, FIN-URG, FIN-SYN-RST, FIN-SYN-PSH, FIN-SYN-URG, FIN-RST-PSH, FIN-RST-URG, FIN-PSH-URG, FIN-SYN-RST-PSH, FIN-SYN-RST-URG, FIN-SYN-RST-PSH-URG.


and so on...

 

ty , understood this way

How about these 3 rules ?

[ICMP][+MBONE broadcasts]
Direction: outbounds
Ethernet Type: IP V4
Protocol: ICMP
Frag. Offset: all
Frag. Frags: all
ICMP Code: Equals 10
ICMP Type: Equals 10
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Adress: Equals 244.0.0.2
Port: all


[ICMP][+MBONE broadcasts]
Direction: inbounds
Ethernet Type: IP V4
Protocol: ICMP
Frag. Offset: all
Frag. Frags: all
ICMP Code: Equals 10
ICMP Type: Equals 10
{Source}
Ethernet Address: all
IP Address: all
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all


[ICMP][+ICMP broadcasts]
Direction: inbounds
Ethernet Type: IP V4
Protocol: ICMP
Frag. Offset: all
Frag. Frags: all
ICMP Code: all 0
ICMP Type: all 0
{Source}
Ethernet Address: all
IP Address: Mask 0.0.0.255/0.0.0.255
Port: all
{Destination}
Ethernet Address: all
IP Address: all
Port: all

Seems yr rules set haven't these 3 rules , am i need add or not ?

tyvm

 

Hi -NiCeGuY-

[ICMP][+MBONE broadcasts]
IP Adress: Equals 244.0.0.2

This one: {B. 09}; [ALL] << Reserved IP ! > >
Reserved by I.A.N.A . 240.0.0.0 - 255.255.255.255

[ICMP][+MBONE broadcasts]
ICMP Code: Equals 10
ICMP Type: Equals 10

This one: {C. 999}; [ICMP] << Icmp Lock ! >>


[ICMP][+ICMP broadcasts]
IP Address: Mask 0.0.0.255/0.0.0.255

This one: {B. 02}; [ALL] << Invalid IP ! >



P.S.:

About the rule: {B. 07}; [ALL] << Non-routable IP ! >
I'm working on this issue...

What is your LAN configuration?

One router + PC(s) ?
or
One PC used as server for Internet Connection Sharing?
or