Configuring Look'n'Stop with Routers

Hello everyone!

I'm writing this thread for those of you, who are using Look'n'Stop with a router. It's not that easy to configure Look'n'Stop correctly if you are behind a router and that's why I would like to share the knowledge I gained during the configuration tests I made.

I'm having a Linksys BEFSR41 router, on my systems Windows XP Pro Service Pack 1 is installed.

If you run Look'n'Stop for the first time after having put a router in front of you, you will realize very soon, that the firewall is blocking some packets (I'm using EnhancedRules Set). There are two/three different types of packets being intercepted. I would like to talk about one in depth and the others I will only briefly outline:

First of all, you will see in the Log section, that a so called IGMP packet is intercepted at around every two minutes. An IGMP packet is used by IP hosts to register their dynamic multicast group membership. It is also used by connected routers to discover these group members. As you certainly understand now, the router is sending a query to ask who is inside his network. For those among you who are interested more into the technical details, those packets are called IGMP version 1. Here you find additional information about these packets (just for those who really are interested!):

http://www.networksorcery.com/enp/protocol/igmp.htm

Now it's time to write a rule for those packets. These packets aren't bad and therefore you should allow them to come through. I suggest that you use the information which is provided by the log of Look'n'Stop. In my example I have the following information:

Packet: IGMP
Source: 00:04:5a:f2:0f:74 (which is the MAC address of my router)
Destination: 01:00:5e:00:00:01 (which is the "all-hosts" group)

For those of you who are interested more into the technical details, 01:00:5e:XX:XX:XX is the Multicast address:

Multicast IP address are Class D IP address, from 224.0.0.0 to 239.255.255.255. They are also referred to as Group Destination Address (GDA). For each GDA, there is an associated MAC address. This GDA MAC address is formed by 01:00:5E:XX:XX:XX, followed by the latest 23 bits of the GDA multicast IP address in hex.

For Example :

GDA 224.10.10.10 corresponds to MAC address 01:00:5E:0A:0A:0A
GDA 239.255.255.255 corresponds to MAC address 01:00:5E:FF:FF:FF

O.K., let's go back to the rule we wanna write. Now go to the internet filtering page and create a new rule. There you do it like this:

Name: IGMP packets
Direction: Internet >> PC
Ethernet type: IP
Protocol: IGMP
Frag. Offset: Is equal to 0
Source: Is equal to 00:04:5a:f2:0f:74 (enter the MAC address of your router!)
Destination: Is equal to 01:00:5e:00:00:01 (enter the address which is provided in your log!)
(IP address: Is equal to 224.0.0.1 ->not absolutely necessary, you need to understand how Multicast IP addresses are built to have the right address!)

Have a look at the attachment I made, there you see all the above mentioned. Don't forget to uncheck the stop sign, so that the rule is allowed!

Well, this was the first issue. Now let's go further. You will realize, that when you restart your computer, that Look'n'Stop is still intercepting some strange packets. Both have the destination address FF:FF:FF:FF:FF:FF What the hack is that? The answer is quite simple, your computer tries to get an answer from the network (router) and is looking for it (him). The above mentioned address is a so called Broadcasting signal. Normally you will have two different packets: ETH and UDP packets. The UDP packets are sent from your port 138 (NetBIOS) to another port 138. All these packets are just sent from your computer, so if you write a rule, use the destination PC >> Internet. You can either write one rule, covering the two different packets or you write two different rules, one for ETH packets and the other for the UDP packets. It's up to you! This time the source is your computer (use your MAC address), the destination address is FF:FF:FF:FF:FF:FF

I won't go into details here, because I think my thread is already to long and only a few have made it until here... But if you are interested how to write these two different rules and would like to have a printscreen of my rules, let me know.

If you have further questions or suggestions, let me know. I'm here to help you!
Hope that helps some of you!

Best regards!

Patrice

 

I would like to see these rules you have talked about

Ruben

 

Patrice,

Well written article. Can you post the screen shots of the additional two rules. Also whare should these rules be in the enhancedruleset? I assume that they should be after "TCP Block WinNuke Rule" or should they be at the top of the ruleset?

Thanks

Looney

Insanity and genius are relative.

 

Assuming you have a Network, you place the rule any spot in the rule-set except at the last for thee position in the rule-set after the Master rule, which would interrupt. And unless you didn't manually created rules to specify IGMP Protocols at some point you should be Troubles-Free.

 

Hi guys!

O.K., your wish is my command. First let's talk about the UDP-rule, we have to write. It is a signal which starts from your computer, that means that you have to write a rule PC >> Internet. In the IP section you choose the UDP packet. The Fragmentation Offset is equal to 0. The source is as I already mentioned your computer, so put in your MAC address. You can also specify your IP-address (in my case it's 192.168.1.11). Now specify also the TCP/UDP port: in this special case it's port 138 netbios-dgm, which you allow. In the destination window you choose the address FF:FF:FF:FF:FF:FF, the so called broadcasting address. Also here you can enter the IP-address, normally it's 192.168.1.255, but look closer at your Look'n'Stop log file to be sure about this address. Again choose the port 138 and allow it.

Here's the screenshot of the rule:

 

The ETH-rule is a little bit different. Unfortunately you cannot specify this special packet more closely, so you have to write a more "general" rule. The direction is again PC >> Internet. I just entered the source and the destination fields. I know, that you can make some other settings for the ethernet and the IP fields to tighten this rule (security), but I didn't test it yet. It's quite time-consuming to test all different modes, because you always have to restart your computer to test the different settings... If I make further testings, I'll let you know. But for the moment this is a good rule which works!

The source is again your MAC address, the destination the address FF:FF:FF:FF:FF:FF

It looks like this:

 

O.K., I hope this helps you out so far. I'll do some other tests to tighten these rules even more, but they already work fine on my system until now. Actually it would be great if Frédéric would implement the packets ETH as well, because I would like to specify those packets more closely as well.

But don't forget, perhaps your configuration has to be a little bit different, because you use another router and/or another system. Just check the log section in your Look'n'Stop software. There you will see these different packets with all the needed addresses for your configuration.

If you still have questions, don't hesitate to ask!

Best regards!

Patrice

P.S. Ahh.. I forgot to say, the answer of Ph33 is correct. Just place the rules somewhere you like except of the last three postitions. The last rule has to be All other packets! Personally I always put my own rules I created at the top of all the other rules so that I can see them at first sight.

 

Rule ordering is necessary for Top Level Security; you wouldn’t place Rules specifically to Authorize TCP Outgoings on-top of the “TCP – Block Incoming Connection” rule, like you wouldn’t want Rules specifically to Authorize Service Connections below “TCP – Block Incoming Connections” rule, Tiny Example of how necessary rule ordering is…

 

100% correct, Ph33 -but I don't have such rules. The only rules I have are Allowing another computer (has to be on top), and Allowing the router-traffic (has to be on top as well).

Regards,

Patrice

 

Hi everyone!

here are Frédéric's thoughts about implementing ETH-packets:

"In fact Phant0m already asked me to have more control about the non-IP, non-ARP packets. I'm not sure yet it is useful. Over Internet, only IP is relayed, so if it's useful, it's only for LAN using ethernet. The question is: what are the protocols that would be interesting to control ? What are the ETH Types that would need to be added to the list. And what specific fields for these protocols would be interesting to control.

The "ETH Type" is actually a length when it is below 0x600 (this is the case for NetBeui for instance). So for these protocols, I'm even not sure there is simple way to filter them separately.

Anyway, the future 2.05 version should contain a way to create raw rules (by specifying directly the offset positions of the bytes to check) so it will be technically possible to filter everything."

So it's up to us guys (especially Phant0m) to find out what the advantages are. Your input is heartily appreciated!

Best regards,

Patrice

 

To be specific Other IP Protocols such like NetBEUI and IPX/SPX would be a start, along with raw rules creation like Frederic mentioned.

 

In Addition;

All which one could use to Control with don’t leave anything out

 

Hi Patrice, I have a d-link router. Are the settings still similar. I'm not sure where to get all of the data to fill in the blanks..k

 

Hi krazykidjoe,

well, I guess it's similar. Are you using Look'n'Stop as well? If so, have a look at the log section of it. There should be some packets which are blocked. If there aren't any at all, you don't have to write these rules, but personally I doubt it. If you have blocked packets, which look quite similar to the ones I have written about on top, there you'll find the information you need (router's MAC address,...). Just have a closer look at them and compare them to the ones I'm describing above. Then it should be easy to write the rules for your network.

Best regards,

Patrice

P.S. If you still don't understand how to write it, let me know what's written in your log, so that I'm able to help you.

 

Hi, Patrice.

Your rules seem to work for me. But I have a question: Why do I need to allow the ETH traffic? It doesn't seem to make any difference to my system whether I turn the rule on or off. Is it related to some programs or functions I don't use?

 

Hi Finn McCool,

don't forget that I was writing these rules for my network. I can't tell you if your network behaves in the same way. These ETH packets were blocked in my case all the time, that's why I wrote a rule for them. But if they don't occur in your Log and there's no packet blocked at all, you don't need this rule. After all it has to be said, that this rule isn't that necessary. ETH traffic is traffic within the network -I don't believe, that your network at home will be attacked from someone inside it.

Best regards,

Patrice

 

Let's go in English instead:

Patrice,

if I'm the only one who uses this PC and it isn't open 24 h /7 days a week but just two hours max a day. I don't have any important info to hide from people and so on...So do you still think I need a router...
To tell you the thruth I don't like the idea of having lots of programs and wares. Bye!

 

Hi Uguel707,

a router isn't a software, it's a piece of hardware, you put in between your modem and your computer. If you don't have a network (several computers) a software firewall will do. I hope that you use a software firewall, don't you?

A router acts like a firewall, so called NAT. You can compare it with a telephone operator in a hotel. No one can call a guest except through the operator. If he denies the call, there won't be a connection between the guest and the caller.

So this means, that the security of your network is greatly improved. All your computers are stealth. You find further information about stealth and portscans here:

https://www.wilderssecurity.com/showthread.php?t=8696

I'm using a router and Look'n'Stop as my software firewall. That means that I have two firewalls which protect my system. If I look at the log of Look'n'Stop I realize, that not everything is blocked by the router (even though I have filled every hole...). That's why I'm using a software firewall as well.

Actually here's a poll about routers going on, just have a look once:

https://www.wilderssecurity.com/showthread.php?t=8696

Hope that helps you out so far!

Best regards,

Patrice

 

Hi Patrice, sorry for the late response. I forgot that I posted in this forum. I would like to paste an image here for you of what log I'm getting on my router. Could you tell me how to paste an image here. Thanks k

 

Hi krazykidjoe,

if you write a post, you have a field which is called "Attach" further down. The file should be jpg, gif, mpg, png, lng, tif or jpeg. Maximum size is 100 KB.

Best regards,

Patrice

 

Sorry krazykidjoe,

wrong information from my side. You have to register to be able to attach pictures. But it's worth it -do it and you're able to attach pictures, send instant messages or even an email to me!

Regards,

Patrice

 

Thank you very much Patrice!

The info I had about a router was very poor. Yours goes much deeper. I'll check about that. Bye ! Uguel

 

Hi Patrice, attached is a log from looknstop. I get this log constantly non stop. Thanks for your help. I really appreciate it. Maybe one day, I'll understand these rules better..LOL..Thanks crazykidjoe

 

Hi crazykidjoe,

very interesting indeed! It seems to me as if your D-Link router sends a signal out to check the network. Therefore the signal is Internet >> PC. But before I tell you how to write the rule, you have to give me some additional information about your network. Correct me when necessary:

Your router has the IP address 192.168.0.1 and has the following MAC address: 00:80:C8:0A:48:A0

... ... Port 1900 ... ... Is your Windows Messenger Service activated? Could you please check that once?

Start -> Run -> services.msc

Now deactivate the Windows Messenger service. Reboot the computer and check out if this packet is still blocked.

Your networks address range seems to go from somewhere 239.255.255.1 to 239.255.255.255. Is that correct or completely wrong? How did you set your IP range for the network?

The destination address FF:FF:FF:FF:FF:FF is the broadcasting address. That's correct as well.

O.K., update me with the latest news from you, so that I am able to write you this rule!

Best regards,

Patrice

 

Ah... found some information about this issue:

In XP, the Simple Service Discovery Protocol (SSDP) discovery service searches for Universal Plug and Play devices on your home network. SSDP searches for upstream Internet gateways using UDP port 1900 - a potential security risk many organizations will want to block. OK, you decide to block SSDP services but to your surprise, your firewall and network sniffers continue to see the UDP port 1900 packets. You have disabled XP's SSDP and even Universal Plug and Play Device Host. Whats going on? This is Universal Plug and Play Network Address Translation (NAT) traversal discovery used by Messenger. If you run a sniffer trace, the following information is displayed in the data section of the packet:

SSDP: Method = M-SEARCH
SSDP: Uniform Resource Identifier = *
SSDP: HTTP Protocol Version = HTTP/1.1
SSDP: Host = 239.255.255.250:1900
SSDP: Search Target = urn:schemas-upnp-org:device:InternetGatewayDevice:1
SSDP: Mandatory Extension = "ssdp:discover"
SSDP: Maximum Wait = 3
XP's Windows Messenger is attempting to communicate to an Internet host. To block Windows Messenger's broadcasts:

Now it's getting clearer where it comes from!

Regards,

Patrice