How to add rules for P2P apps to the Phant0m's Ruleset?

Hi there!

I just started using LnS 2.06, and I am planning on using the Phant0m's Ruleset.

Based on my reading, the majority (only?) rules I need to create myself in addition to the Phant0m's Ruleset are those for the below P2P and Usenet apps.

Question 1:
I need your kind help here....
Where should I, in the Phant0m's, position rules for these apps?
I'd appreciate greatly your advice that comes with relevant screenshots.

Since a few days ago I started using LnS, I have at last set working rules for the above apps using LnS Enhanced Ruleset. Thanks to Climenole's great helpful replies on this forum. I attached a screenshot of my Internet Filtering rules.

Question 2:
My Internet connection type is ADSL PPPoE. I use cFos 7.xx to dial up and connect. Using the Phant0m's, do I need to create specific rule under Internet Filtering for this program?

Question 3:
In addition to the above program-specific rules, are there any other rules I have to make myself and add them to the Phant0m's? I am concerned I may not be skilled in making rules....

Complete list of Internet-Active apps I use:

Thanks for your kind advice and patience.
I hope this will be a good start of learning...

 

1. I add p2p rules just above "+TCP: Block incoming connection" (your screenshot shows teh enhanced ruleset btw).

2. I use cFosSpeed and iirc I needed to allow ICMP type 3.

 

Hi again WSFuser

Is there anything else you needed to do yourself after implemented the Phat0m's Ruleset?

Guess I need to find out how to make the rule for it...Searching the forum now...

 

This time I loaded Phat0m's Ruleset 7.71e, and tentatively made rules for eMule and uTorrent. They both connected wonderfully.

Here are more questions from me:

1. To achive the most optimal download/upload speeds, I want to know where exactly I should position P2P rules in the Phant0m's Ruleset.
Is it the best that I just place P2P rules anywhere above "+TCP: Block Incoming Connections"? Or otherwise?

2. Is there an order in which I should position P2P rules among themselves?
For example, eMule above BitTorrent or vice versa...

Thanks for advising!!!

 

I just put the p2p rules in alphabetical order so for me bittorrent first then emule.

 

Hi concerned807

Server rules before the rule blocking TCP + SYN inbound...
Client rules after ...
Check the picture:

 

Hi Climenole,

Could you confirm this is the order you are suggesting?

The order you suggested:
BitTorrent - Server rule
{P. 4661.50}; [AA]; [TCP] {eDonkey + alt.} [SERVEUR] {eDonkey + alt.} eMule, Shareaza
+ TCP: Block incomding connections
BitTorrent - Client rule
{S. 4672.11}; [AA]; [TCP/UDP] {eDonkey - KAD} [eDonkey] KAD
{T. 4672.10}; [AA]; [UDP] {eDonkey - liste srvr} [eDonkey] Liste serveurs

Please also advise if server rules and client rules have to be immediately before after or just plain before and after?

Can you explain the logic in the above suggested ordering? I have read only part of your LnS tutorial at the below link. I will keep and finish reading however.
http://climenole.wordpress.com/

 

Hi concerned807

That's it ! Now you have the right place for the rules...
You'll be an LNS expert very soon concerned807

The logic here is quite simple. It's about the client / server relations in a connection...

In any network, a server is any computer with a service listening on at least one port for incoming connections requests. A client is any computer in a network able to initiate or begin a connection to a server.

When you're using your PC for browsing, emailing, chatting and so on, your PC is a client. You begin the connection to a server by sending it a TCP packet with the flag SYN like this: (an example for web site connection)

Client (your PC) =============== Server listening on port 80

-------------------- SYN ----------->>>

<<<--------------- ACK -SYN --------

------------------- ACK ------------->>>

The connection is now in "established state".

Normaly you firewall must block all incoming TCP packets with the flag SYN.
This block attemps to connect to your PC as a server.
This protect also your PC against connections attemps to the port 135 (blaster worm), port 445 (sasser worm) etc.

In the LNS enhanced rules set this rule is:
TCP: Block incoming connections

In Phant0m rules set:
+TCP : Block incoming connections

In Climenoles rules set:
{Q. 999}; [TCP] << SYN ! >

This is the same rule. (Just double click on the rule and check what's "inside"...)

When you run a server application like p2p you have to place the server functions rule before this incoming TCP + syn rule.

All incoming TCP + syn (and the correct data and format) are managed by the server rule and the application, All the other incoming TCP + syn with the wrong data or format or port are rejected by the server rules and application and blocked by the following incoming TCP + syn blocking rule...

For the client application like a web browser, an emailer or the client part of a p2p application, the rules must be after that "central" rule.

Hope it's more clear for you.

 

It can't be clearer.
I am blushing...I feel like pupil walked through it by the teacher.
But it is a good feel

 

Hello Climenole, I just got Phant0m's ruleset and I wonder why do I have to place the BitTorrent rule below +TCP : Block incoming connections ?

If the BT rule is on the top the ruleset list and I perform the Nat/Firewall test (via Azureus>tools) the test is successful.

On the other hand if its placed below +TCP : Block incoming connections rule, the Azureus' Nat/FW test fails.

Can you enlighten me, thanks.

 

Hi mike21

BELOW!

The Az NAT test should check only the outgoing not the incoming packets...

Look the LnS log...

BiTTorrent is a p2p program: so the rule corresponding to the server part of Azureus
must be placed BEFORE the rule +TCP : Block incoming connections.

This server rule for Az looks like this:

Protocol: TCP
Packets: in and out
Address: equal MY@
Local port : the same you choose in the Az parameters
Address: all (no entry)
Remote ports: all (no entry)
application: Azureus <<== mandatory to add Azureus in that rule!

...

here the "+TCP : Block incoming connections."

...

The DHT rule for Az:

Protocol: UDP
Packets: in and out
Address: equal MY@
Local port: the same you choose in AZ for DHT
Address: all
Remote ports: all
Application: Azureaus (mandatory to put the Az executable in this rule)


So the incoming TCP packets with the flag SYN will be checked if the are sent to the AZ server port else they are rejected by the rule "+TCP : Block incoming connections."

wrong port = blocked by LnS!

If these packets are sent to the AZ server port with the wrong data or format they are rejected by AZ and the subsequent packets like this one will from the same source will be rejected by the rule "+TCP : Block incoming connections."

wrong data or format: rejected by Az = no connection with this source
all subsequents: blocked by LnS and the Statefull packet inspection because it's not an established connection ...

If the TCP packets + syn are sent to your AZ server port AND they have the correct data and format then they are accepted by AZ, that's create a new connection and all the other packets created by THIS connection are watched by AZ AND LnS with the Stareful Packet Inspection...

Is this okay now ?



Like the pictures below...

1 = server port for AZ (the same than TCP listening port in AZ parameters)
2= the rule to block incoming TCP + SYN (same than +TCP : Block incoming connections.")
3 = DHT rule: the same port choosed in AZ parameters...

 

Thanks for your thorough explanation. It is like this and my setup now, the tcp rule of the AZ just above the +TCP : Block incoming connectionsrule (I hope I do not have to put it on the top of all other rules, just above this rule) and then the udp rule below the +TCP : Block incoming connections