OutPost learning thread

I checked the sticky by CrazyM and was looking for the OP learning thread and it isn't listed, just wondering why. I done multiple searches and can't find it.

Also, under FW for beginners Paranoid mentions disabling https for your email. I thought this was for secure connections.

 

Hi Rilla927,

You just cannot get the staff these days

Try:- https://www.wilderssecurity.com/showthread.php?p=1460172#post1460172

Https is secure connections for Http traffic, for mail, you would be seeing(as example) outbound SMTP remote port 465(ssl) or Inbound pop3 remote port 995(ssl).


- Stem

 

Hi Stem,

Thanks for explaining. I tried that link but it's for Online Armor unless OP is embedded somewhere.

 

Hi Rilla927,

Sorry, I pasted the wrong link . I have changed the link in my last post.


- Stem

 

Thank you very much. Stem since you are here I have one more question.

In regards to ports and protocols. Is there a guide any where? Just as a example (I'm using Vista) the various OS services; how do you know what port and protocol they would use in order to set up rules as well as various programs that we all use. Thanks for your help.

 

You are welcome Rilla927.

You will find some info in the sticky post https://www.wilderssecurity.com/showthread.php?t=142036 (check post 2) for some service/port usage. Ignore the local ports used for the outbound(those are for XP), they have changed in Vista/Win7.


- Stem

 

Stem I was going through the OA learning thread and I thought I read you mention that a Global DNS rule can be bypassed (in other words not safe). Am I correct on that?

If so, as long as I give every program application (beside their normal port) a UDP out port 53 they have their own phone book which cancels out the Global DNS rule.

 

Hi Rilla927,

It depends on your setup and your own needs as to what restrictions are put in place.

If using the windows DNS service, then at least some endpoint(IP/port) restrictions should be put in place to restrict that(svchost) outbound to the DNS servers.
Some firewalls do have interception of the DNS API call, so the DNS client can be used and any access to that will cause an alert (although some thought is needed for possible DNS cache problems/poisoning).
If using a firewall with no interception of the DNS API, then it can be better security to disable the DNS client and set up rules on a per application basis for DNS lookups.


- Stem

 

Hi Stem,

That's exactly what I thought but wasn't sure. How do you avoid DNS cahe poisoning? I'm going to be switching back to Outpost, does it intercept DNS API? I haven't used it for a while (I have a lifetime license) that's why I have been reading any and all info that I find on it. I understand much better than I did before.

From what I have read Intercept loopback should be avoided, hope I understood that correctly.

In regards to you last sentence; that's how I wanted to set it up.

I have been using Clear Cloud DNS servers with windows DNS client disbled.

Any information you have to offer is always stellar

 

Hi Rilla927,

If I remember correctly, OP pro uses its own DNS cache. I cannot remember if OP intercepts the DNS API(but I think it does).
Loopback interception: That depends on your setup and if you are using any local proxy, such as a web scanner.

I should have a PC spare later today, so I will setup OP to check the DNS interception. We can also go through any of the basics needed for your setup.


- Stem

 

Do you mean programs like Avast? I'm using Emsisoft AntiMalware for a AV so I don't know if that's considered a local proxy.

Gosh, that's great!!! I'm going to image my system and when I see you have posted back I will install OP and go from there. I'll put it in learning mode and we can re-create tighter rules. I'm using Vista 32bit.

 

Hi Rilla927,

I am just waiting for some computer parts to be delivered, then I can put back together one of my spare PCs to use for this setup.

- Stem

 

Okay, cool Stem thanks. It's 4:00am here so I will get some rest and be ready tomorrow night. I'm on 3rd shift hours.

 

Hi Rilla927,

I have setup on XP pro(I can always install/setup on Vista if needed).

From the point of the DNS API interception, the option is in the firewall, but does not currently work on my setup. So disabling the DNS client(service) is probably the best option.

I have changed some of the base settings in OP, such as disabling the auto creation of rules, and have disabled the auto allow signed applications. These are settings I do not personally like, although they can be helpful to new users of OP/firewalls, they do tend to allow applications that dont actually need internet and/or give far to open rulesets for my liking. But we can go through that as time/your setup progresses.

- Stem

 

Thanks for testing out this latest version of Outpost Firewall Pro, Stem

I'm also using Windows XP (home edition)

When you say it doesn't work on "your" setup....would this otherwise work on a Windows XP machine that is behind an SPI/NAT hardware firewall/router?

I currently have the "auto-creation of rules" enabled...because I figure that Agnitum will do a much better job of creating rules for their software product than I could. I'd likely just screw things up....so I'm trusting them on this one

Otherwise, Stem...is there anything that you see which could be helpful in configuring this firewall? I notice that the UI says "All components are configured for optimal protection". I have also entered Outpost into "Learning Mode" for the next week, in order to open and run as many of my already installed software programs as possible.....is that a good choice?

 

Hi JR,

Due to the fact I have OP setup only on one hardware spec, I am currently giving OP a "benefit of doubt", in that it may be a problem/conflict with hardware drivers. I would need to confirm on setups with other hardware/drivers.
You can check yourself if you have the windows DNS service enabled(it is enabled by default, so it is running unless you have specifically disabled it). Just check in any network enabled application (such as your browser) to see what setting for the DNS API rule is. To find that:- open OP, at the top right of that main window you will see "Settings", click on that. In the settings window, select:- "Application rules",in the right hand side window, you will see various applications that have been given various rules, select your browser, then click on edit(or you can double click on the browser entry) to open the rules for that application. Click on the "Anti-leak Control" tab, and look down the list, check the setting for "DNS API request". On my setup, that is set to "Use global" (the global setting is by default set as "Prompt") I am not currently prompted(given popup) for this setting which it should.

I am just going through and testing various setting. There have been various changes/additions since I last looked at this firewall, so it will take some time for me to check/confirm changes

On a known clean system yes. You can always review the applications that have been allowed internet/system access and change the rules later (if wanted).


- Stem

 

Yes, that would be great if you could put OP on Vista.

Yes, I have the windows DNS disabled.

 

Hi Rilla927,

I have just found Vista installation disk. Which version of Vista are you using ?(home Premium ?), I will then install the same version (although it will take it a while to install on that testbox)


- Stem

 

Vista Ultimate. That's okay I'm in no hurry.

 

Thanks for the detailed instructions, Stem. Both Firefox and IE are set to "Allow".

And this is very much appreciated!

Yes, it's a clean system. So what is the best way to review the apps that have been allowed internet/system access? Through the instructions you provided above, and checking the entries listed?

 

OK, I will install that version

- Stem

 

You could change them to "Use Global" to check, but due to your setup they may just revert to "Allow", but you can check anyway if you will?

Yes, you would need to go through the rules, however, changing the rules now with your current settings, they may just revert to auto allow rules. I will need to check how OP behaves when changes are made with default settings. (actually, I will do that now before I start the vista installation)


EDIT:-
On changing back the settings to allow signed applications, IE is allowed access, however, the DNS API setting stays as "Use Global" so should cause popup for DNS access. I will need to check further.


- Stem

 

Hi JRCATES,

Welcome!!

 

Hi Rilla927,

Just currently imaging Vista setup. Which area of OP do you want to go through first?


- Stem

 

I have 15 minutes left on a scan then I will OP on. More than likely the rules.