Phant0m: Lots of logs.

Discussion in 'LnS English Forum' started by Ronn, Sep 26, 2003.

Thread Status:
Not open for further replies.
  1. Ronn

    Ronn Guest

    Hi Phantom, hoping you can help. I keep getting lots of entries in my log for the following rules.

    Rule: Block all other packets, Type ICMP, Additional Type:8 Code:0.

    and

    Rule: +Loopback, Type TCP,

    Is this normal to have so many? Is it stopping or slowing down my internet access? Can I just change the rule so the *hits* aren't logged and forget about them?

    Sorry for so many questions btw. Using your latest ruleset with WinXP on dial-up.

    Thank-you.
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hey Ronn

    You should never make modifications to the “Block : All other packets” rule, but in a case like yours I would recommend making a rule specifically for those annoying ICMP packets, configured to block without warning. Are those ICMP packets inbound or outbound?

    As for the “+Loopback” rule, I suggest making a specific rule with the specification IP-Protocol (TCP) and configuring it to block without warning if necessary.
     
  3. Ronn

    Ronn Guest

    Wow, so quick :). Thanks.

    All the ICMP hits are inbound Phant0m. Am I still ok to block these without warning?

    Also, if I leave the +Loopback rule as it is and just change it so that this rule is not logged, will that be OK? I was worried that doing either of the above may have an effect on my surfing...

    Have you any idea why I should have so many hits on those rules from just surfing?

    Thanks Phant0m.
     
  4. Phant0m

    Phant0m Registered Member

    Hey Ronn


    E-mail me the raw-log file and I’ll make you two importable rules with specifications required & recommended… :)
     
  5. Ronn

    Ronn Guest

    Hey, wow, thanks. I'll do it now. Gimme 5...

    Thank-you.

    This is so fast I thought I was chatting on my IM client ;)
     
  6. Phant0m

    Phant0m Registered Member

    LOL; Not-a-prob! ;)
     
  7. Ronn

    Ronn Guest

    Sorry I haven't got that mail straight to you. I was called for my dinner :rolleyes:. I have just come back, ready to send the mail, when I noticed I didn't have the raw log option enabled :doubt:. Gimme 10 minutes to get some *hits* in the log, and I'll send it over.

    Thanks for all this Phant0m.
     
  8. Phant0m

    Phant0m Registered Member

    Hey Ronn

    No problem! Take as long as you need… :D
     
  9. Ronn

    Ronn Guest

    OK, mail away :)
     
  10. Phant0m

    Phant0m Registered Member

    Hey Ronn

    http://www.wilderssecurity.info/images/rl6.PNG
    http://www.wilderssecurity.info/pg22.shtml

    Make this rule with the following additional modifications: change the packet “Direction” from “PC >> Internet” to “Internet >> PC”; in the Source “IP : address” drop-list change “Equal my @” to “ALL”; and in the Destination “IP : address” drop-list change “ALL” to “Equal my @”. Click OK, configure a warning flag for that rule, keep it in the position in the rule-set where it was created by default, and do some surfing.

    You may be required to authorize those ICMP packets, which are ICMP Echo Requests, in order to surf flawlessly; you must also make an additional rule to authorize ICMP Echo Reply. Let’s see if you still encounter surfing slow-downs when authorizing this particular packet. ;)
     
  11. Ronn

    Ronn Guest

    Many thanks Phant0m. I DO have a confession to make though :doubt:. I've just noticed at the bottom of my rulesets (your ruleset) rules which I haven't enabled which I think I SHOULD have enabled. Namely being:

    //http://www.wilderssecurity.info/rl45.shtml
    and
    //http://www.wilderssecurity.info/rl46.shtml

    If I just enable the rl46 rule, will this have the same effect as what you are telling me to do, or should I enable rl45 too?

    Thanks again, and sorry for putting you to all this trouble...
     
  12. Phant0m

    Phant0m Registered Member

    Hey Ronn

    Don’t enable anything unless you know what its purpose is and you know it to be required.

    I’m sort-of interested in knowing if that problem with your surfing-slowdowns still exists? ;)
     
  13. Ronn

    Ronn Guest

    Ok, thanks Phant0m. I have just enabled the rule I have modified as per your instructions. The rule I modified was //http://www.wilderssecurity.info/rl45.shtml. I have just rebooted and will surf for 15 minutes or so and report back to you.

    Thanks Phant0m.
     
  14. Phant0m

    Phant0m Registered Member

    All you do is create a new rule, change the packet “Direction” to “Internet >> PC”, select “IP” for “Ethernet : type” in the drop-list, and then make the specifications shown in the image below:

    http://www.wilderssecurity.info/images/Alternative/ICMPEcho.PNG

    Then click the OK button, remove the Block flag and configure a Warning flag for that rule, keep it in the default rule-set position (top), and do a bit of surfing to see if that fixes your surfing issue.
     
  15. Phant0m

    Phant0m Registered Member

    As for enabling that rule labelled “TCP : Allow”, it should already be enabled by default. What rule-set version are you using?
     
  16. Ronn

    Ronn Guest

    well, where to start.

    Firstly, I'm using the Phant0m`s-September-7.rls ruleset. The rule I changed was the "ICMP : Ping other (Req)" with the rule description "//http://www.wilderssecurity.info/rl45.shtml". I have changed this rule to how you have said, and it has stopped all of my ICMP logs :).

    The only log I am getting quite a lot of now is the +Loopback rule.

    This any good to you? It seems to have sorted a few problems my end... :)
     
  17. Phant0m

    Phant0m Registered Member

    Hey Ronn

    This explains it; you aren’t using the newest version dated Sept-9 [Phant0m's Rule-set v5.0], which is available at http://www.wilderssecurity.info/Phant0m.shtml.

    As for that rule you modified, you shouldn’t have. That rule may be needed whenever you want it, and making modifications will cause it to malfunction for its required tasks.

    I recommend downloading the newest version of that rule-set and make the rule as I mentioned previously…
     
  18. Phant0m

    Phant0m Registered Member

    As for the “+Loopback” rule, don’t make modifications to that rule. If you want, export/import that rule, re-label the rule name, and configure specifications such as IP-Protocol: TCP and the direction of the packet (inbound? outbound?). However, don’t use the “Internet >> PC && PC >> Internet” direction. And if that’s too much, just de-activate that +Loopback rule altogether…
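    The rule behaviour Phant0m describes above (an “Internet >> PC” Echo Request rule with source “ALL” and destination “Equal my @” kept at the top of the list, a TCP-only loopback rule with a single direction and no warning flag, and the untouched catch-all “Block : All other packets” rule), modelled as a small first-match packet filter in Python. This is an added illustration and not Look 'n' Stop code or part of the original thread; the rule names, the constructed traffic sample, the address 203.0.113.7 standing in for “my @” and the outbound direction chosen for the loopback rule are assumptions made for the example.

```python
# Toy first-match packet filter modelling the Look 'n' Stop rules discussed
# in this thread.  Added illustration, not LnS code: the rule names, the
# address 203.0.113.7 standing in for "my @", the loopback direction and the
# sample traffic are all assumptions made for the example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MY_IP = "203.0.113.7"                        # assumed dial-up address ("Equal my @")
LOOPBACK = "127.0.0.1"
IN, OUT = "Internet >> PC", "PC >> Internet"  # LnS direction labels


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str                               # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "block"
    warn: bool = True                        # LnS warning flag: log a hit
    direction: Optional[str] = None          # None matches both directions
    proto: Optional[str] = None
    src: Optional[str] = None                # None is the "ALL" drop-list entry
    dst: Optional[str] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every field the rule specifies must equal the packet's field."""
        pairs = ((self.direction, p.direction), (self.proto, p.proto),
                 (self.src, p.src), (self.dst, p.dst),
                 (self.icmp_type, p.icmp_type), (self.icmp_code, p.icmp_code))
        return all(want is None or want == have for want, have in pairs)


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str, bool]:
    """First matching rule wins, walking the list top to bottom as LnS does."""
    for r in rules:
        if r.matches(p):
            return r.name, r.action, r.warn
    raise ValueError("ruleset must end with a catch-all block rule")


def logged_hits(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Names of the rules that would write a log entry, one per logged packet."""
    hits = []
    for p in packets:
        name, _, warn = evaluate(rules, p)
        if warn:
            hits.append(name)
    return hits


BLOCK_ALL = Rule("Block : All other packets", "block", warn=True)

# Ronn's starting point: +Loopback allowed but flagged, no inbound ICMP rule,
# so every ping and every loopback connection ends up in the log.
BEFORE = [
    Rule("+Loopback", "allow", warn=True, src=LOOPBACK, dst=LOOPBACK),
    Rule("TCP : Allow", "allow", warn=False, direction=OUT, proto="TCP", src=MY_IP),
    BLOCK_ALL,
]

# After the thread: an Internet >> PC Echo Request rule (source ALL, destination
# "my @", type 8 code 0) kept at the top, an Echo Reply rule beside it, and a
# TCP-only loopback rule with one direction and no warning flag.
# Assumption: the warning flag on the Echo Request rule is cleared once it has
# been confirmed to be catching the pings.
AFTER = [
    Rule("ICMP : Echo Request (in)", "allow", warn=False, direction=IN, proto="ICMP",
         dst=MY_IP, icmp_type=8, icmp_code=0),
    Rule("ICMP : Echo Reply (in)", "allow", warn=False, direction=IN, proto="ICMP",
         dst=MY_IP, icmp_type=0, icmp_code=0),
    Rule("Loopback : TCP (quiet)", "allow", warn=False, direction=OUT, proto="TCP",
         src=LOOPBACK, dst=LOOPBACK),
    Rule("+Loopback", "allow", warn=True, src=LOOPBACK, dst=LOOPBACK),
    Rule("TCP : Allow", "allow", warn=False, direction=OUT, proto="TCP", src=MY_IP),
    BLOCK_ALL,
]

# Constructed traffic sample for a short browsing session.
TRAFFIC = [
    Packet(IN, "ICMP", "198.51.100.9", MY_IP, 8, 0),   # unsolicited Echo Request
    Packet(IN, "ICMP", "198.51.100.9", MY_IP, 8, 0),
    Packet(OUT, "TCP", MY_IP, "198.51.100.80"),        # browser to a web server
    Packet(OUT, "TCP", LOOPBACK, LOOPBACK),            # local program talking to itself
    Packet(IN, "ICMP", "198.51.100.1", MY_IP, 0, 0),   # Echo Reply to our own ping
]

# Moving the Echo Request rule below "Block : All other packets" shows why it
# must stay at the top: the catch-all matches first and the new rule never fires.
MISORDERED = AFTER[1:] + AFTER[:1]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER), ("misordered", MISORDERED)):
        print(f"{label:10s} log entries: {logged_hits(rules, TRAFFIC)}")
```

    Running it shows the original list logging every inbound ping and every loopback connection under the catch-all and +Loopback rules, the corrected list logging nothing for the same traffic, and the misordered list logging the pings again, which is why the answer to “am I OK to leave this rule on top?” is yes.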
     
  19. Ronn

    Ronn Guest

    Well, downloading the latest ruleset and putting that ICMP rule at the top of my rules as instructed seems to have done the job. Many thanks for spending the time to sort this out and making this thread a lot longer than needed ;).

    Am I ok to leave this rule sitting on top of all my other rules?

    I know...another question...hehe. :D
     
  20. Phant0m

    Phant0m Registered Member

    Hey Ronn

    For ICMP; yea it’s good currently where it’s at…

    If you have further questions, don’t hesitate to post ’em!

    :)
     
  21. Ronn

    Ronn Guest

    Ok.

    Again, many thanks for all your help Phant0m. This is indeed a great ruleset you have given us; but you said it would be the last? :|

    I for one hope not. Let's hope that Frederic isn't too far away with a beta version of his latest/greatest firewall at least ;)

    Thank-you.
     
  22. Phant0m

    Phant0m Registered Member

    Hey Ronn

    :)
     