Program Firewall plus router/firewall

Discussion in 'other firewalls' started by kanenas, Sep 7, 2002.

Thread Status:
Not open for further replies.
  1. kanenas (Registered Member; joined Sep 7, 2002; 14 posts)
    Hello.
    Is anybody using a firewall (like AtGuard) along with a router/firewall (like the Netgear FR314)? (There's an Ethernet DSL modem connected to the Netgear too.)
    Do you know which one intercepts the traffic first?
    Cases in point (under Win2K SP3):
    1) Only AtGuard, a hub, and a computer:
    AtGuard traps all outgoing/incoming traffic I have a rule for.
    2) AtGuard, router/firewall, and a computer (the hardware firewall, by default, traps all incoming and permits all outgoing):
    AtGuard doesn't trap any outgoing traffic and just a bit of incoming.
    The incoming part is fine but the outgoing is a problem since all programs/services can call home or whatever, if they like.
    It looks like AtGuard's "outgoing" rules have to be transferred to the hardware firewall, which is cumbersome at the very least (no support for per-application rules).
    Is it the same with other combinations like the above? Is there another setup that will simplify things?
    Thanks in advance.
     
  2. jvmorris (Registered Member; joined Feb 9, 2002; 618 posts)
    No, I think something's wrong here. Let's see, in scenario 1, you were seeing AG log entries for outbound, but not in scenario 2?

    And you're sure you didn't mess up any rules in between? Well, you should definitely be seeing the same sort of events being logged (outbound) in both scenarios.

    I assume you have Albert Janssen's AtGuard NIS Rules Viewer (freeware) from www.capimonitor.nl.

    Have you looked for any rules that may have somehow gotten corrupted? (Yes, sometimes it does happen.) For example, you might look for a rule near the beginning of the ruleset that says "Any Application" when it should mention a specific application. Or, among the rules that really SHOULD be "Any Application", a rule that SHOULD specify just one or a small number of local/remote ports but now says "Any".

    In the Statistics Window, under Firewall Rules, what rule is being displayed as processing your outgoing TCP/UDP communications, e.g., for your browser? Take a look at the details for that rule. Is logging enabled on that rule? (Check and see.)

    Do you have any explicit BLOCK OUTBOUND rules in your ruleset (with logging enabled of course) that you can easily test?

    If none of the above exercises find a problem, how about we try the old IGNORE rule? You know:
    Action: IGNORE
    Direction: Outbound
    Protocol: TCP or UDP
    Application: Any
    Local Service: Any
    Local IP Address: Any
    Remote Service: Any
    Remote IP Address: Any
    Logging: Enabled
    (And don't forget to move that rule up to the very beginning of your ruleset.) Now do something, like running your browser, an e-mail client or a news reader. At this point you most assuredly should see log entries in your firewall event logs for this rule. And, by rights, you should also see an event for another rule with an Action Type of PERMIT or BLOCK (again assuming you've got logging enabled on the other rule).

    Come back and let me know what you find, okay?
     
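    An added example (not from the post, and not AtGuard's own code) that models the ruleset walk jvmorris is probing for. It assumes AtGuard-style semantics: rules are evaluated top to bottom, an IGNORE rule logs (if logging is on) and keeps walking, and the first matching PERMIT or BLOCK decides. Rule names, application names and addresses are constructed. It shows why the probe rule has to sit at the very beginning, and one way a rule that has gone to "Any Application" with logging off can bump the Statistics counter while never writing a log entry.

```python
"""Ordered first-match ruleset model (added example, not AtGuard code).
Assumed semantics: walk rules top to bottom; IGNORE logs and continues;
the first matching PERMIT/BLOCK decides."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

ANY = None  # wildcard for a rule field ("Any" in the rules editor)
Want = Union[None, str, int, Tuple[str, ...]]
LogEntry = Tuple[str, str, str, int]  # rule name, action, application, remote port


@dataclass(frozen=True)
class Conn:
    direction: str      # "out" or "in"
    protocol: str       # "TCP" or "UDP"
    application: str
    remote_port: int
    remote_ip: str


@dataclass
class Rule:
    name: str
    action: str                 # "IGNORE", "PERMIT" or "BLOCK"
    direction: Want = ANY
    protocol: Want = ANY        # a str, or a tuple such as ("TCP", "UDP")
    application: Want = ANY
    remote_port: Want = ANY
    remote_ip: Want = ANY
    logging: bool = False
    hits: int = 0               # per-rule counter, like the Statistics window

    FIELDS = ("direction", "protocol", "application", "remote_port", "remote_ip")

    def matches(self, c: Conn) -> bool:
        for f in self.FIELDS:
            want, got = getattr(self, f), getattr(c, f)
            if want is ANY:
                continue
            if isinstance(want, tuple):
                if got not in want:
                    return False
            elif want != got:
                return False
        return True


def evaluate(ruleset: List[Rule], conn: Conn, log: List[LogEntry]) -> Optional[str]:
    """Return the deciding action, or None if no PERMIT/BLOCK matched
    (the model does not guess what the real product does in that case)."""
    for rule in ruleset:
        if not rule.matches(conn):
            continue
        rule.hits += 1                   # statistics update even with logging off
        if rule.logging:
            log.append((rule.name, rule.action, conn.application, conn.remote_port))
        if rule.action in ("PERMIT", "BLOCK"):
            return rule.action
    return None


def diagnostic_ignore_rule() -> Rule:
    """The probe from the post: IGNORE / Outbound / TCP or UDP / rest Any / logging on."""
    return Rule("diagnostic IGNORE", "IGNORE", direction="out",
                protocol=("TCP", "UDP"), logging=True)


def sample_ruleset(ignore_on_top: bool) -> List[Rule]:
    """Constructed ruleset; application names are made up for the example."""
    rules = [
        Rule("browser http", "PERMIT", direction="out", protocol="TCP",
             application="browser.exe", remote_port=80, logging=True),
        Rule("block smtp call-home", "BLOCK", direction="out", protocol="TCP",
             remote_port=25, logging=True),
    ]
    probe = diagnostic_ignore_rule()
    return [probe] + rules if ignore_on_top else rules + [probe]


def corrupted_ruleset() -> List[Rule]:
    """A rule near the top that reads "Any Application" (and any port) where it
    should name one program, with logging off: it swallows everything before the
    BLOCK rule and shows up only in the statistics, never in the log."""
    rules = sample_ruleset(ignore_on_top=True)
    rules.insert(1, Rule("browser http (corrupted)", "PERMIT",
                         direction="out", protocol="TCP", logging=False))
    return rules


def run_test_traffic(ruleset: List[Rule]) -> Tuple[List[LogEntry], Dict[str, int]]:
    """Replay two constructed outbound connections; return the event log and hit counts."""
    log: List[LogEntry] = []
    traffic = [
        Conn("out", "TCP", "browser.exe", 80, "192.0.2.10"),   # ordinary browsing
        Conn("out", "TCP", "unknown.exe", 25, "192.0.2.20"),   # something calling home
    ]
    for c in traffic:
        evaluate(ruleset, c, log)
    return log, {r.name: r.hits for r in ruleset}
```

    With the probe on top, every outbound connection produces an IGNORE entry followed by the PERMIT or BLOCK entry of the rule that decided it; with the probe at the bottom it is never reached, because a PERMIT/BLOCK above it ends the walk. In the corrupted ruleset the "Any Application" rule handles the call-home connection, so the BLOCK rule's counter stays at zero and the only log lines are the probe's.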
  3. kanenas
    Thank you for the detailed response.
    It looks like you're right. AtGuard traps most of the calls.
    I didn't make any changes or have mistakes in the rules though.
    Instead, it seems that AtGuard is getting older.
    Rules that I expected to trigger don't.
    Other rules update the statistics page but not the log even though logging is checked.
    Maybe the Win2K SP3 mixed it up. I don't remember it being that messed up until SP2.
    I might refresh the rules database or try another firewall (but I'll sure miss AtGuard's dashboard and friendliness).
    Thank you again.
     
  4. jvmorris
    Okay, that rings a bell. As you may know, people encountered the same problem trying to use AG with Win XP. What you say above suggests that MS has now retrofitted some of the driver changes into Win 2000 that were present in Win XP (in SP 3, that is).
    I note that Dave Stockbridge, "Crash" Dummy, has been lamenting being forced off AG in the near future, also. Maybe this is related. If you don't get any more useful advice here, you might want to post in either the USENET comp.security.firewalls newsgroup or GRC's grc.security newsgroup. Label the thread something like "Using AG with Win 2000 SP3" and Dave should pick it up fairly quickly (unless there's a football or baseball game on TV). Dave won't come into a UBB forum, for some reason. At the very least, he might be able to provide considerably more insight as to whether there's a problem with SP3 or whether it might be something else. You see, I haven't run AG since Jan 2000, so I'm not necessarily your best source on this.
    Well, you can get the Dashboard and the Rules Editor with which you're comfortable in NIS/NPF up through version 2.5x (but I'm uncertain at the moment as to whether NIS/NPF 1.0 supported Win 2000 -- I think it didn't; they didn't get the drivers right to their satisfaction until NIS/NPF 2.0). It's a simple registry patch to restore the Dashboard. Of course, ahem :rolleyes: , there are some people for whom it's against their religion to use the Symantec upgrade. I'm pretty sure you won't like NIS/NPF 3.0x/4.0x/4.5, or the upcoming version, at all; the interface would be totally alien to you.
    I got the impression that quite a few of the old AG hands moved to Tiny (TPF), and then many subsequently moved on to Kerio (KPF). (the latest released versions, not the Betas out at the moment). You might want to check those out first. I know that when I first saw TPF, I thought it must be a rip-off of AG. Unfortunately, I believe you're going to lose the Dashboard if you go this route.
    Now (and before anyone jumps all over me), if you know how to run AG, then you can also look at Outpost, Look 'n' Stop, and Sygate. You'll certainly have no problem using any of these. However, last time I looked through this set, they didn't have quite the powerful combination and permutation capability that you may expect after having used AG. But then, admittedly, some of them go places that AG never did.
    Incidentally, if you use Albert's Rules Viewer to print out your AG ruleset, you'll find it almost trivial to then transliterate these rules to NIS/NPF, TPF, KPF, OP, LnS, or SPF (at least to the extent that each of these apps support some of the more unusual combinations of parameter settings). So, don't forget to do that before you start experimenting. (And NIS/NPF and at least one of these other apps is not going to install and function correctly if you try to run them in tandem with AG -- so it'll be a good idea to back up your AG rules in any circumstances. And for God's sake, don't trash your AG executable until you've found something you're happy with as a replacement; at least archive the old files.)
     
  5. kanenas
    Thanks for the info.
    I had looked at some of these firewalls about a year ago but I wasn't too happy with them.
    I've just set up a new PC with XP on it and running Outpost. Hopefully it has improved since my last try. If it works out, I'll transfer it to Win2K and retire AG.
    Take care.
     