some question about LnS rule setting & function !

Hi ! i m new user of lns & firewall , my version is 2.05p3 , i have some question about firewall rules setting ,

(1) i want set a rule just allow browser( maxthon , IE7 ) with port 80 & 443 & 11999
(2) set a rule allow browser ( firefox ) with port 80 & 443
(3) set a rule with Y!Messenger & Windows Live Messenger
(4) am i need set a rule to protect my pc about "ARP attack" ?
(5) Spooler SubSystem App , whts that , can i allow it to connect to internet?
(6) whts meaning of "Raw mode" ?
http://i128.photobucket.com/albums/p182/niceguy_hk/b39d5123.jpg
http://i128.photobucket.com/albums/p182/niceguy_hk/6babefc1.jpg

in this picture , this box appear in rules setting , i m newbie of firewall , whts meaning of those words ( URG , ACK , PSH , RST , SYN , FIN ) can sum1 explain about it & whts function of them ? sorry for my stupid question & pls forgive my bad english , coz i m chinese

 

anyone help me ? no1 ?

 

Hi -NiCeGuY-

Create rules like this: (in the LNS enhanced rule set)

R1
Protocol: TCP
packets: in and out
addresse: from my @IP
local ports: 1024 to 5000
remote ports: Equal or 80, 443
Applications: IE7 , Maxthon

R2
Protocol: TCP
packets: in and out
addresse: from my @IP
local ports: 1024 to 5000
remote ports: Equal 11999
Applications: IE7 , Maxthon

3 remarks:

1- It's important to add the executables of ie7 and Maxthon in these specific rules.
they are create for ie7 and Maxthon only, not all other packets...
In the rule editin windows, click on "applications..." button,
add the ie7 and maxthon executable from the list on the right to the list on the left.

2- Place these specific rules immediatly before the general rule "allow most common internet applications".

3- Since these internet applications (ie7 and maxthon) are managed by
the general rule "allow most common internet applications" they are not really needed...

Protocol: TCP
packets: in and out
addresse: from my @IP
local ports: 1024 to 5000
remote ports: Equal or 80, 443
Applications: Firefox

Place this rule immediatly before the general rule "allow most common internet applications"

For Yahoo:
the TCP packets are managed by the general rule "allow most common internet applications" (on ports 80, 443 and 5050)
For the UDP packets you have to create a specific rule for the STUN [Simple Traversal of UDP through NATs]
used by Yahoo and some other Instant messaging and VoIP...

Protocol: UDP
Packets: in and out
Address: from my @IP
local ports 1024 to 5000
remote ports: 3478
application: Yahoo messenger

Place this specific (Udp) rule just after the general rule "allow most common internet applications"

ARP packets are not routables over internet.
There no such "attacks"...

This is the Windows service "spooler": it must be allowed by the application filtering
and there is no rule needed in the internet filtering.

This is a windows service for printers and fax...

It's a very low level of rule editing (for ethernet packets for example).
There is also a raw mode log : it can be imported in application like MS Excel or Open Office Calc.

This is the TCP protocol flags.

To understand this let me give you an example of a browser connection to a web server.

When you type an Uniform Ressource Locator (site name) in the browser, the system:

1- check yout HOSTS file
2- make a Domain name server request in UDP on the DNS server port 53 to have the IP address corresponding to this URL
3- initiate the connection with the TCP protocol from the first avalaible local port (1024 to 5000)
to the remote port 80 (HTTP)

Your PC ----------------- The web server (in "listening state on port 80)

SYN --------------------->>>

<<<---------------------- SYN ACK

ACK --------------------->>>

Here the connection enter in a state call "established"

There are many data exchanged between the local port (say 1247 for example) and the remote port 80:

Your PC ------------------ The web server

ACK --------------------->>>

<<<----------------------- ACK PSH

ACK ---------------------->>>

etc.

Then the connection is closed:

Your PC ------------------- The web server

FIN ---------------------- >>

<<<------------------------ ACK FIN

ACK ----------------------->>

Here the connection enter in different stages of ending the connection:
"Fin WAIT" then "CLOSED"

The flag SYN is used to initiate a connection from a "client" to a "server"
the flag FIN is used to close a connection from a "client" to a "server".

They can't be sent to a "client".
If so this is "illegal" and "abnornal" and the packets with such flags must be blocked...

All packets must have the flag ACK except the first SYN flag sent to a server by a client
and the FIN flag sent by a client to a server to closed the connection...

URG : URGent
ACK : ACKnowledge
PSH : PuSH
RST : ReSeT
SYN : SYNchronised
FIN : FINished

The TCP packets with only a flag SYN or FIN are normal only from a client to a server but not the opposite.

The TCP packets exchanged during the connection have one ACK flag at least..

The possible combinations of flags are SYN (to the server), FIN (to the server), ACK-SYN, ACK-PSH, ACK-URG, ACK-RST ACK-FIN and ACK.

All other combinations are abnormal / illegal and supposed to be from a malicious source such as TCP packets without any flag, with all flags or with absurd combinations like SYN-FIN, PSH-URG-FIN, etc.

Last remarks:
any of your question are stupid
and your english is excellent as far as I know (since french is my native language, not english)

 

Climenole , Thanks you 4 yr answered my question very exhaustively TYVM