Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks Mr Brian. Reckon folks like me could do with an acronym list here on Wilders somewhere. :)

    OK so a very long time ago I knew about admin accounts being more risky but you're right KeyPer, at the time at least, there were problems running some programs. Finding a way around that at the time was beyond me so I never adopted any good habits. Haven't had an AV for years. Something must have been standing in the gap for me over the years and I reckon Kerio's done a good part of that.

    In Sandboxie I have altered a few settings like dropped rights and I'm getting into the habit of deleting the sandbox after each session. I do have a bit of a wait though while the browser loads up. I love PrefBar which makes it very easy to deal with JavaScript and Flash on a case by case basis. I actually got around to getting HTML5 going in YouTube but I'm afraid my system gags too much compared to Flash. I would love to try a VM but I don't have enough RAM. Still 512MB.

    With a Linux live CD I presume you download it and burn it to a CD? I've never made a bootable CD before. I've heard it's quite tricky.
     
  2. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @Reality

    One way to run a program in a LUA is to use "Run as" which uses the Secondary Logon Service.
    The Secondary Logon service accepts only password authentication and needs to be running.

    Basically you password protect a Windows admin account and logon to your LUA and then go to the
    app you want to run. Right-click on the app and select Run as... from context menu.
    Choose the following user (name of admin account) and enter password then press OK.

    You basically gave that app admin rights while in a LUA. Problem is I don't know how secure
    this would be.

    As far as burning a CD/DVD, it is fairly easy to do. You need a CD/DVD burner. I usually prefer a
    re-writeable CD/DVD so if you ever want to erase the disc, make a mistake, or it doesn't work,
    you could start over. I do recommend using quality disc manufacturers too.

    You would download the Linux distro .iso file you want to try and burn it to disc.
    I like using the ImgBurn software program because it's easy to use and
    I have had good success using it. There are a couple of things I would do though if you plan on
    using ImgBurn. (portable version available)
    Once you have your Linux live CD done then just make sure your computer is set to boot
    from your CD/DVD-ROM. (BIOS settings)
     
  3. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    @Compu KTed
    Well your explanation is so clear... why didn't I know about that years ago! I never got around to finding out what "run as" was for... :oops:

    My CD burner died, so installed one from a 2nd computer lying around. No problems delving in the BIOS. Years ago I tried knoppix which was bundled on CD that came with a magazine just to see what I could make of it. I was clueless about getting it online though. My ASUS board was right on the cusp of when they started making USBs bootable and I would so love that capability.

    I agree that it's good to get quality CDs. I used to hear Taiyo Yudens (sp?) were the best but I'm not up with that these days. I still have plenty of CD-R blanks but it's so long since I burned anything I'll have to see if I can find a CD-RW. Good tip.

    WOW, isn't anywhere safe to download from now? DL'd the portable into Sandboxie of course, and since it's portable, went ahead to open it; well, Softpedia has a EULA, and that was enough to turn me off, thanks. Did some digging around and look at the comments here for ImgBurn hxxp://fileforum.betanews.com/detail/ImgBurn/1128426215/1: full of excess baggage. Bottom line... from the dwindling list of reputable sites I can't find a portable version without garbage added. :(
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    There is a nice way to use a Live USB on a pendrive these days, and it's faster and more updatable than the Live CD. Basically, choose a suitable distro from pendrive or use Puppy Linux and write to a USB stick.

    The nice thing about these is that the distro runs in RAM (I would recommend getting more RAM, staying with 512M is painful) - and you can add persistent packages and data to it if you wish. But you can also take the USB out once you've got the session up and running, so that nothing can be written back to the USB stick. But you can also update the distro and save it back to the USB if you wish (in a different session).
     
  5. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Thanks for your input. Aside from adversaries busting down your door and getting to a system that's on, (or not long been off) my understanding is that anything running in RAM has got to be one of the best ideas there is.

    I have some questions. I'm taking it a "live USB" would need to be made accessible by activating it from the BIOS, or am I missing something? I know very little about Linux. What is Puppy Linux? By persistent packages do you mean programs/utilities added to the OS?
     
  6. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    If you can find an older version of ImgBurn without the Ask Toolbar install that would
    be better, and also be aware of OpenCandy in newer versions of ImgBurn. There are
    options to uncheck these, but I don't like programs that bundle this stuff.

    Try getting an older version of the program (tested ImgBurn version 2.5.0.0 installed in Sandboxie).
    Before installing, scan the file (VirusTotal multi-AV scanner) // should come up clean, but please check.
    Do not install ImgBurn on the real system, but instead install the program INSIDE Sandboxie to check it out.
    You can see the files and folders it creates and also registry entries.

    If you want to install ImgBurn on the real system and make it portable (can install to USB/flash drive)
    there is that possibility too. It requires creating a text file called ImgBurn.ini and pasting some
    lines into it and saving it to where you installed ImgBurn.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I've had excellent results with BurnAtOnce. To my knowledge, it's not actively developed any more. It's freeware, using and based on several Open Source components. I've had excellent results with it burning ISOs, music, and data CDs. The GUI is old style, very plain, but it does everything I need.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Regarding the choice of using a bootable USB or a CD/DVD.
    Because an OS on USB can be altered, an OS on CD is more hardened against change. You might consider using a USB version to start. Get it equipped and configured just the way you want it. Then make an image of that OS and burn it to CD. You'll end up with an unalterable, read only OS that's tailored to your needs. It's a bit more work but well worth the effort.
     
  9. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    What's your view on software programs that are not actively developed anymore? I've used programs that are
    not updated because of certain features they added especially if it compromises privacy. Browsers
    are a good example. I just wonder about security-related apps such as old firewalls like Sygate and Kerio.
    If I run a PDF Viewer that may not be updated to latest version I sandbox it along with any PDF file.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    With programs that aren't directly tied to security and that are not part of the attack surface, I see no reason to update unless the new version does something more or better than its predecessor. With a CD burning program for instance, if it has the abilities you need and consistently burns good CDs, why change?

    Regarding old firewalls like Kerio, I still use it exclusively. If it's compatible with your OS and you don't need IPv6 capabilities, it's still a very effective firewall. Most of the newer security suites emphasize the HIPS and other features and components, some at the expense of the firewall components. So-called firewall tests focus on the presence of these features while neglecting the firewall's ability to perform its original function, controlling traffic. A fair number of security suites aren't able to control loopback/localhost traffic, something that's essential if you want to prevent bypasses and leaks. Regarding the HIPS components, I rely on classic HIPS. IMO, if you know how to configure them, very little can match the protection they can offer. That said, they don't need to be part of the firewall. I prefer them separate so they can support and protect each other. When combined into a package, they share components and any vulnerabilities in those components. A successful attack against one component will often take down the entire suite. IMO, the internet firewall should be a single purpose application, not a combined package and definitely not combined with a HIPS. The firewall is part of the attack surface by design. HIPS by design are tied into the OS at a kernel level. It should not be integrated with applications that are part of the attack surface. You'd think those who design these suites would have learned that from IE6. It demonstrated very clearly what can happen when the same program has both internet and kernel access.

    Excluding IPv6 and operating system compatibility, very little has changed in regard to an internet firewall. The basic protocols haven't changed. IP addresses and ports still use the same format. The firewalls and the rules they enforce work the same now as they did then. When security suites are updated, it's usually the features and add-ons that are updated, not the firewall components themselves.
     
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    You boot a live USB by pressing the appropriate function key on boot (e.g. F12) to get the boot device selection menu. A modern BIOS will then list the pendrive.

    Puppy linux is a fairly lightweight Linux distribution which can create its own Live USB (many Linux distributions can do this). Recent releases include an Ubuntu based one and a Slackware one, both fairly functional. With the various pendrive type Linux USB, they have a form of overlay filesystem that loads up the kernel into RAM, and the programs that are required. This is also kinder to the USB SSD which also tends to be slower. But it's also quite possible to run a full Linux distribution off a pendrive, but then you don't have the choice of saving or not saving, it writes to the pendrive all the time.

    Of course, which distribution you choose depends on what you're trying to do, for instance, if you're after maximum protection using something like Tails, then a LiveCD is what you'd be doing.

    Persistence happens in 2 ways (and can include encrypted user directories). First of all, you can load additional software packages from the repositories, or add them in other ways. For example, this can be used to add browsers of your choice, Truecrypt and so on. You are also able to apply patches and updates. Second, you can choose to save user data through sessions.

    The advantage of the scheme I've outlined over using LiveCD is that you can update the distribution and the software without exposing the system to risk (because you don't browse anywhere for example, when you save the session from RAM). The OS cannot be altered because you've taken the pendrive out when browsing!

    Whichever way you choose, I'd encourage having a play because it's straightforward these days.
     
  12. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @noone_particular

    I take it that part of attack surface would include Internet facing apps and the main OS itself.
    Things like browsers, media players, MS Office, Windows services, explorer, firewall, etc.

    When using Kerio I wasn't impressed by the default install rule set and thought BlitzenZeus replacement
    rules were not tight enough, although better than default. Both IMO needed changing.

    I've gone the route of HIPS/firewall combo before and do agree that devs lost touch with
    the original core function of a firewall. The ability to control traffic through the different
    protocols and ports used. Packet filtering, DNS connections, IP addresses all included.

    What about Firewalls being bypassed or disabled?
    What about using a hardware firewall with configurable settings with a software firewall like Kerio?

    I hopefully remain relatively secure, but not sure if I would need to add classic HIPS and I assume you're
    talking about SSM or some similar app.

    I remember years ago using CyberHawk which then became ThreatFire (abandoned) that
    IIRC used real-time Behavior analysis and had ability to create rules. (advanced rules settings)

    I do have other security measures in place starting with the OS itself and hardware/software
    that helps with both security and privacy. Always looking for improvements though.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The OS itself (through XP) doesn't have to be exposed to the internet. In its default configuration, it is exposed and is part of the attack surface. The early part of this thread addressed a lot of the specific services that are exposed, DNS service, DHCP, Windows Update (moot on XP). XP can be configured so that its services don't need any internet access. Windows explorer doesn't need internet access to function, unless you value the thumbnail views of web pages. If you view streaming media, the media player would be part of the attack surface as would the PDF reader if you open them in the browser. In its simplest terms, the attack surface is:
    1. Any program or system component that can connect to the internet.
    2. Any program that opens files from outside sources.
    A firewall's default ruleset (and the BlitzenZeus replacement) is written so that the firewall will work out of the box. It's not possible for the default rules to be tight. The BZ ruleset has some good examples in it but the network/mask rules it contains are a problem. Kerio 2 doesn't process network/mask properly. Refer to the 2nd half of the Kerio learning thread for details. The solution is simple. Use network/range for the rules.
    I assume that bypass refers to connecting out through programs with internet access using global hooks, DLL injection, or the installing of another IP stack. Classic HIPS are among the best tools for defending against these activities. For myself, that would be SSM. There are several other options reputed to be quite good, Defense+, Malware Defender, etc. I've never used them so I can't comment on their specific abilities. SSM (and most likely the other available HIPS) also have the ability to protect individual processes against termination, suspension, code injection, etc. SSM for instance also has a "keep process in memory" option that will restart the protected application if something does manage to terminate it.
    While there is some overlap in function, the 2 serve a different purpose. A separate hardware firewall protects your entire network while the software firewall protects individual PCs. The hardware firewall keeps your local network separate from the internet and allows you to specify what inbound traffic if any should be allowed. On my setup the hardware firewall (Smoothwall) allows the inbound Tor traffic, but only to the PC that runs the exit node. The software firewall on that PC allows Tor only to listen on those ports for inbound traffic. No other application can use them. Both hardware and software firewalls can control inbound traffic to a PC. The hardware firewall is generally regarded as the stronger of the 2, not because the firewall is more secure, but because they're dedicated single purpose units. They can't be defeated by exploiting something else on the OS because there's little if anything else on it to exploit.

    Regarding whether or not to install/use a classic HIPS, that depends entirely on you. You have to be comfortable with making rules that govern what can and can't run and what the allowed applications and system components are permitted to do. This requires that you understand what the individual applications and system components do and what they need to function. A classic HIPS doesn't differentiate between what is good and what is malicious or undesirable. You have to make those decisions and be comfortable with doing it. The learning curve is pretty steep. The more current the OS, the steeper the curve, primarily because there's more running in the newer operating system. The hardest part is rules for services.

    I can't comment regarding using the 4.X versions of SandBoxie with a classic HIPS. On XP, I did try the last 3.X version with SSM. Once the requirements of SandBoxie are met, they got along quite well. The combination opens up some interesting possibilities, especially when the sandbox is on a ramdrive. Normally the 2 use completely different security policies, default-deny vs containment. A hybrid of the 2 is possible where most any activity would be allowed in the sandbox while the classic HIPS enforces default-deny on the rest of the system.
     
  14. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    It seems with every firewall I've used I don't recall leaving it on default settings so that it will work
    out of the box.

    e.g. Kerio default: Generic Host Process for Win32 Services
    protocol: TCP and UDP
    Direction: Outgoing
    Local Endpoint port type: any port
    Application: c:\windows\system32\svchost.exe
    Remote Endpoint Address type: Any address
    Port type: Any port
    Rule valid: Always
    Action: Permit

    Not exactly a secure default rule for svchost.exe.

    Windows services have already been disabled that don't need to be running. DNS servers are restricted
    and the PDF reader is not used through the browser. Explorer has no Internet access.
    Use SRP rules, but SRP can supposedly be bypassed.
    You can disable USB ports by editing the Windows registry and also close/disable ports 135 & 445

    Do you have a tight rule set for Kerio firewall I could take a look at?
    Order of rules is important as you have stated before.
    (services, DNS, apps and placed in correct order including blocks)

    I've used Sandboxie 4 with Firewall/HIPS before which can sometimes lead to conflicts.
    Sandboxie 4 will only work on Windows XPSP3 and later OSs. I keep using it for sandboxing
    apps and testing apps before installing.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Out of the box rules are generally written so that the PC will work. The svchost rule you gave is an example: no restrictions, which is the same as it was before a firewall was installed. It's the same with DNS and DHCP, any address is allowed. I converted the XP partition to data a while ago. I might be able to dig an XP ruleset out of the system backups.
    I don't have a ruleset for XP available at this moment. I reformatted the XP partition a while ago. Haven't decided if I'm going to put another OS there or use it for data. I might still have a copy in the system backups. My virtual XP systems are experiments in progress. Their rulesets are not complete. I'll see if I can dig out a copy. The ruleset from my primary unit would be quite confusing, thanks to the rules for the local proxy chain I use, plus those for the Tor exit. Since they're for Win 98, they wouldn't include some of what you asked about, specifically services rules. I'll try to dig out a copy from the last system backup for XP, but it will take a while. Have other plans for the holidays. There's quite a bit of info regarding rule order, services, and rules for those services in the first half of this thread, especially post 65.
     
  16. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Thanks. No hurry on the backup. If you have a copy that would be great and much appreciated. Went through previous posts on this thread and some of this I've done before like closing ports and setting IP address and DNS servers. DHCP and dynamic IP changes have already been taken care of.
    Do have a UPnP/SSDP block rule in place. SSDP Discovery Service is disabled in Windows
    along with many other services. An OS install left on default settings has way too many services running IMO.
    On the Kerio interface 'Microsoft Networking' tab, everything is unchecked. Nothing under Trusted
    Address Group. Have disabled most of the default filter rules. (MS)

    Kerio DNS block rule:

    Protocol: TCP and UDP
    Direction: Both directions
    Local endpoint > Port type: Any port
    Application > Any
    Remote endpoint > Address type: Any address
    Port type: Single port [53]
    Rule valid > Always
    Action > Deny [√] Display alert box when this rule matches

    Need correct order placement because apps like HMPA want connections that trigger this DNS block rule.
    Firewall rules for apps are placed towards the bottom of the ruleset, and above those, the rules for services that need blocking/control.
    DNS servers are placed towards the top of the ruleset.
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    On the XP unit, I did have a specific UPnP-SSDP blocking rule for ports 1900 and 5000 that was set to block and alert. On this unit, Win98, the rule isn't necessary. On 98, UPnP is an optional install. Even with UPnP disabled, I'd keep the blocking rule. Rules for blocking services belong at or near the top of the ruleset. Windows Update, some applications, and occasionally malware will attempt to enable services that they use. While Windows Update is no longer an issue on XP, it may apply to unofficial updates and service packs. The unofficial updates are ported from updates for newer operating systems. If the update changed a service setting on the targeted OS, the unofficial version probably will on XP as well.

    Regarding the trusted address group and the Microsoft networking options, I don't use either. Except for a PC that's totally under my control, I don't consider any address or PC as trusted, especially if the users of that PC don't have security as a priority. Example, teenage kids and the friends they might let use that PC. I wouldn't particularly want my PC on the same network, and I sure wouldn't set my firewall to trust it.

    Regarding DNS, that DNS blocking rule would be placed directly under the DNS permit rules. Assuming that you're not running separate DNS settings for certain applications, all of the DNS rules should stay together. Keep in mind that if the DNS Client service is enabled (it is by default) most of the DNS traffic will come from svchost.exe. If you use Tor, proxies, or VPNs, the DNS client service is a big potential leak. I disabled it on all of the physical and virtual XP units and restricted DNS access to specific applications.

    Regarding where to put the DNS rules in the ruleset, this depends on a few variables. If you're allowing all applications to use the same DNS and are not routing DNS requests through a VPN or Tor, the rules can be near the top of the ruleset, beneath any global and service blocking rules. If you're controlling DNS for specific applications, the DNS rules for those applications would be above the global DNS rules.

    The screenshot below is from the ruleset of my 98 unit. The only real differences between this ruleset and those I ran on XP are the lack of rules for services and the addition of rules for the Tor exit.
    [screenshot: rules1 for 98.png]
    The first 3 rules are for VPC. The 2nd rule in this group is a "block all" option that I use when building virtual operating systems that require activation. The next 3 rules are for administrator utilities. The next 2 are for the Tor exit. When run as an exit node, Tor needs to receive inbound traffic to its DIR and OR ports and needs to be able to connect out to anywhere. If it was run as a client only, the inbound rule would be eliminated. The first Vidalia rule permits it to connect only to the Tor control port. The next rule blocks and alerts me to any other attempted traffic.

    The junk block rule uses the custom address group and includes the IP ranges that I don't want my browsers or other internet applications making any direct connections to. It includes IP ranges used by Google, Facebook, Twitter, and others. It's in this location in the ruleset so that Tor can connect to those IPs (its outbound permit rule is above this rule) but connections from my internet applications which are below it are blocked. This rule only blocks direct connections to those IP ranges. If I want to connect to one of them, I can do so through Tor.

    The group from the first Proxomitron rule through the last DNS rule are a unit. All of my browsers' traffic goes through Proxomitron. You'll see both Proxomitron.exe and Proxomitron2.exe called Tor Proxomitron in the ruleset. Proxomitron is used for direct traffic. Proxomitron2 (Tor Proxomitron) connects through Tor only. They're separate applications, each in their own folder with their own rulesets. Only one of them can run at a time. The 2 direct use Proxomitron rules allow it to connect anywhere that's not restricted by the junk blocking rule. Note that the rules do not allow port 53 traffic but aren't blocking it. Proxomitron is permitted DNS traffic by the rules at the bottom of the screenshot, but only to those 3 IP addresses. The disabled Proxomitron blocking rule below it is for test purposes. The Seamonkey IRC rule only gets enabled when I want to use IRC over Tor. If I left it enabled, Seamonkey could bypass Tor Proxomitron and connect directly to Tor. The Seamonkey-Proxomitron rule allows Seamonkey to connect to Proxomitron, either the direct use or Tor instance. Port 8088 is another experiment I'm trying. The next Seamonkey rule blocks and alerts all other loopback traffic, preventing it from connecting directly to Tor, or anything else. Not all browsers will tolerate this rule. On some, it breaks access to menus, extensions, etc. The next rule, Seamonkey Mail, is address and port specific to my ISP's mail server. To avoid the DNS issue with it (e-mail fetch doesn't go through Proxomitron), the IP is resolved in my hosts file. The last Seamonkey rule blocks and alerts for all other traffic. Proxomitron performs the DNS lookups in this setup, not the browser.

    Tor-Proxomitron (proxomitron2.exe) is launched via SocksCap, which converts the traffic to the Socks protocol used by Tor. Proxomitron itself isn't Socks compatible. The first tor-Proxomitron rule allows it localhost connections to the Tor socks port. The next rule blocks and alerts on any other traffic, including any attempts at direct DNS access. This forces all traffic through Tor.

    The Palemoon rules are like those of Seamonkey. It can only connect to Proxomitron or Tor-Proxomitron. Everything else is blocked.

    The loopback block rule prevents all loopback/localhost traffic except for what was permitted by the loopback rules above it. Did you ever try the PCAudit2 firewall test? It attempted to establish loopback connections to every running process, looking for one it could use to send out traffic via DLL injection. This rule defeats that test, and any malware or exploit that relies on loopback connections.

    The last 4 rules are for DNS. The blocking rule also alerts. All applications below this point are allowed normal access to DNS servers. If you want to control what applications have access to the DNS servers or any other service, the rules for those apps need to be above the actual DNS rules and any rules that permit the other services. Hopefully this clarifies how to use rule order to your advantage. In this ruleset, the UPnP rule you mentioned would be at the top unless you didn't want it applied to VPC in which case it would be just below its rules.

    edit, fixing lots of typos
     
    Last edited: Dec 26, 2014
  18. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    [screenshot: untitled.JPG]

    DNS Client service is not running. Pretty much went through Windows services
    when service packs were being offered as MS updates and then of course if a service needs
    to run. (Kerio wouldn't install without DCOM running)

    I'll probably try later VPN connections and see what happens. Currently don't use Proxomitron
    but have in the past with Firefox. It hopefully should work with Pale Moon if I decide to go
    that route. Do use Request Policy and NoScript along with custom blocking filter.

    Not all apps and connections listed are in this screenshot. Order needs changing
    so recommendations welcomed. Anything else you see wrong too.

    Thanks for help.
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    With that arrangement, only Palemoon and Hitman pro will have DNS access. If those are the only applications that you want to have internet access, the rules work. Most internet apps also require DNS access. I'd combine the 2 Palemoon rules into 1 using the list of ports option. While 80 and 443 are the most common ports that browsers connect to, they aren't the only ones. FTP servers for instance use port 21. You may run into other ports. Are you using the "ask me first" or "deny unknown" for Kerio? Proxomitron does work with Palemoon.
     
  20. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Yes, I forgot about combining the browser into 1 rule. Using "Ask me first" and have "Enable DNS resolving"
    unchecked. Haven't set up VPN connections yet and other apps that need connections. Left the MD5 signatures box checked. Are there any other settings in the Kerio interface (firewall configuration) that need to be checked/unchecked?
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Those settings will work. The DNS resolving option is for the Kerio status screen and the alerts. With it disabled, they will show IP addresses. The animated tray icon just gives a visual indication of when there's traffic. No other effect on function. Do you plan on making individual DNS rules for each internet application?
     
  22. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    That was the plan unless there is a better alternative. Also aware of Network/Mask as you mentioned.
    Use Network/Range instead. There is an issue between HMPA and Sandboxie not deleting the contents of the
    sandbox, which should delete automatically when the browser session ends, that's tied into IP address blocking.
    The IP block ruleset in Kerio is working (deny and notify) and when used with Sandboxie alone it works correctly.
    The IPs list is placed in the Custom Address group. The filter rule order was adjusted, but apparently not
    correctly. HMPA runs 2 apps (alert & HMP scanner) so numerous connections are needed. Will check into it
    further, but I have another blocking filter that I can use.
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not familiar with the workings of HMPA. Does HMPalert run as a service? I'm guessing here and could easily be off of the mark. If HMPAlert is still running after the browser closes, Sandboxie might not be able to delete the files because they're still in use. I seem to recall Sandboxie having a setting that when a certain type of process is closed, it automatically terminates everything else in that sandbox. I forget what they call it. I don't think that Sandboxie should affect the firewall rules for HMPA. Its internet requirements should remain the same with or without a sandbox.

    The DNS rules really depend on what your needs are. If most of your internet applications are connecting directly (no proxy, VPN, Tor, etc) and are using the default DNS servers, it would be easier to make global DNS rules that work for all of them. Make process specific DNS rules for the applications that aren't using the default settings, such as anything that's resolving DNS through a proxy, Tor, etc. Those rules would need to be above the global DNS rules. For applications that you don't want to have DNS access, the blocking rule for that application also needs to be above any global-permit rules, including the DNS.
     
  24. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @noone_particular [screenshot: untitled.JPG]

    Yes, HMPA runs as a service just as Sandboxie also runs as a service. As far as Sandboxie,
    you're probably thinking of the leader programs or lingering programs settings.

    The Lingering Programs has a built-in default list which you can add programs to and the
    Leader Programs comes empty, but you can also add programs to it. Both involve terminating programs.
    I've determined that Sandboxie isn't the problem.
    Screenshot shows the Kerio filter block rule denying access to Google & the browser is sandboxed.
    When Pale Moon closes, the sandbox is automatically deleted of its contents.

    None of this happens when HMPA is running at same time. I can open up task manager
    and see Pale Moon still running even after closing the browser.(unsandboxed)
    I do have to allow HMPA access (OpenPipePath) in Sandboxie in order for it to function
    properly. Also Svchost.exe wants access to my DNS servers on port 53. (UDP Outgoing)

    I've tested HMPA with other firewalls so I know it works, but don't remember if I
    imported the IPs filter list (may have) into the firewall rules. Firewall didn't depend
    on correct order like Kerio does so that may have made the difference. I have to disable
    the filter in Kerio to get everything working as it should.
     
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If the screenshot above is your present rules, nothing there is blocking Palemoon. I'm not sure how HMPA interacts with browsers. If it functions as a proxy, the loopback blocking rule will mess that up. You might try disabling the loopback rule and trying again.
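The rule-order points made in posts 14, 17, 23 and 25 (the wide-open default svchost rule, the DNS block rule sitting directly under the DNS permit rules, per-application rules placed above the global permits, and the loopback catch-all that defeats PCAudit2-style probes) can be checked mechanically with a small first-match evaluator. The block below is an added example written for this page; it is not Kerio code and was not posted by anyone in the thread. The resolver address, the remote addresses, the Proxomitron listening port (8080) and the application name noinet.exe are all assumptions made for the example.

```python
"""First-match model of a Kerio 2.x-style personal firewall ruleset (added example,
not Kerio code). Rule fields mirror the rule editor quoted in the thread: protocol,
direction, application, remote address, remote port, action, alert. Every address,
the Proxomitron port and the application noinet.exe are constructed/assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ANY = None                          # wildcard: the field is not checked
TCP, UDP = frozenset({"tcp"}), frozenset({"udp"})
TCP_UDP = TCP | UDP
DNS_SERVER = "192.0.2.53"           # constructed: the single resolver the user configured

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                    # "permit" or "deny"
    proto: Optional[FrozenSet[str]] = ANY
    direction: Optional[str] = ANY                 # "out" or "in"
    app: Optional[str] = ANY                       # executable name, case-insensitive
    remote_net: Optional[str] = ANY                # host or CIDR (Kerio: single/range/network)
    remote_ports: Optional[FrozenSet[int]] = ANY   # single port or "list of ports"
    alert: bool = False                            # "display alert box when this rule matches"

@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str
    app: str
    remote_ip: str
    remote_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field that is not a wildcard must match."""
    return ((rule.proto is ANY or pkt.proto in rule.proto)
            and (rule.direction is ANY or pkt.direction == rule.direction)
            and (rule.app is ANY or pkt.app.lower() == rule.app.lower())
            and (rule.remote_net is ANY or ip_address(pkt.remote_ip) in ip_network(rule.remote_net))
            and (rule.remote_ports is ANY or pkt.remote_port in rule.remote_ports))

def evaluate(rules: List[Rule], pkt: Packet, unknown: str = "ask") -> Tuple[str, Optional[str]]:
    """Top-to-bottom first match; traffic no rule matches falls through to the
    'ask me first' / 'deny unknown' setting."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return unknown, None

# Kerio's out-of-the-box svchost rule as quoted in the thread: only the application is pinned.
KERIO_DEFAULT_SVCHOST = Rule("Generic Host Process (default)", "permit",
                             proto=TCP_UDP, direction="out", app="svchost.exe")

# The thread's recommended order: service blocks first, per-application rules next (permits,
# then that app's own loopback deny), the loopback catch-all, the global DNS permit followed
# directly by the DNS block, and a catch-all deny for svchost instead of the default permit.
ORDERED: List[Rule] = [
    Rule("UPnP/SSDP block", "deny", proto=TCP_UDP, remote_ports=frozenset({1900, 5000}), alert=True),
    Rule("Pale Moon -> Proxomitron", "permit", proto=TCP, direction="out", app="palemoon.exe",
         remote_net="127.0.0.1", remote_ports=frozenset({8080})),       # 8080 is assumed
    Rule("Pale Moon other loopback", "deny", app="palemoon.exe", remote_net="127.0.0.0/8", alert=True),
    Rule("Pale Moon web (port list)", "permit", proto=TCP, direction="out", app="palemoon.exe",
         remote_ports=frozenset({21, 80, 443})),
    Rule("Loopback block", "deny", remote_net="127.0.0.0/8", alert=True),
    Rule("DNS permit", "permit", proto=TCP_UDP, direction="out", remote_net=DNS_SERVER,
         remote_ports=frozenset({53})),
    Rule("DNS block", "deny", proto=TCP_UDP, remote_ports=frozenset({53}), alert=True),
    Rule("svchost block (tightened default)", "deny", app="svchost.exe", alert=True),
]
# The mistake the thread warns about: DNS block dragged above DNS permit.
MISORDERED: List[Rule] = ORDERED[:5] + [ORDERED[6], ORDERED[5]] + ORDERED[7:]
NOINET_BLOCK = Rule("noinet.exe block", "deny", app="noinet.exe", alert=True)   # hypothetical app

# Constructed traffic samples (documentation addresses, not real hosts).
PALEMOON_DNS = Packet("udp", "out", "palemoon.exe", DNS_SERVER, 53)
PALEMOON_OTHER_DNS = Packet("udp", "out", "palemoon.exe", "198.51.100.9", 53)
PALEMOON_PROXY = Packet("tcp", "out", "palemoon.exe", "127.0.0.1", 8080)
PCAUDIT_LOOPBACK = Packet("tcp", "out", "pcaudit2.exe", "127.0.0.1", 8080)   # PCAudit2-style probe
SVCHOST_ANYWHERE = Packet("tcp", "out", "svchost.exe", "203.0.113.7", 443)
NOINET_DNS = Packet("udp", "out", "noinet.exe", DNS_SERVER, 53)

if __name__ == "__main__":
    for label, rules, pkt in [
        ("default svchost, any remote", [KERIO_DEFAULT_SVCHOST], SVCHOST_ANYWHERE),
        ("ordered, Pale Moon DNS", ORDERED, PALEMOON_DNS),
        ("misordered, Pale Moon DNS", MISORDERED, PALEMOON_DNS),
        ("ordered, PCAudit2 loopback", ORDERED, PCAUDIT_LOOPBACK),
        ("app block above global DNS", [NOINET_BLOCK] + ORDERED, NOINET_DNS),
        ("app block below global DNS", ORDERED + [NOINET_BLOCK], NOINET_DNS),
    ]:
        print(f"{label:30} -> {evaluate(rules, pkt)}")
```

Running it shows that the default svchost rule permits traffic to any address and port, that the same Pale Moon DNS query is permitted under ORDERED and denied under MISORDERED (the symptom described with HMPA hitting the DNS block rule), that a loopback connection from an unlisted process is caught by the loopback catch-all while Pale Moon's connection to Proxomitron is not, and that an application deny rule only has an effect when it sits above the global DNS permit. The model is stateless and ignores the network/mask bug the thread mentions; it only illustrates ordering.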
     