Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Near the top above any "permit all" types of rules.
     
  2. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Thanks. Now have to do some more rules for other apps and hopefully get everything in the right order.
     
  3. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Getting a lot of Pale Moon loopback rule popups from Kerio. [attachment: loopback rule.JPG]
     
    Last edited: Apr 12, 2015
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Other than when you first start the browser, is there another activity that triggers the alerts? If the browser is working right, I'd shut the alert function off. On mine, when I disable the loopback blocking rule for PaleMoon, it generally tries twice to establish a loopback connection, then stops. Newer versions might be different.
     
    Last edited: Apr 12, 2015
  5. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    HMPALERT.EXE | protocol UDP | Local Address 127.0.0.1 | Remote Address 0.0.0.0:0 | State Listening
    Firewall log window:
    Rule TCP ack packet attack Blocked: In TCP... localhost:1025 (several entries)

    Had to make a HMPA UDP out rule with 127.0.0.1 remote endpoint.
     
    Last edited: Apr 12, 2015
  6. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    This thread needs to be released as an e-book.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Is that HitMan Pro, the alert component? I wouldn't block that until you determine exactly what that connection is used for. I'm not familiar with it or how it functions but the info you posted leads me to believe that at least part of it functions as a proxy. What is that loopback connection connecting back to, itself, another of its components or something else?
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That is one of the long term goals of this thread. Most everything in this thread exists elsewhere on the web. That's the problem with a subject like this. The information is all over, badly fragmented, hard to find, and even harder to organize. I'd like to see this thread used as a collecting point for this information with the eventual goal of organizing and compiling it into a comprehensive guide that covers as many aspects of privacy and security as possible. The form this guide would take, e-book, website, whatever, hasn't been discussed. We're nowhere near that point. The amount of knowledge and skill on this forum is huge. There's several very good guides here on specific subjects that are getting buried. I'd like to see a group effort that brings the best of it together into an organized, searchable format, freely available to all, compiled by the membership of Wilders. The manuals that mirimir has been putting together are one example. There's another on group policy and permissions that's very good. Everything one would need to know is available, here and elsewhere. It just needs to be brought together.
     
  9. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Yes. HitmanPro.Alert, which includes HitmanPro. It apparently uses UDP out on several local endpoint ports and remote address 127.0.0.1. Looks like the same local and remote ports are being used. The UDP 127.0.0.1 entry contains hmpalert.exe (app executable path).

    Firewall rules for apps that need to connect out:

    Protocol: UDP
    Direction: Out
    Local endpoint: Any port
    Application: <app path>
    Remote endpoint: Single address > Host address: 127.0.0.1 (Any port)
    Action: Permit

    Should I be more specific for the local endpoint and remote endpoint instead of using Any port? Maybe use Port/Range on the local endpoint with 1024-? rather than one specific entry (e.g. 1034)? ? = whatever range number is needed.

    Use specific DNS server addresses for apps on UDP protocol over port 53.

    Protocol:TCP
    Direction: Out
    Local endpoint: Any port, Single port or Port/Range (which one?)
    Application: <app path>
    Remote endpoint: <single host address> Single Port (80) (443)
    Action: Permit

    Note: There will obviously be more (popups) when using specific customize rules.

    Loopback Rule for browser:
    Protocol: TCP and UDP
    Direction: Both directions
    Local endpoint: Any port
    Application: <browser path>
    Remote endpoint: Single address > 127.0.0.1 (Any port)
    Action: Deny & display alert

    Would be placed below other localhost (127.0.0.1) rules.
     
    Last edited: Apr 12, 2015
  10. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    There's been some great input into this thread, especially from noone_particular. I'm very grateful that he's shared his amazing knowledge and given us his time. He also has a good way of explaining things where newbies or the less knowledgeable are more likely to grasp things. I think that's one of the key things to consider when there's something as complex as internet security/privacy to deal with. I'm also grateful to others' input. It all adds up.

    I too would like to see it eventually come together in such a way that is beneficial to all. It will be a huge undertaking because it not only covers many topics but there's differing threat models as well as how much a person wants to, or is able to, utilize the necessary tools at their disposal. It means, to be properly effective, it has to lay concepts for people like me who have had, and still have much to learn. That's easier said than done, when each particular path one takes has its own unique learning curve.

    @noone_particular .... "with the eventual goal of organizing and compiling it into a comprehensive guide that covers as many aspects of privacy and security as possible."

    I'm all for including hardware in this thread but especially with security and privacy in mind. In light of the fact that this thread covers such a broad area anyway, it's worthy of discussion. There's a hardware section at Wilders but it doesn't necessarily have security / privacy in mind.
     
  11. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    [attachment: octet.JPG]
    Saw this alert after bootup. UDP datagram from (null) (0.0.0.0:68) localhost 67
    Local area connection status - limited or no connectivity.
     
    Last edited: Apr 13, 2015
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Could you post the actual settings you have in the zero octet rule? Where is this rule in relation to your DHCP rules?
     
  13. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    The zero octet rule is placed near the top of ruleset. It is above the DHCP rule.

    Zero octet rule:
    Protocol: Any
    Direction: Incoming
    Network/Range: 0.0.0.0-0.255.255.255
    Action: Deny & display alert

    Looks like it needs to be placed below DHCP. Looking at screenshot in post #4 (Kerio learning thread)
     
    Last edited: Apr 13, 2015
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @Compu KTed
    I'm not clear on the format you're using in post 359. Except for the last rule, none of them mention an application. Does "Application: <app path>" mean any application?
    This can be a bit difficult to put into user friendly terms and still remain reasonably accurate. I apologize in advance if I don't succeed. Just to make sure that we're using terms in the same way:
    Rules that apply to any or all applications are global rules.
    I'm assuming that this rule applies to any application since you didn't specify one. The host address (the IP of the traffic's destination) identifies this as a loopback rule. This rule allows any application or system component to establish loopback connections using the UDP protocol. Was this your intention?
    If this rule is placed below the previous rule, it will only block TCP loopback traffic. It will not be applied to UDP loopback traffic because the rule above it has already permitted that traffic.

    Local port refers to the port on your PC. There's no real need to specify local ports for outbound traffic. Windows will use the first one available above port 1024 (not positive on the exact port number). When a browser makes a standard HTTP connection, it's connecting to port 80 on the server; in the firewall rules, that's the remote port. It will depend on the application whether or not you specify a remote port. With browsers for example, most of the connections will be to ports 80 and 443 but are not limited to these. If you connect to an FTP server, you'll see connections to port 21. A web site or service can use any port that they choose. Except for proxies, Tor, etc., I would not restrict the browser's outbound traffic. For inbound traffic it is necessary to specify the local port. Tor for example, when running on Windows as a relay, needs to receive incoming TCP traffic on ports 443 and 9030 from most any remote IP address. The matching firewall rule would permit inbound only to Tor, limit the traffic to TCP, and only to those 2 ports.

    Regarding DNS, the rules should include the IPs of your DNS servers. If you're using conventional, unencrypted DNS, it will be UDP to remote port 53. The rule needs to allow traffic in both directions. If you're using Tor, VPNs, and/or filtering proxies, the DNS rules will get more complicated. Also refer to the earlier posts regarding the Windows DNS client.
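    The ordering effect described above (a global UDP loopback permit placed above the browser loopback deny, so the deny only ever sees TCP) can be reproduced with a small first-match evaluator. This is an added example, not code from the thread or from Kerio; the rule fields mirror the layout in post 359, the first rule is read as global (no application) as noone_particular assumes, and the packets are constructed, not captured.

```python
# Added example: minimal top-down, first-match rule evaluator in the style of a
# Kerio-type personal firewall. Rules and packets below are constructed for
# illustration; the palemoon.exe path is the one quoted in the thread.
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for protocol / application / address / port


@dataclass
class Rule:
    name: str
    protocol: Optional[str]      # "TCP", "UDP" or ANY
    direction: str               # "out", "in" or "both"
    app: Optional[str]           # executable path, or ANY for a global rule
    remote_addr: Optional[str]
    remote_port: Optional[int]
    action: str                  # "permit" or "deny"


@dataclass
class Packet:
    protocol: str
    direction: str
    app: str
    remote_addr: str
    remote_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.protocol in (ANY, pkt.protocol)
            and rule.direction in ("both", pkt.direction)
            and rule.app in (ANY, pkt.app)
            and rule.remote_addr in (ANY, pkt.remote_addr)
            and rule.remote_port in (ANY, pkt.remote_port))


def evaluate(rules, pkt: Packet, default="deny"):
    """First matching rule wins; rules below it never see that traffic."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


BROWSER = r"C:\Program Files\Pale Moon\palemoon.exe"
# Post 359 as read by noone_particular: global UDP loopback permit, then browser loopback deny.
udp_loopback_permit = Rule("UDP loopback permit (global)", "UDP", "out", ANY, "127.0.0.1", ANY, "permit")
browser_loopback_deny = Rule("Browser loopback deny", ANY, "both", BROWSER, "127.0.0.1", ANY, "deny")

udp_pkt = Packet("UDP", "out", BROWSER, "127.0.0.1", 1034)   # constructed sample
tcp_pkt = Packet("TCP", "out", BROWSER, "127.0.0.1", 8080)   # constructed sample


def as_posted():
    """Permit above deny: UDP loopback from the browser slips through, only TCP is denied."""
    rules = [udp_loopback_permit, browser_loopback_deny]
    return evaluate(rules, udp_pkt)[0], evaluate(rules, tcp_pkt)[0]


def deny_first():
    """Deny above permit: both protocols are blocked for the browser."""
    rules = [browser_loopback_deny, udp_loopback_permit]
    return evaluate(rules, udp_pkt)[0], evaluate(rules, tcp_pkt)[0]
```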
     
  15. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Lots to digest here. Basically I use 2 DNS servers set in Windows properties and then set each application to those DNS servers. Then I set a block rule below that over port 53. I currently only have a few apps that need firewall rules and was able to get Pale Moon (sandboxed), HitmanPro.Alert, and Proxomitron with some changes in Sandboxie settings to work.
    I don't think Sandboxie on its own connects (In/out) but uses child processes. The only time I'm aware of is when updating and activating the license. Have no firewall rules for Sandboxie. If I run Pale Moon unsandboxed then I receive more Kerio popups IIRC relating to localhost (127.0.0.1). I'll see if I can be more specific later when I have more time.
     
  16. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    @noone_particular
    If this would be okay with you I would like to tackle one issue at a time and once solved then move on to the next one.

    I have set Kerio to 'Stop All Traffic' on bootup. I moved the zero octet block rule below the DHCP rule, but same result as before. (alert screenshot posted already in this thread)

    DHCP Rule:
    Protocol: UDP
    Direction: Both directions
    Local endpoint: Single Port 68
    Application: Path of svchost.exe
    Remote endpoint: single address <DHCP server> single port 67
    Action: Permit

    The Generic Host Process rule is however set below the zero octet rule. Do I need to move this rule above the zero octet rule?

    Note: When I get a Kerio popup on zero octet rule after bootup (doesn't happen at every reboot) I see limited or no connectivity in local area connection status window. If I then reboot there is no zero octet popup alert and status shows connected.

    Generic Host Process rule:
    Protocol: UDP
    Direction: Outgoing
    Local endpoint: Single port 68
    Application: Path of svchost.exe
    Remote endpoint: Single address 255.255.255.255 single port 67
    Action: Permit

    Note: Application: <app path> means ( e.g. C:\Program Files\Pale Moon\palemoon.exe)

    Appreciate all the help.
     
    Last edited: Apr 13, 2015
  17. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    http://www.sandboxie.com/index.php?ServicePrograms
    SandboxieBITS.exe will be used by some apps to download in the background. I know Chrome based browsers will eventually engage this file. I didn't encounter this file being called by a Firefox derivative.

    My firewall threw up a request, eventually had to hardcode a rule because the notification never ceases.
     
  18. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Interesting. I think IE browser uses SandboxieCrypto.exe. The only processes I have running are SandboxieRpcSs.exe, SandboxieDcomLaunch.exe, SbieCtrl.exe and SbieSvc.exe. Just to test I put firewall rules for crypto, BITS and WUAU executables. I suspect I may not see any alerts from firewall.
     
  19. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Have you seen this four-part writeup with rules spelled out?
    https://www.wilderssecurity.com/threads/customizing-firewall-rules-system-wide-rules.4413/
    It's worth looking at, IMO. Three sections follow this link.

    Your DHCP is about broadcast. You need more than that. Try these rules, assuming your router's IP is in the custom group; else hardcode the DHCP server address of your ISP if that's what you use.
    [attachment: Kerio-DHCP-rules.png]
    Actually the first rule should be only outbound, and the second only needs UDP inbound when the router issues you an IP. Oh, well, old Kerio rules, and I don't think it hurt me on my trusted LAN, and I count on noone_particular to correct.
     
  20. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    My Custom Address Group contains an IP address blocklist, which is different from the Trusted Address Group, which I don't use.
    For DHCP rules I'm using 2 that both use svchost.exe as the application and the DHCP server single address for the remote endpoint. It may be the order that needs changing.

    Update: noone_particular mentioned using static IP addresses and no DHCP.

    I set the IP address, subnet mask and default gateway in Windows network connections. DHCP Client service is set not to run and I disabled the DHCP rules in the firewall.

    Connection status > Address type: Manually Configured
    Able to connect to Internet.
     
    Last edited: Apr 14, 2015
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @Compu KTed
    All of my physical PCs use static IPs as do my current virtual systems. None of them need or use DHCP. As soon as I get time, I'll set up a virtual XP that uses it and detail the rules required. It'll be a few days before I can. Right now, I have some sad real life duties that I need to attend to.
     
  22. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    That's okay. Take all the time you need and understand that real life duties are far more important to attend to.
     
  23. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    In Kerio filter rule under Application heading I noticed when you click on the arrow to expand the drop down menu there are other entries added to the specific app path I originally selected.
    e.g. C:\Program Files\Kerio\personal firewall\persfw.exe
    C:\Program Files\pale moon\palemoon.exe
    C:\Program Files\system32\svchost.exe
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Those entries aren't part of the rule. It's a list of the internet capable applications and components that Kerio has seen so far. It's a quick way to select one of those applications without having to browse to it. The rule will only apply to the application displayed in the unexpanded drop box.
     
    Last edited: Apr 14, 2015
  25. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Okay. I wasn't sure since I didn't add those entries. Thanks for the explanation.
     