New 2.06p2 version

Discussion in 'LnS English Forum' started by Frederic, Dec 15, 2007.

Thread Status:
Not open for further replies.
  1. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Probably it was the Visual C++ Runtime which needs to be installed.
    So I presume the 2.06p2 finally installed properly.

    The new rules use the new Stateful Packet Filter engine to handle simple protocols like DNS, DHCP,...
    These rules offer better protection because an incoming packet from the network is accepted only if the PC has first sent an initial packet. This is not the case with the usual rulesets.

    Frederic
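
The behaviour described in this post (an inbound packet is accepted only if the PC sent a packet first) can be modelled with a small state table, shown here next to a plain port-based rule. This is an added example, not Look 'n' Stop code; the class, the 5-second timeout and the addresses are assumptions made for illustration.

```python
class StatefulUdpFilter:
    """Inbound UDP is accepted only as a reply to a packet this host sent first."""

    def __init__(self, timeout=5.0):
        self.timeout = timeout   # seconds a reply is awaited (assumed value)
        self.pending = {}        # (local_ip, local_port, remote_ip, remote_port) -> send time

    def outbound(self, local, lport, remote, rport, now):
        # Every outbound packet records (or refreshes) the conversation.
        self.pending[(local, lport, remote, rport)] = now
        return "allow"

    def inbound(self, remote, rport, local, lport, now):
        key = (local, lport, remote, rport)
        sent = self.pending.get(key)
        if sent is None:
            return "block: unsolicited"
        if now - sent > self.timeout:
            del self.pending[key]          # expired entries are dropped
            return "block: late reply"
        return "allow"


def stateless_inbound(rport):
    """A port-based rule: any inbound UDP with source port 53 passes."""
    return "allow" if rport == 53 else "block"


def demo():
    pc, dns, other = "192.0.2.10", "192.0.2.1", "203.0.113.9"   # constructed addresses
    fw = StatefulUdpFilter()
    results = []
    # 1. Inbound packet from source port 53 although the PC sent nothing.
    results.append((stateless_inbound(53), fw.inbound(other, 53, pc, 40000, now=0.0)))
    # 2. The PC sends a query and the server answers 0.2 s later.
    fw.outbound(pc, 40000, dns, 53, now=1.0)
    results.append((stateless_inbound(53), fw.inbound(dns, 53, pc, 40000, now=1.2)))
    # 3. A host that was never queried answers the same local port.
    results.append((stateless_inbound(53), fw.inbound(other, 53, pc, 40000, now=1.3)))
    # 4. The reply arrives after the timeout has expired.
    fw.outbound(pc, 40001, dns, 53, now=2.0)
    results.append((stateless_inbound(53), fw.inbound(dns, 53, pc, 40001, now=9.0)))
    return results


if __name__ == "__main__":
    for stateless, stateful in demo():
        print(f"port rule: {stateless:6} stateful: {stateful}")
```

The port-based rule accepts all four inbound packets; the state table accepts only the second.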
     
  2. Gargoyle

    Gargoyle Registered Member

    Joined:
    Jun 2, 2007
    Posts:
    67
    How do the new rules affect my BitTorrent downloads? I need people to send me packets first to start the file transfer...

    On another topic, I have Phant0m's V8 ruleset. How do I combine it with the Enhanced ruleset?
     
  3. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    The new SPF rules are only for simple protocols like DNS, DHCP, ARP, NetTime...
    BitTorrent protocol is not concerned by these new rules and should not be impacted.
    You just have to import the new rules and let them at the top of the ruleset.

    Frederic
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Frederic,

    First of all, I do like the new version with the SPF rules, all appears to be working correctly.

    I do have some questions if I may:

    The TCP SPI is disabled by default, which does mean a rule in place to allow out/in TCP. When the TCP SPI is enabled, where does this filtering come into force? On a current connection before any other filter rules are checked? As the TCP rule cannot be changed to outbound only.

    The raw rules show an option for IPV6, but the fields can only be checked for 6 bytes, how is an IPV6 address checked within such a rule (IPV6 address has up to 8X2 bytes)?

    On the rule to block inbound SYN(connections) in the enhanced ruleset, I see that in raw format that the flags are checked with decimal 2 (syn) but checked against a mask, what is the reason for the mask?

    TIA

    Regards,
    Stem
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Thomas,
    As mentioned by Frederic, a new field within the raw rule can be added to apply restrictions to the outbound IP.

    I have added restrictions within the Raw DNS rule on my own setup, so will post this to show you, with simple explanation:-

    raw_dns.jpg

    The Field(0-15) is at 8, this is because this is the first field I found available (other Fields before this are checking other content).

    The Field filtering (field offset) is set as IP, inbound 12 (I don't think this is actually needed for the outbound rule, but I added it anyway), Outbound 16 (this is the position of the IPs within the packet you are to add)

    IP type the field applies to: I have placed IPV4, as there are actually no SPF options currently within the rule, and I have no need for them yet.

    Field Criteria: I have placed "Equal_value1or2ormask", because I have 3 DNS servers. If you only had 1 DNS server, then you would have this as "Equal_Value1", if you had 2 DNS servers, then you would have "Equal_Value1or2".

    The Field size for the IP is 4 bytes (you are entering/checking 4 numbers which the address is made of)

    The Value Display mode is set to "Decimal-byte split" as this is how the address is normally seen, and easier to enter

    I then add my DNS IPs as seen above.

    I have also left the original DNS rule in place, but set this to block with logging/alert, this is to check on any attempt to make DNS to other IPs, but also to check the raw rule in place is correct, and to check for any late replies.

    ______________________________________

    I have gone through checking of the above rule on my setup, and this works correctly (I have changed IPs etc within the rule to test, and got blocked (as expected))
     
  6. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Hi Stem,
    Thanks for your report, I'm pleased you like it ;)
    When the TCP SPI is enabled, each TCP packet is checked against the TCP SPI engine after the ruleset has allowed the packet.
    It is easier to do so (rather than having the ruleset after the TCP SPI) in case some ports have to be blocked by the ruleset.
    And typically if you are not expecting incoming TCP connections, the rule "Block incoming connection" blocks the packet without having the TCP SPI adding a new connection for nothing.
    Some people (in some other posts) think that it would be better to have the TCP SPI first, for performance reasons.
    Yes, this is currently a plugin limitation, the 16 bytes case is not handled. The limitation is only in the GUI of the plugin. I will extend it in a future version.
    In the meantime, if you absolutely want to verify a specific IPV6 address, you can do it with 3 consecutive fields checking different offsets (but I agree it's not so convenient).
    Note that the "equal my IP @" criteria works anyway properly from the plugin, Look 'n' Stop application takes care of the size for that case. When using this criteria ("equal my IP @") it is important to select the IP version, and 2 fields are required if the rule is supposed to handle both IPV4 and IPV6.

    It is to check 6 bits only, as the 2 first bits are reserved.
    If these 2 bits are supposed to be 0, then "equal to 2" could be used instead of the mask.

    Regards,

    Frederic
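
The field checks discussed in this post and in Stem's DNS rule above (a field is an offset, a size of at most 6 bytes and a comparison), modelled as an added example that is not the plugin's code. The `Field` class, the 0x3F mask, treating the criterion as "equal to any listed value" and all addresses are assumptions; the two top flag bits are the ones RFC 3168 assigns to ECN (CWR and ECE), so the sample 0xC2 is a SYN with both set.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Field:
    """One raw-rule field: compare `size` bytes at `offset` (simplified model)."""
    offset: int
    size: int                    # the thread notes a 6-byte limit per field
    values: tuple                # match if the (masked) bytes equal any of these
    mask: int = (1 << 48) - 1    # bits kept before comparing; default keeps all

    def matches(self, header: bytes) -> bool:
        raw = header[self.offset:self.offset + self.size]
        if not 1 <= self.size <= 6 or len(raw) < self.size:
            return False         # oversize field or truncated header: no match
        return (int.from_bytes(raw, "big") & self.mask) in self.values

def pack(addr):
    return ipaddress.ip_address(addr).packed

# Constructed sample values (documentation address ranges, not from the thread).
DNS = tuple(int.from_bytes(pack(a), "big") for a in ("192.0.2.1", "192.0.2.2", "198.51.100.53"))
DNS_DST = Field(offset=16, size=4, values=DNS)        # IPv4 destination address
SYN_MASKED = Field(13, 1, (2,), mask=0x3F)            # TCP flags byte, low 6 bits
SYN_EXACT = Field(13, 1, (2,))                        # "equal to 2", no mask

def ipv6_fields(offset, addr):
    """Cover a 16-byte IPv6 address with three consecutive fields (6 + 6 + 4)."""
    packed = pack(addr)
    return [Field(offset + p, n, (int.from_bytes(packed[p:p + n], "big"),))
            for p, n in ((0, 6), (6, 6), (12, 4))]

def ipv4_header(src, dst):   # 20 bytes: source at offset 12, destination at 16
    return b"\x45" + bytes(11) + pack(src) + pack(dst)

def ipv6_header(src, dst):   # 40 bytes: source at offset 8, destination at 24
    return b"\x60" + bytes(7) + pack(src) + pack(dst)

def tcp_header(flags):       # 20 bytes: flags byte at offset 13
    return bytes(13) + bytes([flags]) + bytes(6)

def demo():
    v6 = ipv6_fields(24, "2001:db8::53")
    return {
        "dns_listed": DNS_DST.matches(ipv4_header("192.0.2.10", "192.0.2.2")),
        "dns_other": DNS_DST.matches(ipv4_header("192.0.2.10", "203.0.113.9")),
        "syn_plain": (SYN_MASKED.matches(tcp_header(0x02)), SYN_EXACT.matches(tcp_header(0x02))),
        "syn_top_bits": (SYN_MASKED.matches(tcp_header(0xC2)), SYN_EXACT.matches(tcp_header(0xC2))),
        "syn_ack": SYN_MASKED.matches(tcp_header(0x12)),
        "v6_listed": all(f.matches(ipv6_header("2001:db8::1", "2001:db8::53")) for f in v6),
        "v6_other": all(f.matches(ipv6_header("2001:db8::1", "2001:db8::54")) for f in v6),
    }

print(demo())
```

With the mask, a SYN that has the two top bits set still matches the block rule; with a plain "equal to 2" comparison it does not, which is the difference the mask makes.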
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Frederic,

    Thank you for reply,

    If I may reply, (not necessarily in order of preference),
    Not actually a want/need by myself at this point/time, but your explanation does show the ability, and also answers a question I did not ask(ability to overlap fields)

    For:-
    Please, if I can, try to explain such concerns. The current ruleset will allow outbound/inbound (default rule), how will the enabling of SPI affect this, if inbound is allowed due to that rule (cannot be changed to outbound only) as that rule will allow the inbound?

    Regards,
    Stem
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
  9. Delgado

    Delgado Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    131
    Just installed this new version, and appears OK. The only thing is that the connected box is not ticked, although the address shows my router address, and all is working. I can connect to net, and everything works!!


    o_O
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Phant0m,

    No it does not answer any question, but, as I don't want to take this thread further off topic, I will take time (when available) to check myself, then take any questions to a new thread.
     
  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    http://www.mntolympus.org/fwglossary.html#Stateful_Inspection

    I'm sorry it wasn't understood... here's a direct approach.

    - If I have understood Frederic correctly, his SPF implementation acts as an independent layer after the regular list of filters / rules. A packet that is permitted in or out by a filter has some information collected to be used in the state table, any other packets part of this session that aren't denied somewhere by the set of filters are then matched and permitted or denied by the SPF mechanism.

    ... of course with CHX-I you only need to allow it the one direction, and CHX-I will permit packets part of that session automatically for either direction. ... Ohh I'm understanding where you're coming from! :p

    So here's the deal, regardless of a rule's direction (In, Out, In-Out), it depends on where the rule is located in the ruleset, like above '+TCP: Block Incoming connections' to allow remotely initiating connections or below this rule to allow just the locally initiating connections.
     
    Last edited: Jan 14, 2008
  13. Delgado

    Delgado Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    131

    Hi Phantom

    I've only got one Network Adapter, NVIDIA nForce Networking Control - this is selected in Look n Stop.

    I've got a Zoom Router Address 10.0.0.4 which is shown in LnS.

    Got an entry in the log that says Block all other UDP relating to Gateway.
     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hi Delgado,

    In that case, remove 10; from Network interface autodetect, IP to exclude: list found on Look 'n' Stop - 'Options' screen and in 'Advanced options'. :)
     
  15. Delgado

    Delgado Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    131

    Hi

    Thanks Phantom - that worked. I've had to allow Port 7001 and Port 2869 to open to allow my Router and Utorrent to work. Is this safe?

    Thanks Delgado
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hi Delgado,

    Did you associate the uTorrent application to the uTorrent rule, so the rule becomes activated only when running uTorrent?

    You should also keep a p2p program updated regularly.
     
  17. ChickC

    ChickC Registered Member

    Joined:
    Dec 17, 2004
    Posts:
    26
    Location:
    Proudly, one of the, "Blue States" CT
    I updated to 2.06p2 when I purchased a new computer with factory installed Vista Ultimate 32 bit RTM SP1 and in the process of chasing down a problem with NOD32 found that Look n Stop was not being recognized by the security center and that it had activated the Windows Firewall. I had to shut down the Windows firewall and tell it that I would monitor my own firewall to solve the problem.

    I have a vaguely similar problem with NOD32 and their tech people suspect LnS as the cause so I am really interested if anyone else running SP1 RTM, not a Beta, release Candidate or virtual machine, etc. has reported a problem and if there is a cure?

    LnS will not accept my registration information and I have submitted that to tech support, but I believe that has nothing to do with my problem.

    Thanks,
    Chick
     
  18. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Could you check that a Look 'n' Stop service is running, in the service list? (the name of the exe is "LnSSvcVista.exe").
    Also I would like to have the content of the console window, as there is an indication there if Look 'n' Stop has properly registered or not to the security center.
    I don't know why they are saying that. Look 'n' Stop just registers to the security center, but there is no feature to hook or to unregister another application, so I don't understand how Look 'n' Stop could prevent another application from registering to the security center.
    You should receive a new serial soon.

    Regards,

    Frederic
     
  19. ChickC

    ChickC Registered Member

    Joined:
    Dec 17, 2004
    Posts:
    26
    Location:
    Proudly, one of the, "Blue States" CT
    Thanks Frederic,

    I have temporarily uninstalled LnS until I have a new registration number, but I can tell you that it definitely was running. The only problem was that the console was not recognizing it. I told windows that I had another firewall and that I would monitor it to stop the error message that said I was at risk for not having a firewall. Aside from that aggravation everything in LnS was doing its job fine.

    The message that ESET and the NOD32 forum on Wilders https://www.wilderssecurity.com/showthread.php?p=1188749#post1188749 keep telling me I cannot be getting says that it recognizes NOD32 but that it is reporting in an out of date format that is no longer supported! Their tech had me run and create their Inspection Log and his response was, "Hello, I'd like to know whether Look'n'Stop firewall is reporting to WSC correctly. If you're willing to temporarily uninstall it I'd be curious whether that makes a change."
    It did not and the only reason I am telling you about this is so you have background information.

    Thanks Again for your prompt response and help
     
  20. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Did you really check this special service was running (this is something internal which is not obvious to know)? I'm not talking about Look 'n' Stop exe, I'm talking about something else, and you can see if it is running only when opening the list of services window.
    What do you mean by "not recognizing"? Normally there is an error code there, and I would like to get it to understand where the issue is. For instance code 00002 is the service I'm talking about is not there.

    Since you uninstalled Look 'n' Stop, does it make a change?
    This error is very strange, and maybe there is another more general issue preventing both applications from registering properly to the security center.

    Thanks,

    Frederic
     
  21. ChickC

    ChickC Registered Member

    Joined:
    Dec 17, 2004
    Posts:
    26
    Location:
    Proudly, one of the, "Blue States" CT
    I will specifically check for the file "LnSSvcVista.exe" as soon as my license catches up with me and I reinstall LnS.
    I said that I was having a problem getting people to believe me! There is an actual screen shot at this link https://www.wilderssecurity.com/showt...49#post1188749
    In case you do not want to look there is no error code and I will quote exactly what it says, "VIRUS PROTECTION ESET NOD32 antivirus 3.0 is on but is reporting its status to Windows Security Center in a format that is no longer supported. Use the programs automatic updating feature or contact the program manufacturer for an updated version." The version is 3.0.642.0 which is the latest release.
    Since uninstalling LnS and also again turning off Windows firewall there is no difference to the message. Nod32 continues to update properly and appears to be functioning well.

    I cannot stress enough that this machine was shipped from Velocity with Vista Ultimate SP1 RTM factory installed. The first program installed out of the shipping box was NOD32 and the second program was LnS. The problem has been there since then, so if there is a more general issue, which I am sure is possible, then it was there before the machine left the factory.

    Thanks so much for taking the time to try and solve this and not just blowing me off as others have done because they have NOT SEEN IT YET.
    Thanks Again
     
    Last edited by a moderator: Feb 29, 2008
  22. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    No problem I believe you, and I had already looked at the screenshot you made. That's why I have said "This error is very strange...".

    I was talking about the console window in Look 'n' Stop application, and you answered "The console was not recognizing it". That's why I said "What do you mean by "not recognizing"? normally there is an error code there..." I guess there is a misunderstanding, and we are not talking about the same console window...
    So, in Look 'n' Stop in the option tab, there is a console checkbox, just select it and the Console window will open. There, when Look 'n' Stop is not able to register to the security center, an error message is displayed, with the error code I'm talking about.

    Frederic
     
  23. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    does this version slow down the p2p too like the old version?
     
  24. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    215
    No, it doesn't. Nor did the older version. You have some other problems.
     
  25. ChickC

    ChickC Registered Member

    Joined:
    Dec 17, 2004
    Posts:
    26
    Location:
    Proudly, one of the, "Blue States" CT
    Frederic, I reinstalled LnS and registered it with new license. I followed your instructions for the console and found no error code. It says:
    Look 'n' Stop Version 2.06p2

    Driver versions: 5.04 & 4.03
    API Driver versions: 6.01 & 5.01
    [0:33:17] Internet Firewall Enabled
    [0:33:18] Appli Firewall Enabled
    [0:33:18] Security Center registration Ok.

    If you wish I will give everything in the box.

    I started the Task Manager and under services there is a LnSSvcVista.exe which is running.

    I hope I gave you all the information you need and again thank you for your time and patience.
     