Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    @ nmaynan

    guys, I don't know what blacklists are.

    Blacklists are lists of IP ranges. These lists are basically made to allow the IPs in the list (Whitelist) or to block them (Blacklist).
    The most known program to use such lists in general is PeerGuardian 2.

    Where do you guys get them, do you create them?
    Could you explain a little or maybe link me to info on them and/or where/how you obtain them?


    OA supports Blacklists in so called Bluetack format, therefore you can download all kinds of Blacklists from bluetack.co.uk (B.I.S.S. Forums > Downloads > Categories > The Blacklists), import them to OA and assign them global or to a single rule, everything in OA Advanced Mode, which is an exclusive feature of OA paid. You can't do this with OA free.

    Of course you can create your own lists, the format is:
    Name:startIP-endIP
    For instance: computerguard.de:82.100.220.0-82.100.220.255

    For example, I don't understand your discussion of how a blacklist would help the NOD32v3 situation.

    In general you can assign a blacklist to every single rule in OA's firewall, but because of NOD32 v3 proxy, this seems to be limited to the ekrn.exe (Eset Smart Security Service) for all programs which are bound to it.
    So it's more about how the NOD32 v3 proxy will limit the situation.

    Cheers
     
  2. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Blacklists should have the .txt extension. Saving "computerguard.de:82.100.220.0-82.100.220.255" as a text file will do.
    Or an IP or IP range you can put into the restrictions also.

    Gerard
     
  3. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    Why would you want to apply a blacklist to say Firefox, but not Opera? I would think a blacklist would be global like 99.9% of the time.

    What is limiting them to a specific application used for?
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I agree. My blacklists are 100% to all applications.

    Although I can imagine a user with a different security profile using a list only on a single application he wants to restrain to a small set of addresses. Perhaps a game or genealogy program has misbehaved in the past and the user wants to use a black list only after the program does a "bad".

    You have to remember what these ip's are in these lists, hackers, malware sources etc etc. Why would a user want any of their applications to send or receive packets from them?
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Dangerous blocking experiment!

    Since I have strong recovery available I thought I would do a test to see what happens if I did a full court blocking job as a newbie (not us of course) might do while on a wild "let's block M$ SW to the max!" I've gone o_O !!

    Using OA release 112, I blocked IE 7 and windows explorer from running and from accessing the internet!

    Well don't try this at home readers!

    My screen went dark, no not a bsod nada visible can't run shut down, task manager nothing, system was secure alright ! Looks like Bill M$ didn't want me to block off these exe's!

    So what I did was press/hold the start up button to trigger the real shut down/restart and as it came up blank screen again hit the button and brought it up in safe mode.

    Once there I deleted the whole OA application and then system would come up normally.

    I also did a recovery from this "error" using the Paragon disk drive backup SW and their bootable disk. This was a good fire drill using the external backup drive!

    I then reinstalled OA and my normal settings and only block IE 7 and explorer from www access, they can run on my PC but can't wander about the net unsupervised.

    Using FF and google I can surf happily away, get my email and run less exposed to the M$ security gaps!

    Again, don't try the full press like I did just block www access!

    See ya.

     
  6. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    On the next show!

    How to block ntoskrnl.exe on boot up.

    Cheers
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Re: Dangerous blocking experiment!

    ROFL. When I was beta testing Kaspersky, I had a bad uninstall that left the dll that put the Kaspersky logo on the welcome screen. Reinstall/uninstall didn't clear it. The DLL was attached to Winlogon.exe. So I used Unlocker to unlock and delete it.

    Windows reacted most rudely, threw up a blue screen (not BSOD) that just said Windows Can't run in this condition, and down it went. Fortunately reboot and all was well.

    Pete
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Dangerous blocking experiment!

    Hi Pete:

    Yep! It can happen and does:thumb:

    In this case I deliberately did a blocking experiment for this learning thread. It had been suggested (elsewhere, not here) that blocking off these 2 exes was a cool move, so I tested the theory out for the thread.

    I knew I could recover where some readers might not know how.

    In your case you were hit with the bad dll through no fault of your own!

    If we test we MUST have a recovery system in place!

    See ya!
     
    Last edited: Mar 16, 2008
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Dangerous blocking experiment!

    I look at any HIPS on its ability. If that HIPS can block system processes on boot, it does infer it can block anything else at that time.
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Subset:

    I know I'm going to regret asking but what does ntoskrnl.exe do and why would users block it?

    I googled it and it pointed me to sites saying corrupted MS files in xp?
     
  11. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Escalader or anyone tell me what that Restricted Ports means? I just started my 30 day trial and it looks like I'm gonna buy this software (no AV).

    3x Rules (TCP, DNS, BLOCK ALL) in Firewall Settings and my network is super secured. Allow connections only to Finland and United States. No trusted network. Block all ICMP. So easy to setup. Thanks a lot Tall Emu and MikeNash.

    EDIT: Next I'm gonna start to clean Program and Startup items lists. I don't even have those all Windows components :D
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Have a look at these study links MikeNAS:

    https://www.wilderssecurity.com/showthread.php?t=24415
    https://www.wilderssecurity.com/showthread.php?t=142036

    Ports are not physical connectors (like a port on your PC for printer hookup).
    They are arbitrary numbers from 0 to 65535 that are included in data packets sent from and to your PC.

    They are used to id a communications channel along with the ip address.

    Sort of like the ip is the address number on your house and the port is the street number I use to find your house. (If I have the analogy wrong Stem will fix it for us I hope)

    Some ports we don't use and MAY be exploited by the dark side so they get blocked in the FW.

    My policy is to block as many as possible and only open them if there is a legit reason.

    To these OA ports I add ( your needs may be different)

    135
    445
    1900
    5000
    5190

    If anybody else has suggested ports to add post away!
     
  13. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    I understand that Escalader. I just want to know what Restricted means. Closed, Stealthed or what? I have only 80 and 443 open for TCP and 53 for UDP (2xIP specified) and that's the way I like to keep it. IMAP&SMTP rules are movable so I just move the BLOCK ALL rule down when I want to read my email.
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Ah I read too much into your question. I don't know what OA means by this word "restricted"

    We can wait here for Mike Nash or one of the OA experts to explain or you could post this question over on the OA forum.

    Your call!

    See ya
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Ports only allowed within the LAN (Blocked to Internet)
     
  16. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Thanks a lot Stem!
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I found this Q and A in OA latest on line help site

    http://www.tallemu.com/webhelp/Notify_when_blocking_country.htm

    After reviewing the log as the Q and A suggested I found the ip that was blocked by my denied country list that I now need to unblock. It happened to be in the Netherlands.

    So to allow access (for an updater) I allowed the whole country! I didn't want to do it that way but it was the quickest.

    I could just allow the 1 ip? I could add it to the exe's list of allowed ip's but I'm not sure what the most secure way would be?:doubt:
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    How I Rationalized my Blocking Lists (your needs may vary)

    To minimize duplication of blocking lists I no longer use OA's Black lists feature in the FW tab. The goal for ip blocking is maximizing privacy.

    To be clear here, this OA feature is a good feature IMHO IF you don't use any blocking list application such as PG 2. I'm not trying to sell you PG 2 in a LT on OA but these technologies interact so they need to be addressed and tuned.

    Both OA and PG 2 get their lists from the same free site Bluetack in the UK so that is the source of my duplication challenge.

    I have now increased the PG 2 lists to cover off the OA 2 lists I had AND I get the added advantages that PG 2 gives me automatic updates to the lists and flashes in the task bar when an ip is blocked.

    The list of blocked countries in OA I still use as it transcends specific ip lists and blocks by nation. There is some duplication with PG 2 for sure, BUT when PG 2 is off line I have that blocking in OA 2. When OA 2 is off line I have PG 2.

    That's all she wrote on this matter for me for a while, unless there are questions.
     
  19. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    558
    Thank you so much for this thread Escalader:thumb:

    OA is my first FW except Windows' own FW so consider me a newbie. Never used a blocklist before but I consider it now. By default there is no blocklist in OA so I guess I download from Bluetack, and then add it to OA. That's easy.

    At the Bluetack site there are 16 different lists to choose from. Can I add as many as I like? From your previous post I guess updates are not automatic. So every time a list updates I have to download the new list, delete the existing list, and add the new list to OA? That means a lot of work to keep it updated.

    In my "Safe p2p"-thread someone suggested PeerGuardian but OA can do this just as good? (I try to avoid too many applications running on my pc, but that's not easy:) )

    Did you notice any slowdown using blocklist feature in OA?

    Thanks
     
  20. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Hi tepe2,

    You can add as many lists as you want. You have to download the lists manually, updates are usually once a week. You don't have to delete existing lists, just unzip the new list in the same folder, and you are done. You won't notice any slowdown. Please read about these lists at the Bluetack Forum. There might be overlap and/or sites in the lists you don't want to block at all.

    Gerard
     
  21. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    558
  22. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Blacklists in OA need a .txt extension.

    Gerard
     
  23. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Hm. I have not noticed this. Just added a blacklist with lst extension. I hope you are not disappointed :)
     
    Last edited: Mar 23, 2008
  24. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    Blacklists are handled by syntax not by extension.

    Format to use is:

    "description" : IP range (start - end)

    Regards,

    MaB
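    The entry format subset gave above ("Name:startIP-endIP") and MaB69's point that OA goes by syntax, not file extension, can be checked with a small parser. This is an added example, not OA's or Bluetack's own code; the first list line is the one quoted in the thread, the remaining lines are constructed noise to show what a strict loader should reject rather than silently skip.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample in the Bluetack "Name:startIP-endIP" format described in this thread.
# Only the computerguard.de line comes from the thread; the rest is made up for the test.
SAMPLE_LIST = """\
# comment lines and blank lines are ignored
computerguard.de:82.100.220.0-82.100.220.255

Example Range Two:192.0.2.0-192.0.2.127
Badly formed entry without a range
Reversed range:198.51.100.50-198.51.100.10
"""

# name, then ':', then start-end; whitespace around ':' and '-' is tolerated
LINE_RE = re.compile(r"^(?P<name>.+?)\s*:\s*(?P<start>[\d.]+)\s*-\s*(?P<end>[\d.]+)\s*$")

Range = Tuple[str, int, int]  # (name, first address as int, last address as int)


def parse_blocklist(text: str) -> Tuple[List[Range], List[str]]:
    """Parse a Bluetack-style list regardless of file extension.

    Returns (valid ranges, rejected raw lines). Malformed or reversed entries are
    reported, not dropped: a silently skipped entry is an address you believe is
    blocked but is not."""
    ranges: List[Range] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append(raw)
            continue
        try:
            start = int(ipaddress.IPv4Address(m["start"]))
            end = int(ipaddress.IPv4Address(m["end"]))
        except ipaddress.AddressValueError:
            rejected.append(raw)
            continue
        if start > end:  # reversed range would never match anything
            rejected.append(raw)
            continue
        ranges.append((m["name"], start, end))
    return ranges, rejected


def is_blocked(ip: str, ranges: List[Range]) -> Optional[str]:
    """Return the name of the first range containing ip, or None if it is not listed."""
    n = int(ipaddress.IPv4Address(ip))
    for name, start, end in ranges:
        if start <= n <= end:
            return name
    return None
```

    Run `parse_blocklist` over a downloaded list before importing it and inspect the rejected lines; an unexpected rejection usually means the list was edited or saved with the wrong line format.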
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    As I was saying I don't use OA blocklists via OA any more. That said you can do it and you will not notice slow downs if you do.

    Don't go crazy on 16 lists, you can do fine with say 6 or so.

    Some of the other posts have answered the how list in OA questions. Just use one to start so you learn how they work and how they update.

    BTW some of the Bluetack lists update more frequently than weekly, the P2P list updates daily.

    In my view decide one or the other not both. As to P2P PG 2 will do the job as would OA 2 version. It's a choice you make.

    Again I use OA 2 for country blocks cause it is easier. IMO for the other 6 lists it is easier using PG 2.

    But as a newbie, you may want to learn how to use the FW first and ease back on lists for a bit. It's your call!
     