Phant0m``s Rule-set $v4.0

Discussion in 'LnS English Forum' started by Phant0m, Aug 29, 2003.

Thread Status:
Not open for further replies.
  1. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    It had been sent :)
     
  2. kamui

    kamui Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    218
    Location:
    France
    thxxxxxxxxxxxxxx!!!!!!!!!! ;)
     
  3. Phant0m

  4. Jazzie

    Jazzie Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    28
    Location:
    Frankfurt/Germany
    Hey Phantom, long time no hear! :)
I have a D-Link router and am using your 4.0 ruleset. I noticed with the "Gateway ARP replies" rule that I keep getting a broadcast from 00:40:05:DX:XX:XX (Source address---Router's MAC) to:
    FF:FF:FF:FF:FF:FF
    Which LNS is blocking of course, because there is no rule for the above configured (except for the one +FF:FF:FF:FF:FF:FF that is NOT enabled). Now, under the "Gateway ARP replies" rule I have my router MAC addy to my NIC MAC addy. So obviously the router is trying to broadcast to my PC, the way I see it. Kind of strange that it wants to broadcast to FF:FF:FF:FF:FF:FF instead of my NIC MAC addy. Any thoughts?


    Thx
    Jazzie
     

  5. Jazzie

    Ok, I activated the (*FF:FF:FF:FF:FF:FF Rule)---
just a small note, I am also getting inbounds from my NIC IP: 00:40:05:8X:XX:XX to FF:FF:FF:FF:FF:FF. So it seems that I would have to make two "+FF" rules, one from the router MAC (00:40:05:DX:XX:XX) and the other from my NIC 00:40:05:8X:XX:XX (both are the source of the broadcast and the destination is of course FF:FF:FF:FF:FF:FF)........

    Or just incorporate the old May 28 rule of accepting ARP requests in both directions, just to save having to make the extra rules!

    CU
    Jazzie
     
  6. Phant0m

    Hey Jazzie

Even though we already discussed this via E-mail, I'll post what I had E-mailed you.

    Alright; "FF:FF:FF:FF:FF:FF" represents Broadcast, and if I'm not mistaken from what I read by you, the packets are Downlinks (Inbounds) with "Ethernet Source Address: 00:40:05:DX:XX:XX" including "Ethernet Destination Address: FF:FF:FF:FF:FF:FF". These are ARP Broadcast Requests, which aren't necessary under such circumstances; take a gander at the "Additional" column in Look 'n' Stop's "Log" screen and you'll notice on these particular ARP packets you'll see IP:xxx.xxx.xxx.xxx MAC:00:00:00:00:00:00. The IP:xxx.xxx.xxx.xxx informatics is what you should look at on ARP packets for accurate packet source information; the Ethernet source address on a Downlink (Inbound) packet (from Internet) should always be from "00:40:05:DX:XX:XX" if I'm not mistaken. For these particular annoying ARP packets the "+FF:FF:FF:FF:FF:FF" rule exists in Phant0m`` rule-set to be configured and then activated, Authorized or preferably Blocked, and with or without warning.

    -

For efficient Maximum Level Software Security the ARP needed serious tweaking; without it you're vulnerable to System Attacks.

    There are two ARP rules which need to be configured and activated:
    #1. Broadcast ARP Requests
    #2. Gateways ARP Replies

    Like said on the Phant0m`` Rule-set page, you need to configure and then activate these rules. To keep this as simple as possible, here are the informatics you need to know:

    00:11:00:11:00:11 represents your Ethernet Adapter Address which connects to Internet Resources.
    00:11:00:11:00:12 represents your Gateway's/Router Adapter Address.

    In the 2 listed ARP rules just configure them by replacing those Adapter Addresses with the accurate Adapter Address informatics and you are set to go, and there should not be any need to create other rules to authorize anything in reference to ARP packets. The "+FF:FF:FF:FF:FF:FF" rule exists for the sole purpose of blocking without warning for those who are easily annoyed by common events.

    Best Regards,
     
  7. Jazzie

    Hey Phantom!

I have the ARP rules (1 & 2) set up that way from the beginning...
    The problem is that the inbounds (Internet>>PC) are not coming from ARP rule #2 (Gateway replies), which has my router MAC addy 00:40:05:DX:XX:XX and my NIC MAC addy as the destination...
    Now, what is getting blocked has the DESTINATION being FF:FF:FF:FF:FF:FF and not my NIC MAC addy... Thus, not allowing my software clients (i.e. browser, e-mail, chat, etc.) to transmit/receive.. That is why I made the +FF rule active (it has the same rule setup as the ARP #2 rule).
    So that is why I am troubled with it..

    PS: I only posted what we talked about in e-mail here, just in case someone else has the same problem!! Didn't mean that you weren't trying to rectify my situation!!! :)

    Thx again
    Jazzie
     
  8. Phant0m

    Hey Jazzie

    With the two ARP rules configured and activated only (No-Other ARP rules), could you create raw-log file of the events when attempting to browse and then send me the Raw-Log file via E-mail?

    Also after doing the above could you try re-booting the Machine and browse further?
     
  9. Ron1

    Ron1 Guest

    Hello.

Just thought I'd put in my 2c as I'm having the same problem as Jazzie (which I've posted about over at the spyblocker forum). I'm having exactly the same problem, and even though I have the 2 ARP rules (broadcast/gateway) configured correctly, because it's looking for a MAC address of FF:FF:FF:FF:FF:FF and not either of MY MAC addresses, the rule is void. This means I cannot even get allocated an IP address from my DHCP, never mind surf.

    I know I can make a couple of rules to allow this, but I was hoping you could tell me (us) what would be the best way to keep the rule as tight as possible ;)

    Thanks.
     
  10. Phant0m

    Hey Ron1

You've come to the right place :)

    When double clicking on the packet entry in Look 'n' Stop's "Log" screen you get the "Packet's Content" window, which I'd like to have a Window Capture of, showing me the Packet's Content info for these particular packets, and E-mailed to me.

    Also a bit of information would help a lot too: Windows Version / Connection Type / Look 'n' Stop Version.

    Example,
    Windows Version: Microsoft Windows XP Pro
    Connection Type: xDSL, Machine directly accessing Internet Resources through xDSL modem.

    Alternative “Connection Type:”
    Connection Type: xDSL, Machine accessing through Gateway Machine to access Internet Resources.

    Connection Type: xDSL, Using split share Connection via Router.


Also a Window Capture of the Command Prompt showing the "arp –a" results, and the Raw-Log file if not much trouble…

    Thanks in Advance.
     
  11. Phant0m

    Hey Jazzie

Thanks for E-mailing me with my requests; I looked over both rules and your "Gateways ARP Replies" rule appears configured properly with what you previously told me, 00:40:05:DX:XX:XX being your Router's Adapter Address and the other Adapter Address obviously belonging to your Ethernet Adapter.

    However, I cannot say the same for the "Broadcast ARP Requests" rule; the Window Capture you sent me showed that the Broadcast Adapter Address has been modified.

    http://www.wilderssecurity.info/images/ARP-2.PNG

    Only what's circled in Red was supposed to be modified, you bad boy… This means don't modify the field with the Broadcast Adapter Address "ff:ff:ff:ff:ff:ff"...
     
  12. Jazzie

    Hi Phantom!
Thx again for offering to help out with my situation! The only reason I edited that rule to put my router MAC addy instead of ff:ff:ff:ff:ff:ff was that I was getting a lot of block attempts while leaving it at its default value of (ff:ff:ff:ff:ff:ff).... I forgot to change it back (was early in the morning here! :)
    Plus the raw log I sent you was in the opposite direction: Internet-->>PC, not like the "Broadcast ARP request" PC-->>Internet.......................
    Anyways I will monitor the traffic and let you know the result(s)...

    PS: Here is one I am getting now, just like before, from the router Mac Addy: 00:40:05:dX:XX:XX to FF:FF:FF:FF:FF:FF
    Internet-->>PC

    SO we are back to the start again!!!!


Thanx as always,
    Jazzie
    :)
     
  13. Phant0m

    Hey Jazzie

Yeah, if you configured it properly you should not be blocked from communicating with the Internet resources; as for a lot of blocks of Inbound Broadcast Requests, that's normal and not necessary, and you can use that "+FF:FF:FF:FF:FF:FF" rule to block those without warning…
     
  14. Jazzie

    Hi all!

Ok, Phantom, I had to make TWO Broadcast ARP reply rules (one from my router MAC address, PC-->>Internet, to destination FF:FF:FF:FF:FF:FF and the other from my NIC MAC address, PC-->>Internet, to FF:FF:FF:FF:FF:FF). So in short I have 3 rules for ARP alone. So, why not just incorporate the old (May 29) rule for ARP, since it will cure the problem of my software clients not being able to transmit because of the blocked ARP transmissions o_O At least in my situation!!!! :)

    Thx
    Jazzie
     
  15. Phant0m

    Hey Jazzie

    Could you E-mail me with all three Window Captures of the Rule Editing properties for those ARP rules?

    Thanks in Advance.
     
  16. Ron1


    Hi again.

    Just to let you know, I have everything working fine now thanks to the info from this thread.

    Thank-you all very much and keep up the great support.

    Now I just need Frederic to release the 'new' version....

    ;)
     
  17. Phant0m

    Joy :)
     
  18. Jazzie

Hi Phantom! Well, I came to the conclusion (after hours of logging and trial and error) to just use the May 29 ARP rule, because of having to make six rules for my NIC and router MAC (both directions, inbound & outbound, which makes 4 rules, and then finally two rules to transmit ARP between each other (NIC and Router)). So in the end it is just about the same thing as having an "any ARP rule in both directions".

    Thx for your time and help
    Jazzie:)
     
  19. Phant0m

    Hey Jazzie

    Actually it’s not the same thing, far from being so…

But in any case I still don't understand why 6 rules are required for that Computer to access Internet resources when it only takes 2 for everyone else I've assisted…
     
  20. Phant0m

    ARP (Address Resolution Protocol)

ARP is normally the first packet generated whenever you use "ANY" Internet-related protocol. ARP provides the means to translate local IP addresses to Ethernet MAC addresses, and we could even say ARP is the big noise over the Internet. Unnecessary allowed ARP traffic is a System & Internet performance degrader; there are quite a few ARP exploits which attack Networks and can incredibly overwhelm ALL Windows Systems.

    To get your Machine up and running on the Internet using ARP Safety measures with your Software Firewall you must create two ARP Rules, one to allow broadcast packets (ARP Request) to discover _?_ MAC address and one to allow ARP Reply…


    * What’s circled in RED belongs to this Machine; it’s the MAC / Ethernet Adapter / Physical Address.

    * What’s circled in BLUE belongs to my Gateways / Router.

One way of getting your Machine's MAC / Ethernet Adapter / Physical Address is using "IPCONFIG /ALL" in Win2K/XP, or WINIPCFG in Win98/ME. Under many circumstances you can get the Gateway's / Router IP & MAC / Ethernet Adapter / Physical Address using "ARP –a" in the Windows Command Prompt. Or you could do it the old-fashioned way by monitoring your Software Firewall's log file for ARP Replies… ;)
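The two rules described in Phant0m's posts above (the "Broadcast ARP Requests" / "Gateways ARP Replies" pair plus the "+FF:FF:FF:FF:FF:FF" rule), as an added example that is not from the thread or from Look 'n' Stop itself: a small Python parser for Ethernet/ARP frames and an evaluator that applies those rules to each frame, using the placeholder adapter addresses the thread gives (00:11:00:11:00:11 for the PC, 00:11:00:11:00:12 for the gateway). The frames and IP addresses are constructed, and the check that the ARP sender hardware field agrees with the Ethernet source goes beyond what the thread's rules do.

```python
import struct

# Constructed placeholder addresses, mirroring the ones the thread uses:
# 00:11:00:11:00:11 for this PC's adapter, 00:11:00:11:00:12 for the gateway/router.
MY_MAC = "00:11:00:11:00:11"
GATEWAY_MAC = "00:11:00:11:00:12"
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(src_mac, dst_mac, opcode, sender_ip, target_ip):
    """Build an Ethernet II frame carrying an ARP packet (RFC 826 field layout)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet, IPv4, 6/4 lengths
    arp += mac_bytes(src_mac) + bytes(int(o) for o in sender_ip.split("."))
    # A request leaves the target hardware address zeroed (the 00:00:00:00:00:00 the
    # thread sees in the log's "Additional" column); a reply fills it in.
    tha = "00:00:00:00:00:00" if opcode == ARP_REQUEST else dst_mac
    return eth + arp + mac_bytes(tha) + bytes(int(o) for o in target_ip.split("."))

def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not well-formed ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ".".join(map(str, frame[28:32])),
            "target_mac": mac_str(frame[32:38]), "target_ip": ".".join(map(str, frame[38:42]))}

def evaluate(frame, direction):
    """Apply the thread's ARP rules; direction is "out" (PC->Internet) or "in"."""
    p = parse_arp(frame)
    if p is None:
        return ("block", "not ARP")
    # Rule #1, Broadcast ARP Requests: this PC asking "who has <IP>" on the LAN.
    if (direction == "out" and p["op"] == ARP_REQUEST
            and p["eth_src"] == MY_MAC == p["sender_mac"] and p["eth_dst"] == BROADCAST):
        return ("allow", "Broadcast ARP Requests")
    # Rule #2, Gateways ARP Replies: the gateway answering this PC directly. Requiring
    # the ARP sender-hardware field to match the Ethernet source is an added check.
    if (direction == "in" and p["op"] == ARP_REPLY and p["eth_dst"] == MY_MAC
            and p["eth_src"] == GATEWAY_MAC == p["sender_mac"]):
        return ("allow", "Gateways ARP Replies")
    # "+FF:FF:FF:FF:FF:FF" rule: inbound broadcast requests, blocked without warning.
    if direction == "in" and p["eth_dst"] == BROADCAST:
        return ("block-silent", "+FF:FF:FF:FF:FF:FF")
    return ("block", "no matching rule")
```

The inbound request from the router to FF:FF:FF:FF:FF:FF that Jazzie keeps seeing in the log falls through the first two rules and lands on the "+FF" rule, which is exactly the case the thread describes.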
     
  21. Jazzie

    OK, I believe we went through this more than once Phantom..
I have to have MORE rules to allow incoming (ff:ff:ff:ff:ff:ff) transmissions to both MAC addresses (NIC and Router) and outgoing ARP transmissions (from both to ff:ff:ff:ff:ff:ff) or my connection will go to crap and my software clients won't transfer/receive... Since I am behind a router NAT/firewall I believe I am somewhat safe from external attacks... From the inside, well, to each his/her own! :)
    I do have SOME knowledge on how software/hardware firewall protocols work.. SO I will leave the rule set the way it is until a new version of LNS comes along and simplifies a way of making one rule, such as the allow-all ARP rule.... Other than that, everyone else does not have the same setup/provider or hardware I have.. So I have a unique setup/position aside from being ignorant about making rules for ARP.....;)

    CU
    Jazzie
     
  22. Phant0m

    Hey Jazzie

    This was meant for the public… ;)
     
  23. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    In Ipconfig I get

    Windows 2000-IP-Konfiguration

    Hostname. . . . . . . . . . . . . : notebook
    Primäres DNS-Suffix . . . . . . . :
    Knotentyp . . . . . . . . . . . . : Broadcastadapter
    IP-Routing aktiviert. . . . . . . : Nein
    WINS-Proxy aktiviert. . . . . . . : Nein

    Ethernetadapter "LAN-Verbindung":

    Verbindungsspezifisches DNS-Suffix:
    Beschreibung. . . . . . . . . . . : Network of Xircom CreditCard Eth
    t 10/100 + Modem 56
    Physikalische Adresse . . . . . . : 00-10-A4-B9-F9-BC
    DHCP-aktiviert. . . . . . . . . . : Ja
    Autokonfiguration aktiviert . . . : Ja
    IP-Adresse. . . . . . . . . . . . : 10.0.0.13
    Subnetzmaske. . . . . . . . . . . : 255.0.0.0
    Standardgateway . . . . . . . . . : 10.0.0.2
    DHCP-Server . . . . . . . . . . . : 10.0.0.2
    DNS-Server. . . . . . . . . . . . : 10.0.0.2
    NetBIOS über TCP/IP . . . . . . . : Deaktiviert
    Lease erhalten. . . . . . . . . . : Freitag, 5. September 2003 11:39
    Lease läuft ab. . . . . . . . . . : Dienstag, 19. Januar 2038 00:14:

    PPP-Adapter "Xircom":

    Verbindungsspezifisches DNS-Suffix:
    Beschreibung. . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physikalische Adresse . . . . . . : 00-53-45-00-00-00
    DHCP-aktiviert. . . . . . . . . . : Nein
    IP-Adresse. . . . . . . . . . . . : 200.xx.xx.191
    Subnetzmaske. . . . . . . . . . . : 255.255.255.255
    Standardgateway . . . . . . . . . : 200.59.xx.xxx
    DNS-Server. . . . . . . . . . . . : 216.
    216.
    NetBIOS über TCP/IP . . . . . . . : Deaktiviert

    and with arp -a

    I get

    Schnittstelle: 10.0.0.13 on Interface 0x2
    Internetadresse Physikal. Adresse Typ
    10.0.0.2 00-d0-41-10-2e-ae dynamisch

    So which is which here :)--))

    Ruben
     
  24. Phant0m

    Hey tosbsas


    10.0.0.2 = Default Gateway IP Address
    00-d0-41-10-2e-ae = Default Gateway Physical Address

00-10-A4-B9-F9-BC = your Physical Address (I could be mistaken on this one; could be using both or just the other one). I'm pretty sure we already got this covered via E-mail before, correct?

     
  25. tosbsas

    Hey yeah - thanks.

    My confusion was because as the "normal" (not gateway) address we found 00:00:01:00:00:00 and not 00-10-A4-B9-F9-BC

    Any ideas??

    Ruben
     