Phant0m's ruleset

Can someone tell me if Phant0m's ruleset is better than the rulesets Standard and Enhanced which are included with the application? And if so, why it's better?

Best regards

 

Yes ,it is .It's more restrictive which lead more safe.

 

On my 2nd computer I have Phant0m's ruleset but when it's loaded I can't access the internet. I'm using v6 of Phant0m's ruleset, and I'm behind a router.

 

It also provides more detailed logging info.

Re. not being able to access the Internet, have you set up the DNS-Allowed-1 rule ?

 

No I haven't set it up, but it's standard also not activated.

 

Mark, please go here for information about Phant0m``'s ruleset.

 

The DNS -allowed-1 should be modified by your own and be enabled.
Take a try.

 

Hi,
I did modification of the rules as Phant0m describes on his site.
Now I see after following his instructions that still not all rules are activated.
Like ''?NetBIOS'', ''+Anti-MAC Spoofing'' and a few others.
Do I need to activate those too?

 

Hi,
It depends on what you need . Not all the rules need to be actived.Most action of these rules is "allow",which will allow something special.If you need ,active what you want.
Regards.

 

can anyone tell me what do i need to activate some of the rules in phantom like:
1. anti-mac spoofing
2. DNS- allowed 1
3. BOOTP/DHCP --> there are 2 of them
it said that they are needed to modify to be activated
I'm sorry..I'm new to this firewall and phantom's ruleset. Thanks for the help.

 

Agustan, same for you...

 

I have put together a ruleset that is in my opinion very restrictive for web browsing only. If someone would like to test it against various exploits you are welcome.

I welcome Phant0m to test it's integrity, as I do not have the capacity to run exploit test in a lab environment.

This is not a challenge! It's only an invitation for someone that knows how to test, and I welcome all advice of any flaws discovered. I simply would like to help develop a simple ruleset for those that would like a great ruleset for surfing only.

BTW, the ruleset is based on Phant0m's ruleset v6. I simply have made it extremely restrictive for DNS, DHCP and all port including 80, 443 and 53.

If someone (including Frederic and Phant0m) are willing to test the ruleset and/or improve upon it, that may help many who may want a very restrictive ruleset for browsing only.

 

Hi,

Does it matter in which order the rules are applied? And if so, how do I know which rules have to be on top and which at the bottom?

 

And can someone tell me why many .ini system files are displayed? also in Program Files? Are they changed by malware?

 

Yes, it matters. Set the block rules in a higher position than the allow rules you'd like to protect. Set the allow rules high enough to prevent blocking by rules that does not protect that rule.
Not sure if that makes sense, but that's what i've come up with.

 

Don't fully understand what your saying.
Can you pls explain more clear?

 

OK, what it generally boils down to is that if you're:

1. Blocking something.. ensure that all rules that you want your block rule to affect are placed BELOW (after) the created rule.

2. Allowing something.. ensure that no rule is placed ABOVE (before) the allowed rule that would block what you are trying to allow.

There are some variations, but that's the general guideline that i've learned. There are others here that are much better with rules than I. Maybe Frederic, Phant0m or a few others could offer more.

 

Let’s say I wanted to host BitTorrent share, I would not put a server-rule at the very top of a beautiful rule-set, simply so I know I have it in the correct spot and not be bothered.

For instance, I would like my Fragmented-Deny rule(s) be before server-rules, think of IDS…

 

Hello Phant0m,

I using your ruleset, and I have added some extra rules, for example for BitTorrent, DC++, MSN Messenger, etc. But I really don't know where they should be placed, I now have them just placed all on top of the rules.
Can I send my ruleset to you so you can make the modification?

Thanks,
Mark Klomp

 

Hi Mark Klomp

All server-rules (like for TCP connections initiation from remote systems), gets placed between +TCP : Block incoming connections and +ACK-URG rules, and for restrictive rule-set aka paranoid rule-sets that you create client rule per service that you use (like … http, POP3) you place JUST below +TCP : Block incoming connections.

k

 

And how about the UDP server-rules? Where should these placed?

I also see that your ruleset has standard some rules not activated like ''?NetBIOS'', ''+Anti-MAC Spoofing'' etc. So, which do I need to activate?

And what can I do to allow Pinging? I saw these rules: ''ICMP : Ping other (Req)'' and ''ICMP : Ping other (Rsp)'' which are also standard not activated.

 

Thanks for those notes, Phant0m. I never thought to ask where new rules should be placed. Awesome!

 

http://www.mntolympus.org/phpbb2/viewtopic.php?t=1487

 

But you have to pay $9 before you can use this special installer for Phantom's Rule-set v.7!

Would be better if you could try it out first. Simply to make sure it works before paying.

I think I will stay with the enhanced rule-set

 

And I was thinking why reading PhantOm's forum requires a registration! Now I Know

Thomas