Once and for all - question re: proxy issue

Discussion in 'ESET NOD32 Antivirus' started by Nodrog, Dec 12, 2007.

Thread Status:
Not open for further replies.
  1. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    HiTech, or anybody for that matter, if I have missed something here then please point out the error of my ways:

    Simple firewall type question:
    1 - I want to AV check all http(80) traffic
    2 - I want to allow Internet explorer http(80) only
    3 - I need to allow svchost http(80), and https(443) for Microsoft Update

    I could do it with NOD32 v2.7 and Outpost any version.
    How do I do it with NOD32 v3 and Outpost or Comodo??

    The point, just in case we missed it, is I do not want to allow the kids to tunnel out through https (and this is something of an example so let's not go down any kind of discussion about why would you want to do that).

    TIA for any clarification/advice.

    [My day job involves looking after, amongst other things, a number of corporate Checkpoint NGX firewalls]
     
  2. deckie49

    deckie49 Registered Member

    Joined:
    May 25, 2004
    Posts:
    34
    have you tried asking the question on the outpost or comodo forums? seems to me you might get more response.
     
  3. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
  4. deckie49

    deckie49 Registered Member

    Joined:
    May 25, 2004
    Posts:
    34
    my bad.
    after reading all the problems with nod ver 3, i stayed away from it. still am using 2.7.
    good luck getting your answer!
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I am still working in the dark concerning this Web access protection (proxy) feature Nodrog, so bear with me as I ask a question concerning your question(s) :doubt:

    In your Simple firewall type question: item 3 above, are you asking how to disable portions of Nod's proxy feature so that Outpost and/or Comodo would handle "svchost http(80), and https(443)"?

    The Help file is informative but through a better explanation of this proxy feature....I just know the light will finally come on.

    Sorry if I have intruded on your thread but I too would appreciate a little deeper understanding of the Web access protection (proxy) feature.

    Bubba
     
  6. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    Hi Bubba

    No... I want the AV to filter any and all browser activity from any and all applications, on any and all ports that may be in use for browsing - this is just filling in the blanks and ticking boxes in EAV.

    The problem is, from an access to the Internet point of view, I want to allow svchost http and https, so:-

    Allow svchost -> localhost tcp30606
    Allow ekrn -> Internet tcp80 + tcp443

    to filter IE we now have to add
    Allow IE -> localhost tcp30606

    remember, ekrn is already allowed 80 and 443 so IE instantly gets this as well - but remember the question; I did not want to allow https from IE.

    That is complicated enough to show the issue, without starting to introduce ftp and other ports for online games etc.

    regards
    Gordon
     
  7. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    In a nutshell... (clear as mud... huh?)

    to AV filter a browsing application your access rule is

    application1 -> localhost tcp 30606
    application2 -> localhost tcp 30606
    application3 -> localhost tcp 30606
    ...
    there will be lots of these, 1 for each application.



    to actually get to the Internet you then have to allow

    ekrn -> Internet ports

    ...because ekrn is the only application actually going to the Internet, whatever access/ports you end up giving it (dictated by your list of applications and ports being AV filtered) - you effectively end up giving (by default) to each and every one of your applications.

    = no granularity
    = no individual application access control
    = an issue!

    (still clear as mud... huh?)

    regards
    Gordon
     
  8. gberns

    gberns Registered Member

    Joined:
    May 2, 2004
    Posts:
    131
    Nodrog: As I just asked in the original thread, does your example hold true for the Vista firewall or is it specific to Outpost?

    Many thanks.

    Gary
     
  9. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Every software firewall has these problems. Even if you disable 127.0.0.1 (localhost) from trusted addresses and intercept local traffic to the NAV kernel, you can't control applications as Nodrog already stated.
     
  10. MaVRiC

    MaVRiC Registered Member

    Joined:
    Dec 7, 2007
    Posts:
    25
    Ok here it is in picture form for those that want granularity control.
    As we all know https(443), to my knowledge, was never decrypted and scanned by IMON in 2.7 or whatever version, so let's work on that.

    Step one:
    Enable your web access protection.

    step1copy.png


    Step 2:
    Select http and pop3 ports (forget about defining browsers, that gets ghosted with this option anyway)

    step2copy.png


    Step 3:
    Define your ports in the http filter (in your case only port 80) or any others you so desire.

    step3copy.png


    Step 4:
    Disable global local host rules in your firewall, and let each application call for the connection (that's that issue solved), define the custom (pseudo port 80 rule for granularity control) 30606
    (remember you will be running without a global localhost rule so don't forget to run with the rules wizard for a while or manually create them so other apps and system calls that need local loopback get access)

    step4-1copy.png


    The results:
    as you can see, https 443 is going out via firewall with no ekrn.exe (imon) intervention - therefore can be blocked by rule.
    Port 80 is going through the scanner proxy, just like mother (v2.7) used to make, but can also be blocked by deselecting the pseudo port 80 rule. There is your granularity.................

    step5copy.png


    Damn straight. As said before, it's new software; just because it does not work the way you are used to does not make it useless or insecure - The forest is there, sometimes you just need to see past the trees...

    Hope this clears a few things up for some and gives a bit of closure and granularity control to others.
     
    Last edited: Dec 13, 2007
  11. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    @MaVRiC
    Good posting for clearing some basic issues between NAV and a firewall regarding 'general' application control.
    I think that never was the problem. The problem is that you can't use a firewall anymore for 'full' control of an application which seeks internet connection as with NOD 2.7.
    But this affects only control freaks like me and some others who for example want to limit IP ranges for one application and allow those for another (more examples can be listed).

    The whole discussion is by the way useless. NAV is for itself a very good program, but does not fit the needs of some control freaks like me. That's all. This won't change till the proxy concept of NAV is altered or changed.
     
  12. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland

    NAV or NOD?:D
     
  13. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    (N)OD32 (A)nti-(V)irus!

    Cheers,

    TH
     
    Last edited: Dec 13, 2007
  14. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    DOH! Thanks.
     
  15. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    Thanks for the pics MaVRiC however, they don't answer the question.

    Actually, and all due respect (this is meant to be a discussion), all you've done in these configuration shots is show how to switch EAV to filter/proxy a specific list of ports rather than a list of applications, which actually shoots your argument a bit in the foot...

    If you filter http on 80-83 (as you show) but not IE itself as an application, then any browsing by IE on ports outside your range will NOT be AV checked. (remember I want to filter any/all traffic).
    [This could obviously start a discussion on the pros and cons of various EAV settings, but I don't want to get into that in this thread]

    What your config does, is NOT AV check port 443 (OK OK bad example - where is the end of the SSL tunnel; the OS, ekrn, or the application - the latter probably but regardless, remember I want to filter any/all traffic).

    Forget about 443, try 2 websites, one http on port 1080, the other http on port 2080.

    You want to allow IE access to the first but NOT to the second, and FF to the second but NOT to the first... oh, and you want to AV filter both sites.

    Or let's try Tommy's requirement to only allow certain applications to certain websites by IP address rather than port number.

    I'm not saying that everybody cares about this, but a lot do - especially within the corporate infrastructure environment, and it simply cannot be done with EAV v3 and someone else's firewall!!

    Jump in here anyone actually from ESET and tell me I'm wrong.

    regards
    Gordon
     
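    The rule interaction Gordon describes in posts 6/7 and 15, and MaVRiC's port-only variant from post 10, modelled in a small policy simulation. This is an added example, not code from the thread or from ESET; it assumes the proxy process is named "ekrn" listening on 127.0.0.1:30606 (the port quoted above), and the application and site names are illustrative.

```python
# Added example, not from the thread: a toy model of how a host firewall's
# per-application rules interact with an AV product's localhost HTTP proxy.
# Assumption: the proxy process is "ekrn" listening on 127.0.0.1:30606 (the port
# quoted in the thread); application and site names are illustrative.

PROXY_APP, PROXY_HOST, PROXY_PORT = "ekrn", "127.0.0.1", 30606

def allowed(rules, app, host, port):
    """Firewall check: rules are (app, host, port); host '*' means any Internet host."""
    return any(a == app and h in ("*", host) and p == port for a, h, p in rules)

def reaches(rules, proxied_ports, app, host, port):
    """Two-hop path: traffic on an AV-proxied port goes app -> localhost:30606,
    then ekrn -> real destination; everything else leaves under the app's own rule."""
    if port in proxied_ports:
        return (allowed(rules, app, PROXY_HOST, PROXY_PORT)
                and allowed(rules, PROXY_APP, host, port))
    return allowed(rules, app, host, port)

def application_mode():
    """Posts 6/7: ports 80 and 443 proxied; intent is svchost 80+443, IE 80 only."""
    rules = [("svchost", PROXY_HOST, PROXY_PORT), ("iexplore", PROXY_HOST, PROXY_PORT),
             (PROXY_APP, "*", 80), (PROXY_APP, "*", 443)]
    return {"ie_http": reaches(rules, {80, 443}, "iexplore", "site", 80),
            "ie_https": reaches(rules, {80, 443}, "iexplore", "site", 443),  # leaks
            "svchost_https": reaches(rules, {80, 443}, "svchost", "update", 443)}

def port_mode():
    """Post 10: only port 80 proxied, so 443 is decided per application again."""
    rules = [("svchost", PROXY_HOST, PROXY_PORT), ("iexplore", PROXY_HOST, PROXY_PORT),
             ("svchost", "*", 443), (PROXY_APP, "*", 80)]
    return {"ie_http": reaches(rules, {80}, "iexplore", "site", 80),
            "ie_https": reaches(rules, {80}, "iexplore", "site", 443),  # blocked
            "svchost_https": reaches(rules, {80}, "svchost", "update", 443)}

def two_sites():
    """Post 15: both 1080 and 2080 are proxied; IE should reach only site1,
    Firefox only site2. Even host-specific ekrn rules cannot express this,
    because the application identity is lost at the localhost hop."""
    rules = [("iexplore", PROXY_HOST, PROXY_PORT), ("firefox", PROXY_HOST, PROXY_PORT),
             (PROXY_APP, "site1", 1080), (PROXY_APP, "site2", 2080)]
    ports = {1080, 2080}
    return {"ie_site1": reaches(rules, ports, "iexplore", "site1", 1080),
            "ie_site2": reaches(rules, ports, "iexplore", "site2", 2080),  # unwanted
            "ff_site1": reaches(rules, ports, "firefox", "site1", 1080)}   # unwanted
```

The `unwanted`/`leaks` entries come back `True` in the model: whatever ekrn is allowed, every proxied application inherits.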
  16. Shelty

    Shelty Registered Member

    Joined:
    Oct 28, 2007
    Posts:
    41
    As long as HTTP checking is checked, Nod will filter all HTTP traffic no matter what port.
    You would have to make a rule in your firewall for ekrn.exe not to allow traffic on a certain port that you do not want to use.
     
  17. Nodrog

    Nodrog Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    56
    Location:
    UK
    That's not quite the case... you do have to tell it which ports - see MaVRiC's screenshots above. It definitely doesn't do protocol checking on all ports looking for http. Or change the protocol checking option to check Applications or both applications and ports. That way it will check all outbound activity from any of the applications you then tick.

    regards
    Gordon
     
  18. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yeah..can't confuse with NAV...

    EAV. ;)
     