8Signs & Port Stealth

Discussion in 'other firewalls' started by Diver, Feb 4, 2005.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Guest

    When running 8Signs firewall with a rule allowing inbound TCP traffic on a port, say 6881 for bittorrent, is it possible to stealth the port without disabling that rule when the bittorrent client is not running? I tried testing this using Shields Up and it said the port was closed, but not stealthed.

    Anyone?
     
  2. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    I don't think so.
    stealthing = no reply [or reply ONLY to trusted servers]
    Unless you configure an ALLOW rule for given port AND ALL KNOWN BITTORRENT DNS ADDRESSES, it's useless.
    and you know how hard it is to keep track of server DNSes [except when spyware makers force feed DNSes into their spying apps]
     
  3. Diver

    Diver Guest

    Anyone else using this? It looks like the only alternative is to manually disable the rule for an open server port when the server application is not running.

    Perhaps this is in keeping with the aim of the developers. 8Signs seems to be aimed at protecting servers. Everyone knows where the server is, so stealthing all ports is not as important.
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    No, if you wish to keep a stealth response while not using Bittorrent, the rule permitting the inbound traffic will have to be disabled.

    While the firewall permits or denies the specified traffic to your system, it is the application/service running on your system that will actually open the port for connections. With the permit rule in place and the application not running (holding the port/service open) it is normal for your system to respond to inbound connection attempts with a closed response. Closed is still secure.

    Regards,

    CrazyM
     
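    The open / closed / stealth distinction CrazyM describes, reproduced on loopback as an added example (my code, not from the thread or from 8Signs): with a listener the port is open; with no listener the TCP stack itself answers RST, which a Shields Up style test reports as "closed"; only a firewall silently dropping the SYN produces "stealth". The loopback port stands in for 6881.

```python
"""Added example: probe a TCP port and classify the answer the way a
Shields Up style test does. Python 3 standard library only."""
import socket


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'stealth' for host:port.

    open    : handshake completed, something is listening.
    closed  : the host answered RST (ConnectionRefusedError); no service,
              but the host is visibly there.
    stealth : nothing came back before the timeout; a firewall dropped the
              SYN silently (or the host is simply unreachable).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "stealth"


def demo_closed_vs_open() -> tuple:
    """Model the thread's situation on 127.0.0.1: the 'firewall rule' is
    always permissive here, so the only thing that changes the answer is
    whether an application holds the port open."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # any free port, stands in for 6881
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)   # client running
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)       # client not running
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_closed_vs_open())   # ('open', 'closed')
```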
  5. Diver

    Diver Guest

    CrazyM-

    I recognize that closed is still secure. Perhaps stealth is not the ultimate in security. It might cause an attacker to go somewhere else, but when running something like bittorrent or eMule for hours on end, everyone knows where you are in the first place.

    Anyway, there is quite a bit about 8Signs that makes it attractive, even without application control. For one thing, it is damn hard to terminate.

    Of course, this gets into the whole thing about how important is application control, will your AV catch the stuff first and if you have application control, do you need sandboxing to prevent an override of your application control.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Diver... If you like 8Signs then you might also like CHX-I. It's even lighter with better stateful inspection. Runs as a kernel service. Works a little differently with the rules also, but it's extremely cool. Same general idea as 8Signs (no app control etc). It's my favorite for those times when I don't care about app control.
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    8Signs is a great firewall.

    Application control will always be subject of much debate. As always, individuals will have to assess their needs and use what best suits them.

    Regards,

    CrazyM
     
  8. Diver

    Diver Guest

    K-

    One of these days I will fill out the form and get a non-commercial free license for CHX-I.

    Sometimes I think firewalls are just puzzles. If I can understand what is going on with one of the more difficult firewalls, then I like it. That makes CHX-I a challenge. I guess that statement on their site "this is not a personal firewall" might put me off for now, but not forever.

    Most folks probably run ZA products with each application treated as trusted so far as outbound connections are concerned. It is a pain to set up detailed rules on the latest versions. I used to run the old ones that way, but have not done much with ZA lately.

    In the rules based category, I have a pretty good handle on Kerio 2.15, Jetico PF, and 8Signs. Outpost did not get me excited, but that does not mean it is bad.

    Tiny PF is a bit beyond me at this point. However, I think someone (you?) posted that it was not possible to disable dns. That may show how incomprehensible it is.

    Anyway, with rules based FW's there is a chance that what you see is what you get. I prefer that to the black box approach.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Right now I'm giving Kerio 4.2 beta a try.. They've said that the duplicate logging will be fixed in the next release, so I'm waiting for that. I still have some crazy faint hope that someday Kerio 4 will turn out to be as good as Kerio 2. :)

    When the new Tiny 6.5 Pro is released I may have to spend some time with that as well.
     
  10. Diver

    Diver Guest

    K-

    It's always good to hear from you.

    Diver is feeling very good this evening. Could be the Friday effect, or something to do with the grapes. Next week Diver will be doing what he likes best, diving in salt water with The Mermaid, in a far off place.

    My best to all...
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Sounds good Diver.. ;)
     
  12. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Me too.
    I don't understand. Elaborate... please.
    TPF is also rules based. It has a separate module for EVERY SINGLE THING. Crazy. Hard to configure. But fun to tinker with. LOL
     
  13. dukebluedevil

    dukebluedevil Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    177
    If they can just get the logging to be as good as Kerio 2 it would be a miracle. :)


    I was thinking about finally trying Tiny firewall as well when the new 6.5 version came out, but I'm not too sure now after reading about the company's greediness on their forums, where they are forcing their users to pay up again when the new version comes out even if they just recently purchased the 6.0 version. They were supposed to give 12 months of free upgrades and they are trying to sneak out of that it seems like and make up excuses so that they can milk their users for even more money. I think it's really poor.
     
  14. dukebluedevil

    dukebluedevil Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    177

    The documentation for CHX-I on their web site is a very good read you might want to check out if you haven't already. I know it helped me out a lot in understanding and using CHX-I. http://www.idrci.net/doc/packetfilter/index.html
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    The logging in Kerio 4 is really strange and it bothers me a lot. Not just the dups you see when you first install it without any rules. That's fixed supposedly in the next version. But what bothers me is how it works when you have rules. If you enable logging of packets to closed ports and then create a rule to say block incoming traffic to say port 1028 or something, then turn on logging, Kerio won't log because of your rule, it'll log because of its own internal rule that tells it to log packets to closed ports. So basically you can't use the rules to log or turn off logging of events. It kinda sucks... It does however obey the rules when it relates to open or listening ports. It's all messed up I think... :doubt:

    And I doubt they'll ever fix that. It's basically a poor design of things...
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yeah, that's pretty poor...

    I can't quite figure out Tiny's firewall. I was playing with it again tonight for a while (version 6.0) and no matter how hard I tried, I couldn't kill DNS. I was trying to stop DNS from working, which you can easily do in most firewalls. In Tiny, I even went to the extent of deleting ALL the network rules completely, but DNS and browsing still worked. What the heck? o_O Is it hard coded into the firewall or something? Or am I missing something? Who knows.. Very strange though...
     
  17. dukebluedevil

    dukebluedevil Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    177
    If they can't even get something so basic as logging to work properly how do you even have much confidence in the rest of the firewall? They're now onto what, like their 3rd release of 4.x now and they still don't have it fixed right. That is very very strange to me.
     
  18. dukebluedevil

    dukebluedevil Registered Member

    Joined:
    Sep 14, 2002
    Posts:
    177

    I have no idea. :) The last Tiny firewall version I used was version 2.0.1.5 right before the split up and creation of Kerio. I have always heard great things about their sandbox technology (fka Tiny Trojan Trap) that they created, but I haven't heard much about their firewall really. The sandbox part of it sounded very complex to me, which is why I put off trying it for so long. It almost sounds like the firewall part of it is just as complex/confusing. :) I think I'll stay away from this firewall. I'm not going to deal with a company who thinks it's alright to go back on their word and lie to their customers. They don't sound like the type of people I would even want to deal with. I'd rather just keep using and watching CHX-I, 8Signs, LookNstop, and Jetico.
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    All good ones. The only one of those I haven't looked at enough probably is Look N Stop. I'll have to check it out again soon...
     
  20. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Try removing applications one by one from "trusted" zone and remove checkmark from "Learning Mode" in right click menu of tray icon.
     
  21. Diver

    Diver Guest

    Firewall Festival...

    Well, I downloaded CHX-I, but have not tried to do anything with it yet. Will continue to play with 8Signs for a while. A while being defined as until the next Jetico build, or until I get back from diving. (I leave Wednesday morning.)
     
  22. Slovak

    Slovak Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    515
    Location:
    Medina, Ohio
    Not meaning to post off topic in this thread, but since you are not a member and just a guest here, I wish I could learn how to dive here in the Cleveland area, do you know of any place around here?
     
  23. Diver

    Diver Guest

    Slovak- Pull out the Yellow Pages and find a dive shop. They all offer instruction because it opens the door to sell gear. From your area most diving would be in cold water. Great Lakes or flooded rock quarries. I don't remember the name, but one of the more popular quarries is in your area. I travel to where the water is warm, must be a wuss.

    Back on topic:

    does anyone know if 8signs needs a loopback rule?

    I don't have one now and I do not see any log entries for blocked connections to 127.0.0.1, so I suspect the answer is that a loopback rule is not needed.
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yeah, I even did that no13.. I removed Services.Exe from the trusted zone since it's services.exe that does DNS lookups in Win2k. Also the learning mode was not checked either. Very weird... :p
     
  25. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Nope, I never needed a loopback rule in 8Signs. I assume it handles it internally somehow. All I had was rules for dhcp, dns, email, browsers, newsreaders and so on.

    8Signs is a great firewall...

    If I'm running one with no app control I like CHX-I even better. 8Signs just has TCP stateful inspection, but CHX-I has TCP stateful and also UDP and ICMP pseudo-stateful, which is nice too. CHX-I even lets you tweak the stateful values in the registry if you like, for example if you want to change the default UDP stateful timeout from 60 seconds to say 3 or 4 seconds or something. Very nice and handy at times.

    If you're looking for a start in CHX-I, just read the docs online for a general understanding, and then download the sample rule set. It consists of 2 rules if I remember right. One to allow TCP/UDP inbound except SYN packets and one for the same for ICMP. Be sure to turn on Stateful Inspection in the interface properties menu also! Very important. Without it, it lets stuff in that you don't want. Just remember that in its default state without any rules, CHX-I blocks nothing in or out. IF you use the sample rule set, and then do a few Force Allow rules for stuff you need inbound then it should work for you. Mostly just read the online docs and you'll figure it out.

    Sorry, I didn't mean to hijack this topic from 8Signs to CHX-I.. :D I just really like CHX-I...
     
    Last edited: Feb 5, 2005
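    The UDP "pseudo-stateful" inspection and tunable timeout Kerodo describes, as an added illustration in Python (my code, not CHX-I's; the constructed addresses and the choice to refresh an entry when a reply is allowed are assumptions). It shows why a shorter timeout narrows the window in which an inbound datagram can ride in as a "reply".

```python
"""Added example: a minimal model of UDP pseudo-state. An outbound datagram
creates an entry keyed on the 4-tuple; an inbound datagram is accepted only
if it matches an entry younger than the timeout. Time is passed in explicitly
so the aging is deterministic."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass
class UdpStateTable:
    timeout: float = 60.0                         # default quoted in the thread
    entries: dict = field(default_factory=dict)   # Flow -> time last seen

    def outbound(self, flow: Flow, now: float) -> None:
        """An allowed outbound datagram opens (or refreshes) a pseudo-state."""
        self.entries[flow] = now

    def inbound(self, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int, now: float) -> bool:
        """Accept an inbound datagram only as the reply to a recent outbound one."""
        flow = Flow(dst_ip, dst_port, src_ip, src_port)   # mirror the 4-tuple
        last = self.entries.get(flow)
        if last is None:
            return False                  # unsolicited: silently dropped
        if now - last > self.timeout:
            del self.entries[flow]        # expired: dropped and forgotten
            return False
        self.entries[flow] = now          # assumption: a reply keeps the state alive
        return True


def demo(timeout: float) -> tuple:
    """One DNS query at t=0, then three inbound datagrams judged against `timeout`.
    Returns (prompt reply allowed, late reply allowed, unsolicited allowed)."""
    table = UdpStateTable(timeout=timeout)
    query = Flow("192.168.1.10", 51000, "192.168.1.1", 53)   # constructed
    table.outbound(query, now=0.0)
    prompt = table.inbound("192.168.1.1", 53, "192.168.1.10", 51000, now=1.0)
    late = table.inbound("192.168.1.1", 53, "192.168.1.10", 51000, now=10.0)
    unsolicited = table.inbound("203.0.113.9", 53, "192.168.1.10", 51000, now=1.0)
    return prompt, late, unsolicited


if __name__ == "__main__":
    print(demo(60.0), demo(4.0))   # (True, True, False) (True, False, False)
```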