About 8Signs??? Help me

Discussion in 'other firewalls' started by purplegold, Mar 19, 2007.

Thread Status:
Not open for further replies.
  1. purplegold

    purplegold Registered Member

    Joined:
    Mar 15, 2006
    Posts:
    5
    I have installed the 8Signs firewall, and find it a light and powerful FW for me. My computer works in a LAN, so I only set a few filter rules below:

    TCP group:
    1.mail rules: tcp myaddress[1024-5000]->mailservers[110,25] action ALLOW
    2.Http&https: tcp myaddress[1024-5000]->all addresses[80,8080,3128,443] action ALLOW
    3.Ftp: tcp myaddress[1024-5000]->FTPservers[21] action ALLOW

    UDP group:
    4.DNS udp myaddress[1024-65535]<->DNSservers[53] action ALLOW

    ARP group:
    5.allow arp: ARP myaddress<->gateway address action ALLOW
    6.block other arp: ARP all address<->all address action BLOCK

    That is all of my rules for my LAN adapter. Are these enough? Is there any rule to add to enhance my security?

    Another question: in the ARP group, why not control the MAC edit, but only the IP address? As known to us, ARP rules must be based on the MAC control.

    In addition, do I need to add block invalid UDP packets, loopback, anti MAC spoofing, land attack... such block rules that in LNS must be added?


    Thanks!
     
  2. prk.uk

    prk.uk Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    10
    Location:
    Essex UK
    Welcome Purplegold

    I have been using 8-Signs for a few years now and have built up a ruleset that may be of use to you. This ruleset has been posted on other sites. However, if this is OK with the Moderators I could post it here for discussion.

    Is this OK?

    prk
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello prk,

    Of course you can post your ruleset.
     
  4. prk.uk

    prk.uk Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    10
    Location:
    Essex UK
    Hello purplegold

    This ruleset may be of use to you. If you have any specific or general queries regarding 8-Signs, myself or any of the resident experts here will, I'm sure, be able to help you.

    The ruleset text was generated using the "Write Ruleset in Readable Form" command.


    prk.uk 8-Signs ruleset as dated 08 September 2006.

    Hardware:

    Dell Dimension 4100 (1GHz)....Intel PRO/100 S Adapter into a Vigor 2800VG Router. MaxADSL BT connection.

    Software:

    Win2000 SP4....Firefox 1.08...Pocomail 3...NOD32 2.7...BOClean... 8-Signs/Zone Alarm 2.6.362 ....etc

    (Note: Zone Alarm 2.6.362 is used as an outbound application control)


    8Signs Firewall version 2.3.

    Ruleset filename is C:\Program Files\8Signs Firewall\Rules.rul
    Log filename is C:\Program Files\8Signs Firewall\Logs\200609.log
    Current state is 'Filter Traffic'
    Firewall is set to start automatically on bootup.
    When the firewall is not running, traffic is: Blocked.

    IP Group named 'DNS Servers':
    194.72.9.34
    194.72.0.114

    (Note: your DNS Servers)

    IP Group named 'Default (preset) DNS servers':
    194.98.0.1
    192.168.1.1

    (Note: my Router needs this)

    Port Group named 'Commom Ports':
    21-23
    25
    42
    53
    79-80
    98
    110
    113
    143
    443
    124-129
    1214
    3128
    8080
    3372


    Adapter 2: 'Local Area Connection', IP address='192.168.1.11', MAC address='00-02-B3-xx-xx-xx', medium='Ethernet'.

    Adapter 2:

    TCP rules:
    Rule #1: 'Web Browser-HTTP'
    Allow My Address [1024-5000] --> All Addresses [80] (F)

    Rule #2: 'Web Browser-HTTPS'
    Allow My Address [1024-5000] --> All Addresses [443] (F)

    Rule #3: 'Email: POP3'
    Allow My Address [1024-5000] --> All Addresses [110] (F)

    Rule #4: 'Email: SMTP'
    Allow My Address [1024-5000] --> All Addresses [25] (F)

    Rule #5: 'Telnet'
    Allow My Address [1024-5000] --> 192.168.1.1 [23] (TF)

    Rule #6: 'FTP'
    Allow My Address [1024-5000] --> All Addresses [21] (F)

    Rule #7 (disabled): 'FTP-Active connections'
    Allow My Address [1024-5000] <-- All Addresses [20] (F)

    Rule #8: '8Signs IP Tracer'
    Allow My Address [1024-5000] --> All Addresses [43] (F)

    Rule #9: 'ADSL speed test'
    Allow My Address [1024-5000] --> xxx.xx.x.x. [8095] (TF)

    Rule #10: 'Port 135'
    Block My Address [135] <-> All Addresses [All] (L)

    Rule #11: 'Port 137-139'
    Block My Address [137-139] <-> All Addresses [All] (L)

    Rule #12: 'Port 445'
    Block My Address [445] <-> All Addresses [All] (L)


    UDP rules:
    Rule #13: 'Boot 1'
    Allow 0.0.0.0 [68] --> 255.255.255.255 [67]

    Rule #14: 'Boot 2'
    Allow 255.255.255.255 [68] <-- 192.168.1.1 [67] (F)

    Rule #15 (disabled): 'Assign DHCP Server'
    Allow My Address [68] <-> 192.168.1.1 [67] (LF)

    Rule #16: 'ISP DNS from Router'
    Allow My Address [1024-5000] <-> 192.168.1.1 [53]

    Rule #17: 'ISP DNS for Email Prog.'
    Allow My Address [1024-5000] <-- [DNS Servers] [53] (F)

    Rule #18: 'ISP DNS error'
    Allow My Address [1024-5000] <-> [Default DNS servers] [53] (L)

    Rule #19 (disabled): 'DHCP Broadcast'
    Allow My Address [68] --> 255.255.255.255 [67] (L)

    Rule #20: 'Local broadcast on port 137'
    Allow My Address [137] --> 192.168.1.255 [137]

    Rule #21: 'Broadcast'
    Block My Address [1024-5000] <-- 255.255.255.255 [All] (L)

    Rule #22: 'Port 135'
    Block My Address [135] <-> All Addresses [All] (L)

    Rule #23: 'Ports 137-139'
    Block My Address [137-139] <-> My Address [All] (L)

    Rule #24: 'port 445'
    Block My Address [445] <-> All Addresses [All] (L)

    Rule #25: 'Block Common Ports'
    Block My Address [Commom Ports] <-- All Addresses [All] (L)

    Rule #26: '127.x incoming'
    Block My Address [All] <-- 127.0.0.0-127.255.255.255 [All] (L)


    ICMP rules:
    Rule #27: 'Type 8 Allow ping and trace'
    Allow My Address [0] <-- All Addresses [8]

    (Note: allow ping and trace or not?)

    Rule #28: 'Type 10'
    Block My Address [10] <-- All Addresses [10]

    Rule #29: 'Type 0'
    Allow My Address [0] <-- All Addresses [0] (LF)

    Rule #30: 'Type 3'
    Allow My Address [3] <-- All Addresses [3] (LF)

    Rule #31: 'Type 11'
    Allow My Address [11] <-- All Addresses [11] (LF)

    Rule #32: 'Type 8'
    Allow My Address [8] --> All Addresses [0] (L)

    Rule #33: 'Block ICMP'
    Block All Addresses [0-255] <-> All Addresses [0-255] (L)


    ARP rules:
    Rule #34: 'NIC to Router I/C'
    Allow My Address <-- 192.168.1.1/255.255.255.255

    Rule #35: 'NIC to Router O/G'
    Allow My Address --> 192.168.1.1/255.255.255.255

    Rule #37 (disabled): 'Allow all ARP'
    Allow All Addresses <-> All Addresses


    Ethernet rules:
    Rule #38: 'NIC MAC'
    Allow My Address <-> 00-02-B3-xx-xx-xx

    prk
     
    Last edited: Mar 20, 2007
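    To make the rule notation above concrete, here is a small first-match model of a few of the quoted TCP rules. This is an added example, not 8Signs code and not prk's; it assumes (as purplegold suggests later in the thread) that rules are tried top to bottom, the first match decides, and traffic matching no rule is dropped. The sample packets and the address 203.0.113.10 are constructed.

```python
# Added example (not 8Signs code): a tiny first-match model of rules written in the
# "Write Ruleset in Readable Form" notation.  Evaluation order and the default
# action are assumptions: top to bottom, first match decides, unmatched is dropped.
import ipaddress
from dataclasses import dataclass

MY_ADDRESS = ipaddress.ip_address("192.168.1.11")   # constructed, same host as prk's ruleset


def parse_ports(spec):
    """'1024-5000' -> range(1024, 5001); '80' -> range(80, 81); 'All' -> every port."""
    if spec == "All":
        return range(0, 65536)
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def parse_addr(spec):
    """Predicate over an IP for 'My Address', 'All Addresses', or a literal host/CIDR."""
    if spec == "My Address":
        return lambda ip: ip == MY_ADDRESS
    if spec == "All Addresses":
        return lambda ip: True
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ip in net


@dataclass
class Packet:
    proto: str
    direction: str            # 'out' = sent by this host, 'in' = received by it
    local_ip: ipaddress.IPv4Address
    local_port: int
    remote_ip: ipaddress.IPv4Address
    remote_port: int


@dataclass
class Rule:
    name: str
    proto: str
    action: str               # 'Allow' or 'Block'
    local_addr: str
    local_ports: str
    direction: str            # '-->' outbound only, '<--' inbound only, '<->' both
    remote_addr: str
    remote_ports: str

    def matches(self, p):
        if p.proto != self.proto:
            return False
        if self.direction == "-->" and p.direction != "out":
            return False
        if self.direction == "<--" and p.direction != "in":
            return False
        return (parse_addr(self.local_addr)(p.local_ip)
                and p.local_port in parse_ports(self.local_ports)
                and parse_addr(self.remote_addr)(p.remote_ip)
                and p.remote_port in parse_ports(self.remote_ports))


def evaluate(rules, p):
    """First matching rule decides; anything unmatched is dropped (assumed default)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "Block", "no matching rule (default)"


# A subset of the TCP rules quoted in the post, in the same order.
TCP_RULES = [
    Rule("Web Browser-HTTP",  "TCP", "Allow", "My Address", "1024-5000", "-->", "All Addresses", "80"),
    Rule("Web Browser-HTTPS", "TCP", "Allow", "My Address", "1024-5000", "-->", "All Addresses", "443"),
    Rule("Telnet",            "TCP", "Allow", "My Address", "1024-5000", "-->", "192.168.1.1",   "23"),
    Rule("Port 135",          "TCP", "Block", "My Address", "135",       "<->", "All Addresses", "All"),
]


def make_packet(direction, local_port, remote, remote_port, proto="TCP"):
    """Build a constructed sample packet seen from this host's point of view."""
    return Packet(proto, direction, MY_ADDRESS, local_port, ipaddress.ip_address(remote), remote_port)


if __name__ == "__main__":
    samples = [
        make_packet("out", 3000, "203.0.113.10", 80),      # web request -> rule #1
        make_packet("in", 135, "203.0.113.10", 40000),     # RPC probe -> rule #10 block
        make_packet("out", 3000, "192.168.1.1", 23),       # telnet to the router -> rule #5
        make_packet("out", 3000, "192.168.1.2", 23),       # telnet elsewhere -> default drop
        make_packet("in", 8080, "203.0.113.10", 40000),    # unsolicited inbound -> default drop
    ]
    for p in samples:
        print(p.direction, p.local_port, p.remote_ip, p.remote_port, "=>", evaluate(TCP_RULES, p))
```

    The last two sample packets show why purplegold's later remark matters: with an implicit drop, the only traffic that gets through is what an Allow rule names, so the Block rules for 135/137-139/445 mainly serve to log those probes rather than to stop them.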
  5. purplegold

    purplegold Registered Member

    Joined:
    Mar 15, 2006
    Posts:
    5
    Hello prk,
    Thank you! Indeed your rules are helpful,
    but because I am in a LAN and have an IP address and do not need DHCP, my UDP group has only one rule:
    allow my address[1024-65535]<->DNS server[53]

    and in my TCP group I have only one rule now:
    allow my address[1024-5000]->all address[most common ports]
    most common ports: 21, 23, 43, 80, 443, 25, 110, 1024-65535

    and this rule is equal to your #1-8:

    Rule #1: 'Web Browser-HTTP'
    Rule #2: 'Web Browser-HTTPS'
    Rule #3: 'Email: POP3'
    Rule #4: 'Email: SMTP'
    Rule #5: 'Telnet'
    Rule #6: 'FTP'
    Rule #8: '8Signs IP Tracer'


    And your 135, 137-139, 445... block rules can also be combined into one rule: make a trojan port group list and block this group.

    In the UDP group, I don't know if I need any other rules except the DNS 53 rule. IMO, the firewall may block any packet that matches no allow rule, so I think there is no need to add so many block rules; only allow what you want incoming or outgoing.

    But there is still a problem that has confused me for a long time: the 8Signs firewall does not have UDP SPI (only TCP SPI), so UDP may not be safe enough. How do I make UDP rules perfect in a LAN?

    And in the ARP group, the problem is why this firewall cannot edit MAC but only IP address. As known to us, most firewalls control ARP packets using MAC, not IP. Why does 8Signs use IP in ARP rules?
     
  6. prk.uk

    prk.uk Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    10
    Location:
    Essex UK
    Hello purplegold

    The layout of the ruleset quickly gives me an overall picture of the rules and allows me the flexibility to allow/block/log/ a specific port or address. I could for example just block my Email application. But this is just my personal preference.

    purplegold stated:

    "But there is still a problem that has confused me for a long time: the 8Signs firewall does not have UDP SPI (only TCP SPI), so UDP may not be safe enough. How do I make UDP rules perfect in a LAN?"

    These are my thoughts on the UDP protocol:

    1. UDP is a connection-less protocol ie it does not require the sender and receiver to establish a connection before the data is transmitted. The destination computer may not be online.

    2. It is an unreliable Internet protocol. No guaranteed delivery, no provision for acknowledgement of packets received. If the data doesn't arrive it is lost, and the datagrams may not arrive in the same order they were sent.

    Is it therefore possible with UDP for the firewall to have reliable stateful inspection? I understand that filtering decisions are based not only on defined rules but also on information contained within prior packets that have passed through the firewall. As shown in 1 and 2 above this may not be trustworthy.

    The question is: can UDP protocol be handled statefully?

    I don't know. I have to leave the answer to this with one of the resident experts.

    purplegold stated:

    "And in the ARP group, the problem is why this firewall cannot edit MAC but only IP address. As known to us, most firewalls control ARP packets using MAC, not IP. Why does 8Signs use IP in ARP rules?"

    purplegold, I will post back later with any thoughts on this.

    prk
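    On prk's question of whether UDP can be handled statefully: the usual answer in firewalls is "pseudo-state". The firewall has no handshake to watch, so it records the 4-tuple of each outbound datagram and admits an inbound datagram only if it is the exact mirror of a recent outbound one, within a timeout. The example below is added here to illustrate that mechanism; it is not 8Signs code, and the 30-second window, the table layout and the DNS exchange (host 192.168.1.11, router 192.168.1.1, stray peer 203.0.113.5) are constructed.

```python
# Added example, not from the thread or from 8Signs: a minimal UDP pseudo-state table
# of the kind firewalls use to give connectionless UDP a reply window.  The timeout
# and policy are assumptions chosen for illustration.
from dataclasses import dataclass

UDP_TIMEOUT = 30.0   # seconds an outbound datagram keeps its reply path open (assumed value)


@dataclass(frozen=True)
class Datagram:
    direction: str       # 'out' = sent by this host, 'in' = received by it
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


class UdpStateTable:
    """Remember each outbound 4-tuple; accept inbound UDP only as a reply to one of them."""

    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.sessions = {}   # (local_ip, local_port, remote_ip, remote_port) -> expiry time

    @staticmethod
    def _key(d):
        return (d.local_ip, d.local_port, d.remote_ip, d.remote_port)

    def _expire(self, now):
        for key, deadline in list(self.sessions.items()):
            if deadline <= now:
                del self.sessions[key]

    def filter(self, d, now):
        """Return ('Allow' | 'Block', reason).  Outbound datagrams are assumed to have
        already passed a static rule such as prk's 'ISP DNS from Router'."""
        self._expire(now)
        key = self._key(d)
        if d.direction == "out":
            self.sessions[key] = now + self.timeout     # open (or refresh) the reply window
            return "Allow", "outbound, state recorded"
        if key in self.sessions:
            self.sessions[key] = now + self.timeout     # keep the window open while traffic flows
            return "Allow", "reply to a recent outbound datagram"
        return "Block", "unsolicited inbound UDP"


def dns_scenario():
    """Constructed exchange: one DNS query to the router, then three inbound datagrams."""
    table = UdpStateTable()
    query = Datagram("out", "192.168.1.11", 1036, "192.168.1.1", 53)
    reply = Datagram("in", "192.168.1.11", 1036, "192.168.1.1", 53)
    stray = Datagram("in", "192.168.1.11", 1036, "203.0.113.5", 53)   # same local port, different peer
    return [
        table.filter(query, now=0.0)[0],
        table.filter(reply, now=0.2)[0],     # genuine reply inside the window
        table.filter(stray, now=0.3)[0],     # this host never queried that peer
        table.filter(reply, now=60.0)[0],    # window has expired
    ]


if __name__ == "__main__":
    print(dns_scenario())
```

    The limits prk lists are exactly what this table cannot fix: it has no sequence numbers to check, so a forged reply that guesses the right source address and both ports inside the window is accepted. That is why UDP "SPI" is weaker than TCP SPI, not useless; it still closes the door to everything that was never asked for.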
     
  7. prk.uk

    prk.uk Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    10
    Location:
    Essex UK
    purplegold stated:

    "And in the ARP group, the problem is why this firewall cannot edit MAC but only IP address. As known to us, most firewalls control ARP packets using MAC, not IP. Why does 8Signs use IP in ARP rules?"

    My thoughts:

    The sequence of events in my computer is: Rules 13 (Boot 1) and 14 (Boot 2), then Rule 35 NIC to Router O/G (ARP protocol), Rule 38 NIC MAC address and Rule 34 NIC to Router I/C (ARP protocol).

    Rules 13 (Boot 1) and 14 (Boot 2)

    On bootup your computer sends a message, allowed by rule 13 (Boot 1), saying "my network card MAC address is 00-02-B3-E6-xx-xx so tell me my IP address". The response comes back "your IP address is 192.168.1.11" (in my case). This response is sent by the router (192.168.1.1) on port 67 as a UDP broadcast to port 68, which is allowed by rule 14 (Boot 2).


    Rule 35 NIC to Router O/G ARP protocol


    ie source 192.168.1.11 to destination 192.168.1.1

    - - - - - - Ethernet header - - - - - -

    Destination: FF-FF-FF-FF-FF-FF (Broadcast)
    Source: 00-02-B3-E6-xx-xx
    Protocol Type: 08-06 (ARP)

    - - - - - - ARP header - - - - - -

    Hardware Address Space: 1
    Protocol Address Space: 08-00
    Hardware Address Length: 6
    Protocol Address Length: 4
    OpCode: 1 (ARP request)
    Sender Hardware Address: 00-02-B3-E6-xx-xx
    Sender IP Address: 192.168.1.11
    Target Hardware Address: 00-00-00-00-00-00
    Target IP Address: 192.168.1.1


    Rule 38 NIC MAC address

    ie source 00-02-B3-E6-xx-xx to destination broadcast

    - - - - - - Ethernet header - - - - - -

    Destination: FF-FF-FF-FF-FF-FF (Broadcast)
    Source: 00-02-B3-E6-xx-xx
    Protocol Type: 08-06 (ARP)

    - - - - - - ARP header - - - - - -

    Hardware Address Space: 1
    Protocol Address Space: 08-00
    Hardware Address Length: 6
    Protocol Address Length: 4
    OpCode: 1 (ARP request)
    Sender Hardware Address: 00-02-B3-E6-xx-xx
    Sender IP Address: 192.168.1.11
    Target Hardware Address: 00-00-00-00-00-00
    Target IP Address: 192.168.1.1

    Rule 34 NIC to Router I/C

    ie source 192.168.1.1 to destination 192.168.1.11

    - - - - - - Ethernet header - - - - - -

    Destination: 00-02-B3-E6-xx-xx
    Source: 00-50-7F-D4-xx-xx
    Protocol Type: 08-06 (ARP)

    - - - - - - ARP header - - - - - -

    Hardware Address Space: 1
    Protocol Address Space: 08-00
    Hardware Address Length: 6
    Protocol Address Length: 4
    OpCode: 2 (ARP reply)
    Sender Hardware Address: 00-50-7F-D4-xx-xx
    Sender IP Address: 192.168.1.1
    Target Hardware Address: 00-02-B3-E6-xx-xx
    Target IP Address: 192.168.1.11

    So now my computer and Router know each other's MAC address. Communication between Router and Computer will then continue, i.e. Rules 34 and 35 to verify this.

    Note for information only: With regard to Rule 38 MAC Address Filtering, a MAC address is specific to one individual network interface, so you can allow or block traffic from a particular computer on your network whose IP address may change.

    purplegold: I am sorry this is so long, but I was trying to determine in my own mind an answer to your question; that's why I just copied the logs. So if Rule 38 (NIC MAC address) is not your answer then I must ask a resident expert.

    prk
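    The logged frames above carry both an IP pair (what the IP-keyed ARP rules 34/35 see) and a MAC pair (what an Ethernet rule like 38 sees), and the difference between the two answers purplegold's question. The example below is added here and is not code from the thread or from 8Signs: it parses Ethernet II + ARP frames built to match the logged exchange, then applies an IP-only decision and a MAC-aware decision to a genuine router reply and to a reply that carries the router's IP with a MAC other than the pinned one. The MACs 00-02-B3-E6-00-01, 00-50-7F-D4-00-02 and 00-11-22-33-44-55 are constructed stand-ins for the masked octets.

```python
# Added example, not from the thread or from 8Signs: parse the Ethernet + ARP frames
# shown in the logs and compare an IP-only ARP check with a MAC-aware one.
# All frames and MAC addresses here are constructed.
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Return the header fields of an Ethernet II frame carrying an ARP packet (42 bytes)."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04X}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):      # Ethernet / IPv4 only
        raise ValueError("unsupported ARP hardware/protocol types")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src), "opcode": opcode,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def build_arp_frame(eth_dst, eth_src, opcode, sha, spa, tha, tpa):
    """Inverse of parse_arp_frame; used only to construct the sample frames."""
    to_mac = lambda s: bytes(int(x, 16) for x in s.split("-"))
    to_ip = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", to_mac(eth_dst), to_mac(eth_src), ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + struct.pack("!6s4s6s4s", to_mac(sha), to_ip(spa), to_mac(tha), to_ip(tpa)))


MY_MAC, MY_IP = "00-02-B3-E6-00-01", "192.168.1.11"          # constructed
ROUTER_MAC, ROUTER_IP = "00-50-7F-D4-00-02", "192.168.1.1"    # constructed
BROADCAST = "FF-FF-FF-FF-FF-FF"
KNOWN_BINDINGS = {ROUTER_IP: ROUTER_MAC}                      # pinned gateway MAC (constructed)


def check_ip_only(arp):
    """What a rule keyed on IP addresses alone (rules 34/35 above) can decide for an inbound reply."""
    return arp["sender_ip"] == ROUTER_IP and arp["target_ip"] == MY_IP


def check_with_mac(arp):
    """Same decision, plus: the claimed sender IP must carry its pinned MAC in both the
    Ethernet source field and the ARP sender-hardware field."""
    if not check_ip_only(arp):
        return False
    expected = KNOWN_BINDINGS.get(arp["sender_ip"])
    return expected is not None and arp["sender_mac"] == expected and arp["eth_src"] == expected


# Constructed frames modelled on the logged exchange.
REQUEST = build_arp_frame(BROADCAST, MY_MAC, ARP_REQUEST, MY_MAC, MY_IP, "00-00-00-00-00-00", ROUTER_IP)
GENUINE_REPLY = build_arp_frame(MY_MAC, ROUTER_MAC, ARP_REPLY, ROUTER_MAC, ROUTER_IP, MY_MAC, MY_IP)
# A reply claiming the router's IP from a MAC that is not the pinned one.
MISMATCHED_REPLY = build_arp_frame(MY_MAC, "00-11-22-33-44-55", ARP_REPLY,
                                   "00-11-22-33-44-55", ROUTER_IP, MY_MAC, MY_IP)


def classify(frame):
    """Parse a frame and report what each kind of check would decide."""
    arp = parse_arp_frame(frame)
    return {"opcode": arp["opcode"], "ip_only": check_ip_only(arp), "with_mac": check_with_mac(arp)}


if __name__ == "__main__":
    for name, frame in (("request", REQUEST), ("genuine", GENUINE_REPLY), ("mismatched", MISMATCHED_REPLY)):
        print(name, classify(frame))
```

    The mismatched reply passes the IP-only check and fails the MAC-aware one, which is the practical reason purplegold wants MAC control in ARP rules: an IP-keyed rule trusts whatever the reply says about itself, whereas pinning the gateway's MAC turns an inconsistent reply into something the firewall can log and drop.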
     
  8. purplegold

    purplegold Registered Member

    Joined:
    Mar 15, 2006
    Posts:
    5
    Hi prk, thanks a lot, you are great! Your long answer gives me more information to understand the rules and even the principle, and I think now I know what you say and understand why you set rules like that.

    thank you!
    yours
    purplegold
     
  9. prk.uk

    prk.uk Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    10
    Location:
    Essex UK
    Hello purplegold

    You are most welcome

    prk
     