Application filtering - can't make it work?

Discussion in 'LnS English Forum' started by halcyon, Nov 14, 2004.

Thread Status:
Not open for further replies.
  1. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Please forgive my simple question, I just installed L'n'S, it's getting a little bit late and I can't seem to find how to get Application filtering working.

    Background:

    - XP SP2 (no security center, no MS fw), all patches
    - Connection via Ethernet LAN, static ip 10.0.0.1 -> dsl router (10.0.0.138) -> WAN (public IP, so my router does NAT)
    - L'n'S 2.52p2 with d1 lnsfw1.sys driver (to stop latest outbound attacks)
    - Phantom v6 rule set

    My LnS GUI reads as follows (I'd rather not post millions of screenshots):

    Welcome tab
    - Connected (ticked with a greyed out mark) IP address: 10.0.0.1 (this is my active Ethernet adapter through which I connect)
    - Statistics show outbound and inbound packets correctly (they increase as I use the net)

    Application Filtering Tab
    - Application filtering enabled (ticked)
    - No application rules yet defined (List of apps is empty)
    - List of Active applications is empty (does not get activated at all)

    Internet filtering
    - Internet filtering enabled (ticked)
    - Phantom_v6_rule_set.rls (active)

    LOG tab
    - Log showing system access to my printer (10.0.0.20), my DNS servers and some blocked inbound activities

    Options TAB
    - Network interfaces: Intel PRO/1000MT .... 10.0.0.1 (ticked) (this is my active adapter connected to my router)
    - Automatic selection: OFF (not ticked)
    - Automatic Start: NONE (I have the service starter beta installed)


    Now the problem.

    I can use any and all applications to connect to Internet and LnS will not stop to ask for permission about their connection.

    I have Application filtering enabled, but there must be some switch somewhere that I'm overlooking.

    So, application filtering is not working with my setup and all software on my machine can access network any which way they want.

    Any tips or check lists for me?

    Thanks!
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
  3. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
  4. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    I've contacted Phant0m and I'm waiting for a reply.

    I'd really like to get the thing working asap though :)

    I'll wait a while and then I'll run Frederic's patch.

    Thanks for the tips.

    regards,
    halcyon
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi halcyon

    Please see http://www.fluxgfx.com/forum/viewtopic.php?t=6

    :)

     
  6. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Thanks Phant0m. I've sent you the files generated by the utility.

    I then applied Frederic's patch (sorry, can't wait anymore) and rebooted.

    Application filtering seems to be enabled now.

    Time to start testing.

    Thanks for the quick help, all of you!

    cheers,
    halcyon

    PS BTW, what do I do now that I've authorized an application with Direct Network access and it still can't contact (or receive reply) from the Net? The software in question is Teamspeak client, which tries to contact a server at port 8767 and then fails (apparently due to not receiving a reply, although server is up and running).
     
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Thanks, I had looked it over, and I'm not telling you something you don't already know, but it is a Driver Loading anomaly.

    Loaded driver \SystemRoot\System32\Drivers\lnsfw1.SYS
    Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys


    lnsfw1.SYS is supposed to be loading up after the tcpip.sys and not before it...

    I think Look 'n' Stop should come bundled with an official checking mechanism, this problem has been going on long enough...

    That is just my opinion however....
     
  8. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Agreed, even though I don't have a problem. Maybe for the next version.

    What does this patch actually do, and what happens if you apply it to a configuration that already works?

    I ask because if it doesn't affect configs that already work, then the patch could be incorporated into the LnS release without too much effort.


    Phant0m - From your investigations, is this Application Filtering problem always related to the LnS driver loading before the TCP/IP driver?
     
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    If you run the patch on systems with Application-filtering functioning, I do believe it’ll just update anyways.

    Patch is available so that those who don't encounter the problems will have driver loading speedy; applying the patch will increase its driver loading.

    The driver loading issues are linked with Application-filtering not functioning.
     
  10. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    There is some other information in this thread:
    https://www.wilderssecurity.com/showthread.php?t=50745&highlight=grouporderlist

    And especially this:
    The Lnsfw1 service is using a DependOnService set to Tcpip, so according to Microsoft documentation, lnsfw1 should be started after Tcpip.
    The root cause issue is there, I don't understand why this is not working on some PCs.
    I really don't understand why lnsfw1.sys can start before tcpip.sys since the DependOnService is correctly set.

    But anyway, yes, you're right, a solution has to be provided, even if this is not working as expected (I was only hoping to find an obvious fix about this problem, which would avoid the handling of a new tag).

    Frederic
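
Added example (not from the thread and not Look 'n' Stop code): a minimal version of the load-order check discussed in posts 7 and 10. It reads log lines in the "Loaded driver <path>" format quoted above and reports any driver that loaded before something it declares a dependency on. The function names, the dependency map and the sample logs are assumptions for illustration, and it assumes service names match driver file base names.

```python
import re
from pathlib import PureWindowsPath

# Matches the "Loaded driver <path>" lines quoted in the thread.
LOADED_RE = re.compile(r"^\s*Loaded driver\s+(\S.*?)\s*$", re.IGNORECASE)

def load_order(log_text):
    """Return driver base names (lower-case, no extension) in load order."""
    order = []
    for line in log_text.splitlines():
        m = LOADED_RE.match(line)
        if not m:
            continue  # skips "Did not load driver" and unrelated lines
        name = PureWindowsPath(m.group(1)).stem.lower()
        if name not in order:  # record the first load only
            order.append(name)
    return order

def order_violations(log_text, depends_on):
    """Compare observed load order with declared dependencies.

    depends_on maps a driver to the drivers it must load after, mirroring
    a DependOnService entry. Returns (driver, dependency, reason) tuples.
    """
    pos = {name: i for i, name in enumerate(load_order(log_text))}
    problems = []
    for driver, deps in depends_on.items():
        driver = driver.lower()
        if driver not in pos:
            problems.append((driver, None, "driver not loaded"))
            continue
        for dep in (d.lower() for d in deps):
            if dep not in pos:
                problems.append((driver, dep, "dependency not loaded"))
            elif pos[dep] > pos[driver]:
                problems.append((driver, dep, "loaded before dependency"))
    return problems

# The two lines quoted in post 7.
BAD_LOG = r"""Loaded driver \SystemRoot\System32\Drivers\lnsfw1.SYS
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
"""
# Constructed sample of the expected order (example.sys is made up).
GOOD_LOG = r"""Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Did not load driver \SystemRoot\System32\Drivers\example.SYS
Loaded driver \SystemRoot\System32\Drivers\lnsfw1.SYS
"""
DEPENDS = {"lnsfw1": ["Tcpip"]}  # as described in post 10

if __name__ == "__main__":
    for label, log in (("post 7", BAD_LOG), ("expected", GOOD_LOG)):
        print(label, order_violations(log, DEPENDS) or "order OK")
```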
     
  11. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    This is probably unrelated, but the things that differentiate my installation from a typical sp2 installation are as follows:

    - Installation of MS KB 884020 tcpip.sys driver (v. 5.1.2600.2505)
    - Patching of tcpip.sys (with XP-Antispy) from 10 to 50 connections

    I don't think this should change the load order, but just so that you know.
     