Block IP rule doesn't work with IIS

Discussion in 'LnS English Forum' started by SwitchUser, Feb 21, 2005.

Thread Status:
Not open for further replies.
  1. SwitchUser

    SwitchUser Guest

    Hi there.

    First of all, I would like to say that Look'n'Stop is possibly the software we are going to buy, if it matches our needs. We need a small firewall program which can be installed and run on Windows 2000 Server via Remote Desktop Connection without blocking the RDC port during installation (so we won't lose RDC access next time), and which allows easily importing an IP list created in any other program. So far, Look'n'Stop looks excellent and is probably the first program we have found which provides everything above.

    The problem is that when we import the rule called "Block a given IP" and set the IP to the necessary one, LnS blocks not only the chosen IP, but the general web traffic to the server on every IP. We are running IIS on this machine, and it looks like IIS is not responding anymore when this rule is imported and created. When it's removed and LnS is restarted, IIS works again.

    What could be the fault?
    Thank you.
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    Could you give us more details about the rule you created?
    Also, if there were some alerts in the log after you activated the new rule, it would be nice to have them to understand what's happening.

    Thanks,

    Frederic
     
  3. SwitchUser

    SwitchUser Guest

    Thank you for the reply!

    This is the rule I have just downloaded and imported from the LnS site:

    http://www.looknstop.com/En/rules/rules.htm

    Block an IP Address

    I have just changed the IP to the necessary one, but after that I noticed that nobody could connect to the web server anymore. I changed the IP later, restarted LnS, rebooted the system - nothing helps... Either this rule is not installed at all and the server is open to everyone, or it is installed with some specific IP and nobody is able to connect.

    As for logs - there is no specific log for this rule. I turned off all logs except for the Block IP rule and watched it... when I connect from the blocked IP, it shows a connection attempt from this IP; when from others, nothing happens.
     
  4. Frederic

    Frederic LnS Developer

    Hi,

    This is very strange, never seen that before.
    This is a basic feature which should work.

    I really don't understand why adding a simple rule could block everything, while this rule is actually working correctly according to the log it provides o_O

    Could you confirm the following:
    - you only added this rule on top of the standard ruleset
    - to have things back to normal, is simply deactivating the rule (green check on the left) sufficient? Or do you need to remove the rule and press Apply? Or do you really need to quit/restart Look 'n' Stop?
    - when the problem occurs, could you open the console window, then ask for the driver logs and copy/paste the content of the window here
    - do you have other network-related applications installed on this computer (firewall, sniffer, ...)?
    - if you try to specify more fields in this rule (IP Protocol, Ports, ...), is there a difference in the behaviour?

    Thanks,

    Frederic
     
  5. SwitchUser

    SwitchUser Guest

    >>Could you confirm the following:
    >>- you only added this rule on top of the standard ruleset

    I experimented a little and can conclude that rules from the Standard Rule Set are conflicting with one another. The proof:

    1) I started to remove rules from the Standard Set from bottom to top, keeping the "IP Block Rule" on top. There was no success, until I keep ALL Standard Rules and remove ALL TCP rules - the program blocks EVERYTHING, every possible port. I wasn't able to connect via FTP, WWW and other protocols.

    2) If I remove ALL rules EXCEPT the "IP Block Rule" - it works really nicely!

    So, I could expect that the "IP Block Rule" is conflicting with other rules, probably TCP, and maybe the TCP rules are conflicting with others, too. I cannot repeat that error anymore, because I needed to call my provider and reset the machine; luckily for me, I didn't save the changed rule set, so on start-up LnS loaded the previous working version. Note that I am doing this via Remote Desktop and have limited possibilities for testing...

    Frederic, could you tell me how long the program takes to respond to rule changes made? Or what do I need to do so that it responds immediately to all changes? Or does it respond immediately?

    >>- to have things back to normal, simply deactivating the rule (green check on the left) is sufficient? or do you need to remove the rule and press apply? or do you really need to quit/restart Look 'n' Stop?

    Simply deactivating the rule WORKS - I tried it when "Block IP rule" is alone in the list.

    >>- when the problem occur, could you open the console windows, then ask for the driver logs and copy paste the content of the window here

    Sorry, I didn't understand completely - what information exactly do you need?

    >>- do you have other network related application installed on this computer (firewall, sniffer,...) ?

    I have some - FTP, IIS, IPCheck and a couple of small web-log utility tools.

    >>- if you try to specify more field in this rule (IP Protocol, Ports,...), is there a difference in the behaviour ?

    I am really not a professional at this and don't know exactly which fields I must set. If you provide me with more specific information, I could try.

    But as I said above - I expect it conflicts with some other rule(s).

    Thank you.
     
  6. Frederic

    Frederic LnS Developer

    Do you mean you removed only the TCP rules in 1), and for 2) you only have your rule?
    If yes, I suppose 1) was not sufficient? Or was it? (In this case, why try 2)?)

    Rules are completely independent, so I don't know how introducing a new rule could change the behaviour of another rule.
    Obviously, this is true unless there is a major bug somewhere. But a major bug like that should have been discovered a long time ago... or you are really using something very specific somewhere.

    Immediately after you press the Apply button. When the button is not greyed, this means a change is not yet taken into account.
    Note that changing the attributes is applied immediately (if there was no other change waiting to be applied).
    Since the behavior is correct with only this rule alone, it is normal that deactivating this rule works.
    The point was to try that when you have a complete ruleset not working.
    In the options there is a console checkbox; after you experience the issue, click on it. In the new window that will open, click on the Drivers Logs button, then copy/paste the content of the window.
    For instance, just try to specify TCP for the IP protocol.
    Could you also send us the ruleset which doesn't work? (including the rule you added).

    Thanks,

    Frederic
     
  7. SwitchUser

    SwitchUser Guest

    Yes, in the first case, I removed all TCP rules from the Standard ruleset, but the Block IP rule was also included. It was not sufficient. The Block IP rule actually works if there are no other rules set.

    I really don't know whether deactivating works or not... As I described, when there are other rules, Block IP doesn't work correctly. I have tried the following:
    1) Imported Standard ruleset again
    2) Imported Block IP rule
    3) In Block IP rule, wrote in my IP (let's say, it is "A"). Immediately, I have lost remote desktop connection this time
    4) I have entered RDC from another PC (let's say, its IP is "B"). I have disabled Block IP rule from it, and was able to connect from "A" again. But this time, I've lost connection from "B"!

    Maybe something incorrect happens, when you APPLY this rule?

    Then - 5) I connected from "A" again and removed the IP rule totally... only then was I able to connect from both "A" and "B".

    Ok, found it. There are a lot of messages similar to "[11:31:27] 1 message Downlink [11:31:29] 2 message Uplink" I will not paste them all here. At the end of logs the following appears:

    3Com EtherLink XL 10/100 PCI Fo - 00:04:75:ff:8d:4d - [MY.IP.HERE]
    WAN Miniport (IP) - Look 'n' St - 0e:fe:20:52:41:53
    FW:
    Driver Entry Win2k/XP
    WAN Miniport (IP) - Look 'n' Stop Driver
    3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX) - Look 'n' Stop Driver
    FW1:
    EMOTE.EXE
    C:\PHP\PHP.EXE
    UC:\PROGRAM FILES\IPCHECK SERVER MONITOR 4\IPC4REMOTE.EXE
    UC:\PHP\PHP.EXE
    UC:\PHP\PHP.EXE
    ASOK:C:\PROGRAM FILES\IPCHECK SERVER MONITOR 4\IPC4REMOTE.EXE
    C:\PROGRAM FILES\IPCHECK SERVER MONITOR 4\IPC4REMOTE.EXE
    ASOK:C:\PROGRAM FILES\IPCHECK SERVER MONITOR 4\IPC4REMOTE.EXE
    C:\PHP\PHP.EXE
    ReSLIN!

    and so on - a lot of references to IPC4REMOTE.EXE and PHP.EXE in different order.

    No success. I have tried the following:

    1) Imported Standard ruleset and Block IP Rule
    2) Set my IP in Block IP rule, but also specified TCP protocol (not All) - this time I have not lost the RDC connection (good!).
    3) I was unable to connect via WWW from my IP - good! but:
    4) when I disabled the Block IP rule, I still was unable to connect :-( In truth, after that, I don't see the Apply button become active. It's still passive, so I am unable to apply this disabling - is this correct?
    5) I removed the Block IP rule totally, but still it's not possible to connect!
    6) Finally, I removed all other rules, and only then was I able to connect.

    Could I expect that some other rule is blocking incoming WWW connections?

    For sure, I can. Only I don't know your email, or URL to send, or whatever - could you provide that?

    Thank you.
     
  8. Frederic

    Frederic LnS Developer

    Ok, thanks for the information.

    I suspect the problem is coming from the fact that you are doing the configuration remotely.
    When applying a rule, perhaps there is an internal transient state in the firewall and some packets are dropped, including some packets used by your RDC program, which would not accept that and would close the connection on the client side.
    What is your RDC program? Do you know which protocol is used?

    At step 4, did you really try to connect again with the first computer?
    If RDC is using TCP, you have to wait a while to be able to connect again (because of some internal timeout of the TCP stack).
    Actually, if at step 4 you are able to connect from another computer, this means the rule is really working and all IPs are not blocked.

    The driver logs are correct.
    I suppose the ruleset will be correct; if you are anyway not sure you created the rule correctly, you can send it to looknstop@soft4ever.com.

    Regards,

    Frederic
     
  9. SwitchUser

    SwitchUser Guest

    Frederic: I doubt that RDC is the main source of trouble here. I am using the standard Remote Desktop Connection tool which is built into Windows XP. In general, LnS works PERFECTLY via RDC; yes, it loses the connection sometimes, but then re-opens it again, unlike the many, many firewalls we tried that block EVERYTHING from the first try...

    I just learned some things about TCP this week, and will experiment with LnS rules a little bit more. Then I'll report to you. Thanks.
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Is there a window capture of Rule Editing for that rule for changes you made?
    Or a downloadable rule for that rule with changes you had made?
     