[bug] Strict & LAN gaming

Discussion in 'ESET Smart Security' started by funkydude, Apr 5, 2009.

Thread Status:
Not open for further replies.
  1. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You should capture the communication using Wireshark and send the log to support[at]eset.com with a description of the issue. Couldn't it be that you're running the firewall in automatic mode?
     
  3. funkydude

    Most definitely not. :)
     
  4. Marcos

    So what mode are you running the firewall in?
     
  5. funkydude

    I should have said, Interactive. The application in question had both in/out allowed.
     
  6. funkydude

    I should add that this happens in p2p gaming also, such as LAN RTS where no server is used. Sharing mode is still required for people to connect to you.

    I have never used Wireshark before so I'll try to tinker with it, but I might not be able to get a log for a while. What exactly is it you're looking for? Have the firewall on in sharing mode and just log?
     
  7. funkydude

    Bump, I need a reply from you on what situation you want me to start logging/with what settings or I will miss my opportunity.
     
  8. Marcos

    That happens because ARP requests from computers not being in the Trusted zone are dropped if they weren't initiated by your computer. Disabling ARP cache poisoning should help, or simply add the remote computer to the Trusted zone.
     
  9. funkydude

    I'd prefer not to do either as I feel they are a compromise in security. This worked fine in v3, so what changed that made ESET require you to turn off sharing (which in my opinion doesn't relate to gaming) in v4?
     
  10. Marcos

    Enabling ARP cache poisoning detection with the firewall module v. 1045 will make your computer stealth against uninitiated ARP requests from outside the Trusted zone.
     
  11. funkydude

    I don't mean to be rude Marcos, but I'm not sure how that helps. I had this problem during the RC, at which point the module was 1044. Are you saying I'm going to need to use allow sharing on every PC from now on in case they might want to LAN game? Before, I could in most cases use strict protection because I could guarantee the person would never need to share files/etc. in their current situation, but I can never guarantee that one day they might not want to play a game.
     
  12. funkydude

  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I don't understand your problem.

    You can set the LAN or just the PCs you game with as trusted, then disable the NetBIOS rules. It takes a couple of minutes at most.


    - Stem
     
  14. funkydude

    Are you saying allow the application in/out on the trusted zone in my firewall rules? If so, that was automatically requested by the app when launching it, it has full access. It still won't work without sharing enabled, again, this was not a problem at all in v3.

    Here is a screenshot:
    rules.jpg

    I will never, ever, make custom rules for a firewall. It has always automatically asked for everything and worked perfectly in v3; the fact it now fails to shows something is broken.
     
    Last edited: Apr 16, 2009
  15. Stem

    You have rules to allow inbound/outbound to the trusted zone, but what is in the trusted zone? If you have not placed any IPs or the LAN in the trusted zone, then the application has no other IP to comm with.

    You are comparing 2 different implementations.


    - Stem
     
  16. funkydude

    So I'm guessing in v3 every networked computer was assumed to be trusted which has changed in v4?

    In which case, is allow sharing the correct approach for this problem?

    It needs to be a simple set-it-and-forget-it, not a customize-every-rule-as-it's-made, because I need to be able to set this up for other PCs without needing to configure it when he/she installs a new game.

    Also, the IPs on the network can be dynamic as PCs join/leave.
     
  17. Stem

    There are a number of ways to help prevent ARP poisoning/DOS. ESSv4 has gone to what I would class as going to the far extreme of protection by blocking all unsolicited inbound ARP, and blocking requests not from the gateway. This type of protection, when implemented correctly, will block all the nodes on the LAN, simply because the other nodes on the LAN cannot retrieve routing info from the PC with ESSv4 installed. Therefore, for example, if there is then an attempt to scan you from another node on the LAN, then such a scanner as Nmap will return with a "host not up".
    I have not looked at version 3, so do not know what ARP protection was in place (if any?).

    I think your best approach at this time would be to disable the ARP poisoning protection, which will then allow routing (ARP) info to be requested. Yes, it is disabling protection, but such protection is normally only needed on an unknown/not trusted LAN.

    I did look at that possibility, and due to the inability to bind MAC/IP, then on such a LAN placing specific IPs as trusted can be a possible future problem if IPs do change.

    Personally, I would go with disabling the ARP poisoning IDS rule.


    - Stem
     
  18. funkydude

    Thanks for the suggestion. The problem I have with that is gaming on unsafe public networks, which is what a lot of the PCs are doing: public LAN gaming. It seems a bit flawed to have this new extra protection, yet need to disable it (allow sharing) to game; seems like back to square one?

    I actually feel less secure now than with the old modules, even though they technically upgraded security.
     
  19. Stem

    Why do you mention "allow sharing"?
    If you disable the ARP poisoning, then keep the LAN as restricted, there is no sharing. It is just a case that other PC(s) on the LAN can then ping or connect to you if you have rules set to allow the inbound, or, if set to interactive with no set rules, you will be given a popup.

    I think the ARP protection does need changing, possibly splitting into a poisoning/DOS protection option, then an option to block all ARP requests from all nodes within the LAN.

    - Stem
     
  20. Stem

    Hi,

    I have been looking at V3. The ARP protection is not good, I can bypass and DOS the PC.

    If you had no problems with V3 with gaming on the untrusted LAN, then you can disable the ARP poisoning attack IDS rule with V4.

    I have put in a bug report for V4 ARP protection, so we will see what develops.

    - Stem
     
  21. funkydude

    Thanks, so you're saying I'm more secure disabling ARP and gaming than allowing sharing and gaming?
     
  22. Stem

    Yes.

    With the latest ESSv4 release, if you set the LAN as trusted, which then allows file/print sharing due to the current default rules, then the ARP poisoning IDS rule also does not cover that trusted LAN. If you just disable the ARP poisoning rule, then you can allow inbound from the restricted LAN with rules, and file/print sharing will be blocked.

    - Stem
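To make the zone/ARP interaction that Stem describes in posts 17 and 22 concrete, here is an added model (not ESET's code and not from any poster) of the three configurations the thread compares: LAN restricted with the ARP IDS rule on, LAN restricted with the rule off, and LAN placed in the Trusted zone. It parses constructed IPv4-over-Ethernet ARP frames and applies the policy as the thread states it: unsolicited ARP from outside the Trusted zone is dropped, so a peer never learns the host's MAC and the host looks down; with the rule off, the peer can resolve the MAC, but NetBIOS/SMB inbound from the restricted zone stays blocked while an explicitly allowed game port gets through; with the LAN trusted, sharing ports are reachable too. The IP addresses, MACs and the game port 6112 are constructed sample values, and the whole policy is a simplification assumed from the thread, not a description of the product's actual rule engine.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = b"\x00" * 6
BROADCAST = b"\xff" * 6
SHARING_PORTS = {137, 138, 139, 445}   # NetBIOS / SMB file & print sharing


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    return (dst + sender_mac + b"\x08\x06" + hdr
            + sender_mac + ip_address(sender_ip).packed
            + target_mac + ip_address(target_ip).packed)


def parse_arp(frame):
    """Return the ARP fields of a frame, or raise if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {"op": op,
            "sender_mac": frame[22:28].hex(":"),
            "sender_ip": str(ip_address(frame[28:32])),
            "target_ip": str(ip_address(frame[38:42]))}


@dataclass
class HostPolicy:
    """Simplified model (assumption, not the product's real engine) of one protected host."""
    my_ip: str
    trusted_zone: list                                   # networks/hosts in the Trusted zone
    arp_ids_rule: bool = True                            # "ARP cache poisoning attack detection"
    allow_inbound_ports: set = field(default_factory=set)  # explicit inbound rules, restricted zone
    pending: set = field(default_factory=set)            # IPs this host itself asked for

    def is_trusted(self, ip):
        return any(ip_address(ip) in ip_network(z, strict=False) for z in self.trusted_zone)

    def send_arp_request(self, ip):
        self.pending.add(ip)

    def handle_arp(self, frame):
        """Decide what the host does with an inbound ARP frame: 'reply', 'accept' or 'drop'."""
        p = parse_arp(frame)
        solicited = p["sender_ip"] in self.pending
        if self.arp_ids_rule and not self.is_trusted(p["sender_ip"]) and not solicited:
            return "drop"          # unsolicited ARP from outside the Trusted zone is ignored
        if p["op"] == ARP_REQUEST:
            return "reply" if p["target_ip"] == self.my_ip else "drop"
        self.pending.discard(p["sender_ip"])
        return "accept"            # a reply we asked for: cache the sender's mapping

    def inbound_tcp(self, peer_ip, port):
        """Apply the zone rules to a TCP SYN from peer_ip (assumes the peer already has our MAC)."""
        if self.is_trusted(peer_ip):
            return "allowed"       # default rules permit the Trusted zone, sharing included
        if port in SHARING_PORTS:
            return "blocked (sharing closed to restricted zone)"
        return "allowed" if port in self.allow_inbound_ports else "blocked"


def peer_connects(policy, peer_mac, peer_ip, port):
    """Simulate a LAN peer reaching the protected host: ARP resolution first, then TCP."""
    who_has = build_arp(ARP_REQUEST, peer_mac, peer_ip, ZERO_MAC, policy.my_ip)
    if policy.handle_arp(who_has) != "reply":
        return "unreachable (ARP request dropped, peer never learns our MAC)"
    return policy.inbound_tcp(peer_ip, port)


def run_scenarios():
    """Constructed sample LAN: host 192.168.1.10, peer 192.168.1.20, game port 6112."""
    peer_mac, peer_ip = bytes.fromhex("0a1b2c3d4e5f"), "192.168.1.20"
    game_port = 6112   # constructed example port, stands in for whatever the game uses
    results = {}
    # 1. LAN restricted, ARP IDS rule on, game port allowed inbound: the thread's failing setup
    strict = HostPolicy("192.168.1.10", [], True, {game_port})
    results["strict"] = peer_connects(strict, peer_mac, peer_ip, game_port)
    # 2. LAN restricted, ARP IDS rule off: Stem's suggestion in post 22
    arp_off = HostPolicy("192.168.1.10", [], False, {game_port})
    results["arp_off_game"] = peer_connects(arp_off, peer_mac, peer_ip, game_port)
    results["arp_off_smb"] = peer_connects(arp_off, peer_mac, peer_ip, 445)
    # 3. Whole LAN in the Trusted zone: what "allow sharing" amounts to
    trusted = HostPolicy("192.168.1.10", ["192.168.1.0/24"], True)
    results["trusted_game"] = peer_connects(trusted, peer_mac, peer_ip, game_port)
    results["trusted_smb"] = peer_connects(trusted, peer_mac, peer_ip, 445)
    # 4. The strict host itself asked for the peer's MAC, so the reply is solicited and kept
    strict.send_arp_request(peer_ip)
    reply = build_arp(ARP_REPLY, peer_mac, peer_ip, bytes.fromhex("001122334455"), strict.my_ip)
    results["solicited_reply"] = strict.handle_arp(reply)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} -> {outcome}")
```

Scenario 1 is why the game host appears down and Nmap reports "host not up": the host's own outbound ARP still works, but nobody on the LAN can resolve it. Scenario 2 is the trade-off Stem prefers, since the restricted zone keeps the sharing ports closed even though ARP is answered; scenario 3 shows that trusting the LAN opens sharing as a side effect.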
     
  23. Marcos

    Hi Funkydude,
    the good news is that the upcoming version of the firewall module will introduce a new option in the IDS setup that will enable you to allow ARP requests from outside the Trusted zone.
     
  24. funkydude

    As much as I'm grateful:

    1. I haven't even had a chance to test whether disabling ARP works.
    2. Won't such a feature leave me as insecure as disabling the protection anyway? How will it be better than disabling ARP protection?
     
    Last edited: Apr 25, 2009
  25. funkydude

    I'm testing it right now. I actually disabled everything under "intrusion detection" and it won't work; the only thing that works is running Allow sharing.

    But this issue is currently only with Warhammer 40,000: Dawn of War 2. I tried with Left4Dead +strict+all attacks detection on and it works. Hosting a game in dow2 (which is mainly p2p) does not work without allow sharing, no matter if intrusion detection methods are on or off.

    So currently I think adding that feature would be useless Marcos.
     