Building Your Own Privacy Package

Discussion in 'privacy technology' started by Reality, Aug 5, 2014.

  1. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Near the top above any "permit all" types of rules.
     
  2. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    Thanks. Now have to do some more rules for other apps and hopefully get everything in the right order.
     
  3. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    Getting lot of Pale Moon loopback rule popups from Kerio. loopback rule.JPG
     
    Last edited: Apr 12, 2015
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Other than when you first start the browser, is there another activity that triggers the alerts? If the browser is working right, I'd shut the alert function off. On mine, when I disable the loopback blocking rule for PaleMoon, it generally tries twice to establish a loopback connection, then stops. Newer versions might be different.
     
    Last edited: Apr 12, 2015
  5. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    HMPALERT.EXE | protocol UDP | Local Address 127.0.0.1 | Remote Address 0.0.0.0:0 | State Listening
    Firewall log window:
    Rule TCP ack packet attack Blocked: In TCP... localhost:1025 (several entries)

    Had to make a HMPA UDP out rule with 127.0.0.1 remote endpoint.
     
    Last edited: Apr 12, 2015
  6. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    This thread needs to be released as an e-book.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Is that HitMan Pro, the alert component? I wouldn't block that until you determine exactly what that connection is used for. I'm not familiar with it or how it functions but the info you posted leads me to believe that at least part of it functions as a proxy. What is that loopback connection connecting back to, itself, another of its components or something else?
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That is one of the long term goals of this thread. Most everything in this thread exists elsewhere on the web. That's the problem with a subject like this. The information is all over, badly fragmented, hard to find, and even harder to organize. I'd like to see this thread used as a collecting point for this information with the eventual goal of organizing and compiling it into a comprehensive guide that covers as many aspects of privacy and security as possible. The form this guide would take, e-book, website, whatever, hasn't been discussed. We're nowhere near that point. The amount of knowledge and skill on this forum is huge. There's several very good guides here on specific subjects that are getting buried. I'd like to see a group effort that brings the best of it together into an organized, searchable format, freely available to all, compiled by the membership of Wilders. The manuals that mirimir has been putting together are one example. There's another on group policy and permissions that's very good. Everything one would need to know is available, here and elsewhere. It just needs to be brought together.
     
  9. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    Yes. HitmanPro.Alert which includes HitmanPro. It apparently uses UDP out on several local endpoint ports
    and remote address 127.0.0.1 . Looks like same local and remote ports being used. The UDP 127.0.0.1 contains
    hmpalert.exe (app executable path)

    Firewall rules for apps that need to connect out:

    Protocol: UDP
    Direction: Out
    Local endpoint: Any port
    Application: <app path>
    Remote endpoint: Single address > Host address: 127.0.0.1 (Any port)
    Action: Permit

    Should I be more specific for the local endpoint and remote endpoint instead of using Any port?
    Maybe possibly use on local endpoint the Port/Range and use 1024- ? rather than using
    one specific entry. (e.g. 1034) ? = whatever range number is needed.

    Use specific DNS server addresses for apps on UDP protocol over port 53.

    Protocol:TCP
    Direction: Out
    Local endpoint: Any port, Single port or Port/Range (which one?)
    Application: <app path>
    Remote endpoint: <single host address> Single Port (80) (443)
    Action: Permit

    Note: There will obviously be more (popups) when using specific customize rules.

    Loopback Rule for browser:
    Protocol: TCP and UDP
    Direction: Both directions
    Local endpoint: Any port
    Application: <browser path>
    Remote endpoint: Single address > 127.0.0.1 (Any port)
    Action: Deny & display alert

    Would be placed below other localhost (127.0.0.1) rules.
     
    Last edited: Apr 12, 2015
  10. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    There's been some great input into this thread, especially from noone_particular. I'm very grateful that he's shared his amazing knowledge and given us his time. He also has a good way of explaining things where newbies or the less knowledgeable are more likely to grasp things. I think that's one of the key things to consider when there's something as complex as internet security/privacy to deal with. I'm also grateful to others' input. It all adds up.

    I too would like to see it eventually come together in such a way that is beneficial to all. It will be a huge undertaking because it not only covers many topics but there's differing threat models as well as how much a person wants to, or is able to, utilize the necessary tools at their disposal. It means, to be properly effective, it has to lay concepts for people like me who have had, and still have much to learn. That's easier said than done, when each particular path one takes has it's own unique learning curve.

    @noone_particular .... "with the eventual goal of organizing and compiling it into a comprehensive guide that covers as many aspects of privacy and security as possible."

    I'm all for including hardware in this thread but especially with security and privacy in mind. In light of the fact that this thread covers such a broad area anyway, it's worthy of discussion. There's a hardware section at Wilders but it doesn't necessarily have security / privacy in mind.
     
  11. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    octet.JPG
    Saw this alert after bootup. UDP datagram from (null) (0.0.0.0:68 ) localhost 67
    Local area connection status - limited or no connectivity.
     
    Last edited: Apr 13, 2015
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Could you post the actual settings you have in the zero octet rule? Where is this rule in relation to your DHCP rules?
     
  13. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    The zero octet rule is placed near the top of ruleset. It is above the DHCP rule.

    Zero octet rule:
    Protocol: Any
    Direction: Incoming
    Network/Range: 0.0.0.0-0.255.255.255
    Action: Deny & display alert

    Looks like it needs to be placed below DHCP. Looking at screenshot in post #4 (Kerio learning thread)
     
    Last edited: Apr 13, 2015
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @KeyPer4Life
    I'm not clear on the format you're using in post 359. Except for the last rule, none of them mention an application. Does "Application: <app path>" mean any application?
    This can be a bit difficult to put into user friendly terms and still remain reasonably accurate. I apologize in advance if I don't succeed. Just to make sure that we're using terms in the same way:
    Rules that apply to any or all applications are global rules.
    I'm assuming that this rule applies to any application since you didn't specify one. The host address (the IP of the traffics destination) identifies this as a loopback rule. This rule allows any application or system component to establish loopback connections using the UDP protocol. Was this your intention?
    If this rule is placed below the previous rule, it will only block TCP loopback traffic. It will not be applied to UDP loopback traffic because the rule above it has already permitted that traffic.

    Local port refers to the port on your PC. There's no real need to specify local ports for outbound traffic. Windows will use the first one available above port 1024 (not positive on the exact port number). When a browser makes a standard HTTP connection, it's connecting to port 80 on the server, in the firewall rules, that's the remote port. It will depend on the application whether or not you specify a remote port. With browsers for example, most of the connections will be to ports 80 and 443 but are not limited to these. If you connect to an FTP server, you'll see connections to port 21. A web site or service can use any port that they choose. Except for proxies, Tor, etc, I would not restrict the browsers outbound traffic. For inbound traffic it is necessary to specify the local port. Tor for example, when running on Windows as a relay, needs to receive incoming TCP traffic on ports 443 and 9030 from most any remote IP address. The matching firewall rule would permit inbound only to Tor, limit the traffic to TCP, and only to those 2 ports.

    Regarding DNS, the rules should include the IPs of your DNS servers. If you're using conventional, unencrypted DNS, it will be UDP to remote port 53. The rule needs to allow traffic in both directions. If you're using Tor, VPNs, and/or filtering proxies, the DNS rules will get more complicated. Also refer to the earlier posts regarding the Windows DNS client.
     
  15. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    Lots to digest here. Basically I use 2 DNS servers set in Windows properties and then set each application to those
    DNS servers. Then I set a block rule below that over port 53. I currently only have a few apps that need firewall
    rules and was able to get Pale Moon (sandboxed), HitmanPro.Alert, and Proxomitron with some changes
    in Sandboxie settings to work.
    I don't think Sandboxie on it's own connects (In/out) but uses child processes. The only time
    I'm aware of is when updating and activating the license. Have no firewall rules for Sandboxie. If I run Pale Moon
    unsandboxed then I receive more Kerio popups IIRC relating to localhost (127.0.0.1) I'll see if I can be more
    specific later when I have more time.
     
  16. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    @noone_particular
    If this would be okay with you I would like to tackle one issue at a time and once solved then
    move on to the next one.

    I have set Kerio to 'Stop All Traffic' on bootup. I moved the zero octet block rule below
    the DHCP rule, but same result as before. (alert screenshot posted already in this thread)

    DHCP Rule:
    Protocol: UDP
    Direction: Both directions
    Local endpoint: Single Port 68
    Application: Path of svchost.exe
    Remote endpoint: single address <DHCP server> single port 67
    Action: Permit

    The Generic Host Process rule is however set below the zero octet rule. Do I need to move this
    rule above the zero octet rule?

    Note: When I get a Kerio popup on zero octet rule after bootup (doesn't happen at every reboot)
    I see limited or no connectivity in local area connection status window.
    If I then reboot there is no zero octet popup alert and status shows connected.

    Generic Host Process rule:
    Protocol: UDP
    Direction: Outgoing
    Local endpoint: Single port 68
    Application: Path of svchost.exe
    Remote endpoint: Single address 255.255.255.255 single port 67
    Action: Permit

    Note: Application: <app path> means ( e.g. C:\Program Files\Pale Moon\palemoon.exe)

    Appreciate all the help.
     
    Last edited: Apr 13, 2015
  17. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    http://www.sandboxie.com/index.php?ServicePrograms
    SandboxieBITS.exe will be used by some apps to download in the background. I know Chrome based browsers will eventually engage this file. I didn't encounter this file being called by a Firefox derivative.

    My firewall threw up a request, eventually had to hardcode a rule because the notification never ceases.
     
  18. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    Interesting. I think IE browser uses SandboxieCrypto.exe. The only processes I have running are
    SandboxieRpcSs.exe, SandboxieDcomLaunch.exe, SbieCtrl.exe and SbieSvc.exe. Just to test I just
    put firewall rules for crypto, BITS and WUAU executables. I suspect I may not see any alerts from firewall.
     
  19. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,776
    Have you seen this four-part writeup with rules spelled out
    https://www.wilderssecurity.com/threads/customizing-firewall-rules-system-wide-rules.4413/
    it's worth looking at, IMO. Three sections follow this link.

    Your DHCP is about broadcast. You need more than that. Try these rules, assuming your router's IP is in the custom group, else hardcode DHCP server address of your ISP if that's what you use
    Kerio-DHCP-rules.png
    actually the first rule should be only outbound, and the second only needs UDP inbound when the router issues you IP. Oh, well, old Kerio rules, and I don't think it hurt me on my trusted LAN, and I count on noone_particular to correct.
     
  20. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    My Custom Address Group contains IP address blocklist which is different from the Trusted Address
    Group which I don't use.
    DHCP rules I'm using 2 that both use svchost.exe as the application and DHCP server single address
    for remote endpoint. It may be the order that needs changing.

    Update: noone_particular mentioned using static IP addresses and no DHCP.

    I set the IP address, subnet mask and default gateway in Windows network connections.
    DHCP Client service is set not to run and disabled DHCP rules in firewall .

    Connection status > Address type: Manually Configured
    Able to connect to Internet.
     
    Last edited: Apr 14, 2015
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @KeyPer4Life
    All of my physical PCs use static IPs as do my current virtual systems. None of them need or use DHCP. As soon as I get time, I'll set up a virtual XP that uses it and detail the rules required. It'll be a few days before I can. Right now, I have some sad real life duties that I need to attend to.
     
  22. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    That's okay. Take all the time you need and understand that real life duties are far more important to attend to.
     
  23. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    In Kerio filter rule under Application heading I noticed when you click on the arrow to expand the drop
    down menu there are other entries added to the specific app path I originally selected.
    e.g. C:\Program Files\Kerio\personal firewall\persfw.exe
    C:\Program Files\pale moon\palemoon.exe
    C:\Program Files\system32\svchost.exe
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Those entries aren't part of the rule. It's a list of the internet capable applications and components that Kerio has seen so far. It's a quick way to select one of those applications without having to browse to it. The rule will only apply to the application displayed in the unexpanded drop box.
     
    Last edited: Apr 14, 2015
  25. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,241
    Okay. I wasn't sure since I didn't add those entries. Thanks for the explanation.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.