Can Someone Just Beat It Into me Please :)

Discussion in 'other firewalls' started by FireDancer, Jul 31, 2003.

Thread Status:
Not open for further replies.
  1. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hello All,

    Writing today again to :( ask about some things, and hope I don't look
    too dumb in doing so. I have been really struggling with understanding
    what DHCP, DNS, ICMP and IGMP are and how they work and why?

    What orders they should go in and why? For a few days now I have been
    reading from different links and I find they all have one thing in
    common... it's all "Techno Talk". I have read that to make your firewall
    good and secure it is "critical" to make the order of your rules work.


    When I installed my firewall and opened up the rules tab I got scared..
    . but I did notice they came with defaults so I thought to myself, self
    this won't be too hard.. boy was I wrong. I'm one of those guys that if I
    can see it or touch it and watch it work I can understand it.. in my
    neck of the woods we call that (simple) or a "corn fed country **** !
    LOL! well you get the idea anyways.

    I have set or for lack of a better word..(HIJACKED) some rules for my
    firewall and I don't feel by doing this I am learning anything but to steal
    and be ignorant to what I am doing. I have some questions for you so bear
    with me ok?

    Rule number 3 is DHCP UDP both ways Local any/any(68) remote XXX.XXX.XX(67)
    in this DHCP rule XXX.XXX.XX would be my IP address that my router gives off
    correct? And below that I have DHCP broadcast TCP out local any(68) remote
    XXX.XXX.XXX(67) would be the sub net mask correct?
    What's the difference between DHCP and DHCP Broadcast? what does DHCP do?

    Rule 4 I have set for DNS. I made 2 rules 1 each for XXX.XXX.XXX which would
    be my ISP's DNS servers correct? I made these rules because I think that
    I would not always be using one specific address and so I can make 2 rules
    in the case that I don't connect to one I can always connect to the other
    What is DNS's specific job?

    What does ICMP do?

    Now to the really fun part :) ICMP ugh... I have several rules set for this
    Incoming ping 8 Inbound any/any which I think.. means Echo Request i.e. are
    you there? I would think that needs to go Outbound o_O

    next outgoing ping 0, 3, 11 inbound any/any well let's just say I'm lost here
    0= echo reply 3= destination unreachable 11= time limit exceeded. I think
    that it depends on who is knocking on the door as to what answer I am gonna
    give. 0 would be I am here and alive 3 would be I am unreachable and 11
    would be you took too long!!! am I close?

    Next I have outgoing ping 3, 8 now this I don't get 3 destination unreachable
    and 8 echo request... who is unreachable? and who is making the request?

    next I have outgoing reply 0, 8 these are to me, ask and answer
    0= answer.. yes i am here and alive 8 asking if they are there?
    If I am even remotely close then these orders are bad correct?

    Block all other ICMP would be if I get a response other than what I
    have listed i.e. a 10 or a 15 ignore it!!!! o_O?

    Below I am posting a screen shot of my current rules hope some one
    can take a good look at them and tell me if my firewall is working
    properly or if I need changes and if so for what reasons.
    As you can tell I am far from being a GURU... LOL maybe I should
    keep my day job huh? :D. I greatly appreciate Wilders Security
    for helping me and all the patience by Wilders put into a
    Knuckle Head like me!!!! :)

    Best Regards,
    Desperately Wanting To Learn
    FireDancer
     

  2. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Re:Can Someone Just Beat Into me Please :)

    You're trying to take advice you don't understand from multiple sources, and use all of them. That is the problem since it's making you confused because you don't understand the material. You have been given many links, and examples. Not everyone does it the same way, when you understand rule based firewalls you develop your own way of working with it since the configurations can be highly complex.

    To alter the rules you have right there, here's my suggestions:

    DHCP Broadcast - Change the remote to 255.255.255.255 which is the correct address.

    DNS - If those are your DNS servers that should be fine, but also note you can use your custom address group. You can stick all your DNS servers in there so you only need one DNS rule.

    ICMP - I will do inline rules

    [_] In ICMP 8 (Allow Remote Ping/Trace) - Enable this when you want to, and you can even make one of these rules with a certain remote address so only that site will be allowed to ping you. You can also see this link which was previously posted for your viewing. Example ICMP Configuration Note this suggestion doesn't 100% match the link, but for a basic configuration you will be fine.

    [X] In ICMP 0, 3, 11
    [X] Out ICMP 0,3,8
    [X] Block all ICMP

    With your system ports blocking rule, you can delete the first netbios rule you have, and move the second one below your block all ports rule. I don't recommend that you have your block all ports rule on alert, and you should rename it to 'Block lower ports' as it's not a true block all rule.

    The order of the rules only is important for function, however many people like me keep them organized into groups while also considering their order so they work properly. If you want something allowed, make sure there is no rule above it that would block it first, and if you want something blocked, make sure there is no rule that would allow it first.

    As far as how protocols work, that's getting into more advanced 'techno babble', but if you want to learn more about them just go on google. I don't have any 'how they work' links, all of my links are technical with all of their protocols, types, codes, etc... without explaining what they are.
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Re:Can Someone Just Beat Into me Please :)

    Hi FireDancer

    Better to ask, learn and get it right than leave yourself wide open :).

    Generally speaking you will want to keep what I refer to as System Rules, at the top of your rule set. These will include what you have mentioned: ICMP, DNS, Bootp/DHCP and Loopback. The reason for this is that they are required for your system to function properly.

    While some may have a different order, my rule of thumb is:
    ICMP
    DNS
    Bootp/DHCP
    Loopback

    Your Bootp/DHCP rules allow you to obtain and renew your IP address from a DHCP server. The IP address of your DHCP server will be available when you run ipconfig /all.

    This rule should be UDP and the broadcast address is 255.255.255.255

    The first rule being restricted to your DHCP server(s) is just to limit/tighten up the rule set. Most default Bootp/DHCP rules allow in/out to any address. When obtaining/renewing your IP your system will use a broadcast to do this.

    Your DNS rules look fine and it is a good idea to restrict those to your ISP's DNS servers. If you have multiple DNS servers (my ISP has 4), you could use BlitzenZeus' suggestion and add them to the custom address group allowing for one rule.

    One basic function of DNS servers is to look up and convert www.wilderssecurity.com (which you type into your browser) and convert it to an actual IP address (66.227.68.99) that the internet uses.

    Basically for network (Internet) error messages and troubleshooting.

    Most users will only need to allow a few ICMP types.

    Allow ICMP, Inbound, type 0 (echo reply), type 3 (destination unreachable), type 11 (time exceeded)

    Allow ICMP, Outbound, type 3 (destination unreachable), type 8 (echo request)

    This will allow you to ping and traceroute other systems (types 0, 8, 11) and the type 3 helps with high speed connections and allowing troublesome connections to time out properly.

    The following will cover what I would consider the most basic requirements.

    ICMP Rules

    Allow ICMP, Inbound, type 0, 3, 11
    Allow ICMP, Outbound, type 3, 8
    Block ICMP, direction Both, Any, Log.

    DNS Rules

    Allow UDP, direction Both, remote service/port 53, remote address "your ISP DNS server"

    Bootp/DHCP Rules

    Allow UDP, direction Both, local service/port 68, local address Any, remote service/port 67, remote address "Your DHCP server"

    Allow UDP, Outbound, local service/port 68, local address Any, remote service/port 67, remote address 255.255.255.255

    LoopBack Rules

    Allow TCP/UDP, direction both, local service/port Any, local address 127.0.0.1, remote service/port Any, remote address 127.0.0.1

    Regards,

    CrazyM

    Edit: first Bootp/DHCP rule direction to Both
     
  4. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hi CrazyM and BlitzenZeus

    I have studied your most recent post to me and I am now understanding a little bit more about the specific "Rules" and how they work. I want to thank you both for giving me the answers I needed. I have made a few changes to my rules per your instructions/advice/teaching and came up with what I belive to be a basic, but secure set up for my needs.

    I want to ask a question here and see if I am correct in my thinking.
    As far as DHCP goes.. could you per se stack the rules for UDP both ways in and out? So to set a single rule. As CrazyM explained to me in his post the DHCP rule would need an inbound and an outbound to obtain and renew your IP address so I am assuming that the outbound UDP is in effect keeping me in contact with my ISP. And the inbound UDP is keeping my ISP in contact with me. This is what keeps me "ALWAYS" connected via cable modem correct? this being a constant loop for only me and my ISP.

    Could I stack the rule for UDP both ways to handle the traffic ways in one rule? Or does this defeat the local and remote endpoints, IP and sub net mask?

    Example: DHCP UDP both ways local any 68 remote XXX.XXX.XXX/XXX.XXX.XXX 67 (would this example work?) (IP add) (sub net)

    DNS resolves my request to a particular site www.blah.blah and converts it to 111.111.111.0 thru the particular servers I use AND only those servers not just any. Correct?

    BlitzenZeus, with making a DNS rule for all servers, I opened the rule up and in remote address
    it gives me the Custom Address to click on but nowhere do I see where to enter the addresses
    does this function automatically detect your addresses or o_O am I doing something wrong?

    ICMP is the request and response of who I am pinging, or is pinging me
    and what I have set in my rules will dictate this as to how it is asked and answered correct?

    Loop Back enables me to stay connected to whatever site I am visiting. Sending data packets back and forth from a site to me and keeping the connection. UDP/TCP Am I correct?

    In as much as rules... Thanks to Blitzen' I now have something stuck in my head.. and it was exactly what I was looking for in layman's terms.

    Quote: The order of the rules only is important for function, however many people like me keep them organized into groups while also considering their order so they work properly. If you want something allowed, make sure there is no rule above it that would block it first, and if you want something blocked, make sure there is no rule that would allow it first.

    this above statement cleared a lot up for me as for some reason in recent posts from others (wink Blitzen!) I was not getting it.

    CrazyM thanks for the help with order of basic rules it gives me a starting point. If I am understanding correctly it is not the order
    (by classification)... meaning if you start with DHCP settings or DNS settings or ICMP settings as long as the rules all filter from the top to the bottom of the list. Running the defaults would give you basic protection, but in essence would not be very tight if you did not make tweaks to the local/remote end points or ports

    And as Blitzen so eloquently put it keeping your settings in order such as DHCP at top next DNS settings and so on down the list makes for easier and neater controlling of rules.

    I have decided to go with set up in this order for rules
    and feel comfortable with all settings at this time included is a screen shot of current rules
    I would appreciate any responses... Again HUGE Thanks to CrazyM and BlitzenZeus!!!


    Sorry 'bout the long post I just wanted to get all I could in so that I won't have to bother you
    both so much... but as for picking your brains :) I am not sure I am ready to give that up!!!! LOL

    DHCP
    DNS
    ICMP
    Block all other ICMP
    Block all other IGMP (there's a whole new set of questions!!! LOL)
    LoopBack
    Block all lower ports 1-1023 (period) as Blitzen said it was not a real rule set to Block ALL Ports!
    NetBios
    Applications/Software Updates

    Best Regards,
    FireDancer
     


  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi FireDancer

    You could have one rule, UDP, direction both, local port 68, remote port 67, but the addresses would have to be left to any.

    On reviewing my earlier post and seeing your rules as they are now, just change your first DHCP rule to direction Both. This allows connections both ways with the trusted DHCP server. You will still require your broadcast rule which is fine. This separate outbound is still required because this outbound request (broadcast) will not be allowed by the first rule.

    Correct.

    In the advanced admin there should be tab/location for custom addresses. There you can add trusted IP's, such as DNS servers, and then use the option of Custom Addresses in your rule(s).

    I would change the wording for your first few ICMP rules for clarification.
    Inbound ICMP type 8 (disabled)
    Inbound ICMP type 0, 3, 11
    Outbound ICMP type 0, 3, 8
    With your block other ICMP rule, these ICMP rules will allow you to ping and traceroute other systems. Remote systems will not be able to ping you. If you enable your first rule, Inbound ICMP type 8, then remote systems will be able to ping you. (Note you will have to add Outbound type 0 to your Outbound rule)

    The Loopback rule allows your system and applications to talk to themselves, so to speak. These communications are restricted to 127.0.0.1 or localhost, which is your own system. They do not leave your system. If you look in the connections window, you will see Kerio utilizes loopback to communicate with itself. IE also uses UDP loopback to function properly as another example you will see in the connections window.

    Regards,

    CrazyM
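    The three points made in CrazyM's rule set above (post 3) and in this reply are easy to misread from a screenshot: rules are matched from the top down and the first match decides; an inbound type 8 rule is useless unless type 0 is also allowed outbound; and a DHCP rule restricted to the server's address cannot cover the outbound broadcast. The following Python model, written for this page as an added example (it is not Kerio's engine and not code from anyone in the thread), evaluates constructed packets against those rules. All addresses, the rule names and the helper functions are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp", "udp" or "tcp"
    direction: str                  # "in" (arriving) or "out" (leaving)
    local_addr: str
    remote_addr: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "block"
    proto: str                      # "icmp", "udp", "tcp", "tcp/udp" or ANY
    direction: str                  # "in", "out" or "both"
    local_addr: str = ANY
    remote_addrs: Tuple[str, ...] = ()   # empty tuple = any remote address (the "custom address group")
    local_port: Optional[int] = None     # None = any port
    remote_port: Optional[int] = None
    icmp_types: Tuple[int, ...] = ()     # empty tuple = any ICMP type
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        return (
            self.enabled
            and (self.proto == ANY or p.proto in self.proto.split("/"))
            and self.direction in ("both", p.direction)
            and (self.local_addr == ANY or self.local_addr == p.local_addr)
            and (not self.remote_addrs or p.remote_addr in self.remote_addrs)
            and (self.local_port is None or self.local_port == p.local_port)
            and (self.remote_port is None or self.remote_port == p.remote_port)
            and (not self.icmp_types or p.icmp_type in self.icmp_types)
        )


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Walk the list top to bottom; the first matching rule decides. Unmatched traffic is blocked."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "block", "no rule matched (default block)"


# Constructed placeholder addresses (documentation ranges); use your own from ipconfig /all.
ME = "192.0.2.50"
DHCP_SERVER = "192.0.2.1"
ISP_DNS = ("198.51.100.10", "198.51.100.11")
BROADCAST = "255.255.255.255"
LOOPBACK = "127.0.0.1"


def basic_rules(allow_remote_ping: bool = False, out_echo_reply: bool = False) -> List[Rule]:
    """The basic system rules from post 3, plus the optional inbound type 8 rule from post 5."""
    out_types = (0, 3, 8) if out_echo_reply else (3, 8)
    return [
        Rule("In ICMP 8 (allow remote ping)", "allow", "icmp", "in", icmp_types=(8,), enabled=allow_remote_ping),
        Rule("In ICMP 0,3,11", "allow", "icmp", "in", icmp_types=(0, 3, 11)),
        Rule("Out ICMP " + ",".join(map(str, out_types)), "allow", "icmp", "out", icmp_types=out_types),
        Rule("Block all other ICMP", "block", "icmp", "both"),
        Rule("DNS to ISP servers", "allow", "udp", "both", remote_addrs=ISP_DNS, remote_port=53),
        Rule("DHCP with trusted server", "allow", "udp", "both", remote_addrs=(DHCP_SERVER,), local_port=68, remote_port=67),
        Rule("DHCP broadcast", "allow", "udp", "out", remote_addrs=(BROADCAST,), local_port=68, remote_port=67),
        Rule("Loopback", "allow", "tcp/udp", "both", local_addr=LOOPBACK, remote_addrs=(LOOPBACK,)),
    ]


def remote_ping_works(rules: List[Rule], remote: str) -> bool:
    """Someone pinging me needs the echo request (8) in AND my echo reply (0) out."""
    request, _ = evaluate(rules, Packet("icmp", "in", ME, remote, icmp_type=8))
    reply, _ = evaluate(rules, Packet("icmp", "out", ME, remote, icmp_type=0))
    return request == "allow" and reply == "allow"


def my_ping_works(rules: List[Rule], remote: str) -> bool:
    """Me pinging someone needs my echo request (8) out AND their echo reply (0) in."""
    request, _ = evaluate(rules, Packet("icmp", "out", ME, remote, icmp_type=8))
    reply, _ = evaluate(rules, Packet("icmp", "in", ME, remote, icmp_type=0))
    return request == "allow" and reply == "allow"


if __name__ == "__main__":
    rules = basic_rules()
    remote = "203.0.113.7"  # constructed remote host
    print("I ping them:", my_ping_works(rules, remote))                                      # True
    print("they ping me:", remote_ping_works(rules, remote))                                 # False
    print("in 8 enabled, out 0 forgotten:", remote_ping_works(basic_rules(True), remote))    # False
    print("in 8 enabled, out 0 added:", remote_ping_works(basic_rules(True, True), remote))  # True
    print("DHCP broadcast:", evaluate(rules, Packet("udp", "out", "0.0.0.0", BROADCAST, 68, 67)))
    print("DNS to a non-ISP server:", evaluate(rules, Packet("udp", "out", ME, "203.0.113.53", 1025, 53)))
    # BlitzenZeus's ordering point: the block rule moved above the ICMP allows wins first.
    misordered = [rules[3]] + rules[:3] + rules[4:]
    print("block above allows:", my_ping_works(misordered, remote))                          # False
```

    Two details are worth noting when you map this back to Kerio. Dropping the separate "DHCP broadcast" rule leaves the renewal broadcast to 255.255.255.255 unmatched, so it falls through to the default block exactly as CrazyM says; and the single "direction both, addresses any" DHCP rule from this reply is modelled by leaving `remote_addrs` empty, which is why it can match the broadcast but also accepts any remote host.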
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi FireDancer

    Just to keep life interesting, I notice in your sig that your behind a router. You could always configure your system with a static IP and do away with your DHCP rules.

    Regards,

    CrazyM
     
  7. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    CrazyM,

    Hi there thanks for all the help and would static be beneficial? I went to the advance admin and highlight rule I want to edit DNS and when I click on remote port
    options I see Custom Addresses but can not change it or type there. There is also an ability to select network/Range and that's how I have it now when you click those you get 2 boxes First Add: Last Add: so I entered one in one box and the other in the other :) rofl

    Hey! you think I'm getting a handle on this stuff? :)

    As far as ICMP are you saying I need to add another rule or was that optional?

    Very Best Regards,
    FireDancer
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    It can be depending on what advanced features of your router you may use. It can also be helpful when defining firewall rules for LAN systems. If these are not a concern, don't worry.

    Using the range is fine if your DNS server IP's are sequential. If not, you are better off to have individual rules or add them to the custom address list and then use that option in the rule. (Have you added your DNS servers to the custom address list?)

    :)

    Just add type 0 to your Outbound ICMP rule.

    Regards,

    CrazyM
     
  9. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    CrazyM,

    LAN features hmmm lets see I have a second puter sharing the access but no shared file/printer
    to be honest I think that 2 or more sharing is considered LAN.

    As far as DNS rule I guess I can make 2 rules as I can not find where to add the address to once I click on the option custom address (nothing opens up for me to type in)

    Static.... hmmm CrazyM are you trying to make me Crazy!!LOL I am just getting this down rofl :D but if it is more beneficial then I want to learn.. well I just want to learn period!

    My firewall protects just my puter right? If so I need to put something simple on my kids as only God knows what my oldest daughter lets happen :(

    Regards,
    FireDancer :cool:
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You first have to add your DNS server IP's to the custom address group. You will find this under administration > firewall > advanced > miscellaneous

    Once entered there, you only need to select custom addresses in your rule.

    Regards,

    CrazyM
     


  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi FireDancer

    After all this hard work, be sure to save off your rule set. You can do this under administration > miscellaneous > firewall configuration files.

    Once saved (by default to the Kerio directory), copy it elsewhere for safe keeping. If you ever have to reinstall you can then just load that .conf file without having to redo your rules. This file is also portable between systems.

    Yes just your system. You could install Kerio on the other system, load your saved .conf file as a good start for a rule set for that system. If it ends up being quite different, save it once it is done with a different name.

    Regards,

    CrazyM
     
  12. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    If you should decide to enable file/printer sharing, be sure to password protect it. In Kerio you can go to the Microsoft Networking tab and enter a trusted address group = your LAN. This will allow basic sharing without having to make specific rules for it.

    Regards,

    CrazyM
     


  13. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hi CrazyM,

    I got the custom address' in and working :)
    Do I need to have (enable DNS resolve) check marked?

    As far as the other system in the house I just installed AVG 6.0 and free ZA as they are both easy for my daughter to use and give some decent protection.

    ZA I set it for her applications and will check it frequently to make sure there are no problems

    BTW I sent you an e-mail hope you get a chance to look at it and give me some input. I want to thank you very very much for all the hard work you have put in today I feel it really paid off. :D :D


    Very Best Regards,
    FireDancer
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    That is good, and helps keep down the number of rules.

    No, you can leave that disabled. That is for resolving addresses in the logs.

    Sounds good.

    Glad we could be of help and check your mail :)

    Regards,

    CrazyM
     