Config with Router Question

Discussion in 'LnS English Forum' started by Trooper, Apr 5, 2005.

Thread Status:
Not open for further replies.
  1. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Hello,

    I have tried to follow Patrice's excellent advice above for configuring Look n Stop when using a router.

    I have a question however. Do I need to create a rule for each computer on my home network? I have two PCs and one laptop hooked up to my Linksys BEFSX41 router.

    When I go into the log, I repeatedly keep seeing netbios and snmptrap traffic in my log. (I can provide if necessary).

    Now when I initially set up my rules, I included the range of IP addresses used in my home network and a range of 137-139 ports for netbios traffic as well. Why do I keep seeing this traffic come through on the log? Is there something I should do differently?

    Also, what type of rule should I create for the snmptrap traffic that is being posted in my log?

    I am currently running...

    Windows XP Pro w/SP2
    Windows Updates are up to snuff
    Linksys Router BEFSX41

    I also have another question, although I have not seen it in my logs as of yet. Do I need to create any special rules to allow pings via ICMP or UDP from my ISP?

    I should also mention that I am using the trial version of Look N Stop, with Phantom's enhanced ruleset.

    Thanks to all for any/all replies.

    Regards,

    Jag
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Some quick questions & answers below.

    Frederic

    This is strange; are you sure the packets are not matching the rule you created?
    Just create a new rule with a right click on the alert from the log.
    If you didn't see an alert, then you probably don't need to allow these packets.
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Did you also allow for the UDP NetBios broadcasts?

    If you are seeing snmp trap messages being blocked you probably have logging enabled on your BEFSX41. You could disable this on the router or configure it to send the messages to a specific IP running a logging utility.

    Regards,

    CrazyM
     
  4. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    I am bringing this to the top again as I am trying out LNS but still having the same issues.

    I am running a Linksys BEFSX41 router.

    I continue to see netbios and snmp trap info in my logs between my pc and router.

    Could someone please help me create rules so that I do not have to continually hear beeping sounds and see LOTS of activity in my log? :doubt:

    Thanks,

    Jag
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Jag, I don't know if you have tried this yet, for file sharing, I imported the rules from here.

    If your local network is not using IPs like 192.168.x.y, you need to edit the rules to change 192.168 to the sub-network you are using (according to the router configuration). I imported this file into each PC and sharing was instant using a Netgear Router.

    Hope this helps...

    Cheers :D
     
  6. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Well hello there Mr. Blackspear. Nice to see you here on the LNS forum. :D

    I did notice those rules but I wonder if they will work? I have file and printer sharing disabled for my home network.

    The msgs in my logs are between the router and pc (the Netbios ones anyway). I assume that these would still work however since after all it is Netbios o_O

    I still need to get a fix for the snmp trap msgs. I know it is because I have logging enabled in my router and also use Wallwatcher to keep an eye on things.

    Anyways I know I am rambling here but does this make sense to you or anyone else?

    NOTE: I only get these msgs with Phantom's ruleset not the enhanced one.

    Regards,

    Jag
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I'm poking my head in a little trying to learn. At the moment I'm using the Enhanced Ruleset and the "File sharing on a local network" Ruleset, other than that, not a single clue, for whatever reason I can not access Phant0m's website from this network, I'll try it at work.

    Cheers :D
     
  8. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Good luck to you Blackspear and thanks. :D

    I will await some of the firewall gurus to give me a hand with this.

    Regards,

    Jag
     
  9. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Jag

    Can you post a sample from your logs? Seeing what exactly is being blocked will help determine what kind of rule is required.

    Regards,

    CrazyM
     
  10. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Hi Crazy M,

    Thank you for offering to help. Today I was ready to send or post some logs here on the forums, but when I booted up, I realized that my logs in LnS were empty! :eek:

    So I had to sit back and think about what I did yesterday. Then I remembered that I went into my TCP/IP properties, advanced, and into the WINS settings. There I disabled Netbios over TCP/IP. So that explains why my log was empty. :p

    As for the SNMP trap msgs, those only show up "sometimes". Again I think I know why. I have logging enabled on my Linksys because I watch activity in it via Wallwatcher. I also have Wallwatcher set up as an acceptable application in LnS. I think that sometimes however WW starts up so fast, that LnS does not have time to catch up. Most times however it is fine and the rule I have setup for WW is enabled when the program has started up.

    Now, if I shut off WW or WW has started up too quickly upon bootup, then WW is empty. If I shut it down and then start it up again, voilà, I have a flood of msgs in LnS regarding SNMP trap.

    Now the rule that I have setup for LnS with WW can be found HERE.

    I do not know if this is the "best" rule that can be used with WW however so if you have a better one please let me know. Also regarding the disabling of Netbios over TCP/IP I would assume is OK considering this is a home network and not used in a corporate environment. I feel that XP alone is chatty enough as it is without having Netbios on as well. If you feel that there could be some negative effects by doing this, please let me know and I will re-enable Netbios over TCP/IP and provide you with the logs for both Netbios broadcasts and SNMP traps as well.

    I really like the look and feel of LnS so far as it’s pretty easy to setup for the most part and nice and light on resources/memory. I’m only a few days into my trial period and so far so good. I have a feeling that I may not see much activity in my logs (as I have seen none so far outside of what I mentioned already) which I suppose is a good thing. It almost makes me feel as if it is not working, however, I do have the Linksys and I wanted to get a software firewall to prompt me for "outgoing" requests to the internet.

    I am in the IT business myself and I know that security always comes first and foremost for me. However I will say that I am not an expert by any means of firewall setups and all activity that goes on with them, it is just simply not my area of expertise. :doubt:

    I apologize for this long winded post, but I wanted to give you as full of a snapshot as possible of what is going on, and am looking for advice from you (or others) that are more knowledgeable than I on such matters.

    Thanks again for your help, I look forward to any/all replies.

    Best Regards,

    Jag
     
  11. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Well I am now getting some activity in my log, but not what I saw before.

    Click on piccy for full screenshot.

    http://img173.echo.cx/img173/9594/log2by.th.jpg

    Can someone help me create a rule for this? It looks to be chatter between my pc and router that is being blocked.

    Thanks again, sorry for so many posts. :oops:

    Jag

    P.S. This is with using Phantom's ruleset.
     
  12. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    I hate to bump threads but could someone pls help me setup these rules?

    Kind Regards,

    Jag
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    With your Linksys you only need to permit the snmp (UDP 162) from your router's IP, not the syslog (UDP 514) in that rule.

    Depends on the other systems on the LAN and if you are file/printer sharing. If you are, you may want to leave it enabled so systems will show as expected in network neighbourhood. If not, then no problem leaving it disabled.

    Regards,

    CrazyM
     
  15. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Jag

    In regards to the first screen shot and the blocked ICMP. You can safely create rules permitting ICMP on the LAN. Such as permitting destination unreachable (type 3) and pings (type 8 - echo request and type 0 - echo reply). This can be restricted to specific IPs on the LAN or your rules could permit this for the entire subnet.

    Regards,

    CrazyM
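
The two replies above (SNMP trap on UDP 162 from the router only, and ICMP types 0, 3 and 8 limited to the LAN) can be modelled as a first-match rule table. This is an added example, not part of the original thread and not Look 'n' Stop's own rule format; the router address, the /24 subnet and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed addressing (not given in the thread): router at 192.168.1.1 on a /24 LAN.
ROUTER = ipaddress.ip_network("192.168.1.1/32")
LAN = ipaddress.ip_network("192.168.1.0/24")

# Ordered rule table, first match wins; anything unmatched is blocked and logged.
RULES = [
    # SNMP trap from the router only; syslog (UDP 514) is deliberately not listed.
    {"name": "router-snmp-trap", "proto": "udp", "src": ROUTER, "dport": {162}},
    # ICMP on the LAN: 0 echo reply, 3 destination unreachable, 8 echo request.
    {"name": "lan-icmp", "proto": "icmp", "src": LAN, "icmp_type": {0, 3, 8}},
]


def evaluate(pkt):
    """Return the name of the first rule allowing an inbound packet, or None."""
    src = ipaddress.ip_address(pkt["src"])
    for rule in RULES:
        if rule["proto"] != pkt["proto"] or src not in rule["src"]:
            continue
        field = "dport" if rule["proto"] == "udp" else "icmp_type"
        if pkt.get(field) in rule[field]:
            return rule["name"]
    return None


def review(packets):
    """Tally which rule each packet hit; 'blocked' is what would stay in the log."""
    return Counter(evaluate(p) or "blocked" for p in packets)


# Constructed sample traffic, not taken from the poster's log.
SAMPLE = [
    {"proto": "udp", "src": "192.168.1.1", "dport": 162},      # trap from router
    {"proto": "udp", "src": "192.168.1.1", "dport": 514},      # syslog, not permitted
    {"proto": "udp", "src": "192.168.1.50", "dport": 162},     # trap port, wrong source
    {"proto": "icmp", "src": "192.168.1.50", "icmp_type": 8},  # ping from a LAN PC
    {"proto": "icmp", "src": "192.168.1.1", "icmp_type": 3},   # unreachable from router
    {"proto": "icmp", "src": "192.168.1.1", "icmp_type": 5},   # redirect, not permitted
    {"proto": "icmp", "src": "203.0.113.7", "icmp_type": 8},   # ping from outside the LAN
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", evaluate(p) or "blocked")
    print(dict(review(SAMPLE)))
```

Packets that come back as blocked correspond to the alerts that would remain in the firewall log after the rules are in place.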
     
  16. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Crazy M,

    Thanks for the reply man, but I kinda need some screenshots to help me out. :oops:

    Regards,

    Jag
     
  17. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    There is an easy way with just a right click on the alerts in the log.

    Frederic
     
  18. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Frederic,

    Yeah I noticed that, however I want to make sure that the rules I setup are correct, and I would like to gain more of an understanding of rule making in general.

    Any good websites you (or anyone else) could refer me to?

    Thanks and Regards,

    Jag
     
  19. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    To see if the rules are correct, normally just looking at the log is sufficient to see if the alerts are still there or not.

    Rules in Look 'n' Stop are very close to Internet protocols definition.
    So the basic documentation is with RFCs. But these are somehow complex if you are not a bit familiar with protocol and computer science.

    Unfortunately, I don't know good sites to learn step by step about that.

    Frederic
     
  20. rolandpott00

    rolandpott00 Guest

    Is it required to enable Netbios over TCP/IP to use a router with Look N Stop?
    I've also read that specific rules are needed (ports 137-139) for the router and PC to communicate. I've used a router in the past, but without needing to enable Netbios over TCP/IP in TCP/IP properties. Is this so?
     