Configuring Look'n'Stop with Routers

Discussion in 'LnS English Forum' started by Patrice, May 20, 2003.

Thread Status:
Not open for further replies.
  1. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hello everyone!

    I'm writing this thread for those of you who are using Look'n'Stop with a router. It's not that easy to configure Look'n'Stop correctly if you are behind a router, and that's why I would like to share the knowledge I gained during the configuration tests I made.

    I have a Linksys BEFSR41 router; on my systems Windows XP Pro Service Pack 1 is installed.

    If you run Look'n'Stop for the first time after having put a router in front of you, you will realize very soon that the firewall is blocking some packets (I'm using the EnhancedRules Set). There are two/three different types of packets being intercepted. I would like to talk about these ones in depth:

    First of all, you will see in the Log section that a so-called IGMP packet is intercepted around every two minutes. An IGMP packet is used by IP hosts to register their dynamic multicast group membership. It is also used by connected routers to discover these group members. As you certainly understand now, the router is sending a query to ask who is inside its network. For those among you who are more interested in the technical details, those packets are called IGMP version 1. Here you find additional information about these packets (just for those who really are interested!): ;)

    http://www.networksorcery.com/enp/protocol/igmp.htm

    Now it's time to write a rule for those packets. These packets aren't bad, and therefore you should allow them to come through. I suggest that you use the information which is provided by the log of Look'n'Stop. In my example I have the following information:

    Packet: IGMP
    Source: 00:04:5a:f2:0f:74 (which is the MAC address of my router)
    Destination: 01:00:5e:00:00:01 (which is the "all-hosts" group)


    For those of you who are more interested in the technical details, 01:00:5e:XX:XX:XX is the multicast address:

    Multicast IP addresses are Class D IP addresses, from 224.0.0.0 to 239.255.255.255. They are also referred to as Group Destination Addresses (GDA). For each GDA, there is an associated MAC address. This GDA MAC address is formed by 01:00:5E:XX:XX:XX, i.e. 01:00:5E followed by the last 23 bits of the GDA multicast IP address in hex.

    For Example :

    GDA 224.10.10.10 corresponds to MAC address 01:00:5E:0A:0A:0A
    GDA 239.255.255.255 corresponds to MAC address 01:00:5E:FF:FF:FF

    O.K., let's go back to the rule we wanna write. Now go to the Internet filtering page and create a new rule. There you do it like this:

    Name: IGMP packets
    Direction: Internet >> PC
    Ethernet type: IP
    Protocol: IGMP
    Frag. Offset: Is equal to 0
    Source: Is equal to 00:04:5a:f2:0f:74 (enter the MAC address of your router!)
    Destination: Is equal to 01:00:5e:00:00:01 (enter the address which is provided in your log!)
    (IP address: Is equal to 224.0.0.1 ->not absolutely necessary, you need to understand how Multicast IP addresses are built to have the right address!)


    Have a look at the first attachment (IGMP Rule) I made; there you see all the above mentioned. ;) Don't forget to uncheck the stop sign, so that the rule is allowed!

    Well, this was the first issue. Now let's go further. You will realize that when you restart your computer, Look'n'Stop is still intercepting some strange packets. Both have the destination address FF:FF:FF:FF:FF:FF. What the heck is that? The answer is quite simple: your computer tries to get an answer from the network (router) and is looking for it. The above mentioned address is a so-called broadcasting signal. Normally you will have two different packets: ETH and UDP packets.

    First let's talk about the UDP rule we have to write. It is a signal which starts from your computer; that means that you have to write a rule PC >> Internet. In the IP section you choose the UDP packet. The Fragmentation Offset is equal to 0. The source is, as I already mentioned, your computer, so put in your MAC address. You can also specify your IP address (in my case it's 192.168.1.11). Now specify also the TCP/UDP port: in this special case it's port 138 netbios-dgm, which you allow. In the destination window you choose the address FF:FF:FF:FF:FF:FF, the so-called broadcasting address. Here too you can enter the IP address; normally it's 192.168.1.255, but look closer at your Look'n'Stop log file to be sure about this address. Again choose port 138 and allow it. Have a closer look at the UDP Rule screenshot. ;)

    The ETH rule is a little bit different. Unfortunately you cannot specify this special packet more closely, so you have to write a more "general" rule. The direction is again PC >> Internet. I just entered the source and the destination fields. I know that you can make some other settings for the Ethernet and the IP fields to tighten this rule (security), but I didn't try it out. This rule is already good enough and secures your network well enough. Don't forget that these ETH packets are just sent inside your network, and I don't think that someone inside it would attack you... Look at the ETH Rule screenshot to be sure. ;)

    The source is again your MAC address, the destination the address FF:FF:FF:FF:FF:FF.

    But don't forget, perhaps your configuration has to be a little bit different, because you use another router and/or another system. Just check the log section in your Look'n'Stop software. There you will see these different packets with all the needed addresses for your configuration.

    If you have done all this, uncheck the Stop signs in front of the rules and place them in front of all other rules, so that you don't encounter any problems. If you are more familiar with placing the rules, place them where you think they are right. ;)

    If you have further questions or suggestions, let me know. I'm here to help you! ;)
    Hope that helps some of you!

    Best regards!

    Patrice
     

    Attached Files:
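The 23-bit GDA-to-MAC mapping described in the post above, worked through as an added example (not code from the original thread): it derives the multicast MAC for a group address, lists the 32 group addresses that share one MAC (which is why filling in the rule's IP field narrows what the MAC alone cannot), and checks that a rule's destination MAC and IP agree. The mapping keeps only 23 bits, so the high bit of the second octet never reaches the MAC.

```python
import ipaddress
from typing import List

MCAST_OUI = 0x01005E          # IEEE multicast prefix 01:00:5e
LOW23 = 0x7FFFFF              # mask for the 23 address bits copied into the MAC

def multicast_mac(ip: str) -> str:
    """Return the MAC a class D IP maps to: 01:00:5e + low 23 bits of the IP."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a multicast (class D) address")
    low = int(addr) & LOW23
    return "01:00:5e:%02x:%02x:%02x" % (low >> 16, (low >> 8) & 0xFF, low & 0xFF)

def groups_sharing_mac(ip: str) -> List[str]:
    """All 32 multicast IPs that map to the same MAC as `ip`.

    Class D addresses start with bits 1110; the next 5 bits (bits 23..27)
    are not carried in the MAC, so 2**5 group addresses collide on one MAC."""
    low = int(ipaddress.IPv4Address(ip)) & LOW23
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low)) for k in range(32)]

def rule_is_consistent(dst_mac: str, dst_ip: str) -> bool:
    """True when the IP entered in a Look'n'Stop rule really belongs to its MAC.

    A mismatch means the rule can never match a packet (both fields are ANDed)."""
    return multicast_mac(dst_ip) == dst_mac.lower()

if __name__ == "__main__":
    # The all-hosts group from the post's log entry
    print(multicast_mac("224.0.0.1"))                   # 01:00:5e:00:00:01
    print(len(groups_sharing_mac("224.0.0.1")), "groups share that MAC")
    print(rule_is_consistent("01:00:5E:00:00:01", "224.0.0.1"))
```

The collision list shows why the post calls the IP field optional but useful: the MAC 01:00:5e:00:00:01 alone also admits 225.0.0.1, 226.0.0.1 and so on.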

  2. Patrice

    Screenshot UDP Rule:

    Note: This rule is very restrictive! If you encounter any problems, try to change it so that you allow more ports for NetBIOS. On both sides (Source, Destination) change the TCP/UDP port:

    in Range A:B
    137 netbios-ns
    139 netbios-ssn

    This should solve the problem. Like that, NetBIOS can communicate without any restrictions. ;)
     

    Attached Files:

  3. Patrice

    Screenshot ETH Rule:
     

    Attached Files:

  4. Patrice

    If you are using a log viewer (WallWatcher, LinkLogger, ...) for your router and the logging function is enabled, you might realize that another packet is blocked. Look'n'Stop should pick up that your log viewer is listening for logging traffic from your router (on either UDP port 162 or UDP port 514, depending on what router/firewall you are using). The router tries to send you the log via port 162 or port 514. That's why you have to write a rule with the direction Internet >> PC. For this special rule you need the MAC address of your router and of the PC where the log is being sent (as set in the router's settings). Besides, you need the IP address of both as well. Now you can write a rule which looks like the following:

    Note: change the MAC and IP addresses according to your network settings
    00:04:5a:f2:0f:74 replace this with your router's MAC address
    00:e0:7d:ba:26:94 replace this with the MAC address of your computer, where the log is being sent
    192.168.1.1 replace this with your router's IP address -> check the router's settings
    192.168.1.10 replace this with the IP address of your computer, where the log is being sent
     

    Attached Files:
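The rule fields the thread walks through (direction, protocol, source/destination MAC and IP, TCP/UDP port range on both sides) modelled as a small first-match filter, as an added example that is not Look'n'Stop's own code. It replays the thread's three allow rules (IGMP, the restrictive NetBIOS port 138 rule from post 2, and the router-log rule from post 4) against constructed packets; the addresses are the placeholder values quoted in the thread, and the "other host" packet and the wider 137:139 range rule are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:              # one intercepted packet as the Look'n'Stop log shows it
    direction: str         # "Internet>>PC" or "PC>>Internet"
    proto: str             # "IGMP", "UDP" or "ETH"
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass
class Rule:                # an allow rule; fields left None are not checked
    name: str
    direction: str
    proto: str
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_ports: Optional[Tuple[int, int]] = None   # inclusive "Range A:B"
    dst_ports: Optional[Tuple[int, int]] = None

    def matches(self, p: Packet) -> bool:
        # MAC comparison is case-insensitive; every specified field must agree
        if (self.direction, self.proto, self.src_mac.lower(), self.dst_mac.lower()) != \
                (p.direction, p.proto, p.src_mac.lower(), p.dst_mac.lower()):
            return False
        for want, have in ((self.src_ip, p.src_ip), (self.dst_ip, p.dst_ip)):
            if want is not None and want != have:
                return False
        for rng, port in ((self.src_ports, p.src_port), (self.dst_ports, p.dst_port)):
            if rng is not None and (port is None or not rng[0] <= port <= rng[1]):
                return False
        return True

def decide(rules, packet: Packet) -> str:
    """First matching rule allows the packet; anything unmatched is logged and blocked."""
    for r in rules:
        if r.matches(packet):
            return "allow:" + r.name
    return "block"

# Placeholder addresses as quoted in the thread (replace with the ones from your own log)
ROUTER_MAC, PC_MAC, BCAST_MAC = "00:04:5a:f2:0f:74", "00:e0:7d:ba:26:94", "ff:ff:ff:ff:ff:ff"
RULES = [
    Rule("IGMP", "Internet>>PC", "IGMP", ROUTER_MAC, "01:00:5e:00:00:01", dst_ip="224.0.0.1"),
    Rule("NetBIOS dgm", "PC>>Internet", "UDP", PC_MAC, BCAST_MAC, "192.168.1.10",
         "192.168.1.255", (138, 138), (138, 138)),
    Rule("Router log", "Internet>>PC", "UDP", ROUTER_MAC, PC_MAC, "192.168.1.1",
         "192.168.1.10", dst_ports=(514, 514)),
]
```

Because the rules are tied to the router's MAC and IP, a syslog-style packet to port 514 from any other host on the LAN falls through to the default block, which is the behaviour the thread's Internet >> PC rule is meant to preserve.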
