Creating application rules

Discussion in 'LnS English Forum' started by danieleb, Feb 1, 2007.

Thread Status:
Not open for further replies.
  1. danieleb

    danieleb Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    111
    I'm using Phant0m's rule set v7.6 and just recently I have been trying to learn and understand about making application rules (ports and protocols used and so on) to "harden" my security. Now, I've looked at the sticky "Firewall Questions for beginners" posted by Paranoid2000 in the forum for "Other firewalls". It is my understanding, after comparing the rules suggested there with Phant0m's rules, that I only have to configure remote TCP ports for applications I have installed, such as web browser, e-mail client and program updater. No need to tweak port settings for other processes, e.g. Generic host process and such? It seems straightforward and simple, but please correct me if I'm wrong :)

    Thanks
     
  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi danieleb :)

    With any rule set, such as the LNS Enhanced rule set, Phant0m's one or any other rule set, the majority of rules are "general": they are used for any packet, incoming or outgoing ...

    You may create new specific rules for each internet application, like a rule specific for web browsing, another for email, another for instant messaging and so on...

    But we have to put some limit, otherwise the rule set becomes hard to manage.

    1) there is a limited number of rules
    2) the applications are also controlled by the application filtering
    3) the "art of making fw rules" includes this "rule of thumb":

    Avoid multiplying redundant rules. In other words: Keep It Simple!

    To take the LNS Enhanced rule set as an example, there is a general rule allowing the applications you authorised in the application filter layer:

    TCP : authorise common internet programs
    ("unofficial" translation of this rule from the french version name... ;) )

    This rule authorises any allowed application to use local ports 1024 to 5000 and all remote ports in TCP...

    This works for a vast number of internet applications: browsing, email, IRC and so on...

    You may, for sure, modify this by creating some specific rules which include all the browsers you have installed and authorised, in a rule like this:

    local ports 1024 to 5000
    remote port 80 (Http) or 443 (Https)
    from @IP
    applications: IE7, firefox, opera

    and this rule will give you specific control over these applications and specific entries in the log...

    One problem here: this rule must be completed by another one for the FTP used in some browser downloading, some specific rules for IRC (in Opera), or another rule for the email feature of the Mozilla suite...

    See the problem? If you have, like me and many people, hundreds of applications: 3 browsers, 4 instant messaging, 2 FTP clients, 5 audio-video utilities and so on, your rule set will be somewhat complex but not more secure...


    The only situation where we have to create specific rules is for some applications using a combination of TCP and UDP, UDP only, local ports used as "server" or alike, or for server applications such as P2P programs with client and server features...

    Example of applications requiring specific rules:

    eDonkey's standard local ports for its server feature
    local ports 4661 to 4665 in TCP

    Windows Live Messenger or MSN Messenger
    local port 6901 in TCP and UDP for the "voice" feature

    And almost all VoIP programs use UDP on specific ports like:

    Skype: in UDP, local port 21047

    Gizmo, Wengo: in UDP, [Simple Traversal of UDP through NATs] remote ports 3478-3479 and local ports from 1024 to 64064...

    and, for Gizmo [Real-Time Transport Protocol] remote ports 5004, 5005 and local ports from 1024 to 64064...

    plus port 5060 for SIP [Session Initiation Protocol]...

    and so on...

    Shortly said, IMHO the best is to have:

    a general rule for all applications in TCP
    some specific rules for applications using TCP-UDP
    some specific rules for applications using UDP

    This gives you fewer rules and better control on what happens with your internet connections...

    In the following screen capture of my rules (partial view):

    in A

    The "central" rule used to block incoming connections. The equivalent of Phant0m's rule "+TCP : Block incoming connections"

    in B

    The general rule allowing any application in TCP

    in C

    A limited set of specific rules for applications using TCP and UDP, or UDP, etc.


    With this limited set of specific rules I can run almost any program...

    Hope this helps.

    :)
     


    Last edited: Feb 1, 2007
  3. danieleb

    danieleb Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    111
    Hi Climenole , and thank you for replying :)
    So... maybe not as simple as I thought (head spinning :D )? One thing that seems to make things easier is that I don't really have that many programs that require internet access, I don't use any p2p programs for example. It's just the basic stuff I'm running: Firefox, Thunderbird, NOD32, Sandboxie and some program updaters. So if I understand correctly, with this general TCP rule, which is just like you described it, the best is to just use the application control to specify the remote ports for each of the programs that need to use this protocol? I could specify ports 80;443;21 for Firefox and 110;25 for Thunderbird and that's all I need to do (and then I would not need to create a special FTP rule)? One other thing I don't really understand is programs that seem to "listen" for connections. For example I have to allow FirstDefense ISR to connect to the internet, but I've never understood why it needs a connection and I'm not sure how to "treat" it. Is it somehow listening for connections coming from my computer (so it would seem)? Sorry for not understanding these things, feel a bit stupid :oops:
     
  4. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi danieleb :)


    Okay. :)

    Yes, it's possible to control or limit the remote ports used by a program from the application tab or within a specific rule in the internet filtering tab... The only question is: is it really needed?

    In your example with Thunderbird it's true to say that remote ports 25 and 110 are used for email, but Tb also uses 80 Http and (maybe) 443 Https for the updates, port 80 to display pictures in HTML emails and port 11317 if you're using Enigmail and check the public keys on a HKP server...

    Things get worse with a browser since it also uses the Passive FTP mode, which requires a large range of local and remote ports... (for downloading...)

    N.B. if you limit the number of ports allowed within the application tab you may block the application... beware, and use the double ! to keep track of this in the log.

    I guess the best is to allow all ports in the application tab and limit them with the specific internet rules (in the case we're talking about...)

    What you can do is create your specific rules for browsing, emailing and so on, with rules specific to these applications like this:

    TCP
    from @IP
    local ports 1024 to 5000
    remote port 80 or 443
    application: include your browsers in the list with the applications button of the rule edition

    TCP
    from @IP
    local ports 1024 to 5000
    remote port 25 or 110
    application: include your email client in the list with the applications button of the rule edition

    and put these rules just before the general rule allowing the "common internet programs"...
    (TCP local ports 1024 to 5000, any remote ports, any applications...)

    If these applications require an access not included in the specific rules, then the following general rule will be applied, for example for the Passive FTP feature of your browser...

    See the idea? (In a rule-set firewall, the first rule matching a packet exactly is applied;
    if none does, the following rule is checked, until a rule matches the examined packet...)


    First, don't feel stupid with this... nobody knows everything... right?

    There are 2 kinds of listening programs:

    1- some programs like anti-spam (K9, SpamPal, Spamihilator), anti-virus, etc., are listening on local ports and make a local loop to the application, but they are not accessible from the outside internet...

    There is NO "UN-stealth" local port for this... Nobody from outside may scan your PC and find these ports "open"...

    2- There are some other programs listening (waiting for a connection from outside [in TCP with a SYN flag]).

    Examples of these programs are Instant Messaging or VoIP (Voice over Internet Protocol), which listen on some ports to accept incoming connections to your PC.

    Same with a local web server with Apache + MySQL, or a local FTP server, or with a P2P program...

    Here is an example of this:

    A : applications listening and looping locally (Avast and K9)

    B: applications in the state "established": the connection is made between my PC and a server.
    Here MSN Messenger connected to the MSN sites. In this case the PC is stealth since the connections are relayed by MSN servers.

    This is not the case with Skype, which is a true P2P program, therefore a client AND a server...
    In the case of a "true" server program, the local port on which the program is listening is not stealth:
    it's "visible" to any remote machine scanning your IP address...
    When there are no security flaws in the application, this port is accessible to a remote client using this application. Otherwise it may be used for unauthorised access and exploitation of security flaws...

    C and D : Skype waiting for an outside connection ...

    You may check these connections and their different states with TCPView:
    http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx

    Is it clearer? I hope so.

    :)
     


    Last edited: Feb 1, 2007
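The rule ordering Climenole describes in the two replies above (block incoming on top, the specific browser and e-mail rules next, the general "common internet programs" rule last, first exact match wins) as a small Python model. This is an added example, not part of the thread or of Look 'n' Stop; the rule names other than the two quoted from the posts, the application names and the port numbers of the test packets are assumptions.

```python
from dataclasses import dataclass

ANY = None  # wildcard: the rule does not test this field

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "block"
    direction: object = ANY      # "in" (SYN arriving from outside) or "out"
    local_ports: object = ANY    # range of local ports
    remote_ports: object = ANY   # set of remote ports
    apps: object = ANY           # set of application names; ANY = not examined

@dataclass
class Packet:
    direction: str
    local_port: int
    remote_port: int
    app: str

# Programs authorised in the application-filtering layer (constructed list).
ALLOWED_APPS = {"firefox.exe", "opera.exe", "thunderbird.exe"}

# Order matters: the block-incoming rule sits on top, the specific browser and
# e-mail rules come before the general "common internet programs" rule.
RULESET = [
    Rule("TCP : Block incoming connections", "block", direction="in"),
    Rule("TCP : browsers 80/443", "allow", "out", range(1024, 5001), {80, 443},
         {"firefox.exe", "opera.exe"}),
    Rule("TCP : e-mail 25/110", "allow", "out", range(1024, 5001), {25, 110},
         {"thunderbird.exe"}),
    Rule("TCP : authorise common internet programs", "allow", "out",
         range(1024, 5001), ANY, ALLOWED_APPS),
]

def matches(rule, pkt):
    if rule.direction is not ANY and rule.direction != pkt.direction:
        return False
    if rule.local_ports is not ANY and pkt.local_port not in rule.local_ports:
        return False
    if rule.remote_ports is not ANY and pkt.remote_port not in rule.remote_ports:
        return False
    return rule.apps is ANY or pkt.app in rule.apps

def evaluate(pkt):
    """The first rule that matches exactly decides; if none does, block."""
    for rule in RULESET:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "block", "default deny"
```

A passive-FTP data connection from Firefox to remote port 50000 misses the browser rule and is caught by the general rule, while a program missing from the application filter, or a local port outside 1024-5000, reaches the default deny.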
  5. danieleb

    danieleb Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    111
    Yes, thank you! Now I'm beginning to understand. I will try to experiment a bit and see if it works out :) . If not, I now guess it's not a problem to leave things as they were (so much easier :D )

    Edit: By the way, this TCPView program seems to be very handy. I found out that FirstDefense ISR is listening on remote address [computer name]:0. Does it mean it's indeed listening for connections from my computer?
     
    Last edited: Feb 1, 2007
  6. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi danieleb :)

    FirstDefense ISR? It's a system recovery program I guess...
    Maybe only a case of listening and looping locally.

    :)
     
    Last edited: Feb 1, 2007
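A way to sort TCPView output into the three cases Climenole describes (A: listening and looping locally, B: established, C/D: listening for outside connections): a listener bound to 127.0.0.1 can only be reached by the PC itself, whereas one bound to 0.0.0.0 or a LAN address is what a remote scan would see unless the block-incoming rule stops the SYN. Added example, not from the thread; the socket lines are constructed in TCPView's column layout and the process names and ports are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the column layout TCPView shows (process, local and
# remote address, state); these are not real captures from the thread.
SAMPLE = """\
TCP  avast.exe    127.0.0.1:12025    localhost:0         LISTENING
TCP  k9.exe       127.0.0.1:9999     localhost:0         LISTENING
TCP  msnmsgr.exe  192.168.1.10:3210  207.46.104.20:1863  ESTABLISHED
TCP  skype.exe    0.0.0.0:21047      MYPC:0              LISTENING
UDP  skype.exe    0.0.0.0:21047      *:*
TCP  fdisr.exe    127.0.0.1:1044     MYPC:0              LISTENING
"""

def parse_line(line):
    """Split one TCPView-style line into its fields; UDP rows carry no state."""
    parts = line.split()
    if len(parts) < 4:
        return None
    proto, process, local, remote = parts[:4]
    state = parts[4] if len(parts) > 4 else ""
    bind, _, port = local.rpartition(":")
    return {"proto": proto, "process": process, "bind": bind,
            "port": int(port), "remote": remote, "state": state}

def classify(sock):
    """Map a socket to the cases in the post: A, B, or C/D."""
    if sock["state"] == "ESTABLISHED":
        return "established"            # B: outbound connection already made
    if sock["state"] != "LISTENING" and sock["proto"] != "UDP":
        return "other"                  # SYN_SENT, TIME_WAIT and friends
    addr = ipaddress.ip_address(sock["bind"])
    if addr.is_loopback:
        return "local-loop"             # A: only reachable from this PC
    return "externally-reachable"       # C/D: other machines can reach this port

def summarize(text):
    """Return {process: [classification, ...]} for every socket line in text."""
    result = defaultdict(list)
    for line in text.splitlines():
        sock = parse_line(line)
        if sock:
            result[sock["process"]].append(classify(sock))
    return dict(result)

if __name__ == "__main__":
    for process, kinds in summarize(SAMPLE).items():
        print(f"{process:12s} {', '.join(kinds)}")
```

In the sample, the recovery tool bound to 127.0.0.1 lands in the same "local-loop" bucket as the anti-virus and anti-spam listeners, which is the case the reply above suggests.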
  7. danieleb

    danieleb Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    111
    Yes, Immediate System Recovery

    Thank you for your assistance, it was much appreciated! :)
     