Experimental rule set for -NiCeGuY-

Discussion in 'LnS English Forum' started by Climenole, May 10, 2007.

Thread Status:
Not open for further replies.
  1. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    You ask me a copy of my experimental rules set. I'm glad to see you so deeply interested in learning LNS in general and my "experimental rules".

    Here some preliminary explanations about the rules set and some codes used in rules names and rules descriptions.

    One of the most frequent question about rules set firewall is: "Where I put that rule in the list?" I'll try to find a solution by adding to each rule name a code giving the relative position of the rule in the list.

    The general syntax for the rule name will be easy to understand with this example of a rule for basic web browsing :

    Name of the rule:

    {R. 80,01}; [TCP] { HTTP }

    Description of the rule:

    [S/optional: else {S..0000000} or G]
    [Hyper Text Transfer Protocol]
    Firefox, Opera, IE


    The "{R. 80,01}" means: a rule in the rules subset R , remote port 80, one remote port only.

    The "; [TCP] { HTTP } " means : a rule using TCP protocol (The "Transport layer of the TCP-IP protocols) and using the port related to the HTTP ( the "Application level layer" of the tcp-IP protocols).

    The description: "[S/optional: else {S..0000000} or G]" means : this is a specific rule (one program must be included at least in this rule othewise the more general rule {S..0000000} will be used instead.

    The "or G" means: you may leave it as a general rule anyway... :eek:
    [This will be more clear later...]

    There is an other coded indication in the rule name:

    {{ rule name }} means: packets authorised in and out for general rule
    { rule name } means : packets authorised in and out for specific rule
    {{ rule name } means : packets authorised incoming only
    { rule name }} means: packets authorised outgoing only

    << rule name ! >> means: packets blocked in and out
    << rule name ! > means packets blocked incoming only
    < rule name ! >>`means : packets blocked outgoing only


    In the rule description there is also some codes:

    G = general rule or for any program

    S = specific rule: at least one program must be listed in that rule
    (this is mandatory for server rules and Udp rules ...)[Exception: the DNS rule...]

    S/C means Specific rule and must be configured: most of the time the port used in the rule must be configured also in the program like utorrent for example. Etc. [corrected may 10 20:00 h !!!]

    u+e = if needed, this rule must be unblocked (remove the red dot) and enable ( check the first column...)

    experimental = self obvious. This rule was not fully tested and may require some fixes...

    recommended: not a mandatory rule but it's better to have it.

    mandatory: you must have this rule!

    optionnal: mostly for TCP applications. Normally TCP application used the general rule "{S..0000000}; [TCP] {{ Common Internet Applications }}" and you don't need more. Used these rules if you want it.

    testing: some rules are created for testing or learning. This is for "Geek" fun !!! Mostly about the TCP flags used in connections. See rules
    {S. 0}; [TCP] {{ ACK }} to {S. 7}; [TCP] {{ RST }}.

    Needed: rule for a server or for Udp protocol. The rule must be specific!!!



    :)
     
    Last edited: May 10, 2007
  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    Here an overview of the rules and rules "subsets" :

    The rules subsets A concerned all rules used in local not between your PC and internet. Most of them are simply the same rules founded in the official LNS FAQ.

    One rule for ARP, some rules for PC authorisation with a Raw rule (one rule per PC), rules for IGMP and routers, connection sharing rules, NetBios rules Udp and Tcp, Dhcp, file sharing and Virtual Private Network...

    None of these rules was fully tested here and may required some works from you if you needs it.
     

    Attached Files:

    Last edited: May 11, 2007
  3. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    Here the subset B: IP addresses non-routables over internet.
    They are illegal (IP ending with 0 or 255) or reserved for local used only, etc.

    All incoming packets for any type, protocol and so on are blocked!
     

    Attached Files:

    Last edited: May 10, 2007
  4. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    Here the C subset: Icmp rules...
     

    Attached Files:

  5. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    Here the E subset ( no D or F ): TCP and UDP abnormal packets.
     

    Attached Files:

    Last edited: May 10, 2007
  6. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    Here the G and H subsets:
    G for the DNS rule and H for abnornal / illegal TCP packets.
    The last one for ACK RST may be removed... (This was for testing only: some side effects ...)
     

    Attached Files:

    Last edited: May 10, 2007
  7. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    Here the P subset: some server rules for FTP server, FTPS server (two not fully tested) and other server rules for Ident, P2P and Skype fully tested.
     

    Attached Files:

    Last edited: May 10, 2007
  8. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    Here the mandatory rule to block all incoming TCP packets with the flag SYN: The Q subset.

    All server rules must be placed before this rule, all client rules must be placed after this rule.

    This mandatory rule block all attempts of connection to your PC by worms like sasser, blaster and so on...
     

    Attached Files:

    Last edited: May 10, 2007
  9. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    The R subset:
    Here a set of specific and optionnal rules.
    At least one program is added to each rules.
    So check each of these rules on your system to add or remove programs...
    Ex. in HTTP , HTTPS and HTTP alt. rules, I put Firefox, Opera and IE.

    If you're using only Firefox you may remove the other from the list of these rules... Sometimes you have to removed all programs included in the list, save and add it again...
     

    Attached Files:

    Last edited: May 10, 2007
  10. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    Here the S subset:

    The first general rules (S.0 to S.7) are only for fun.
    The only needed is the {S..0000000}; [TCP] {{ Common Internet Applications }}.

    For TCP programs, this is the only required rule.

    I put as local port the range 1 to 65535 to fit to Windows XP, Windows XP sp2 file sharing and Vista.
     

    Attached Files:

    Last edited: May 10, 2007
  11. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    Here the T subset: rules for applications using UDP.
    This is mandatory to have specific rules if it's in UDP.

    Some rules used a local specific local port like the rule {T.21047,10}; [UDP] { Skype }

    port 21047 , 1 local port, all remote ...

    Etc.
     

    Attached Files:

    Last edited: May 10, 2007
  12. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)


    And finally, last but not least, the subsets X, Y, Z ,
    and the rule set
    plus the list of "lns_known_tcp_ports.txt".
    (make a backup copy of the original list and replace it with this one.
    The changes appears after rebooting...).

    {X. 9998}; [UDP] < Outgoing UDP Forbidden ! >>
    is a Warning of a "T" rule to be created or modified.

    and

    {X. 9999}; [TCP] < Outgoing TCP Forbidden ! >>
    is Warning of a Too Much Restrictive "P" or "S" or "R" rule
    [ port(s), addresse(s)... ]

    For the rules set, rename it by removing the .TXT

    Have fun !!! :D


    EDIT: May 11, 2007, 21:30 EST
    The rule name:
    {A. 72}. [Local] [UDP] { DHCP Offer/Pack }

    must be corrected to
    {A. 72}. [Local] [UDP] { DHCP Offer/Ack }

    Sorry for this mistake. :rolleyes:

    EDIT: May 11, 2007, 21:56 EST
    Orthograph error in {A. 72} rule is fixed!
    ;)


    EDIT: May 13, 2007, 22:33 EST
    In order to have an access to your router configuration and avoid blocking from one of the B subset rules
    I create a new rule based on the tests done by the user -NiCeGuY-.

    {A. 90}; [Local] [TCP] {{Router configuration }}

    [G/Recommended] -NiCeGuY- Tested !
    Router configuration access
    192.168.2.1 <-- enter the IP addr. of your router

    This rule must be modified to fit to your router config.
    Here, in this example, the addr. is 192.168.2.1



    :)
     

    Attached Files:

    Last edited: May 13, 2007
  13. lookcity

    lookcity Registered Member

    Joined:
    Oct 22, 2005
    Posts:
    46
    Location:
    China
    Great work!
    Both ruleset and discription are nice.
    Thank you very much,Climenole.
    Best regards.
     
  14. -NiCeGuY-

    -NiCeGuY- Registered Member

    Joined:
    Mar 5, 2007
    Posts:
    79
    WOHOOOOOOOOOOOO , great !

    TYVM , Climenole , appreciate it :D

    I have a very high regard for your abilities. :cool: ;)
     
  15. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi lookcity:)

    Thank you.

    Questions are wellcome too...

    Best regard

    :)
     
  16. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    Thank you.

    If you have any question about the rules set don't hesitate to ask question.

    Have a nice day.

    :)
     
  17. -NiCeGuY-

    -NiCeGuY- Registered Member

    Joined:
    Mar 5, 2007
    Posts:
    79
    Hi , climenole :)

    Alright , first question is coming lol

    I have 4 DHCP rules , My router Gateway = 192.168.2.1

    create as this :

    [DHCP rule 1]
    Direction: inbound & outbound
    Ethernet Type: IP V4
    Protocol: UDP
    Frag. Offset: Equal 0
    IP Address: Equal my @
    port: 68
    remote ip:192.168.2.1
    remote port: 67


    [DHCP rule 2]
    Direction: inbound
    Ethernet Type: IP V4
    Protocol: UDP
    Frag. Offset: Equal 0
    IP Address: 192.168.2.1
    port: 67
    remote ip:255.255.255.255
    remote port: 68


    [DHCP rule 3]
    Direction: outbound
    Ethernet Type: IP V4
    Protocol: UDP
    Frag. Offset: Equal 0
    Frag. Flags: !DF+!MF
    IP Address: 0.0.0.0
    port: 68
    remote ip:255.255.255.255
    remote port: 67


    [DHCP rule 4]
    Direction: outbound
    Ethernet Type: IP V4
    Protocol: UDP
    Frag. Offset: Equal 0
    Frag. Flags: !DF+!MF
    IP Address: Equal my @
    port: 68
    remote ip:255.255.255.255
    remote port: 67

    These 4 DHCP rules , is it same as yrs DHCP rules ?Can i replace them ?
    see picture ~

    http://i128.photobucket.com/albums/p182/niceguy_hk/b8a247fd.jpg


    yr DHCP rule {A. 70} [Local] [UDP] { DHCP }
    Direction: inbound & outbound
    Ethernet Type: IP
    Protocol: UDP
    Frag. Offset: all
    Frag. Flags: all
    IP Address: all
    port: 67-68
    remote ip: all
    remote port: 67-68


    yr DHCP rule {A. 71}[Local] [UDP] { DHCP Discover/Request }
    Direction: inbound & outbound
    Ethernet Type: IP V4
    Protocol: UDP
    Frag. Offset: all
    Frag. Flags: all
    IP Address: 0.0.0.0
    port: 68
    remote ip: 255.255.255.255
    remote port: 67


    yr DHCP rule {A. 71}[Local] [UDP] { DHCP Offer/Pack }
    Direction: inbound & outbound
    Ethernet Type: IP V4
    Protocol: UDP
    Frag. Offset: all
    Frag. Flags: all
    IP Address: Equal 192.168.1.1 or 0.0.0.0
    port: 67
    remote ip: 255.255.255.255
    remote port: 68



    The second question , its my gateway's ip connect to port@137 , why got blocked ?

    blocked from this rule --> {B. 07}; [ALL] << Non-routable IP ! >

    http://i128.photobucket.com/albums/p182/niceguy_hk/365b05b8.jpg

    The third question , haven't Anti-Mac Spoofing & Anti-IP Spoofing rules in yr rules set ? If so , which one ?
    If no , ami need add them , and place where ?

    http://i128.photobucket.com/albums/p182/niceguy_hk/95cecb86.jpg

    Sorry for so many question :p

    ty for reply
     
    Last edited: May 11, 2007
  18. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    The "DHCP rule {A. 70} [Local] [UDP] { DHCP }" is a "generic" rule for DHCP.
    Actualy the most simple possible.

    I Suggest you to use that one in a first step (disable the others) and check what are the entries in your log.
    Base on these entries you will be able to modify the other DHCP rules accordingly.

    Presently you have 4 rules. Why not?

    Actualy the DHCP process have 4 steps:

    --------------------------------------------------------------------------

    1- Discover: Src=0.0.0.0 Port=68 Dest=255.255.255.255 Port=67
    Here the client (the PC) sent a broadcast on the network to find the DHCP server. Then:

    2- Offers: Src=192.168.1.1 Port=67 Dest=255.255.255.255 Port=68
    Here it's the server (with the IP add. 192.168.1.1 in this example).
    The DHCP server sent to the client PC an IP add. like "192.168.1.2" for example

    3-Request: Src=0.0.0.0 Port=68 Dest=255.255.255.255 Port=67
    Here the client (The PC) accept the IP proposed by the DHCP server.
    In this example: "192.168.1.2".

    0.0.0.0 means any address...

    4- acknowledgement: Src=192.168.1.1 Port=67 Dest=255.255.255.255 Port=68

    Here the client(PC) with is accepted IP addr. (Here "192.168.1.2") accept and transmit the acknowledgement to the DHCP server...

    [Please note that the rules was written {A. 72}. [Local] [UDP] { DHCP Offer/Pack }
    instead of {A. 72}. [Local] [UDP] { DHCP Offer/Ack } :eek:


    These are the 4 theorical DHCP steps. So I create 3 rules :
    The generic one to study the entries in the log and two experimental rules to be modified accordingly to the entries founded.
    I Guess it's possible to reduce the 4 steps into 2 rules.

    The Discover and Request have similar parameters:

    - Src=0.0.0.0 Port=68
    - Dest=255.255.255.255 Port=67

    So we have to put packets in and out for this combined rule...

    The Offers and acknowledgement have also similar parameters:

    - Src=192.168.1.1 Port=67
    - Dest=255.255.255.255 Port=68

    Here also we have to put packets in and out

    --------------------------------------------------------------------------

    An other experience is to used these 4 rules (and disable the other ones) and check again in the log to see if it's possible to simplify to a less number of rules.

    I hope my answer give you some lights (not confusion) about the DHCP.

    1 generic rule or 2 combined rules or your four rules ?
    Choose the best for you. (And tell me which one(s)...)

    Feed back , questions and comments are always appreciated.

    Take care.

    :)
     
  19. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    MAC addresses (such as your Ethernet adapter MAC Add.) are not transmitted over internet ...

    To prevent MAC or IP spoofing in a local network is a complex job.
    I'm not sure it's really required or possible with this rule...

    I have an hypothesis about this:

    ARP protocl is used to convert MAC addr. to IP, since in a local network it's possible to have a configuration of fixed IP local addr. (in the 192.168,*.*), it's also possible to create a rule rejecting all packets with a local IP and the wrong MAC address. This must be done on the LAN server.

    1- We can create some rules to associates each local (fixed!) IP to the MAC addr. of the Ethernet adapter of the corresponding PC and authorised these packets. (With a raw rule editing ?)

    2- Then create some rules to block any packet different than the previously authorised MAC+IP combination rules...

    and (?) on each PC a rule to block any incoming packets equal to the PC's MAC addr. o_O
    (Assuming all incoming packets must be different than the PC MAC addr. ...)
    This is my last idea for tonight... ;)

    The only problem I see is with a configuration with dynamic local IP addr. ...
    How to recheck each time the correct MAC+IP combination and put this in rules ?

    Is this make sens? :doubt:

    Tell me. Your opinion is important! (Don't be sorry for "so many questions" ;) )


    :)
     
    Last edited: May 11, 2007
  20. -NiCeGuY-

    -NiCeGuY- Registered Member

    Joined:
    Mar 5, 2007
    Posts:
    79
    Hi , Climenole :D

    {anti - mac spoofing rule}
    Direction: Inbounds
    Etherent Type: all
    Protocol: all
    Frag. Offset: all
    Frag. Frags: all
    [ source ]
    Ethernet Address: Equal pc's mac address
    ip: all
    port: all
    [ Destination ]
    Ethernet Address: all
    remote ip: all
    remote port: all


    {anti - ip spoofing rule}
    Direction: Inbounds
    Etherent Type: all
    Protocol: all
    Frag. Offset: all
    Frag. Frags: all
    [ source ]
    Ethernet Address: all
    ip: Equal my @
    port: all
    [ Destination ]
    Ethernet Address: all
    remote ip: all
    remote port: all

    As yr question , isnt need anti-mac spoofing & anti-ip spoofing 's rule , i was no cue right now o_O o_O

    1) As yr rule set , u allow all ARP , is it a big problem ? So i create 2 anti-ARP rule before it

    2) As i think yr DHCP rules was enough , so i will take it simple/easy , use yr original one :cool:
     
  21. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    May be, may be... For sure incoming packets must have a different MAC addr. than the destination PC.

    This rule is ok for a PC as client but not for the PC used as server...


    Same comment.

    The only problem I see here is how to test this?
    You have to spoof IP and MAC addr. by editing packets and resend these modified packets to see what's happen.

    May be with this:
    http://www.networkchemistry.com/products/packetyzer.php


    ARP is used locally to translate MAC addresses to IP addresses...
    It's needed with a router for example.

    ARP is not the problem, only the incomming packets which differ from the combination "MAC addr. + Fixed IP local Addr."

    About the DHCP. So my 2 combined rules works well for yous system. Good news! :)

    :)
     
  22. -NiCeGuY-

    -NiCeGuY- Registered Member

    Joined:
    Mar 5, 2007
    Posts:
    79
    Hi , Climenole :D questions questions questions are coming coming more & more :blink:

    Question 1 ) I saw many connect block from this rule {B. 07}; [ALL] << Non-routable IP ! >

    Direction: inbounds
    Ethernet Type: all
    Protocol: all
    Frag. Offset: all
    Frag. Frags: all
    {Source}
    Ethernet Address: all
    IP Address: 192.168.0.0 - 192.168.255.255
    Port: all
    {Destination}
    Ethernet Address: Equals my @
    IP Address: all
    Port: all

    Problem happen , becase , my gateway's IP is 192.168.2.1 , when have some connection with these , its got blocked

    [e.g. 1] when i want to use Web Browser to change/see my Router's setting , its got blocked cause this rule .

    [e.g. 2] this rules will blocked my gateway 192.168.2.1 connect to my IP:137 , its always happen in my log

    Change & create another rule for this case ? :D

    Question 2) Wht's different around those protect rules ? from Phant0m rule set VS yr rule set

    [ICMP][+MBONE broadcasts]
    Direction: outbounds
    Ethernet Type: IP V4
    Protocol: ICMP
    Frag. Offset: all
    Frag. Frags: all
    ICMP Code: Equals 10
    ICMP Type: Equals 10
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Adress: Equals 244.0.0.2
    Port: all


    [ICMP][+MBONE broadcasts]
    Direction: inbounds
    Ethernet Type: IP V4
    Protocol: ICMP
    Frag. Offset: all
    Frag. Frags: all
    ICMP Code: Equals 10
    ICMP Type: Equals 10
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [ICMP][+ICMP broadcasts]
    Direction: inbounds
    Ethernet Type: IP V4
    Protocol: ICMP
    Frag. Offset: all
    Frag. Frags: all
    ICMP Code: all 0
    ICMP Type: all 0
    {Source}
    Ethernet Address: all
    IP Address: Mask 0.0.0.255/0.0.0.255
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+FIN:Stealth Scan]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+XMAS:Stealth Scan]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +URG-PSH-FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+NULL:Stealth Scan]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+SYN-FIN-RST-PSH-ACK-URG]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +URG-ACK-PSH-RST-SYN-FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+SYN-FIN-RST-PSH-ACK]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +ACK-PSH-RST-SYN-FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+SYN-FIN-RST-PSH]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +PSH-RST-SYN-FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+SYN-FIN-RST]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +RST-SYN-FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+SYN-FIN-PSH]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +PSH-SYN-FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+SYN-FIN]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +SYN-FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+SYN-RST]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +RST-SYN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+FIN-RST-PSH-URG]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +URG-PSH-RST-FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+FIN-RST-URG]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +URG-RST-FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+FIN-URG]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +URG-FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+FIN-PSH]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +PSH-FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+FIN-RST]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +FIN-RST
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [+ACK-URG]
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +URG-ACK
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all




    {H. 04}; [TCP] << FIN & 13 Variants ! >
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +ACK-FIN
    TCP Frags: Set/Cleared +FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: Equals my @
    IP Address: all
    Port: all


    {H. 05}; [TCP] << SYN RST & 4 Variants ! >
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +ACK-RST-SYN-FIN
    TCP Frags: Set/Cleared +RST-SYN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: Equals my @
    IP Address: all
    Port: all


    {H. 06}; [TCP] << SYN PSH & 2 Variants ! >
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +PSH-SYN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: Equals my @
    IP Address: all
    Port: all


    {H. 07}; [TCP] << SYN URG ! >
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-SYN-FIN
    TCP Frags: Set/Cleared +URG-SYN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: Equals my @
    IP Address: all
    Port: all


    Colour red = Phant0m , colour blue = you

    Wht's different between those rules ? Am i need combine these 2 rule set( Phant0m & your) to form one big rules set ?

    [+NULL:Stealth Scan] = {H. 02}; [TCP] << NULL ! >

    [+SYN-FIN-RST-PSH-ACK-URG] = {H. 03}; [TCP] << FULL ! >

    These 2 rules same , can u compare another(colour red & blue)wht's different between you & Phant0m 's Rules ?



    TYVM for reply , have a nice day :thumb:
     
    Last edited: May 13, 2007
  23. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    Strange. That's why I put all local connections in the subset rules "A".
    Just uncheck that rule for the moment and I'll try to find a solution...

    For the other question about the TCP abnormal / illegal packets:
    I'm using combination of "masks" and "active" (enable in Eng. version?)

    For example the rule {H. 04}; [TCP] << FIN & 13 Variants ! >
    block all these combinations:

    FIN, FIN-SYN, FIN-RST, FIN-PSH, FIN-URG, FIN-SYN-RST, FIN-SYN-PSH, FIN-SYN-URG, FIN-RST-PSH, FIN-RST-URG, FIN-PSH-URG, FIN-SYN-RST-PSH, FIN-SYN-RST-URG, FIN-SYN-RST-PSH-URG.


    and so on...

    :)
     
  24. -NiCeGuY-

    -NiCeGuY- Registered Member

    Joined:
    Mar 5, 2007
    Posts:
    79
    ty , understood this way :thumb:

    How about these 3 rules ?

    [ICMP][+MBONE broadcasts]
    Direction: outbounds
    Ethernet Type: IP V4
    Protocol: ICMP
    Frag. Offset: all
    Frag. Frags: all
    ICMP Code: Equals 10
    ICMP Type: Equals 10
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Adress: Equals 244.0.0.2
    Port: all


    [ICMP][+MBONE broadcasts]
    Direction: inbounds
    Ethernet Type: IP V4
    Protocol: ICMP
    Frag. Offset: all
    Frag. Frags: all
    ICMP Code: Equals 10
    ICMP Type: Equals 10
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all


    [ICMP][+ICMP broadcasts]
    Direction: inbounds
    Ethernet Type: IP V4
    Protocol: ICMP
    Frag. Offset: all
    Frag. Frags: all
    ICMP Code: all 0
    ICMP Type: all 0
    {Source}
    Ethernet Address: all
    IP Address: Mask 0.0.0.255/0.0.0.255
    Port: all
    {Destination}
    Ethernet Address: all
    IP Address: all
    Port: all

    Seems yr rules set haven't these 3 rules , am i need add or not ?

    tyvm :D
     

    Attached Files:

  25. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)

    [ICMP][+MBONE broadcasts]
    IP Adress: Equals 244.0.0.2


    This one: {B. 09}; [ALL] << Reserved IP ! > >
    Reserved by I.A.N.A . 240.0.0.0 - 255.255.255.255

    [ICMP][+MBONE broadcasts]
    ICMP Code: Equals 10
    ICMP Type: Equals 10


    This one: {C. 999}; [ICMP] << Icmp Lock ! >>


    [ICMP][+ICMP broadcasts]
    IP Address: Mask 0.0.0.255/0.0.0.255


    This one: {B. 02}; [ALL] << Invalid IP ! >

    :)

    P.S.:

    About the rule: {B. 07}; [ALL] << Non-routable IP ! >
    I'm working on this issue...

    What is your LAN configuration?

    One router + PC(s) ?
    or
    One PC used as server for Internet Connection Sharing?
    or
    o_O

    :)
     
Thread Status:
Not open for further replies.