Experimental rule set for -NiCeGuY-

Discussion in 'LnS English Forum' started by Climenole, May 10, 2007.

Thread Status:
Not open for further replies.
  1. Climenole

    Hi -NiCeGuY- :)

    You say:
    « Question 1 ) I saw many connect block from this rule {B. 07}; [ALL] << Non-routable IP ! >


    The problem happens because my gateway's IP is 192.168.2.1: when I have some connection with it, it gets blocked.

    [e.g. 1] when I want to use a Web Browser to change/see my Router's settings, it gets blocked because of this rule.

    [e.g. 2] this rule will block my gateway 192.168.2.1 connecting to my IP:137; it always shows up in my log.

    Change & create another rule for this case ? »


    Try this rule : {B. 90}; [Local] [TCP] {{Router configuration }}

    Tell me if it's okay...

    EDIT: I put the fixed new rule for router config. access in post # 12 of this thread.
    Thank you again for testing... :)

    {A. 90}; [Local] [TCP] {{Router configuration }}

    [G/Recommended] -NiCeGuY- Tested !

    :)
     


    Last edited: May 13, 2007
  2. -NiCeGuY-

    If I use your original one, it does not work, so I changed the rule's settings to this:

    {B. 90}; [Local] [TCP] {{Router configuration }}
    direction:inbounds
    Ethernet Type: IP V4
    Protocol: TCP
    Source ip: 192.168.2.1
    Source port: equal @ 80
    Destination ip: Equal my @
    Destination port: 1024 - 5000

    I was just testing, so the source port is only using 80; with this setting it works fine, I can use the Web Browser to access my Router.


    http://i128.photobucket.com/albums/p182/niceguy_hk/3a46dc83.jpg

    If I place the rule here, it works very well :D


    http://i128.photobucket.com/albums/p182/niceguy_hk/dadfbb80.jpg

    If I place it here, it's not working o_O because it gets blocked by {B. 07}; [ALL] << Non-routable IP ! > :p
     
    Last edited: May 13, 2007
  3. Climenole

    Hi -NiCeGuY- :)

    Great ! :thumb:

    So you find the solution to have an access to your router configuration:
    congratulation -NiCeGuY- ! :thumb:

    The position of the rule in the list is always important.
    Your test with your new rule is an example of this.

    Thank you very much -NiCeGuY- for your help, patience and feed-back.

    For sure if you find some other problem or if you have question do not hesitate.

    --------------------------------------------------------------------

    About the Antispoofing for IP and MAC:

    Are the local IP addresses of your system fixed or dynamic?
    I mean the IP address of the PC, 192.168.x.x ...

    About other A subsets rules: did you try the:
    {A. 21}; [Local] [Ethernet] { PC # 1} ?
    and
    {A. 60}; [Local] [IGMP] {{ Router }

    :)
     
  4. -NiCeGuY-

     
    Last edited: May 14, 2007
  5. Climenole

    Hi -NiCeGuY- :)

    A.21 : ok.

    A.60 : IGMP packets are used by routers combined with UDP packets.
    If there is no IGMP blocked by any rule, forget it.
    In this experimental rule set, there is no blocking rule specific to IGMP.
    The blocking comes from the last rule Z.9999999
    About this see the Patrice's post:
    Configuring Look'n'Stop with Routers
    https://www.wilderssecurity.com/showthread.php?t=9474

    X.9998 : UDP packets on port 137 and in broadcast:
    NetBios packets and or Router packets...
    Check the rules A.80,81,82

    UDP1900 : UDP packets from Simple Service Discovery Protocol, VideoLan Player, Azureus and may be uTorrent.
    check this rule: {A. 61}; [Local] [IGMP] { IGMPv3 router}}

    (Here maybe the packets must be in and out, not out only...)

    No better idea for the moment.
    Thank you and have a nice day.

    :)
     
  6. -NiCeGuY-

    Hi , climenole ;)

    I changed rule A.60: source address = my router's MAC, destination address equals 01:00:5e:00:00:01, waiting for the effect :D


    About this, I will keep blocking it, didn't change anything :D



    Hmmm... about UPnP, the gateway 192.168.2.1@UDP1900 connects to 239.255.255.250@UDP 1900, destination address = 01:00:5E:7F:FF:FA. So I created a UPnP rule for this case, now this problem is solved too :D

    {A. 1900,01}[UPnP rule]
    direction:inbounds
    Ethernet Type: IP
    Protocol: UDP
    SourceEthernet Address: Router's Mac Add.
    Source ip: 192.168.2.1
    Source port: equal @ 1900
    Destination Ethernet Address: 01:00:5E:7F:FF:FA
    Destination ip: 239.255.255.250
    Destination port: Equal @ 1900


    Now everything runs well, will check if any other problem happens later :shifty:

    If you have other rules or ideas, let me know & I'll test. Have a nice day :D
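    The MAC addresses in the A.60 change and the UPnP rule above follow the IPv4 multicast-to-Ethernet mapping, shown here as an added example that is not from the original thread: 01:00:5E plus the low 23 bits of the group address, and a consistency check over the posted UPnP rule (UPNP_RULE is a constructed dict of its fields, not the .rlz file).

```python
import ipaddress
from typing import List


def multicast_mac(group: str) -> str:
    """IPv4 multicast group -> Ethernet destination address (RFC 1112 mapping):
    fixed prefix 01:00:5E followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = (0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return ":".join(f"{o:02X}" for o in octets)


# -NiCeGuY-'s UPnP rule from the post, written as a constructed dict of its fields.
UPNP_RULE = {
    "name": "{A. 1900,01}[UPnP rule]",
    "direction": "in", "proto": "UDP",
    "src_ip": "192.168.2.1", "src_port": 1900,
    "dst_mac": "01:00:5E:7F:FF:FA", "dst_ip": "239.255.255.250", "dst_port": 1900,
}


def check_multicast_rule(rule: dict) -> List[str]:
    """Consistency checks for a multicast allow rule; an empty list means consistent."""
    problems = []
    dst = ipaddress.IPv4Address(rule["dst_ip"])
    if not dst.is_multicast:
        return [f"{rule['dst_ip']} is not multicast; a multicast MAC filter is meaningless"]
    expected = multicast_mac(rule["dst_ip"])
    if rule["dst_mac"].upper() != expected:
        problems.append(f"destination MAC {rule['dst_mac']} does not match "
                        f"{rule['dst_ip']} (expected {expected})")
    if rule["proto"] != "UDP":
        problems.append("SSDP (port 1900) is carried over UDP, not " + rule["proto"])
    if not ipaddress.IPv4Address(rule["src_ip"]).is_private:
        problems.append("source should be the local gateway, not a routable address")
    return problems


if __name__ == "__main__":
    print(multicast_mac("239.255.255.250"))   # SSDP group from the UPnP rule
    print(multicast_mac("224.0.0.1"))         # all-hosts group from the A.60 change
    print(check_multicast_rule(UPNP_RULE) or "rule is consistent")
```

    Because only 23 bits of the group address survive the mapping, 32 different groups share one MAC (224.127.255.250 maps to the same address as 239.255.255.250), so the destination IP field in the rule is what actually pins down the group.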
     
  7. Climenole

    Hi -NiCeGuY- :)

    Okay. If there is an "effect" you'll see it in the log...

    Great!

    Okay. I'm still working on the Anti MAC + IP spoofing...
    I let you know.

    Thank you again and have a nice day!
     
  8. -NiCeGuY-

    Good , keep on ! :D
     
  9. zozot

    hi Climenole and -NiCeGuY-

    is there already a version of climenole-v3-Eng-GEEK.rlz in French?
     
  10. Climenole

    Hi / Salut zozot :)

    Yes Sir! / Oui Monsieur!

    I'll post it in the Fr, forum.

    :)
     
  11. zozot

    thank you
     
  12. Climenole

    Hi All :)

    About the rules:

    {R.80443,02}; [TCP] { Http/Https Skype }
    and
    {R..9999999}; [TCP] < Skype: forbidden ports ! >>

    They have to be used with the other «R» rules.
    If these rules are used with only the «S» rules all programs using internet will be (obviously) blocked when Skype is in use...


    Also: about IGMP packets and NetBios.

    May be it's a good idea to add these blocking rules for IGMP and NetBios:

    {A. 69}; [Local] [IGMP] << Block igmp ! >>
    and
    {A. 89}; [Local] [T/U] << Block NetBios !>>

    [To be tested...]

    :)
     

  13. -NiCeGuY-

    Hi , climenole :)

    I never use Skype, so I don't know & never tested :p


    about NetBIOS, I created a rule to block NetBIOS before, like this:

    Direction: in & out
    Ethernet Type: IP
    Protocol: UDP
    Source IP: all
    Source port: 137 -139
    Destination ip: all
    Destination port: all

    it works well. :D

    about the IGMP block rule... if I use this rule, does it conflict with these 2 rules?

    {A. 60}; [Local] [IGMP] {{ Router }
    {A. 61}; [Local] [IGMP] { IGMPv3 Router }}

    let me know, thanks for the reply
     
  14. Climenole

    Hi -NiCeGuY- :)

    Your rule for NetBios blocking is excellent ! :thumb:

    The remaining IGMP packets are blocked with the last rule "Z999" but I prefer to block this before... (this is optional...)

    :)
     
  15. -NiCeGuY-

    Hi , climenole :D

    seems you need a little update / rewrite of these few rules :p

    {H. 04}; [TCP] << FIN & 13 Variants ! >
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +ACK-FIN
    TCP Frags: Set/Cleared +FIN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: Equals my @
    IP Address: all
    Port: all


    {H. 05}; [TCP] << SYN RST & 4 Variants ! >
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +ACK-RST-SYN-FIN
    TCP Frags: Set/Cleared +RST-SYN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: Equals my @
    IP Address: all
    Port: all


    {H. 06}; [TCP] << SYN PSH & 2 Variants ! >
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +ACK-PSH-RST-SYN-FIN
    TCP Frags: Set/Cleared +PSH-SYN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: Equals my @
    IP Address: all
    Port: all


    {H. 07}; [TCP] << SYN URG ! >
    Direction: inbounds
    Ethernet Type: IP
    Protocol: TCP
    Frag. Offset: all
    Frag. Frags: all
    TCP Flags: Mask +URG-ACK-SYN-FIN
    TCP Frags: Set/Cleared +URG-SYN
    {Source}
    Ethernet Address: all
    IP Address: all
    Port: all
    {Destination}
    Ethernet Address: Equals my @
    IP Address: all
    Port: all

    You may have to work hard this weekend, have a nice day :)
     
  16. Climenole

    Hi -NiCeGuY- :)


    :D No Sir !

    I forgot to list these 2 combinations but the rule blocks them (as far as I know... and I'll re-check again, but later...).

    I have to work hard this week-end but not on this... ;-)

    Have a nice week-end.

    :)
     
  17. WinCenzo

    Hi climenole,

    I took your great rules, and you did a great work. I used them to improve my rulesets; you helped me very much, but I have a kind of problem with the rules
    "[local] [Ethernet]" because yes they work, but they allow even other packets different than the Ethernet protocol.
    Exactly, I see that by these rules even UDP and TCP packets are allowed. I'm using the 2.05p3 version with the RAW plug-in, and I want to know if this behaviour is normal or not, and if not, I hope you can help me to solve this problem.

    Sorry for my english.
    Thx :thumb:
     
  18. Climenole

    Hi WinCenzo :)

    Why are you using this rule ? o_O

    This rule is used for PCs connected with a hub (as far as I know) and they have to be tested (as I stated here in this thread)...

    You say you're using my experimental rules set to improve yours. That's ok.

    This is not a "key in hand" rule set: it requires some research and experiment on your part, especially with the "A" rules...

    Have fun!

    :)
     
  19. WinCenzo

    Hi climenole, thx for your answer,
    however I'm using this rule because I use a router and sometimes I saw that some connections with the ETH protocol were forbidden, so I supposed that these rules were necessary for the correct working of my LAN. In fact I don't have problems with them. The only thing I saw and didn't understand was about some connections with UDP and TCP allowed locally by these rules, whereas I think they were only for ETH.
    So I'm not able to modify rules in the RAW method, and I was asking you if these rules count to allow even those protocols.
     
  20. Climenole

    Hi WinCenzo :)

    Your router uses IGMP and UDP packets, I suppose...

    The best for you is to read carefully the "sticky" post from Patrice:

    Configuring Look'n'Stop with Routers
    https://www.wilderssecurity.com/showthread.php?t=9474

    Don't use the ETH rules we're talking about...

    And keep things simple. ;)

    :)
     
  21. WinCenzo

    Thx Climenole, I don't want to abuse your helpfulness,
    but the reason for my choice was that in the post about configuration with a router, Patrice spoke about the necessity of one rule for ETH too:

    So I thought that your rules may be the solution to this problem. ;)

    But as I said, this rule works even with other protocols and I don't know if this is my problem or if it's simply normal.

    Thx again :thumb:
     
  22. Climenole

    Hi WinCenzo :)

    As shown by Patrice, you may add the MAC address in the IGMP rule...
    It seems that's better than the ETH rule...

    :)
     
  23. Climenole

    Hi

    For assistance in connection with version 3 you can contact me by email if necessary.
    I will do my best to answer you according to my availability.

    climenole[AT]gmail[DOT]com

    Thank you.
     
  24. cluefly

    Great work!

    lovely man !
     