Help! 8Signs Firewall blocks WiFi-LAN connection

Discussion in 'other firewalls' started by luozhiqi, Nov 23, 2006.

Thread Status:
Not open for further replies.
  1. luozhiqi

    luozhiqi Registered Member

    Joined:
    Apr 3, 2006
    Posts:
    23
    Platform: Windows Server 2003
    Connection: WiFi LAN

    With cable-ethernet, the 8signs firewall works perfectly~

    On the contrary, 8signs seems to be incompatible with WLAN, which is web-login authentication based (no WPA, no WEP). 8signs firewall blocks all incoming packets, so that the DHCP server can't assign my WiFi adapter an IP.

    I tried to "Allow All Traffic" and even shut down the firewall, but no positive effect as expected.

    Once I uninstalled the 8Signs firewall, and reinstalled Look 'n' Stop, everything went as normally as before~

    Any solutions?

    Thanks!
     
  2. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Why don't you try 8-signs again, and this time look at your logs and see what is being blocked. Also, ensure that you have the proper rules for dhcp installed. Then, post back with your log results and then let's see if we can help you.

    Cheers,

    Alphalutra1
     
  3. luozhiqi

    luozhiqi Registered Member

    Joined:
    Apr 3, 2006
    Posts:
    23
    2006/11/24, 00:49:33.520, 1150, Opening new log file.

    2006/11/24, 00:49:33.520, 1004, Starting firewall version 2.3.
    2006/11/24, 00:49:33.780, 1054, Using configuration file "C:\Program Files\8Signs Firewall\Rules.rul".
    2006/11/24, 00:49:33.890, 1005, Device 1: Address=0.0.0.0, "Dial-Up Adapter"
    2006/11/24, 00:49:33.890, 1005, Device 2: Address=192.168.100.129, "Wireless Network Connection"
    2006/11/24, 00:49:35.142, 1170, Device 1: Address=0.0.0.0 no longer in use.
    2006/11/24, 00:49:35.533, 1050, Firewall state has been changed to "Filter Traffic" by the user.
    2006/11/24, 00:49:54.390, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:49:54.400, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:49:55.131, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:49:55.131, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:49:55.902, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:49:55.902, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:49:56.673, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:49:56.673, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:52:18.006, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:52:18.016, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:52:18.788, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:52:18.788, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:52:19.559, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:52:19.559, 2026, Device 2, Blocked incoming packet (unknown protocol)
    2006/11/24, 00:53:08.038, 1050, Firewall state has been changed to "Allow All Traffic" by the user.
    2006/11/24, 00:57:24.988, 1050, Firewall state has been changed to "Filter Traffic" by the user.
    2006/11/24, 00:58:56.369, 2026, Device 2, Blocked incoming packet (unknown protocol)

    P.S.: I have the default rules good for most users. And I have to uninstall 8Signs again in order to connect to the internet!
     
  4. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Can you please post your ruleset, in addition to the log? One of the rules is obviously blocking all other protocols somewhere in your ruleset, which in turn will kill your internet connection.

    Sorry I can't help too much ATM, but I need more info. Dr. Watson :D

    Alphalutra1
     
  5. luozhiqi

    luozhiqi Registered Member

    Joined:
    Apr 3, 2006
    Posts:
    23
    You are too demanding:D

    Now I am enjoying CHX-I v3.0 with your settings, which is simpler to configure than imagined!

    Concerning Anti-ARP-Spoofing, how should I modify the ARP rules (Wireless network adapter <-> Wireless router)?

    Regards,
     
  6. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    It is elementary dear Watson :p
    It is pretty simple, and I am glad that you are liking it :thumb:
    I don't have very much knowledge in terms of arp and preventing arp spoofing, but you will need to try and isolate your computer from any kind of malicious computers out there that may try to steal and use the data you send to other pcs.

    The best way to do this is encryption. If you could do it, I would recommend enabling WPA or WPA2 on your wireless router if it is yours in order to prevent any pcs other than your own from connecting to your access point.

    If you cannot do this, establishing a VPN session between the pcs you are trying to contact, or the wireless router, would prevent any man in the middle attacks. You could also use SSH, which is definitely simpler.

    As to advice to harden up your rules based on the CHX-I ruleset on ARP, I really do not know a way to go about this due to my lack of knowledge on the subject. Maybe some more knowledgeable people will come into this discussion (like Stem and Paranoid2000 to name a couple) who could help you.

    Here is a discussion on the matter of security inside a LAN and here is some info on some flaws of DHCP.

    Sorry I couldn't help any more, but hopefully that set you on the right track.

    Cheers,

    Alphalutra1
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What is your setup? (work/home LAN) Are you behind a router and/or switch? (How many nodes?) Please remember this is a problem concerning the LAN.
     
    Last edited: Nov 24, 2006
  8. luozhiqi

    luozhiqi Registered Member

    Joined:
    Apr 3, 2006
    Posts:
    23
    Thank you very much!

    Your solution is very comprehensive and all-around. I think you're majoring in Mathematics or something similar.

     
  9. luozhiqi

    luozhiqi Registered Member

    Joined:
    Apr 3, 2006
    Posts:
    23
    In fact it's a greedy Internet service company offering WiFi connection to the poor students in university dormitories.

    We pay 14.9 Euros per month, then we receive our login ID and password.

    We open a random URL, then the WLAN router automatically redirects to a login page, and we are required to input the ID and password to browse other external sites.

    I use an 802.11g wireless network adapter.

    There are a few Wireless Access Point devices, all of which have an independent MAC address.

    I manually configure my network adapter parameters as the DHCP server does automatically:

    Physical Address: 00-13-XX-XX-XX-XX
    IP Address: 192.168.100.129
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.100.1
    DNS Servers: 129.168.100.1, 192.168.1.254, 212.85.152.58
    WINS Server:

    The gateway 192.168.100.1, which has a different MAC address than the AP emitters (and is also the primary DNS server), connects to many PCs; you can imagine how greedy the provider is~

    The router sets a download speed limit of 80K/s, which cannot satisfy most users who are fond of Flashget.

    So there are many guys attacking the gateway and the hosts inside the WLAN with NetCut or other Winpcap based tools.

    In Look'n'Stop, I use the following rules to withstand ARP spoofing:

    Allow ARP Out: My PC MAC -> FF:FF:FF:FF:FF:FF
    Allow ARP In & Out: My PC MAC (on left blank)<->Gateway MAC (Right side blank)
    Block All Other ARP: any<->any


    In Jetico, I add only one rule to block ARP spoofing:

    Allow ARP protocol inbound : source = My PC MAC / Gateway MAC
    destination = My PC MAC / Gateway MAC / FF:FF:FF:FF:FF:FF

    For the moment, Comodo can do nothing about ARP-Filtering.

    The CHX-I ARP rule: Allow Incoming (deny all Except)
    Source MAC = Gateway (Router) MAC
    Destination MAC = Defined List including: My PC MAC + FF:FF:FF:FF:FF:FF

    It appears to work; however, there might be advanced spoofing techniques bypassing the 3 rules.

    CHX-I is the No.1 among packet filters. But I am a newbie among CHX-I fans. So I am eager to know the advanced configuration in CHX-I, especially Anti-ARP-Spoofing settings.

    Thank you in advance!
     
    Last edited: Nov 24, 2006
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Sorry for the delay in reply.

    There is only limited filtering for ARP; you do appear to have covered this, but I would check on binding the gateway IP to the gateway MAC. I will have time later today to re-install and re-check on the ARP setup for CHX.
     
  11. luozhiqi

    luozhiqi Registered Member

    Joined:
    Apr 3, 2006
    Posts:
    23
    Thanks a lot Stem,

    How do I bind the gateway IP to the gateway MAC by adding CHX-I rules?

    From the CHX log I found that a series of incoming ARP packets, which are generated by the Access Point Wireless Switch, are blocked if I only permit ARP communication between My PC MAC/Broadcast MAC and the Gateway MAC.

    In this case I add all AP Switch MACs to the CHX defined MAC list to allow incoming.

    I don't know whether I should add these AP MAC addresses to "Allow - but Deny all Except". The AP is supposed to send low-level protocols other than ARP. I am curious why in the CHX log the AP incoming packets are classified into the "ARP" category...
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have got mixed up; you cannot bind IP to MAC in CHX. I would advise you to look at a program such as Netcut which can provide protection from ARP spoofing.
    Another approach would be to add a static ARP entry for the gateway.
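An added example (not code from the thread or from CHX-I) that models the MAC-only ARP allow-list luozhiqi describes above and the gateway IP-to-MAC binding Stem recommends, then runs both over constructed inbound ARP frames. All MAC addresses are constructed; only the gateway IP 192.168.100.1 comes from the thread.

```python
from dataclasses import dataclass

# Constructed values; only the gateway IP comes from the thread.
MY_MAC = "00:13:d3:aa:bb:cc"
GATEWAY_MAC = "00:0c:29:11:22:33"
GATEWAY_IP = "192.168.100.1"
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class ArpFrame:
    eth_src: str     # Ethernet header source MAC
    eth_dst: str     # Ethernet header destination MAC
    sender_mac: str  # ARP body: sender hardware address
    sender_ip: str   # ARP body: sender protocol address

def mac_allowlist_permits(f: ArpFrame) -> bool:
    """The CHX-I style rule from the thread: inbound ARP only from the
    gateway MAC, addressed to my MAC or broadcast. Ethernet header only."""
    return f.eth_src == GATEWAY_MAC and f.eth_dst in (MY_MAC, BROADCAST)

def binding_check_permits(f: ArpFrame) -> bool:
    """Static-ARP-entry equivalent: the gateway IP may only be announced by
    the gateway MAC and vice versa, and the ARP body must agree with the
    Ethernet header."""
    if f.sender_ip == GATEWAY_IP and f.sender_mac != GATEWAY_MAC:
        return False
    if f.sender_mac == GATEWAY_MAC and f.sender_ip != GATEWAY_IP:
        return False
    return f.sender_mac == f.eth_src

def verdict(f: ArpFrame) -> str:
    """'allow', or the name of the check that dropped the frame."""
    if not mac_allowlist_permits(f):
        return "drop:mac-allowlist"
    if not binding_check_permits(f):
        return "drop:ip-mac-binding"
    return "allow"

# Constructed inbound frames: a genuine gateway reply; a reply from an
# unknown host claiming the gateway IP; a frame whose Ethernet source is
# the gateway MAC but whose ARP body carries a different hardware address.
SAMPLE = [
    ArpFrame(GATEWAY_MAC, MY_MAC, GATEWAY_MAC, GATEWAY_IP),
    ArpFrame("00:11:22:33:44:55", MY_MAC, "00:11:22:33:44:55", GATEWAY_IP),
    ArpFrame(GATEWAY_MAC, BROADCAST, "00:11:22:33:44:55", GATEWAY_IP),
]

def audit(frames=SAMPLE) -> list:
    """Run both checks over a list of frames and return the verdicts."""
    return [verdict(f) for f in frames]
```

The third sample frame passes the MAC-only rule and is caught only by the binding check, which is the gap a static ARP entry for the gateway closes.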
     
  13. luozhiqi

    luozhiqi Registered Member

    Joined:
    Apr 3, 2006
    Posts:
    23
    Well, then could you upload a strict CHX-I ruleset?

    I enabled TCP/UDP/ICMP Stateful Packet Inspection, and added 3 rules:

    ***UDP&TCP_NO_SYN(Stateful ON) Filter Allow 0 - Lowest Incoming Wireless Network Connection (MAC:00 13 D3 XX XX XX) IP Any Any TCP+UDP Any Any Any Any - NA - - NA - - NA -

    ***Incoming ARP Filter Allow 0 - Lowest Incoming Wireless Network Connection (MAC:00 13 D3 XX XX XX) ARP ARP Source ARP Destination - NA - - NA - - NA - - NA - - NA - - NA - - NA - - NA -

    ***ICMP (Stateful ON) Filter Allow 0 - Lowest Incoming Wireless Network Connection (00 13 D3 XX XX XX) IP Any Any ICMP Any Any Any Any Type: Any, Code: Any - NA - - NA -


    Regardless of application filter, are rules above enough to secure in/out packet filtering?
     
    Last edited: Nov 25, 2006
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi luozhiqi,
    There are some pre-defined filters for workstations; "Alphalutra1" is probably the best for links/info on these. I myself define an outbound direction for SPI filtering, placing a block inbound for SYN (rather than an "allow inbound, not SYN"). As with ARP, my rules only allow the outbound, with SPI for return, and block unsolicited.

    As for your filtering internet inbound by MAC, I have not attempted this, and could see a few possible problems.
     
  15. luozhiqi

    luozhiqi Registered Member

    Joined:
    Apr 3, 2006
    Posts:
    23
    Thank you, Stem.

    You are not English, are you? Your verbal expression was a little weird for me:D

    Perhaps I get used to BBC English...
     
  16. luozhiqi

    luozhiqi Registered Member

    Joined:
    Apr 3, 2006
    Posts:
    23
    CHX-I, an amazing packet firewall with a TCP/UDP/ICMP Stateful Packet Inspection, simplifies the rule composing.

    You don't need to convert complicated Look 'n' Stop ruleset into CHX-I rules. Preset SPI is able to manage almost everything for you.

    It costs zero RAM (if the log service is shut down) and CPU usage, and works compatibly with other prevalent firewalls in the marketplace.

    CHX-I, reliable and powerful, more than you can imagine.

    Still hesitate? Just remember it's totally free of charge for personal use!

    Please share your trial experience and joy in this forum:cool:
     