Help on look 'n' stop rules...

Discussion in 'LnS English Forum' started by lorife, Sep 26, 2005.

Thread Status:
Not open for further replies.
  1. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    Hi, I'm a new look 'n' stop user, and I'd really like to understand how rules work..
    Actually, I'd like to understand:
    - in which order I should import them
    - how to understand if a rule should be before or after another rule
    - some general help to understand the basic concept of rules..

    I also have a problem with look 'n' stop and MSN. MSN is REALLY slow on file transfers and video conversations. I've read that it could be a problem with the firewall. Please would you help me to configure it correctly?

    Please could you try to answer all my questions? I'm really interested in all of the answers..

    Thanks in advance..
     
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
  3. Technic

    Technic Registered Member

    Joined:
    Aug 31, 2005
    Posts:
    428
    Hello!

    Link above does not answer all the questions asked. Like:

    - in which order I should import them
    - how to understand if a rule should be before or after another rule

    I would like to have some info too. :)
     
  4. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    Thanks for the answer, but I have to agree with Technic...those topics don't really answer my first questions..and actually they don't even help me with the problem I have with MSN...

    Could you please try to be more specific, and maybe try to answer all of my questions? Sorry if I am bothering you..but I'd really really like to understand those things..

    thanks!!
     
  5. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    could anybody help me, please! o_O
     
  6. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    You can load the enhanced ruleset and check each entry:
    There are 5 basic sections, (1) everything above "Block incoming connections (with sync-flag)", (2) everything above "Block all other TCP", (3) everything above "Block all other UDP", (4) everything above "Block all other ICMP", (5) everything above "block any other packets".

    Rules should be added to the corresponding protocol type, and for example each "allowed" TCP rule must go ABOVE the rule "block all other packets TCP".

    The difficult part is the one above "Block incoming connections (with sync-flag)". You should avoid adding rules to this section. However, some rules need to be there, for example port 113 requests, or some FTP traffic.
    First, you should try adding rules BELOW the "Block incoming connections (with sync-flag)" line. If it does not work, you can try the rule above the "Block incoming connections (with sync-flag)". But be careful, this could damage your defense!

    My advice: trial and error :D You will learn LnS better the more you play with it. And there is always GRC.COM to test for possible holes...

    Thomas :)
     
  7. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    Thanks..I'll try something, you've been really helpful!!

    Would you try to help me with the problem I have with MSN too? Please..
     
  8. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
  9. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    Thanks for the answer..and yes, I imported all the rules.

    As for the logs, I seem to remember that something is blocked, I'll post you a screenshot as soon as I go back home (I am at work! :) )

    Could it be because I just imported all the rules and I left them on the top of the list? I still don't understand the exact position to place them (both MSN and netmeeting)...
     
  10. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    No, it is not because you left the rules on the top.
    In case of rules allowing packets, the ideal position is on the top of the ruleset.

    Frederic
     
  11. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    Yesterday I didn't have time to send the log...I'll try later today..
    What I don't understand is this: I know that LOTS of people have speed problems when using MSN and a firewall. Is it possible that nobody has a solution?

    Anyway I'll post the log..

    May I ask another question? I need to know where to place 2 kinds of rules..
    the first is to authorize an IP address, and the second to authorize UltraVnc. Is it ok to place all of them before TCP:Any other packet?

    thanks..
     
  12. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    No MSN here :doubt:
    We need one more MSN & firewall user to answer your question...

    Here is what Frederic mentioned in this same thread:
    To authorize an IP address I put the rule below the "TCP:Any other packet".

    Thomas :)
     
  13. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    ok, I tried...
    in the log I can't find anything wrong when using MSN, however MSN is slow. Reading MSN's help I found this:
    -----
    If you are having problems with the voice or video connection, or with a slow file transfer rate, your computer or the computer of the person you are communicating with might be behind a network address translator (NAT) (A device that is used to plug more than one computer into an incoming home Internet connection. Sometimes called a router. ) or a firewall (A security feature designed to help protect a computer from unauthorized external access. Can be hardware, software, or both.) . To fix this problem, you must enable Universal Plug and Play (UPnP) (A popular standard for connecting computers to devices that allows compatibility among a wide variety of networking devices.) on your NAT or purchase a NAT which is UPnP enabled. Also, you may need to upgrade your NAT firmware (A combination of hardware and software in a self-contained device, such as a NAT or router.) .
    -----

    Is it of any help? How do I enable UPnP? Any advice?

    Thanks
     
  14. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    Anybody can help?
     
  15. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    If the problem is there only when Look 'n' Stop is started (please confirm this) then the above information is not necessary and the problem is only with Look 'n' Stop configuration.

    What is strange is you get nothing in the Look 'n' Stop log, so if it is confirmed the problem is there when Look 'n' Stop is started, please try first to let Look 'n' Stop run and just disable the Internet filtering to see if the problem is linked to this filtering.

    Frederic
     
  16. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    Ok, I started by disabling the firewall as you asked me...and everything worked. File transfer was really fast.
    As soon as I reactivated the firewall (the file transfer was still going on) this is the log I had...

    213.140.17.97 was the IP that was sending me the file...

    -----------------------------

    10-04-05,22:23:13 D-2930 'Stateful Packet Inspecti' 213.140.17.97 TCP Ports Dest:1383 Src:61024
    10-04-05,22:23:13 D-2931 'Stateful Packet Inspecti' 213.140.17.97 TCP Ports Dest:1383 Src:61024
    10-04-05,22:23:13 D-2932 'Stateful Packet Inspecti' 213.140.17.97 TCP Ports Dest:1383 Src:61024
    10-04-05,22:23:13 D-2933 'Stateful Packet Inspecti' 213.140.17.97 TCP Ports Dest:1383 Src:61024
    10-04-05,22:23:13 D-2934 'Stateful Packet Inspecti' 213.140.17.97 TCP Ports Dest:1383 Src:61024
    10-04-05,22:23:13 U-2935 'Stateful Packet Inspecti' 213.140.17.97 TCP Ports Dest:61024 Src:1383
    10-04-05,22:23:13 U-2936 'ICMP : All ICMP types (n' 85.65.64.107 ICMP Type:3 Code:3
    10-04-05,22:23:13 U-2937 'ICMP : All ICMP types (n' 195.157.221.229 ICMP Type:3 Code:3
    10-04-05,22:23:13 U-2938 'UDP : Any other packet ' 195.157.221.229 UDP Ports Dest:137 Src:137
    10-04-05,22:23:13 D-2939 'Stateful Packet Inspecti' 213.140.17.97 TCP Ports Dest:1383 Src:61024
    10-04-05,22:23:14 D-2940 'TCP : SYN flag alone ! ' 86.134.204.87 TCP Ports Dest:6699 Src:33555
    10-04-05,22:23:15 U-2941 'UDP : Any other packet ' 195.157.221.229 UDP Ports Dest:137 Src:137
    10-04-05,22:23:15 D-2942 'TCP : SYN flag alone ! ' 213.52.222.153 TCP Ports Dest:6699 Src:33617
    10-04-05,22:23:15 D-2943 'Stateful Packet Inspecti' 213.140.17.97 TCP Ports Dest:1383 Src:61024
    10-04-05,22:23:16 U-2944 'UDP : Any other packet ' 195.157.221.229 UDP Ports Dest:137 Src:137
    10-04-05,22:23:16 D-2945 'TCP : SYN flag alone ! ' 81.156.180.20 TCP Ports Dest:6699 Src:49644
    10-04-05,22:23:17 D-2946 'TCP : SYN flag alone ! ' 86.134.204.87 TCP Ports Dest:6699 Src:33555
    10-04-05,22:23:18 U-2947 'UDP : Any other packet ' 195.157.221.229 UDP Ports Dest:137 Src:137
    10-04-05,22:23:18 D-2948 'Stateful Packet Inspecti' 213.140.17.97 TCP Ports Dest:1383 Src:61024


    ----------------------

    What I don't understand is this, as soon as I re-enabled the firewall the download stopped. So I hit cancel.
    Then he asks me to open an FTP on my PC for him, and I import the rules "FTP server" and "authorize IP address". He logs on my FTP and everything goes ok.

    Then I ask my friend to send me another file, and the file transfer is at optimum speed. Now I ask you. Am I just lucky, or is it because I added the rule "authorize IP" and I authorized him? That's weird....do I have to authorize every person I send/receive files with? Or is it just a coincidence...
     
    Last edited: Oct 4, 2005
  17. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    Any ideas?
     
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi lorife

    When you activate Stateful Packet Inspection or re-activate ‘Internet Filtering’ any current connections existing will trigger this type of alert. Simply re-connect to servers with programs you had running.
     
  19. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    thank you...but why when look 'n' stop was closed the file transfer was fast?

    and I also have another question..is it normal that if I open an FTP on my PC I have to authorize every IP address that connects to it? If I don't do that, nobody can connect!!
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    There can be some reasons why MSN Messenger File-Transfer can be slow, ensure you don’t block UPnP packets..

    Use Passive Technology with your FTP’n Software (PC to establish the data connection to the FTP site instead of the site establishing the data connection to your PC).
    :)
     
  21. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    Hi Phantom..thanks..could you please tell me how to authorize UPnP??
     
  22. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    please..
     
  23. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Add new rule, and make changes as shown below,

    Attached Files: uPnP.png (10.8 KB)
  24. lorife

    lorife Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    27
    Hi Phantom..umh..it's me again..
    I created the rule as you told me, and I placed it at the top of the list.
    Then I closed MSN and reopened it and I asked a friend to send me a file..
    this is what the log told me:

    --------------
    10-20-05,21:19:05 D-541 'TCP : SYN flag alone ! ' 83.176.6.133 TCP Ports Dest:6348 Src:2419
    10-20-05,21:19:08 D-542 'TCP : SYN flag alone ! ' 83.176.6.133 TCP Ports Dest:6348 Src:2419
    10-20-05,21:19:14 D-543 'TCP : SYN flag alone ! ' 83.176.6.133 TCP Ports Dest:6348 Src:2419
    10-20-05,21:19:36 D-544 'TCP : 139 netbios-ssn ' 82.60.83.53 TCP Ports Dest:139 Src:3180
    10-20-05,21:19:45 U-545 'ICMP : All ICMP types (n' 64.4.12.200 ICMP Type:3 Code:3
    10-20-05,21:19:50 D-546 'All other packets ' 192.168.100.1 IGMP Data:17 100 238 155
    10-20-05,21:20:13 D-547 'TCP : SYN flag alone ! ' 213.140.17.97 TCP Ports Dest:1244 Src:34742
    10-20-05,21:20:16 D-548 'TCP : SYN flag alone ! ' 213.140.17.97 TCP Ports Dest:1244 Src:34742
    10-20-05,21:20:22 D-549 'TCP : SYN flag alone ! ' 213.140.17.97 TCP Ports Dest:1244 Src:34742
    10-20-05,21:20:50 D-550 'All other packets ' 192.168.100.1 IGMP Data:17 100 238 155
    10-20-05,21:21:41 D-551 'TCP : 139 netbios-ssn ' 82.60.185.72 TCP Ports Dest:139 Src:4246
    10-20-05,21:21:44 D-552 'TCP : 139 netbios-ssn ' 82.60.185.72 TCP Ports Dest:139 Src:4246
    10-20-05,21:21:50 D-553 'All other packets ' 192.168.100.1 IGMP Data:17 100 238 155
    10-20-05,21:22:11 D-554 'TCP : 139 netbios-ssn ' 82.66.3.81 TCP Ports Dest:139 Src:3862
    10-20-05,21:22:14 D-555 'TCP : 139 netbios-ssn ' 82.66.3.81 TCP Ports Dest:139 Src:3862

    ---------------


    My friend's IP was 213.140.17.97, why was it blocked?? What did I do wrong now? o_O I am sorry to create so many problems! :(
     
  25. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Normal, it just indicates connections initiated remotely and blocked.
    With the UPnP rule in place, for file receiving the sender makes the initiating connection.
    Without the UPnP rule, the transfers were done through the MSN Messenger server, at capped / limited speeds.

    Can you paste another log of a new block upon MSN file receive attempt?
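
An added example, not part of the original thread or of Look 'n' Stop itself: a small parser for the log format pasted above. It groups inbound entries so that one retransmitted connection attempt is not read as several separate ones. Reading `D` as inbound and `U` as outbound is an assumption, inferred from the swapped Dest/Src ports in the first log.

```python
import re
from collections import Counter

# Lines taken from the log posted in the thread (post 24), embedded to run offline.
SAMPLE_LOG = """\
10-20-05,21:19:05 D-541 'TCP : SYN flag alone ! ' 83.176.6.133 TCP Ports Dest:6348 Src:2419
10-20-05,21:19:45 U-545 'ICMP : All ICMP types (n' 64.4.12.200 ICMP Type:3 Code:3
10-20-05,21:19:50 D-546 'All other packets ' 192.168.100.1 IGMP Data:17 100 238 155
10-20-05,21:20:13 D-547 'TCP : SYN flag alone ! ' 213.140.17.97 TCP Ports Dest:1244 Src:34742
10-20-05,21:20:16 D-548 'TCP : SYN flag alone ! ' 213.140.17.97 TCP Ports Dest:1244 Src:34742
10-20-05,21:20:22 D-549 'TCP : SYN flag alone ! ' 213.140.17.97 TCP Ports Dest:1244 Src:34742
10-20-05,21:21:41 D-551 'TCP : 139 netbios-ssn ' 82.60.185.72 TCP Ports Dest:139 Src:4246
"""

# date,time  direction-sequence  'rule name (truncated by the log)'  remote IP  protocol  detail
LINE_RE = re.compile(
    r"^(?P<date>\d\d-\d\d-\d\d),(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<dir>[DU])-(?P<seq>\d+)\s+'(?P<rule>[^']*)'\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<proto>\S+)\s+(?P<detail>.*)$"
)
PORTS_RE = re.compile(r"Dest:(\d+) Src:(\d+)")

def parse_log(text):
    """Return one dict per parsable log line; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        ports = PORTS_RE.search(e["detail"])  # ICMP/IGMP lines carry no ports
        e["dst_port"] = int(ports.group(1)) if ports else None
        e["src_port"] = int(ports.group(2)) if ports else None
        entries.append(e)
    return entries

def repeated_inbound(entries, min_count=3):
    """Count 'D' entries per (peer, rule, local port, remote port).

    The same tuple logged several times is one connection attempt being
    retransmitted by the peer because nothing answered it.
    """
    counts = Counter(
        (e["ip"], e["rule"].strip(), e["dst_port"], e["src_port"])
        for e in entries if e["dir"] == "D"
    )
    return {key: n for key, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    for (ip, rule, dport, _), n in repeated_inbound(parse_log(SAMPLE_LOG)).items():
        print(f"{ip} -> local port {dport}: {n} packets logged under '{rule}'")
```

On the sample, the only repeated tuple is the friend's address 213.140.17.97 retrying local port 1244 from the same source port, logged under the "SYN flag alone" rule.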
     