Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Okay, thanks. Must be me! Maybe my monitor is squeezing OA's windows.:D

    If they could be expanded as per normal that would help me anyway.
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    You are very welcome, my hope is it helps members and OA, where I have a vested interest in their success.

    In my screens, THEY are NOT recommendations.
    So if I were you I would leave it in standard mode for now since it works for you in that mode. We are learning advanced mode.


    Don't think you did anything "wrong". Maybe Mike or Stem could comment on any "fighting" between your Network Magic and OA. I can't comment myself.
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I wanted to allow my security products to update "pop up free" and TEST the FW country blocker feature (IF I untrusted your country, don't get :mad: at me and take it personally, this is just a drill).

    I find this list works for me anyway. Your symptoms may vary!

    What happened to me is when I used the denied list and put in a bunch of countries to deny, some of them must have blocked Nod32 from updating. Nod 32 has a whole bunch of servers they use on an automatic pick-a-server thingy, so this way of "allow except" worked for me. I went through the massive list Mike gave me and asked this question:

    "do I have any software needing this country?", like PC tools needs Australia so I did not say except for it, and so on.

    Again this has zip to do with you! So don't get mad. Make your own list.
    If you trust all countries fine, leave the list blank. But if you don't trust any except your own try it! See what happens.

    When Nod 32 got blocked from updating I knew the except list worked!
     

  4. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Thanks Mike and Escalader.
    If nothing else, I've just learned something.
     
    Last edited: Oct 28, 2007
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Hugger,

    Right, then the thread has value! Learning is the thread purpose.
     
  6. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Hi Escalader.

    Didn't spot the difference earlier, but per your settings CCleaner will only give pop-up if it changes as it is set to trusted.

    To get the pop-up each time you need to set CCleaner to untrusted and set to ask. I had done it this way to block some stuff and it was blocked. It needs to be set the same as your "age of empire" settings. I realized and checked your settings after seeing this thread... http://support.tallemu.com/forums/viewtopic.php?t=1843 :thumb:
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Monty:

    Yes, I'll try again but I did that as well and what happened was I get the block on CCleaner then it craps out on a C++ source code error.

    Let me try it again now and I'll attach whatever jpg image applies.

    Test 1 Result was:

    1) followed Mike's 3 rules plus my extra 1 not remember one
    2) CCleaner took 30 seconds to start up
    3) Got CC dangerous program block as I did before
    4) CCleaner went in a loop and displayed C++ error message

    What were your 1 set of advanced settings? allow or ask?

    Test 2 results are:

    1) Followed Mike's rules but changed allow to ask as a test

    Result was see second identical(?) jpg

    I just had a blinding flash of insight:D I'm going to assume:eek: that something on my PC is fouling up OA's handling of my CCleaner.

    My mini plan:

    1) Remove and Reinstall CCleaner
    2) Uninstall PC Tools ThreatFire, another HIPS that may be conflicting
    3) Change my services back to automatic for Machine Debug.

    then I will try again and report findings.

    Did you see my "good news" post over at OA forum?

    See you later
     


  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    The CCleaner problem has been eliminated, but which of my changes fixed it?

    1) Put service machine debug back to disable and test.

    Result: CCLeaner was given the dangerous program pop up by OA and then ran fine.

    Observation: Machine Debug wasn't the issue.

    2) Reinstall ThreatFire (TF) and if possible its settings.

    Results: During install of TF, OA gave pop ups as it should and I accepted the program as I know it came from a solid vendor. I also had to install a TF update since I used an "old" installer.

    I ran CCleaner and I got the same C++ pop up and CC loop.

    Observation: The realtime actions of these two HIPS cause issues with CC.

    3) Suspend TF and try again.

    Result: same, got CC's looping and the C++ error

    4) Remove TF for learning and testing OA. TF offered to let me keep my TF settings and logs and I accepted that. It is my current HIPS fall back exe.

    Result: CCleaner ran fine

    Observations: Don't try to have OA and TF installed at the same time, suspending TF is not good enough to avoid interference, you have to remove the program. You can save the TF settings for possible fall back if OA fails at some point.

    Caveat: This OA/TF clash cannot be assumed to be generalized to all OA/other HIPS combos. Each would need testing.

    To Mike Nash: Feel free to add this test result to a conflict list at your firm, I give it to you gratis! Hey, it seems I'm working for you as an unintended consequence!:cool:

    See you guys later


    PS: I changed all CCleaner's advanced options to block, see no reason to allow it to start other programs etc. Ran CCleaner with these restrictions and it works fine. So we can tweak 3rd party programs as per need. This IMHO is a good thing. We need to manage our own PCs.
     
    Last edited: Oct 29, 2007
  9. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Perhaps once OA is completely set-up, you'll be able to reinstall TF to test for various overlaps.
    Without testing, but just observing OA, I think CBoC may have less conflicts than TF (overlaps) with OA.
    I had removed TF (and PCT-FW) because of excessive shut-down times.
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Don't know Monty, you may be right. I know PCT-FW but what is CBoC? If I knew once, it's gone now:oops: Is it a HIPS?

    It's funny you mentioned shut down times, mine have gone way up since NOD 32 and OA have been put in play. But at the moment I'm not going to worry about that.
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Attached jpg shows the ICMP default settings for OA FW.

    What changes if any would you suggest and if you have time, give a brief reason for your changes. TY
     


  12. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    ComodoBoClean...memory scanner.
    I had 35-40 sec. boot-up, add TF or PCT-FW = 75-90 sec. boot-up. I use PageDefrag now (which defrags during reboot) and still reboot in under 50 sec.
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Okay, thanks. That's good to know. I will time my bootup and report back, but it is not that big a deal for me as it only happens 1/day!

    I want to find out something about Nod 32, if it does a memory scan. It has Amon.exe which heuristically scans all files as they are opened/read etc, but that is not the same thing.
     
  14. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Yes, that's what CBoC does, so that would be unnecessary. Since you're using Nod32, you should be well covered with OA for the duration of the learning thread.
    Have you done any tweaking of fw-rules yet?
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Okay, great, NOD 32 is a good tool. My hope is with it and OA HIPS and OA FW I can stabilize my setup for a while.

    Plan B is "IF" OA FW did fail me (I don't know this!) I could uninstall the OA FW, keep its HIPS and revert to my Kerio Settings.

    Now your question on tweaking the FW rules, the short answer is a small yes.

    I did combine a TCP/UDP rule just to see how OA rule tweaking worked.

    On the FW tab there are a series of tabs/tables that I want to get out of the way 1st as they should be shorter work. They are:

    Restrictions
    Blacklists
    ICMP
    Restricted Ports

    then of course the applications rules which will take longer.

    I'm waiting for (Stem and/or Mike) comment on my jpgs 1st so I can tweak those and then last move to rules.

    On ICMP I tweaked my defaults, which allowed echo, timestamp and address mask, all to NOT allowed.

    How does your ICMP table compare?

    Some functions skip numbers on mine so I suspect the services I have disabled impact what shows here, but this needs to be confirmed.
     
  16. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
    I allow 'Destination Unreachable' so that 'MTU Discovery' works correctly on my system.
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What direction is allowed in the ICMP rules?

    As an example, to ping another PC, you would have: Allow out request, allow in reply (unless there is a state table to allow replies from an outbound request).
     
  18. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,656
    Location:
    Sydney, Australia
    Yep there is a state table
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    How do you then distinguish between allowing an outbound request, to allowing an inbound request?
    Yes, I know that an outbound reply can be blocked, but there are other considerations (example: smurf~ ICMP flood)
     
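Stem's question above is about how a state table separates "our outbound request, their reply" from an inbound request or a flood of replies nobody asked for. The following is an added illustration, not Online Armor's code or any member's post: a small stateful ICMP echo filter in Python with constructed packets (the addresses, identifiers and 5-second timeout are assumptions).

```python
"""Stateful ICMP echo handling: an outbound echo request opens a state-table
entry, the matching inbound reply is allowed once, and inbound requests or
unsolicited replies (smurf-style floods) are dropped. Added example with
constructed packets; not Online Armor's code."""
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class Icmp:
    direction: str   # "out" (from this host) or "in" (to this host)
    icmp_type: int
    src: str
    dst: str
    ident: int       # echo identifier and sequence as carried in the packet
    seq: int


class StatefulIcmpFilter:
    def __init__(self, allow_inbound_request=False, ttl=5.0):
        self.allow_inbound_request = allow_inbound_request  # "allow in request" rule
        self.ttl = ttl          # seconds an outbound request stays pending (assumed)
        self.pending = {}       # (peer, ident, seq) -> expiry time

    def decide(self, pkt, now):
        # Forget expired requests so a stale entry cannot be used later.
        self.pending = {k: t for k, t in self.pending.items() if t > now}
        if pkt.direction == "out" and pkt.icmp_type == ECHO_REQUEST:
            self.pending[(pkt.dst, pkt.ident, pkt.seq)] = now + self.ttl
            return "allow"
        if pkt.direction == "in" and pkt.icmp_type == ECHO_REPLY:
            # A reply passes once, and only for a request we sent; anything
            # else is an unsolicited reply and is dropped.
            matched = self.pending.pop((pkt.src, pkt.ident, pkt.seq), None)
            return "allow" if matched is not None else "drop"
        if pkt.direction == "in" and pkt.icmp_type == ECHO_REQUEST:
            return "allow" if self.allow_inbound_request else "drop"
        return "drop"       # every other type needs its own explicit rule


def run_scenario():
    """Constructed traffic: our ping, its reply, a replayed reply, a stranger's ping."""
    fw = StatefulIcmpFilter()
    me, peer, stranger = "192.0.2.10", "198.51.100.5", "203.0.113.7"
    return [
        fw.decide(Icmp("out", ECHO_REQUEST, me, peer, 1, 1), now=0.0),
        fw.decide(Icmp("in", ECHO_REPLY, peer, me, 1, 1), now=0.2),
        fw.decide(Icmp("in", ECHO_REPLY, peer, me, 1, 1), now=0.3),
        fw.decide(Icmp("in", ECHO_REQUEST, stranger, me, 7, 1), now=1.0),
    ]
```

Blocking outbound echo replies, as Stem notes, is a separate rule: with `allow_inbound_request` left at its default the inbound request is dropped before any reply is generated.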
  20. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,656
    Location:
    Sydney, Australia
    Hi Stem - I don't believe you can in the current iteration of OAFW. I'm not the firewall subject matter expert - so I will come back with more details later tonight (have a day full of meetings today).
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Mike,
    No Problem, when you have time. I cannot be around much myself at the moment,.. too much work on.
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Okay, as is the rule here on these learning threads I wait for Stem and Mike as well in this case to contribute.

    This doesn't mean I disagree with your MTU which at this point I can't remember what it is. Good grief a thread guy with a poor memory to boot!:D
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Yes, I see the point, this ICMP table appears to be a sort of global policy list.

    Since I don't ping in or out etc and believe in restricting all PC functions I don't need I unticked every single item in the allowed in this table.

    So far no obvious ill effects.
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    OA Forum Posted: Tue Oct 30, 2007 10:19 pm

    Post subject: Re: Firewall Blacklist Option



     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses