Hints on using Online Armor FW-a Learning Thread 4

Okay, thanks. Must be me! Maybe my monitor is sqeezing OA's windows.

If they could be expanded as per normal that would help me anyway.

 

You are very welcome, my hope is it helps members and OA where I have a vested interest in their success.

In my screens, THEY are NOT recommendations.
So if I were you I would leave it in standard mode for now since it works for you in that mode. We are learning advanced mode.

Don't think you did anything "wrong". Maybe Mike or Stem could comment on any "fighting" between your Network Magic and OA. I can't comment my self.

 

I wanted to allow my security products to update "pop up free" and TESTthe FW country blocker feature ( IF I untrusted your country, don't get at me) and take it personally, this is just a drill)

I find this list works for me anyway. Your symptoms may vary!

What happened to me is when I used the denied list and put in a bunch of countries to deny, some of them must have blocked Nod32 from updating. Nod 32 has a whole bunch of servers they use on automatic pick a server thing y so this way of allow except worked for me. I went through the massive list Mike gave me and asked this question:

"do I have any software needing this country?", like PC tools needs Australia so I did not say except for it, and so on.

Again this has zip to do with you! So don't get mad. Make your own list.
If you trust all countries fine, leave the list blank. But if you don't trust any except your own try it! See what happens.

When Nod 32 got blocked from updating I knew the except list worked!

 

Thanks Mike and Escalader.
If nothing else, I've just learned something.

 

Hi Hugger,

Right, then the thread has value! Learning is the thread purpose.

 

Hi Escalader.

Didn't spot the difference earlier, but per your settings CCleaner will only give pop-up if it changes as it is set to trusted.

To get the pop-up each time you need to set CCleaner to untrusted and set to ask. I had done it this way to block some stuff and it was blocked. It needs to be set the same as your "age of empire" settings. I realized and checked your settings after seeing this thread... http://support.tallemu.com/forums/viewtopic.php?t=1843

 

Hi Monty:

Yes, I'll try again but I did that as well and what happened was I get the block on CCleaner then it craps out on a C++ source code error.

Let me try it again now and I'll attach whatever jpg image applies.

Test 1 Result was:

1) followed Mikes 3 rules plus my extra 1 not remember one
2) CCleaner took 30 seconds to start up
3) Got CC dangerous program block as I did before
4) CCleaner went in a loop and displayed C++ error message

What were your 1 set of advanced settings? allow or ask?

Test 2 results are:

1) Followed Mike's rules but changed allow to ask as a test

Result was see second identical(?) jpg

I just had a blinding flash of insight I'm going to assume that something on my PC is fouling up OA's handling of my CCleaner.

My mini plan:

1) Remove and Reinstall CCleaner
2) Uninstall PC Tools ThreatFire another HIPS that maybe conflicting
3) Change my services back to automatic for Machine Debug.

then I will try again and report findings.

Did you see my "good news" post over at OA forum?

See you later

 

The CCleaner problem has been eliminated, but which of my changes fixed it?

1) Put service machine debug back to disable and test.

Result: CCLeaner was given the dangerous program pop up by OA and then ran fine.

Observation: Machine Debug wasn't the issue.

2) Reinstall ThreatFire (TF) and if possible it's settings.

Results: During install of TF, OA gave pop ups as it should and I accepted the program as I know it came from a solid vendor. I also had to install a TF update since I used an "old" installer

I ran CCleaner and I got the same C++ pop up and CC loop.

Observation: The realtime actions of 2 these two HIPS causes issues with CC.

3) Suspend TF and try again.

Result: same got CC's looping and the C++ error

4) Remove TF for learning and testing OA. TF offered to let me keep my TF settings and logs and I accepted that. It is my current HIPS fall back exe.

Result: CCleaner ran fine

Observations: Don't try to have OA and TF installed at the same time, suspending TF is not good enough to avoid interference, you have to remove the program. You can save the TF settings for possible fall back if OA fails at some point.

Cavet: This OA/TF clash cannot be assumed to be generalized to all OA /Other HIPS combos. Each would need testing.

To Mike Nash: Feel free to add this test result to a conflict list at your firm, I give it to you gratis! Hey, it seems I'm working for you as an unintended consequence!

See you guys later


PS: I changed all CCleaner's advanced options to block, see no reasons to allow it to start other programs etc. Ran CCleaner with these restrictions and it works fine. So we can tweak 3rd party programs as per need. This IMHO is a good thing. We need to manage our own PC's.

 

Perhaps once OA is completely set-up, you'll be able to reinstall TF to test for various overlaps.
Without testing, but just observing OA, I think CBoC may have less conflicts than TF (overlaps) with OA.
I had removed TF (and PCT-FW) because of excessive shut-down times.

 

Don't know Monty, you may be right. I know PCT-FW but what is CBoC, if I knew once it's gone now Is it a HIPS?

It funny you mentioned shut down times, mine have gone way up since NOD 32 and OA have been put in play. But at the moment I'm not going to worry about that.

 

Stem:

Attached jpg shows the ICMP default settings for OA FW.

What changes if any would you suggest and if you have time, give a brief reason for your changes. TY

 

ComodoBoClean...memory scanner.

I had 35-40 sec. boot-up, add TF or PCT-FW = 75-90 sec. boot-up. I use PageDefrag now (which defrags during reboot) and still reboot in under 50 sec.

 

Okay, thanks. That's good to know. I will time my bootup and report back, but it is not that big a deal for me as it only happens 1/day!

I want to find out something about Nod 32 if it does a memory scan, it has Amon .exe which heuristically scan all files as they are opened/read etc but that is not the same thing.

 

Yes, that's what CBoC does, so that would be unnecessary. Since you're using Nod32, you should be well covered with OA for the duration of the learning thread.
Have you done any tweaking of fw-rules yet?

 

Okay, great, NOD 32 is a good tool. My hope is with it and OA HIPS and OA FW I can stabilize my setup for a while.

Plan B is "IF" OA FW did fail me ( I don't know this!) I could uninstall the OA FW, keep it's HIPS and revert to my Kerio Settings.

Now your question on tweaking the FW rules, the short answer is a small yes.

I did combine a TCP/UDP rule just to see how OA rule tweaking worked.

On the FW tab there are a series of tabs/tables that I want to get out of the way 1st as they should be shorter work. They are:

Restrictions
Blacklists
ICMP
Restricted Ports

then of course the applications rules which will take longer.

I'm waiting for (Stem and/or Mike) comment on my jpg's 1st so I can tweak those and then last move to rules.

On ICMP I tweaked my defaults which allowed echo,timestamp and address mask all to NOT allowed.

How does your ICMP table compare?

Some functions skip numbers on mine so I suspect the services I have disabled impact what shows here, but this needs to be confirmed.

 

I allow 'Destination Unreachable' so that 'MTU Discovery' works correctly on my system.

 

What direction is allowed in the ICMP rules?

As example, to ping another PC, you would have: Allow out request, allow in reply, (unless there is a state table to allow replies from an outbound request)

 

Yep there is a state table

 

How do you then distinguish between allowing an outbound request, to allowing an inbound request?
Yes, I know that an outbound reply can be blocked, but there are other considerations (example: smurf~ ICMP flood)

 

Hi Stem - I don't believe you can in the current iteration of OAFW. I'm not the firewall subject matter expert - so I will come back with more details later tonight (have a day full of meetings today).

 

Hi Mike,

No Problem, when you have time. I cannot be around much myself at the moment,.. too much work on.

 

Okay, as is the rule here on these learning threads I wait for Stem amd Mike as well in this case to contribute.

This doesn't mean I disagree with your MTU which at this point I can't remember what it is. Good grief a thread guy with a poor memory to boot!

 

Stem:

Yes, i see the point, this ICMP table appears to be sort of global policies list.

Since I don't ping in or out etc and believe in restricting all PC functions I don't need I unticked every single item in the allowed in this table.

So far no obvious ill effects.

 

OA Forum Posted: Tue Oct 30, 2007 10:19 pm

Post subject: Re: Firewall Blacklist Option

 

and another OA feature works as described!

http://support.tallemu.com/forums/viewtopic.php?p=14973#14973