Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    As promised earlier, here with no claims of perfection, completeness, accuracy, validity or usefulness is my first page of the ports I have restricted in OA.
    I am responsible but not to blame if you try any or all of these and your PC blows up;)

    Blast away, what's missing, what's wrong, what is :thumbd:

    For those who are interested here is OA's help information on what OA defines as a Restricted Port

     

    Attached Files:

    Last edited: Sep 1, 2008
  2. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I think actually you only need to restrict those ports that are opened for "listen". You can get this list by typing "netstat -a" in a command-line, for example.
     
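The "netstat -a" approach above works well if you separate listeners that are reachable from the network from ones bound only to loopback. The parser below is an added example written for this thread, not code from the posts or from OA; it assumes the Windows "netstat -a" column layout and runs over a constructed sample, listing the listening ports that are candidates for a restricted-port entry.

```python
import re
from collections import defaultdict

# Constructed sample of "netstat -a" output in the Windows XP layout (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1057      64.233.160.1:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.1.10:137       *:*
"""

# Proto, local addr:port, foreign addr, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, state) for every socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and "Active Connections" lines
        proto, ip, port, _foreign, state = m.groups()
        yield proto, ip, int(port), state or ""


def listening_ports(text):
    """Return {proto: {port: scope}} for sockets that accept inbound traffic.

    TCP counts only in LISTENING state (1057 above is an outbound client
    connection using an ephemeral port); every bound UDP socket counts, since
    UDP has no connection state. scope is 'loopback' for 127.x bindings, which
    the LAN/Internet cannot reach anyway, else 'network'.
    """
    result = defaultdict(dict)
    for proto, ip, port, state in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING":
            continue
        scope = "loopback" if ip.startswith("127.") else "network"
        # Same port bound on several addresses: a network-reachable binding wins.
        if result[proto].get(port) != "network":
            result[proto][port] = scope
    return dict(result)


def restricted_port_candidates(text):
    """(proto, port) pairs worth a restricted-port entry: network-reachable listeners only."""
    return sorted((proto, port)
                  for proto, ports in listening_ports(text).items()
                  for port, scope in ports.items() if scope == "network")


if __name__ == "__main__":
    for proto, port in restricted_port_candidates(SAMPLE_NETSTAT):
        print(proto, port)
```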
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Here is the bottom of my list for those interested. Again no promises for your set up!

    Post any extras you think users should have please.
     

    Attached Files:

  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I have some more infernal questions. They deal with OA's feature called restricted ports. Here is what the help currently says:

    Q1 what does "programs on the internet" mean? Is that really saying incoming packets aiming at these ports will be rejected? :oops: In other words my program can send via this port on my PC but you can't send me an incoming?

    Q2 do these ports override ports identified in rules I create or are created for me by OA's autoconfiguration?

    Q3 My outlook uses 110 for in and 587, what would happen if I enter them in the restricted port list and then try to send receive email? I think it means those are available to me on my lan but not to my ISP? Has anybody tried that? If this is stupid I apologize for that but it is a question nonetheless ( no fear questions:D )

    Q4 do these ports in the restricted list apply only to TCP or UDP protocols or to both, and again in what directions, in, out or both? What about the various layers, could certain ports I enter impact negatively on other protocols such as FTP and port 20?

    Q5 Where can we find guidelines for using the restricted port tab?

    Q6 Same question as Q3 only substitute FF for Outlook and 80 and 443 for 110 and 587.
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I admit I do not now completely/fully understand the restricted port access (see below). I can only show/report my own findings.

    Such as server ports for netBios, these are blocked to/from the Internet. The restricted ports are set to be used only if the interface is set as trusted, and then allowed only to/from the current LAN, OR, if the Interface is not set as trusted, then only the PC`s set as trusted on LAN can access the restricted ports. Now, the outbound from these ports acts a little differently. From the point of netBios, then yes, if the Interface and PC`s on LAN are not set as trusted then outbound is blocked, but, I do see multicast broadcast being sent from the dcom ports (1024-1030) that are set as restricted, so I hope you can see why I am not completely sure on this point

    User rules do not override the restricted ports, but user rules must be in place to allow comms even on the restricted ports. (but it looks like system broadcasts are allowed)


    Restricted ports are local and intended for server ports, so for example, you could place port 80 (HTTP) as restricted, but you would still be able to connect out to remote port 80. Remember that when an application connects out, it will use local ports > 1024 and/or ports available above that (XP)

    The restricted ports allow you to set either TCP or UDP (or both). Look at the settings.

    Ask OA.

    Only the local ports are affected. So as your example, the problem would only arise if those local ports were used, which would be for a local server.


    - Stem
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes, I do see that. In the default case, all advanced users can see those same 7 dcom's as restricted in TCP with the interface set at "trusted" with no tick! So we face doubt on this. :'(

    Hmmm, what if every one was disabled in this table if that tick feature works. Then test what ports are impacted by user rules. Does the tick work?


    Rats, I keep forgetting these things, but what this means to me is that as I have added ports of my own choice to the OA list I MUST remember it is a LOCAL port. But now I'm worrying that these entries may not be effective.:doubt:

    Yes, my question was poorly put ( again:oops: ). What I was wondering was about FTS port 20: would that be effective in preventing file transfer if everywhere else in the user's set up in windows xp the user had allowed FTS? In other words do these settings have any impact across the layers?

    Good point I will, right now!

    Mike Nash, where/when can the user find expanded guidelines and clarification on this port business?

    Okay as above.
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Just a brief update.

    Currently running an OA Beta version with the FW piece disabled (not uninstalled). It is theoretically possible to uninstall the OA FW for whatever reasons you may have AND run a "pure" FW in lieu of it. I know only one guy who has looked into that but it would be interesting to hear a report on his experience. If I were to try that ( later) I would use Kerio 2.1.5 since all my settings, embedded ip addresses and blocking rules are still available to me that way. I repeat I have NOT tried this myself and therefore am not saying it is good/ works or anything else. I like to experiment a bit! Let me go first I will report later but in a new thread probably called OA/Kerio Combo Hints!

    I'm successfully running the windows xp sp3 FW and OA HIPS at the same time so I'm okay on incoming to the extent win xp FW protects me from incoming (a bit redundant behind 2 H/W FW's)

    On the OA 131 released version I suggest users leave the OA FW ON!


    So here for the record is my real time/active setup as of now

    AlphaShield HW FW
    DSL Router
    Nod 32
    SAS Pro
    OA Beta Mail shield ON
    OA Beta Web shield ON
    OA Beta Program Guard (HIPS) ON
    OA Beta Firewall OFF
    Windows FW sp3 ON
    Loaded Host file
    Spyblaster
    Disabled unneeded windows services Netbios services etc
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    If using a 3rd party firewall (not OA) then I would suggest uninstalling the OA firewall. There may not be direct problems with the windows firewall, but another 3rd party firewall could conflict with the OA network drivers (although I have not checked)

    I know from uninstalling OA from the add/remove programs that the OA drivers are left behind, so I will need to check if uninstalling the firewall within OA actually removes the network drivers.

    - Stem
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    On this subject, it will be better to wait for the next full release, as some changes have been made in the handling of the restricted ports.
     
  10. Murderlove

    Murderlove Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    99
    Hello all,

    Un-installing the OA 131 firewall caused no problems whatsoever for me. I do not know if it fully un-installed all the network drivers, but I was able to install the latest version of LnS with Phant0m ruleset without a problem. I do not have OA installed right now, but I do remember that I was getting less pop-ups when installing a program using the Standard mode without firewall. When I used Advanced mode without firewall I was bombarded with pop-ups. But it was a while ago so I cannot confirm this 100%.
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks Stem:

    Right now I'm just coasting with windows xp FW with some of your settings from your thread on that one.

    I see what you mean on the 3rd party FW's conflicting. So if I do that test I'll uninstall the OA FW using their feature for that. But I'm not quite ready for that yet.
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Right! We are all waiting for those changes.

    I invested a lot of effort adding some ports that were/are favorites of messaging and malware but stopped due to the ongoing changes you refer to. More later on this as well. Change is in the air these days!

    Still waiting.
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello:

    Just to clarify, I have 3 of the 4 main functions of OA in action/working as I am posting this.

    I'm referring to the attached tab. I'm sorry I must have made you think I had uninstalled the whole product. That is not the case I still have the OA web/mail and program shields in place.

    Stem is saying (if I have it clear), that if I wanted to use say Kerio or another 3rd party FW with OA, it would be better to uninstall the OA FW component not the whole product.

    This has probably made it murkier!


    In the case of the free version of OA the choice is narrower, I can only choose two features on my test PC I see Program guard and FW so that would mean only 1 feature from OA running if their FW was uninstalled.

    Choice is a good thing in my view.
     

    Attached Files:

  14. Murderlove

    Murderlove Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    99
    Hello Escalader,

    I know that you meant the firewall component of OA. I too was referring to only the firewall component. I could have explained it a bit better ;) :argh:
    I also had the webshield, mailshield and program guard installed. I only un-installed the firewall component. I 'felt' that I was getting less pop-ups when having the firewall component un-installed and using the Standard mode compared to having the firewall component installed and using the Standard mode. And when I was using the Advanced mode with the firewall component un-installed I was getting a lot of pop-ups compared to having the firewall component installed and using the Advanced mode. But like I said I am not 100% sure of this.

    So again, I was able to un-install the firewall component of OA 131(paid) whilst having the webshield, mailshield and program guard installed. I then used a 3rd party FW which was LnS with Phant0m ruleset.
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Murderlove:

    Good then I didn't mispost or confuse, always a hazard ! Your clarification is fine with me, clear and concise and very interesting.

    My own status is the same, with the exception that I have brought PeerGuardian 2 back to life to compensate for my lost blacklists that I so carefully set up in the OA FW feature and I lost when I disabled OA FW.

    We are all waiting for the next OA release and I'm no different on that point than anybody else out in user land.


    See ya
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    My current situation has changed since last update

    Currently running current OA Beta version with its FW piece Enabled.

    I am holding off on trying a 3rd party FW with OA FW disabled.

    I'm successfully running the OA beta version and testing continues.

    So here for the record is my real time/active setup as of now. All security SW set to exclude all others to minimize conflict

    AlphaShield HW FW
    DSL Router
    Nod 32 real time scanning
    SAS Pro real time scanning
    OA Beta Mail shield ON
    OA Beta Web shield ON
    OA Beta Program Guard (HIPS) ON
    OA Beta Firewall ON
    Windows FW sp3 OFF
    Loaded Host file from B.I.S.S many 127's and a few ip's allowed.
    Spyblaster
    Disabled a number of unneeded windows services Netbios services etc
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Problem: To set some rules that will ensure that my email client (in my case MS Outlook) is the only application that can send and receive email on my set up.

    What I have done so far is created some rules:

    1) allowing outbound TCP for the ISP's ip for pop3 and put their single port in the port list and set the single application doing this to be Outlook.exe.

    2) allowing outbound TCP with the ISP's ip for smtp (which is different than the pop3 addy in my ISP's view of how to do this) and set that port in the list and set the single application to be Outlook.exe .

    3) set the UDP outbound to port 53 for Outlook.exe to the ISP's DNS addy as my DNS is handled by DHCP not via DNS services. This rule is set for only the single application Outlook.exe

    4) added an ALL rule ( meaning all applications) that denies outgoing TCP to the ports for pop3 and for smtp and this applies to all applications.

    Question for Mike Nash/Stem:

    Have I succeeded in solving the problem stated? yes or no!

    If not why not? and how to do it right?

    Supplementary Question:

    Since Outlook is a trusted program could another trusted application use Outlook (in spite of these restricted rules of mine) to send email when I don't want them to do that!


    This is the best I can do now in formulating the problem, if it is confusing someone else will have to unconfuse me! ( again)
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    As far as firewall rules, then yes... well apart from the fact I would add UDP to the outbound e-mail blocking rule.


    It would be possible if the trusted program has enough rights to control the e-mail client.


    - Stem
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Like this? I changed my deny outbound ALL rule to 110, 587 my in/out email ports to be BOTH protocols TCP and UDP.

    See attached:

    On these other trusted exe's with rights to control my email client does OA manage that for the users OR do I have to check every darn exe's rights and try to tinker with that? I have no clue how to do it? Or can I mess with Outlook rights to disallow these other exe's, any exe, from sending mail?

    Convoluted wording I'm sorry a bit tired today...
     

    Attached Files:

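To make the effect of the four rules from the post above (and Stem's suggested UDP addition) concrete, here is an added simulation that is not code from the thread or from OA: it models an ordered, first-match rule list with a default "ask" for anything unmatched, and uses placeholder ISP addresses since the posts do not give the real ones. It shows that the application-specific allows plus the all-applications deny do confine 110/587 to Outlook, and that a TCP-only deny leaves UDP to those ports unmatched.

```python
from dataclasses import dataclass

# Placeholder addresses (constructed; the thread does not give the ISP's real ones).
ISP_POP3 = "203.0.113.10"
ISP_SMTP = "203.0.113.20"
ISP_DNS = "203.0.113.53"
ANY = "*"


@dataclass(frozen=True)
class Rule:
    """One outbound rule; every rule in the post is outbound, so direction is implicit."""
    app: str          # executable name, or "*" for all applications
    proto: frozenset  # {"TCP"}, {"UDP"} or both
    remote_ip: str    # "*" = any remote host
    ports: frozenset  # remote ports
    action: str       # "allow" or "deny"

    def matches(self, app, proto, ip, port):
        return ((self.app == ANY or self.app == app)
                and proto in self.proto
                and (self.remote_ip == ANY or self.remote_ip == ip)
                and port in self.ports)


def evaluate(rules, app, proto, ip, port, default="ask"):
    """First matching rule wins; anything unmatched falls to the firewall's default (a prompt)."""
    for r in rules:
        if r.matches(app, proto, ip, port):
            return r.action
    return default


def outlook_only_rules(deny_protos):
    """Rules 1-4 of the post; the protocol set of the final deny rule is the parameter."""
    return [
        Rule("outlook.exe", frozenset({"TCP"}), ISP_POP3, frozenset({110}), "allow"),
        Rule("outlook.exe", frozenset({"TCP"}), ISP_SMTP, frozenset({587}), "allow"),
        Rule("outlook.exe", frozenset({"UDP"}), ISP_DNS, frozenset({53}), "allow"),
        Rule(ANY, frozenset(deny_protos), ANY, frozenset({110, 587}), "deny"),
    ]


TCP_ONLY = outlook_only_rules({"TCP"})          # the original rule 4
TCP_AND_UDP = outlook_only_rules({"TCP", "UDP"})  # rule 4 with Stem's UDP addition


def check(rules):
    """Verdicts for a few constructed outbound attempts under the given rule list."""
    return {
        "outlook_pop3": evaluate(rules, "outlook.exe", "TCP", ISP_POP3, 110),
        "outlook_other_host": evaluate(rules, "outlook.exe", "TCP", "198.51.100.7", 110),
        "other_app_tcp": evaluate(rules, "mailer.exe", "TCP", ISP_SMTP, 587),
        "other_app_udp": evaluate(rules, "mailer.exe", "UDP", ISP_SMTP, 587),
        "other_app_http": evaluate(rules, "firefox.exe", "TCP", "198.51.100.7", 80),
    }


if __name__ == "__main__":
    print("TCP-only deny:   ", check(TCP_ONLY))
    print("TCP+UDP deny:    ", check(TCP_AND_UDP))
```

Note that the supplementary question (a trusted program driving Outlook itself) is outside what any packet rule can express: the traffic then comes from outlook.exe and matches rules 1-3.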
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    Remote port 110 is for retrieving mail on pop3, to send pop3 mail it is remote port 25. (I know some ISP`s have now changed that to remote port to 225). I presume you have remote port 587 for AOL e-mail sending.

    I have not taken a look at protecting the e-mail client within OA, so cannot comment at the moment if there is a way to protect it from other trusted applications, I will have a look later. (I currently have 2 PCs in the middle of an upgrade, so will have to put them together before I re-start tests etc)


    - Stem
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Can't remove 110 or 587 since ( strange as it may seem ) those are the ports forced on me by my ISP. It's right in their setup instructions as well. I've watched the OA logs and FW status during send and receive and those are the ports. Standards are not always followed and it seems in this case of the www they are not enforced.

    Look forward to your trusted using trusted to prevent email usage.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,
    Ah right. I did not realize some were moving (or had moved) to that port.
    Most ISP(s) are now changing port usage for mail, probably they are tired of botted PC non-ISP customer mail

    Will have to wait for a new beta, the current control of trusted windows applications is left to OA and not the user.

    - Stem
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Yes these ISP's do things that help them and hopefully us the guys who pay!

    Okay by me to wait for a new beta, the problem of sneaking email from trusted to trusted is either an issue or it isn't in OA and as just one user I can wait to "know". :cool:
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello:

    Some of you already know that OA released V3 today with vista 32 support.

    This thread can continue but I'm running OA Premium on xp sp3 so my posts are based on experience with that platform.

    This is not a support thread it is a learning thread so if you need support go to the following link:

    http://support.tallemu.com/vbforum/

    For new users, I suggest you first study/read all the help documentation at:

    http://www.tallemu.com/webhelp3/

    So with that out of the way here are 2 hints/reminders

    (1) In Firewall, Interfaces, untick trusted

    (2) Run the filesystems scan before you do anything else with settings on the main screen it will say at bottom you have never scanned etc, so this scans your system with the OA white list.

    See attached jpg for main screen as I have it.
     

    Attached Files:

  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Next hints/reminders

    1) In programs tab un-tick hide trusted box, we want to see what OA has trusted so we can adjust according to your own security policy

    2) In my case ( not to say I'm right for your set up ) I want to identify all the programs that "face the internet". Programs like browsers FF, IE x, Opera etc.

    3) click on these "facers" and set them to run safer. This is equivalent to running them under a limited account.

    4) I also set word, excel and my email client MS Outlook the same way.

    5) I also BLOCK from running at all CTF loader since every time M$ updates it reinstalls it to run even if earlier you have changed windows setting to NOT start it at boot time.

    6) I block Media Player Sharing service from running at all

    7) Standard MS games are set to run safer


    Now refresh and save your settings via options.

    Enjoy.:D
     