Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
  2. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    TY. I had some thinking work to do. I use PG 2 which is using the same source of blocklists as OA 2 and does the autoupdating for me.

    The list I downloaded using your method was a list of possible hackers that didn't clash based on a sampling I did with what I have already blocked via PG 2. ( see attached jpg)

    So, for purposes of this thread you have helped prove the OA blacklist feature works and shown how to use it. We can say testing is done here, and those who want to block in OA 2 can do so by following the steps in the thread.

    The fact that I have PG 2 as well is not important for other users.
    I don't want duplicate blocking myself as it is a waste of CPU cycles.

    The thing I like about PG 2 is it is NOT embedded with any other security tool on my set up thus maintains more of my layered defense approach.

    So "IF" I dropped OA and replaced by another FW/HIPS I would not have to redo all my blocking sites. Which is a fair effort to redo to say the least.

    The other option is the hosts file, but PG 2 provides way more ip's and ranges of ip by ip number than you would ever put there. I'm only describing this as an example of how easy it is to duplicate function by changing / adding tools.

    So for now for me, I'm limiting the use of OA 2's blacklist to PG 2 exceptions and using OA's, MyWebb sites for control of suspect sites.

    In hosts I use Spybot S and D's latest and greatest bad sites to load it. Around 7000 entries I think.

    Err on the side of restraining sites and see if any function you really need complains before easing the restraints.

    Security is NB and trumps functionality the more you use your PC for private $ transactions or sensitive work and surfing.

    I apologize for the "rant"
     

    Attached Files:

  4. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Did you all go on vacation?
    If yes then bring me a present when you get back.
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Hugger:

    Nope still here! What present would you like:D

    If you have a question or some concern go ahead and post it, who knows I may be able to help you or someone else as well!

    I am waiting for Stem and or Mike to reply to my post 19 and 36 which I fear are lost in the thread. They have been very busy with work as I understand it.

    So we have to be patient.

    However I have now a question to put about the OA 2's use of their Hosts feature.

    I have loaded my hosts file with all Spybot S & D banned sites. They all point these bad sites via loopback to my own computer, 127.0.0.1, not a "real" IP address. Thus I will never connect to any of those 7000 or so sites. Nothing to block. Neat, eh? A good security measure.

    There is a help file from OA 2 on their Hosts feature. Their example shows a blocked web site in the hosts file. But if I do that, my bad sites and loop backs it seems to me will lose their value by blocking the safety feature.

    I am confused by this and may be wrong since the documentation says these are rules about the host file entries not the entries themselves. :doubt:

    Currently I have all 7000 127.0.0.1 "allowed" in the OA rule list on host file.

    So, Mike if you are here please give this a look for us. jpg attached

    Thanks
     

    Attached Files:

  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    FYI, here is the Spybot S and D jpg I referred to in the previous post.
     

    Attached Files:

  7. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,656
    Location:
    Sydney, Australia
    "Allowed" in Online Armor means that the hosts entry is "Allowed to exist" - that is, it is permitted to have the entry there at all.

    So, you are setup right. It is probably easier to describe the inverse case:

    Suppose malware tried to write:

    <theirIP> www.yourbank.com

    If you did "Deny" - then there would be a deny rule. This entry is not allowed to exist in your hosts file - you would never be asked again.


    Suppose SWB did put in:

    <localhost> <adserver>

    If you choose allow - then you say that this entry may exist in the hostfile. You will not be prompted about it.
     
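    The distinction Mike draws above (an entry that sinkholes a name to the loopback address versus an entry that redirects a public name to a foreign address) is exactly what a hosts-file audit should separate. The script below is an added example written for this thread, not code from Online Armor or Spybot; it works on a constructed sample file, and the adserver names and the 203.0.113.45 address (an RFC 5737 documentation address standing in for a hypothetical attacker-controlled host) are made up.

```python
"""Audit a Windows-style hosts file: tell harmless sinkhole entries apart
from entries that redirect a public name to a foreign address.

Added example for the hosts-file discussion above; not part of Online Armor
or Spybot. The sample content below is constructed."""
import ipaddress

SAMPLE_HOSTS = """\
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.example-adserver.test
127.0.0.1 tracker.example-malware.test
# hypothetical hijack entry: a bank name pointing at a non-local address
203.0.113.45 www.yourbank.example
192.168.1.10 nas.home.lan
"""

# Addresses that make a name unreachable instead of redirecting it.
SINKHOLE_ADDRS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}
# RFC 1918 ranges: a name pointing here is a LAN alias, not a public redirect.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def classify(addr, names):
    """Verdict for one hosts line: local, sinkhole, lan, redirect or malformed."""
    if addr is None:
        return "malformed"
    if addr in SINKHOLE_ADDRS:
        return "local" if all(n.lower() in LOCAL_NAMES for n in names) else "sinkhole"
    if addr.is_loopback:
        return "sinkhole"  # 127.x.x.x style sinkholes other than 127.0.0.1
    if addr.version == 4 and any(addr in net for net in RFC1918):
        return "lan"
    # Anything else sends the name to an address outside this machine/LAN:
    # the shape of the <theirIP> www.yourbank.com entry described in the post.
    return "redirect"


def parse_hosts(text):
    """Parse hosts-file text into a list of entry dicts, skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        names = fields[1:]
        entries.append({"line": lineno, "addr": fields[0], "names": names,
                        "verdict": classify(addr, names)})
    return entries


def audit(text):
    """Return (counts per verdict, entries that deserve a human look)."""
    entries = parse_hosts(text)
    counts = {}
    for entry in entries:
        counts[entry["verdict"]] = counts.get(entry["verdict"], 0) + 1
    review = [e for e in entries if e["verdict"] in ("redirect", "malformed")]
    return counts, review


if __name__ == "__main__":
    counts, review = audit(SAMPLE_HOSTS)
    print("verdict counts:", counts)
    for entry in review:
        print("REVIEW line %d: %s -> %s" % (entry["line"], entry["addr"], " ".join(entry["names"])))
```

    Run against a real hosts file (read the text from `%SystemRoot%\System32\drivers\etc\hosts` on Windows) the thousands of 127.0.0.1 sinkhole lines collapse into one count, and only lines that point a name somewhere else are printed for review, which is the same question OA's "allowed to exist" rule answers per entry.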
  8. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Hi Escalader,

    Maybe a small digression back to the firewall basics? I have been looking in this thread and in the "help file" produced by "Mike" ;) for information about configuration of DHCP and DNS rules, but I haven't found anything.

    So you just allow svchost to do anything it pleases, right, or is there any intelligent way to restrict Windows to these 2 functions only?

    Cheers
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Just a reminder, to all posters.

    On our hints on learning on OA 2, I am deliberately leaving the rules till the end. Why? So we all can learn about OA's Host use, My web sites, keyloggers etc. As well, the FW tab has Restrictions on Local Host, Intranet and Satellite under country. See this link over at OA forum:

    http://support.tallemu.com/forums/viewtopic.php?p=15189#15189


    Under ICMP OA has an options table regarding Echo, Redirect and Masks; on restricted Ports it has an options table for things including NetBios and Router. Now I'm guessing, but I think OA 2 must use all these user options to generate some "real" rules for the FW. The rest comes from the use of the www as we reply to pops.


    Hi Lundholm:

    I have an even more basic question for you. I'm suffering:oops: again, seems my lot in forum life to suffer for learning. Where is Mike's help file? I must have missed it? Is it separate or inside OA somewhere?

    On your DHCP and DNS rules question there is normally a way in a FW for advanced users (not Mom or Aunty) to set rules for them.

    So far I haven't even looked for them in OA 2.

    So in OA 2 I can't answer this question yet but I like your question!

    It lies in the hands of OA experts to answer your question.

    In our Kerio 2 thread, experts showed us how to restrict them and bind.

    There were many jpg's showing these rules.

    Have a look at your administrative services for DNS and DHCP Client

    Herbalist was working on my DHCP under Kerio when this thread came up.
    I intend to go back to that, but I will have to refresh where that stood.
    Static ip settings inside the router. My router does the DNS work.
     
  10. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Hi Escalader,
    You're too busy to read your own thread! Take a look at post #22. ;)

    I'm looking forward to the heavy FW stuff. By that time I hope that "Mike" has completed the "help file" :)
     
  11. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    You are right again, I missed it! I see it now! New glasses wouldn't help with that problem! Who would think to read their own thread! :D

    I will slow down based on this advice.

    Yes, the guts of this thread the FW rules lie ahead. Once we get into that detail we may never come back to these option tabs, which also need to be correct since they clearly impact FW.

    Take care.
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Mike:

    Yes, TY. I think I know this guy SWB! His real name is parasite malware !

    Finally solved this on my own after 3 reads and a reference book on host files:oops:

    The goal of my post here at Wilder's was to ensure that posters and learner thread watchers understood and didn't get their inverses mixed up. :eek:

    IMHO, u r :thumb: on possible changes to the description/documentation that the OA hosts file entries are NOT the Host file itself in GIANT letters.

    It is true though, is it not, that an advanced user should realize that OA 's table of rules holds a sort of veto power over what can and cannot exist in the "real" host file?

    I respectfully suggest that OA's name for the tab/feature be changed to Host File RULES otherwise many will miss it. I did at first.

    Sorry but I will not post these over at OA forum as it is just too time consuming.
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Intraetians and the Satellitians

    FWIW:

    In my list of allowed countries I 1st blocked countries Local Host and the Intraetians.

    Now I left the Satellitians blocked and they have yet to complain.

    When those 2 were blocked (as they were not NATO members:D), my Windows XP sp2 would boot up a little differently.

    It would boot, never quite finish, log off, and was in an up/off loop.

    Don't try this at home, it is bad enough that I suffer first.

    IMHO this "glitch" was avoidable. It seems that OA missed this during testing this version.

    Mike, can we have your fix status on this? Wait for V3 or will U issue a fix in OA 2?
     
  15. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,656
    Location:
    Sydney, Australia
    Re: Intraetians and the Satellitians

    Hi Escalader,

    This is the reason why Online Armor ships in standard mode out of the box - it did (in advanced mode) exactly what you told it to do.

    What we've done to fix this is automatically add the Intranet IANA assigned range when you create a rule involving countries (you can remove it) - this exists in beta build 22 and higher of Online Armor.

    We're also updating the helpfile.


    Mike
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Intraetians and the Satellitians

    Hi Mike:

    Good you are here.

    Yes, it did exactly what I asked plus the 3 "odds" which was reported. That is good the fix done.

    I will have a look again at my own set up. I'm assuming ( never good) that us guys with licenses for OA 2 get that fix.

    I like the power of country blocking you have given the users. If they choose to use it well, that's up to each:D

    More later
     
  17. Sjoeii

    Sjoeii Registered Member

    Joined:
    Aug 26, 2006
    Posts:
    1,240
    Location:
    52°18'51.59"N + 4°56'32.13"O
    Anyone tried the OA security suite? I see it uses Kaspersky engine?
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    It is time to get back to work:thumb:

    Here are some technical questions on the OA 2 ICMP.

    I posted the jpg in post # 36, earlier in the thread but they got lost in the static.

    I modified the settings I currently have in use

    The defaults I changed from allow are:

    echo request, rationale was I don't want to signal my pc exists
    time stamp request, rationale my time is correct
    address mask request, rationale I don't need masks

    All seems to be working, but at the lower level of security do these settings seem correct? They appear to me to be choices that feed the real FW rules?

    But again I'm not sure.

    Anybody?
     
    Last edited: Nov 5, 2007
  19. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,656
    Location:
    Sydney, Australia
    PS...

    @Escalader - we're about to upload a beta that fixes the issue you reported with blocking programs that were trusted.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks, Mike:

    It's good the reported problem is being fixed.

    Thing is I don't have that version and use OA 2 in this learning thread. So can't report one way or the other for Wilder's.

    Others at your end will test it I'm sure.

    Ease up if you can it's only life and death! :D
     
  21. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,252
    Location:
    New England
  22. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    So many Threads hope I'm in the right one.

    Just switched over from comodo to OLA Free. NoD 2.7 won't 'kick in'.


    The pop up reads:

    error occured during communication with NoD 32 Kernel service

    How can I add NoD to FW's programs - it's not listed?
     
  23. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Right click OA icon, select learning mode, reboot, and nod should be "picked-up" then. Once all apps are recognized, go back to standard mode...
     
  24. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Now that we're back to the learning-thread, where are we at Escalader o_O
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Did you follow 19monty64's advice? What happened? In the learning thread in this case OA 2 paid please post the results!

    For free OA there is a separate thread from Mike Nash.

    Take it easy
     