Hints on using Online Armor FW-a Learning Thread 4

See my post in this thread ( https://www.wilderssecurity.com/showpost.php?p=1103261&postcount=14) about BlockListManager that may assist in creating a custom block list.

 

See

RFC - Path MTU Discovery
http://tools.ietf.org/rfc/rfc1191.txt

Google
http://www.google.co.uk/search?q= 'Path MTU Discovery' ICMP 'Destination Unreachable'

about enabling 'Destination Unreachable' in ICMP

 

TY. I had some thinking work to do. I use PG 2 which is using the same source of blocklists as OA 2 and does the autoupdating for me.

The list I downloaded using your method was a list of possible hackers that didn't clash based on a sampling I did with what I have already blocked via PG 2. ( see attached jpg)

So, for purposes of this thread you have helped prove the OA blacklist to feature works and shown how to use it We can say testing is done here and those who want to block in OA 2 can do so by following the steps in the thread.

The fact that I have PG 2 as well is not important for other users.
I don't want duplicate blocking myself as it is a waste of CPU cycles.

The thing I like about PG 2 is it is NOT embedded with any other security tool on my set up thus maintains more of my layered defense approach.

So "IF" I dropped OA and replaced by another FW/HIPS I would not have to redo all my blocking sites. Which is a fair effort to redo to say the least.

The other option is the hosts file, but PG 2 provides way more ip's and ranges of ip by ip number than you would ever put there. I'm only describing this as an example of how easy it is to duplicate function by changing / adding tools.

So for now for me, I'm limiting the use of OA 2's blacklist to PG 2 exceptions and using OA's, MyWebb sites for control of suspect sites.

In hosts I use Spybot S and Destroys latest and greatest bad sites to load it. Around 7000 entries I think.

Error on the side of restraining sites and see if any function you really need complains before easing the restraints.

Security is NB and trumps functionality the more you use your PC for private $ transactions or sensitive work and surfing.

I apologize for the "rant"

 

Did you all go on vacation?
If yes then bring me a present when you get back.

 

Hi Hugger:

Nope still here! What present would you like

If you have a question or some concern go ahead and post it, who knows I may be able to help you or someone else as well!

I am waiting for Stem and or Mike to reply to my post 19 and 36 which I fear are lost in the thread. They have been very busy with work as I understand it.

So we have to be patient.

However I have now a question to put about the OA 2's use of their Hosts feature.

I have loaded my hosts file with all Spybots S & D banned sites. They all point these Bad sites by pointing via loopback to my own computer 127.0.0.1 not a "real" ip address. Thus I will never connect to any of those 7000 or so sites. Nothing to block. Neat eh a good security measure.

There is a help file from OA 2 on their Hosts feature. Their example shows a blocked web site in the hosts file. But if I do that, my bad sites and loop backs it seems to me will lose their value by blocking the safety feature.

I am confused by this and may be wrong since the documentation says these are rules about the host file entries not the entries themselves.

Currently I have all 7000 127.0.0.1 "allowed" in the OA rule list on host file.

So, Mike if you are here please give this a look for us. jpg attached

Thanks

 

FYI, Here is the Spybot S and D jpg I refered to in the previous post.

 

"Allowed" in Online Armor means that the hosts entry is "Allowed to exist" - that is, it is permitted to have the entry there at all.

So, you are setup right. It is probably easier to describe the inverse case:

Suppose malware tried to write:

<theirIP> www.yourbank.com

If you did "Deny" - then there would be deny rule. This entry is not allowed to exist in your hosts file - you would never be asked again.


Suppose SWB did put in:

<localhost> <adserver>

If you choose allow - then you say that this entry may exist in the hostfile. You will not be prompted about it.

 

Hi Escalader,

Maybe a small digression back to the firewall basics? I have been looking in this thread and in the "help file" produced by "Mike" for information about configuration of DHCP and DNS rules, but I haven't found anything.

So you just allow svchost to do anything it pleases, right, or is there any intelligent way to restrict Windows to these 2 functions only?

Cheers

 

Just a reminder, to all posters.

On our hints on learning on OA 2, I am deliberately leaving the rules til the end. Why? so we all can learn about OA's Host use, My web sites, keyloggers etc. As well, the FW tab has Restrictions on Local Host, Intranet and Satelite under country. See this link over at OA forum:

http://support.tallemu.com/forums/viewtopic.php?p=15189#15189


Under ICMP OA has an options table regarding Echo, Redirect and Masks, on restricted Ports it has an options table for things including NetBios and Router. Now I guessing but I think OA 2 must use all these user options to generate some "real" rules for the FW. the rest comes the use of the www as we reply to pops.

Hi Lundolm:

I have an even more basic question for you. I'm suffering again, seems my lot in forum life to suffer for learning. Where is Mike's help file? I must have missed it? Is it separate or inside OA somewhere?

On your DHCP and DNS rules question there is normally a way in a FW for advanced users (not Mom or Aunty) to set rules for them.

So far I haven't even looked for them in OA 2.

So in OA 2 I can't answer this question yet but I like your question!

It lies in the hands of OA experts to answer your question.

In our Kerio 2 thread, experts showed us how to restrict them and bind.

There were many jpg's showing these rules.

Have a look at your administrative services for DNS and DHCP Client

Herbalist was working on my DHCP under Kerio when this thread came up.
I intend to go back to that, but I will have to refresh where that stood.
Static ip settings inside the router. My router does the DNS work.

 

Hi Escalader,
You're too busy to read your own thread! Take a look at post #22.

I'm looking forward to the heavy FW stuff. By that time I hope that "Mike" has completed the "help file"

 

Help files can be found here http://support.tallemu.com/forums/viewtopic.php?t=1822
"That's now been fixed and can be downloaded (for now) from:

http://dl1.online-armor.com/downloads/oa_ena.chm

Note: Please right click and "Save As" or your browser will try to open this."

 

You are right again, I missed it! I see it now! New glasses wouldn't help with that problem! Who would think to read their own thread!

I will slow down based on this advice.

Yes, the guts of this thread the FW rules lie ahead. Once we get into that detail we may never come back to these option tabs, which also need to be correct since they clearly impact FW.

Take care.

 

Mike:

Yes, TY. I think I know this guy SWB! His real name is parasite malware !

Finally solved this on my own after 3 reads and a reference book on host files

The goal of my post here at Wilder's was to ensure that posters and learner thread watchers understood and didn't get their inverses mixed up.

IMHO, u r on possible changes to the description/documentation that the OA hosts file entries are NOT the Host file itself in GIANT letters.

It is true though, is it not, that an advanced user should realize that OA 's table of rules holds a sort of veto power over what can and cannot exist in the "real" host file?

I respectfully suggest that OA's name for the tab/feature be changed to Host File RULES otherwise many will miss it. I did at first.

Sorry but I will not post these over at OA forum as it is just too time consuming.

 

Intraetians and the Satellitians

FWIW:

In my list of allowed countries I 1st blocked countries Local Host and the Intraetians.

Now I left the Satellitians blocked and they have yet to complain.

When those 2 where blocked, (as they were not NATO members) , my Windows XP sp2 would boot up a little differently.

It would boot never quite finish and log off and was in an up off loop.

Don't try this at home, it is bad enough that I suffer first.

IMHO this "glitch" was avoidable. It seems that OA missed this during testing this version.

Mike, can we have your fix status on this? Wait for V3 or will U issue a fix in OA 2?

 

Re: Intraetians and the Satellitians

Hi Escalader,

This is the reason why Online Armor ships in standard mode out of the box - it did (in advanced mode) exactly what you told it to do.

What we've done to fix this is automatically add the Intranet IANA assigned range when you create a rule involving countries (you can remove it) - this exists in beta build 22 and higher of Online Armor.

We're also updating the helpfile.


Mike

 

Re: Intraetians and the Satellitians

Hi Mike:

Good you are here.

Yes, it did exactly what I asked plus the 3 "odds" which was reported. That is good the fix done.

I will have a look again at my own set up. I'm assuming ( never good) that us guys with licenses for OA 2 get that fix.

I like the power of country blocking you have given the users. If they choose to use it well, that's up to each

More later

 

Anyone tried the OA security suite? I see it uses Kaspersky engine?

 

It is time to get back to work

Here are some technical questions on the OA 2 ICMP.

I posted the jpg in post # 36, earlier in the thread but they got lost in the static.

I modified the settings I currently have in use

The defaults I changed from allow are:

echo request, rationale was I don't want to signal my pc exists
time stamp request, rationale my time is correct
address mask request, rationale I don't need masks

All seems to be working, but at the lower level of security do these settings seem correct? They appear to me to be choices that feed the real FW rules?

But again I'm not sure.

Anybody?

 

PS...

@Escalader - we're about to upload a beta that fixes the issue you reported with blocking programs that were trusted.

 

Thanks, Mike:

It's good the reported problem is being fixed.

Thing is I don't have that version and use OA 2 in this learning thread. So can't report one way or the other for Wilder's.

Others at your end will test it I'm sure.

Ease up if you can it's only life and death!

 

So many Threads hope I'm in the right one.

Just switch over from comodo to OLA Free. NoD 2.7 won't 'kick in'.


The pop up reads:

error occured during communication with NoD 32 Kernel service

How can i add NoD to FW's programs - its not listed?

 

Right click OA icon, select learning mode, reboot, and nod should be "picked-up" then. Once all apps are recognized, go back to standard mode...

 

Now that we're back to the learning-thread, where are we at Escalader

 

Did you follow 19monty64's advice? What happened? In the learning thread in this case OA 2 paid please post the results!

For free OA their is a separate thread from Mike Nash.

Take it easy