How to add rules for P2P apps to the Phant0m's Ruleset?

Discussion in 'LnS English Forum' started by concerned807, Jun 15, 2007.

Thread Status:
Not open for further replies.
  1. concerned807

    concerned807 Registered Member

    Joined:
    Dec 2, 2004
    Posts:
    68
    Hi there!

    I just started using LnS 2.06, and I am planning on using the Phant0m's Ruleset.

    Based on my reading, the majority (only?) rules I need to create myself in addition to the Phant0m's Ruleset are those for the below P2P and Usenet apps.

    Question 1:
    I need your kind help here....
    Where should I, in the Phant0m's, position rules for these apps?
    I'd appreciate greatly your advice that comes with relevant screenshots.

    Since a few days ago I started using LnS, I have at last set working rules for the above apps using LnS Enhanced Ruleset. Thanks to Climenole's great helpful replies on this forum. I attached a screenshot of my Internet Filtering rules.

    Question 2:
    My Internet connection type is ADSL PPPoE. I use cFos 7.xx to dial up and connect. Using the Phant0m's, do I need to create specific rule under Internet Filtering for this program?

    Question 3:
    In addition to the above program-specific rules, are there any other rules I have to make myself and add them to the Phant0m's? I am concerned I may not be skilled in making rules....

    Complete list of Internet-Active apps I use:
    Thanks for your kind advice and patience.
    I hope this will be a good start of learning...
     

    Attached Files:

  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    1. I add p2p rules just above "+TCP: Block incoming connection" (your screenshot shows teh enhanced ruleset btw).

    2. I use cFosSpeed and iirc I needed to allow ICMP type 3.
     
  3. concerned807

    concerned807 Registered Member

    Joined:
    Dec 2, 2004
    Posts:
    68
    Hi again WSFuser:)

    Is there anything else you needed to do yourself after implemented the Phat0m's Ruleset?

    Guess I need to find out how to make the rule for it...Searching the forum now...
     
    Last edited: Jun 15, 2007
  4. concerned807

    concerned807 Registered Member

    Joined:
    Dec 2, 2004
    Posts:
    68
    This time I loaded Phat0m's Ruleset 7.71e, and tentatively made rules for eMule and uTorrent. They both connected wonderfully.

    Here are more questions from me:

    1. To achive the most optimal download/upload speeds, I want to know where exactly I should position P2P rules in the Phant0m's Ruleset.
    Is it the best that I just place P2P rules anywhere above "+TCP: Block Incoming Connections"? Or otherwise?

    2. Is there an order in which I should position P2P rules among themselves?
    For example, eMule above BitTorrent or vice versa...

    Thanks for advising!!!:)
     

    Attached Files:

  5. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I just put the p2p rules in alphabetical order :p so for me bittorrent first then emule.
     
  6. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi concerned807

    :rolleyes:

    Server rules before the rule blocking TCP + SYN inbound...
    Client rules after ...
    Check the picture:
     

    Attached Files:

  7. concerned807

    concerned807 Registered Member

    Joined:
    Dec 2, 2004
    Posts:
    68
    Hi Climenole,

    Could you confirm this is the order you are suggesting?

    The order you suggested:
    BitTorrent - Server rule
    {P. 4661.50}; [AA]; [TCP] {eDonkey + alt.} [SERVEUR] {eDonkey + alt.} eMule, Shareaza
    + TCP: Block incomding connections
    BitTorrent - Client rule
    {S. 4672.11}; [AA]; [TCP/UDP] {eDonkey - KAD} [eDonkey] KAD
    {T. 4672.10}; [AA]; [UDP] {eDonkey - liste srvr} [eDonkey] Liste serveurs

    Please also advise if server rules and client rules have to be immediately before after or just plain before and after?

    Can you explain the logic in the above suggested ordering? I have read only part of your LnS tutorial at the below link. I will keep and finish reading however.
    http://climenole.wordpress.com/
     
  8. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi concerned807 :)

    That's it ! Now you have the right place for the rules... :thumb:
    You'll be an LNS expert very soon concerned807 :)

    The logic here is quite simple. It's about the client / server relations in a connection...

    In any network, a server is any computer with a service listening on at least one port for incoming connections requests. A client is any computer in a network able to initiate or begin a connection to a server.

    When you're using your PC for browsing, emailing, chatting and so on, your PC is a client. You begin the connection to a server by sending it a TCP packet with the flag SYN like this: (an example for web site connection)

    Client (your PC) =============== Server listening on port 80

    -------------------- SYN ----------->>>

    <<<--------------- ACK -SYN --------

    ------------------- ACK ------------->>>

    The connection is now in "established state".

    Normaly you firewall must block all incoming TCP packets with the flag SYN.
    This block attemps to connect to your PC as a server.
    This protect also your PC against connections attemps to the port 135 (blaster worm), port 445 (sasser worm) etc.

    In the LNS enhanced rules set this rule is:
    TCP: Block incoming connections

    In Phant0m rules set:
    +TCP : Block incoming connections

    In Climenoles rules set:
    {Q. 999}; [TCP] << SYN ! >

    This is the same rule. (Just double click on the rule and check what's "inside"...)

    When you run a server application like p2p you have to place the server functions rule before this incoming TCP + syn rule.

    All incoming TCP + syn (and the correct data and format) are managed by the server rule and the application, All the other incoming TCP + syn with the wrong data or format or port are rejected by the server rules and application and blocked by the following incoming TCP + syn blocking rule...

    For the client application like a web browser, an emailer or the client part of a p2p application, the rules must be after that "central" rule.

    Hope it's more clear for you.

    :)
     
    Last edited: Jun 15, 2007
  9. concerned807

    concerned807 Registered Member

    Joined:
    Dec 2, 2004
    Posts:
    68
    It can't be clearer.
    I am blushing...I feel like pupil walked through it by the teacher.
    But it is a good feel:D
     
  10. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    Hello Climenole, I just got Phant0m's ruleset and I wonder why do I have to place the BitTorrent rule below +TCP : Block incoming connections ?

    If the BT rule is on the top the ruleset list and I perform the Nat/Firewall test (via Azureus>tools) the test is successful.

    On the other hand if its placed below +TCP : Block incoming connections rule, the Azureus' Nat/FW test fails.

    Can you enlighten me, thanks.
     
  11. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi mike21 :)


    BELOW! :eek:

    The Az NAT test should check only the outgoing not the incoming packets...

    Look the LnS log...

    BiTTorrent is a p2p program: so the rule corresponding to the server part of Azureus
    must be placed BEFORE the rule +TCP : Block incoming connections.

    This server rule for Az looks like this:

    Protocol: TCP
    Packets: in and out
    Address: equal MY@
    Local port : the same you choose in the Az parameters
    Address: all (no entry)
    Remote ports: all (no entry)
    application: Azureus <<== mandatory to add Azureus in that rule!

    ...

    here the "+TCP : Block incoming connections."

    ...

    The DHT rule for Az:

    Protocol: UDP
    Packets: in and out
    Address: equal MY@
    Local port: the same you choose in AZ for DHT
    Address: all
    Remote ports: all
    Application: Azureaus (mandatory to put the Az executable in this rule)


    So the incoming TCP packets with the flag SYN will be checked if the are sent to the AZ server port else they are rejected by the rule "+TCP : Block incoming connections."

    wrong port = blocked by LnS!

    If these packets are sent to the AZ server port with the wrong data or format they are rejected by AZ and the subsequent packets like this one will from the same source will be rejected by the rule "+TCP : Block incoming connections."

    wrong data or format: rejected by Az = no connection with this source
    all subsequents: blocked by LnS and the Statefull packet inspection because it's not an established connection ...


    If the TCP packets + syn are sent to your AZ server port AND they have the correct data and format then they are accepted by AZ, that's create a new connection and all the other packets created by THIS connection are watched by AZ AND LnS with the Stareful Packet Inspection...

    Is this okay now ?

    :)

    Like the pictures below...

    1 = server port for AZ (the same than TCP listening port in AZ parameters)
    2= the rule to block incoming TCP + SYN (same than +TCP : Block incoming connections.")
    3 = DHT rule: the same port choosed in AZ parameters...
     

    Attached Files:

    • az1.jpg
      az1.jpg
      File size:
      9.4 KB
      Views:
      676
    • az2.jpg
      az2.jpg
      File size:
      111.3 KB
      Views:
      5
    Last edited: Jun 17, 2007
  12. mike21

    mike21 Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    416
    Thanks for your thorough explanation. It is like this and my setup now, the tcp rule of the AZ just above the +TCP : Block incoming connectionsrule (I hope I do not have to put it on the top of all other rules, just above this rule) and then the udp rule below the +TCP : Block incoming connections
     
Thread Status:
Not open for further replies.