How to configure LnS to pass PCFlank Referrer test with MyIE2

Discussion in 'LnS English Forum' started by Defenestration, Jul 17, 2004.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Hi,

    I'm using LooknStop v2.05 Trial coupled with Firefox and MyIE2 (for when Firefox doesn't work properly).

    I have successfully got Firefox to pass the PCFlank Referrer test, but not MyIE2.

    How do I configure LooknStop so that MyIE2 (and all other IE variants) passes the Referrer test ?

    I haven't tried Opera, but have heard it's good so I might try it in the future. For future info, what do you need to set-up to make Opera pass the Referrer test.

    Every other PCFlank test has been passed successfully so I'm happy:eek:)

    Thanks in advance!
     
  2. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I forgot to mention that my ISP is AOL and when I enabled all the LnS Miscellaneous Advanced options the AOL connection is dropped after approx. 20 mins. I have noticed similar behaviour when using Kaspersky Anti-Hacker 1.5 with Stealth mode enabled.

    Which option is causing this problem and why does it happen ? I want the most secure settings for the firewall (without the connection being dropped).

    Laste but not least, has the LnS problem with changed programs not being detected (as reported on this forum) been fixed ? If not when will it be ?

    Thanks
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    Look'n'Stop is a firewall only, it does not have proxy features such as Referer blocking. May be FireFox natively allows direct control on the HTTP fields and MyIE2 not (I know you can change the User-Agent with a plugin on FireFox for instance).

    If you are concerned about browsing privacy, you may be interested by "Proxomitron".

    About your connection dropped, try these rules :
    http://www.looknstop.com/Fr/rules/downloader.php?file=club_internet_adsl.rie

    import them and place them first and Apply the change, it will allow the fragmented packets which may cause your disconnection usually.

    Finally, about the executable modification not change, I am not aware that anyone has sent them two executable before and after update for analyse, and personally I have never seen that (when I program a network program, that I modified it, and compiled it again, LNS detects it).
    I don't say the problem doesn't exist, but then post here ths link of two different executables (such as Opera or WinMX) for which the modification is not seen, or send them to LNS directly at lnssupport@soft4ever.com

    regards,

    gkweb.
     
  4. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Message understood ;)
    I just sent the two Opera files to the address suggested by gkweb.

    Hope this helps,
    Thomas :)
     
  5. Martin Aston

    Martin Aston Guest

  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    good :)
    I hope now Frederic can analyse them and come here with answers.

    regards,

    gkweb.
     
  7. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    gkweb - Applied your rule, but the connection is still being dropped (Edit: It's an AOL 9 dial-up connection, *NOT* an ADSL connection). BTW, it's the TCP Stateful Packet Inspection Advanced option that's causing the problem. When enabled it causes the connection to be dropped. When disabled, the connection stays alive until I end it.

    Re. the browser referrer problem - This thread (http://www.pcflank.com/forums/showthread.php?threadid=817) at PCFlank suggests that a firewall can block the referrer. Failing that is there a registry setting for IE that will stop the referrer ?

    This link (http://www.pcflank.com/forums/showthread.php?threadid=821)
    on the PCFlank forums tells you how to stop referrer with Firefox/Mozilla browser.
     
    Last edited: Jul 20, 2004
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    about the SPI, it has a limit of handling 128 connections maximum, and starts blocking them above this limit.
    Generally the SPI is not compatible whith applications using a lot of connections, such as P2P softwares. May be you have an app too that creates many connections at a time.

    A workaround as you have guessed is to disable the SPI, until a solution or a fix is added on a next LNS version.

    They suggest, but the referer field is an HTTP field, which means that it is a packet _content_, and a firewall does not check inside packets contents, only the IDS and proxy for instance.
    Nevertheless, more and more "firewall" include plugins (this way is ok) to handle such a thing, and others include this feature into the firewall, which I don't really like, because it is not anymore a firewall only, but that's my personal opinion.

    regards,

    gkweb.
     
  9. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I don't think that's the reason but thanks for the info. I'm guessing some acknowledgement is not being sent to AOL and because of that AOL thinks the connection has gone dead and so drops the connection. As mentioned previously, I've had the same problem with Kaspersky Anti-Hacker when Stealth mode is enabled.

    BTW, Do you know what type(s) of attack SPI protects you from ?

    I always thought that firewalls did look inside packets to determine some types of attack, but I could be wrong.

    I agree that a firewall should be a firewall without a lot of bell's & whistle's (ie. BLOAT). Products that try to be everything, often end up being average at most things.
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey :)

    Defenestration; if there’s SPI Alerts that applies to Outgoing TCP packets being logged around the time you experiencing Connection issues then gkweb is right, you using Application that uses a lot of simultaneous TCP connections. Try using SPIInOnly Feature.

    Also verify that Look ‘n’ Stop has been configured for use of all DNS servers your Internet uses.

    A full TCP SPI rejects any “unsolicited” TCP Packets, TCP SPI “should” deal with;
    1. "Out of connection"
    2. "Invalid Flags"
    3. "Invalid Sequence Number"
    4. "Invalid Acknowledge Number"

    IDS base Firewalls do look in the packets content for “known” malicious threats.
     
  11. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    basically SPI does not protect against a particular kind of attack, but virtually against most of the attacks, since only existing connection flows are allowed to come back (anything else is dropped).
    But the Look'n'Stop SPI is just about the TCP connections as far as I know, not about UDP or ICMP (harder since they are connection less).

    A software looking inside packets content to check for particulars attacks is called an IDS (Intrusion Detection System), I am talking about the data field.
    A firewall just looks at the header of the packet to check IP address and port source/destination.
    So, a firewall will allow for instance a connection to your web server because the dest port is 80, whereas an IDS will be able to parse the HTTP command and to detect a bogus request inside the TCP data field (possibly an exploit).
    All of that is network speaking, because as you know the personal firewalls now include a check for application outbound connections.

    regards,

    gkweb.
     
Thread Status:
Not open for further replies.