Jetico-Avast proxy localhost affair

Discussion in 'other firewalls' started by poirot, Jul 31, 2006.

Thread Status:
Not open for further replies.
  1. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    I run
    an Ethernet BB router
    Jetico firewall
    Avast antivirus
    Firefox
    IE.

    I tried a few different Jetico configurations, some harder on security than others, and finally adopted Ladidel's method (http://www.geocities.com/ladidel_jetico/jeticoindex)
    of placing beforehand every relevant application working full time in the first and main Application Table, following the golden rule
    of giving each Application:

    1-Access
    2-generally detailed outgoing permission, or whatever is needed
    3-Rejecting anything else.

    My uncertainty regards the Avast WebShield proxy problem as, according to lukor, Avast rep at the Avast Forum, this antivirus needs:

    1-browser to connect to localhost:12080
    2-WebShield (ashWebSV.exe) to listen on localhost:12080
    3-WebShield to accept the connections from localhost:anyport
    4-WebShield to connect to web servers on port 80

    What I did:
    1-is taken care of by the FF and IE settings for a local HTTP proxy on port 12080;
    2-3 by an ashWebSV.exe inbound rule from remote 127.0.0.1, port 12080;
    4-by setting the remote port for outbound connections to 80.

    This is part of my App. Table (edit: due to problems uploading I'll continue in the following posts):
     

    Attached Files: 1.jpg (88.3 KB)
  2. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    The Browser section is the following. I used the standard rules, but detailed the applications
    working as browsers, in my case the Avast local proxy, Firefox and IE:

    accept disable 0 access to net

    accept disable tcp/ip outbound any any any 80

    accept ashWeb.exe dis tcp/ip outbound any any any any
    accept HTTP FF dis tcp/ip outbound any any any 80
    accept allow HTTPS dis tcp/ip outbound any any any 443
    accept HTTP IE dis tcp/ip outbound any any any 80
    accept Allow HTTPS dis tcp/ip outbound any any any 443
    continue default action

    (sorry, my .jpg was not accepted; continues in the next post)
     
  3. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    These settings make Jetico prompt for any new connection, which is what I wish.
    Jetico, when my router is in the DMZ, is perfectly stealthed everywhere.

    I hope I 'translated' these rules into good practice... if anyone can spot a mistake please let me know.


    Now what I am asking here is: I gave the Avast proxy the 'inbound' permission
    which they think is necessary, but I previously never gave Avast such a permission with other firewalls, and I found the system works fine in Jetico even without it (it seems to me),
    so is it REALLY necessary?

    Considering the 4 previously mentioned 'rules' for Avast,
    was I right in:
    leaving port 80 in the Avast WebShield redirected HTTP port? (It works fine with 12080 in the box as well, though.)

    I tried to delete 127.0.0.0/8 from the Configuration Wizard Trusted Zone, which I take as authorizing loopback for any application, in order to remove the implicit 'allow all' default traffic and to start giving permission to selected
    ones only, but when I remove it from the wizard's trusted zone it comes back on reboot.
    Am I doing anything wrong, or is it simply impossible?

    This is Jetico 'Applications' when Wilders Forum and Google are connected:
     

    Attached Files: 4.jpg (65 KB)
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Not if you have localhost (127.0.0.1) within the trusted zone.

    This is user config; this can be any within Avast.

    To remove the localhost from the "auto config (trusted zone)" you must block the "wizard" (fwsetup.exe) from "access to network" (then remove the localhost entry). The wizard then, on boot or execution, will only see the PC config (local LAN / DNS servers / local IP), and will not automatically add localhost. (This is how I have this set.)
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The Avast proxy should be restricted to the remote ports required, the browsers will be accessing these ports via that proxy. Rules needed for the browsers should only be the need to access the network and the proxy (localhost). I will re-check.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    First of all, remove the localhost (127.0.0.1) from the trusted zone (as mentioned in post 4). There will then be a need to allow "ashwebsv.exe" outbound / inbound connections from remote host 127.0.0.1. Then allow "ashwebsv.exe" the browser rules (access to network, outbound connections to remote ports 80:443 (other ports can be added, as per your need)).
    Then set up your browser to use the proxy. The browser will then require "access to network" and allow outbound connections to remote host 127.0.0.1; you can then block all other comms for the browser.

    (Note: I have not been able to find the application you mention, "ashWeb.exe"; is this from an older version of Avast, or a mistype?)
     
  7. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Thanks a lot Stem!
    The more I read about localhost, Sygate, Kerio and loopback, the more confused I became about what to really do with Jetico.
    I'll begin with your last comment: it's really my fault, as for brevity's sake I wrote the name without the SV in the Jetico description. It is really
    ashWebSV.exe
    and it is of course the WebShield engine of Avast. I couldn't upload the screenshot about
    WebBrowsers because I had used that one for a test the day before and now it won't be accepted anymore; I didn't know about such a thing at Wilders.
    I saw what you suggest and I will put myself down to remodelling according to your pertinent observations (another day needed).
    I'll begin with the localhost Trusted zone...
    Question: when proceeding with the TZ 127.0.0.0/8 removal, can I leave my

    WebBrows ashWebSV inbound dis TCP/IP inbound any 127.0.0.1 12080 any

    rule in place (if the TZ removal is successful I'll need this rule), or shall I delete all ashWebSV.exe, Firefox and IE rules and start
    anew? Is such an inbound rule correct with
    'any 127.0.0.1 12080 any' for local address, remote address, local port, remote port?

    edit- I blocked fwsetup.exe and on this PC the 127.0.0.0/8 vanished even before I attempted a removal.
    Shall I keep fwsetup blocked? Or can I allow it again afterwards?
     
    Last edited: Jul 31, 2006
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Once you allow "access to network" for the "wizard(fwsetup)" the localhost (127.0.0.1) will be automatically put back into the trusted zone.

    You need to allow Avast "ashWeb.exe" access to outbound and inbound connections to the localhost for the proxy to work correctly. (Leaving the localhost out of the trusted zone can make your setup safer, but does mean some extra rules to place for programs that need loopback.)
    You should be able to leave the proxy connection remote-port specific, but I did not test this while setting up (I am going to re-install, to re-check again).
    I will post my rules for my setup with Avast web shield, and we can compare and decide on the best ruleset to create for this application.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi poirot,
    I currently (to confirm) have localhost removed from the trusted zone.

    The rules I have in place for Avast(ashWebsv.exe) are:- (these are based on local proxy default: 12080)

    Allow "access to network"
    accept disabled TCP/IP inbound connection (local address)any (remote address)127.0.0.1 (local port)12080 (Remote ports)1024-4999
    accept disabled TCP/IP outbound connection (local address)any (remote address)any (local ports) 1024-4999 (remote port)80
    accept disabled TCP/IP outbound connection (local address)any (remote address)any (local ports) 1024-4999 (remote port)443
    Reject notice any~

    For my browser (firefox)
    Allow "access to network"
    Allow disabled TCP/IP outbound connection (local address)any (remote address)127.0.0.1 (local ports)1024-4999 (remote port)12080
    Reject notice any~

    This is working correctly (well after the setup program stopped bugging me for updating)

    Stem

    EDIT:
    I have been running with these rules with no problem. I don't think the rules can be made any tighter.

    Of course, if there is a need for alternative remote connections, then these would need to be added to the "ashWebsv.exe" rules (example: remote 81:8080).
     
    Last edited: Jul 31, 2006
  10. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Following your previous guidelines I had modified my settings almost the way you suggest; the only difference was I had not included the 1024-4999 ports limitation for ashWebSV.exe remote ports..... it seems your efforts are paying off, albeit your pupil is still a bit clumsy.

    I have now modified along your guidelines in the Application Table, but experimentally leaving part of it as I modified yesterday. For instance, you begin all ashWebSV.exe rules with an 'accept' whereas I had chosen 'WebBrowser'... thinking that the latter would both 'accept' and send to the
    'WebBrowser' Table. I'll wait for a comment of yours here before changing.

    I guess you mean these rules are for the WebBrowser Table, as you're using
    'allow' and not 'accept'?

    So, now I'm running Jetico with all the rules you suggest in the Application Table, but you need to have a look at my WebBrowsers Table, which I did yesterday (works fine with the App. Table modified with your rules). Please
    let me know:
     


  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi poirot,
    Just wondering, what is the "Allow http" rule? Allow outbound connect to remote:80 (no application bound to rule).

    I was just placing a rule; I was not sure as to how/where you were going to place these yourself, I just wanted you to understand the rule(s).
     
  12. shaunwang

    shaunwang Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    94
    Hey Stem,

    How are you? I was reading the above quote, and it prompted me to ask you some questions.

    Question 1
    By removing 127.0.0.1, what's the motive or setting behind this?

    Question 1.1
    What does disabling fwsetup.exe from accessing the network mean?

    1. to prevent fwsetup from auto-updating the latest trusted network?
    2. to prevent fwsetup from prompting every time the user boots up his computer?
    3. to only allow whatever settings are set in the System Application Table, where svchost.exe makes everything?

    Question 2
    Where is this being used: routers, broadband, DSL, ADSL?

    Question 2.1
    If it's a router, how does this help?

    Question 3.
    About this website
    (http://www.geocities.com/ladidel_jetico/jeticoindex)

    Are the "System IPTable" rules on ICMP like the ones below.....

    reject Deny ICMP information request(5) disabled ICMP incoming packet any any ICMP type: Redirect (5), code: any

    reject Deny ICMP information request(15) disabled ICMP incoming packet any any ICMP type: Information Request (15), code: any
    reject Deny ICMP information request(16) disabled ICMP outgoing packet any any ICMP type: Information Reply (16), code: any

    reject Deny other incoming ICMP disabled ICMP outgoing packet any any ICMP type: any, code: any

    reject Deny other incoming ICMP disabled ICMP incoming packet any any ICMP type: any, code: any

    .... counted as good block rules?

    I just need to clarify some information and understand Jetico much better. If it's possible to answer my questions, it would be a great blessing for me.
     
  13. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Stem, the first and second rules are Jetico's original rules which were there at install.
    I just left them, thinking they were needed for the general functioning of the connection, which was more defined with the following rules and, in my case, especially with the Application Table rules, which obey the rules outlined by you.
    Should I get rid of them?
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The 2 top rules are open (can be used by any application). The first one "access to network" is o.k. if these rules are within a ruleset that is being called (and not open to all applications). The 2nd rule, allow http should be removed.
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    In this setup, the localhost (127.0.0.1) is being used as proxy. If the localhost was left in the trusted zone in this setup, there is the possibility that other applications with "access to network" could gain access to the proxy.

    This is to stop the localhost from being automatically placed back into the trusted zone.


    With the proxy install, I would use this on any setup.

    Did you not place a block-all-ICMP rule at the end of the table? That would cover these.
     
  16. shaunwang

    shaunwang Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    94
    Hmm, this is weird. I tried testing it by removing

    There are several things I need to ask for more information about.

    1. Previously I had 127.0.0.1/24 in the trusted zone; now it is removed. Are there any effects from removing that? I mean, what will prompt access to 127.0.0.1?

    2. 127.0.0.0/8: what is this? When I add this to the trusted zone in the fwsetup wizard, all 127.0.0.1 requests for send datagrams and receive datagrams are gone. (I removed 127.0.0.1/24 and this still works; why?)

    3. When both 127.0.0.0/8 & 127.0.0.1/24 are removed, executing Internet Explorer will continuously prompt for sending and receiving datagrams.

    4. Is it possible to remove both 127.0.0.0/8 and 127.0.0.1/24 from the trusted zone at fwsetup (which is now in reject from access network) without prompts? I am using broadband; whether or not it is a proxy, I feel that it's a proxy. But this proxy doesn't require me to set anything since it's plug and play and connect.

    5. What do you mean by proxy install? On which side does your proxy install concern: the user's side or the ISP side? If my ISP is using a shared proxy server, and I do not need to set any proxy, can I still do this method of removing localhost?

    6. If I am on a shared proxy server, by leaving 127.0.0.0/8 inside the (fwsetup) wizard as trusted zone and removing 127.0.0.1/24 from the trusted zone, am I still safe from applications gaining access to my shared proxy server?
     
    Last edited: Aug 1, 2006
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    127.0.0.1/24 cover the IPs of 127.0.0.1 to 127.0.0.255
    127.0.0.0/8 covers the IPs of 127.0.0.0 to 127.255.255.255

    They both cover the localhost IP.

    Removing this from the trusted zone, will mean popups from applications that need to use the localhost.
     
  18. shaunwang

    shaunwang Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    94
    So basically if I want to be safer, I will remove both 127.0.0.0/8 and 127.0.0.1/24 from the trusted zone and then set web browser with a rule that allows

    If I set a rule like this in the web browser table

    accept disabled TCP/IP send datagrams any 127.0.0.1 any any
    accept disabled TCP/IP receive datagrams any 127.0.0.1 any any

    Will this prevent the popups from Internet Explorer?
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, you would need to:
    Allow send datagrams to remote host 127.0.0.1
    Allow Receive datagrams from remote host 127.0.0.1
     
  20. shaunwang

    shaunwang Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    94
    But in web browser

    this already exists:
    accept disabled TCP/IP send datagrams any 127.0.0.1 any any
    accept disabled TCP/IP receive datagrams any 127.0.0.1 any any


    Where else should I put the quoted rules as well?
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Not in the default Jetico browser ruleset, have you added these?
    What is the popup for the localhost access from IE?
     
  22. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Stem, I'd like to show you how I arranged both the Application Table and the WebBrowser Table to deal with the proxy-localhost intricacies. Hopefully after this post I'll give you some well deserved rest on this matter,
    as I think all Jetico 1.0 users will be very, very eager to find out about the new 2.0 version....:

    Application Table-
     


  23. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    And this is the Web Browser Table:
     


  24. shaunwang

    shaunwang Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    94
    I can surf with IE now after putting this

    accept disabled TCP/IP send datagrams any 127.0.0.1 any any
    accept disabled TCP/IP receive datagrams any 127.0.0.1 any any

    in the Jetico browser ruleset.

    So I was wondering which other ruleset requires this?

    Btw, Firefox now has a serious problem: it requests this rule below

    accept disabled TCP/IP inbound connection C:\Program Files\Mozilla Firefox\firefox.exe any 127.0.0.1 2171 any Hash 3FCDADC0 10FDA069 7D0C1BBB E64F5868 C7311FDC
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi poirot,
    In the application table, there should only be 1 rule for ashwebsv:
    =>Browser any event
    Then any event for that application will cause the jump to the browser ruleset.
    The same for firefox / IE
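Added illustration (editor's example; not Jetico's code and not code posted by anyone in the thread): a small Python model of the rule evaluation the thread converges on. It combines Stem's per-application rulesets from post 9 (WebShield inbound from 127.0.0.1 on local port 12080 with remote ports 1024-4999, outbound to remote ports 80 and 443; the browser allowed only outbound to 127.0.0.1:12080), the one "=> table, any event" jump per application from post 25 with "continue default action" fall-through, and the trusted-zone exposure Stem describes in post 15. The exact evaluation order, the "prompt" verdict for an unmatched event, the executable names and the sample address 198.51.100.10 are assumptions of this model, not documented Jetico behaviour.

```python
# Added illustration, not Jetico's code and not code posted in the thread.
# Rules follow Stem's rulesets (post 9) and the one-rule jump per application
# (post 25); the evaluation order, the "prompt" verdict for unmatched events,
# the executable names and the sample addresses are assumptions of this model.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Tuple[int, int]          # inclusive (low, high)
EPHEMERAL: PortRange = (1024, 4999)  # port window Stem uses in post 9
PROXY: PortRange = (12080, 12080)    # Avast WebShield local proxy port


@dataclass(frozen=True)
class Event:
    app: str                     # executable that raised the event
    kind: str                    # "access" (to network), "inbound" or "outbound"
    remote_ip: str = "0.0.0.0"
    local_port: int = 0
    remote_port: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                         # "accept", "reject" or "jump:<table>"
    app: Optional[str] = None           # None = any application
    kind: Optional[str] = None          # None = any event
    remote_ip: Optional[str] = None     # None = any remote address
    local_ports: Optional[PortRange] = None
    remote_ports: Optional[PortRange] = None

    def matches(self, ev: Event) -> bool:
        if self.app is not None and self.app != ev.app:
            return False
        if self.kind is not None and self.kind != ev.kind:
            return False
        if self.remote_ip is not None and self.remote_ip != ev.remote_ip:
            return False
        lo, hi = self.local_ports or (0, 65535)
        if not lo <= ev.local_port <= hi:
            return False
        lo, hi = self.remote_ports or (0, 65535)
        return lo <= ev.remote_port <= hi


# Application Table: one "=> table, any event" rule per application (post 25).
# Per-application tables: Stem's post 9 rules, each closed by "reject any".
TABLES = {
    "Application": [
        Rule("jump:WebShield", app="ashwebsv.exe"),
        Rule("jump:Browser", app="firefox.exe"),
    ],
    "WebShield": [
        Rule("accept", kind="access"),
        Rule("accept", kind="inbound", remote_ip="127.0.0.1",
             local_ports=PROXY, remote_ports=EPHEMERAL),
        Rule("accept", kind="outbound", local_ports=EPHEMERAL, remote_ports=(80, 80)),
        Rule("accept", kind="outbound", local_ports=EPHEMERAL, remote_ports=(443, 443)),
        Rule("reject"),
    ],
    "Browser": [
        Rule("accept", kind="access"),
        Rule("accept", kind="outbound", remote_ip="127.0.0.1",
             local_ports=EPHEMERAL, remote_ports=PROXY),
        Rule("reject"),
    ],
}


def zone_contains(zone, ip: str) -> bool:
    """True if any trusted-zone entry (CIDR strings such as "127.0.0.0/8") covers ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(z, strict=False) for z in zone)


def walk(tables, name: str, ev: Event) -> Optional[str]:
    """First matching rule wins. A jump whose target table has no match
    falls through to the next rule ("continue default action")."""
    for rule in tables[name]:
        if not rule.matches(ev):
            continue
        if rule.action.startswith("jump:"):
            verdict = walk(tables, rule.action[len("jump:"):], ev)
            if verdict is not None:
                return verdict
            continue
        return rule.action
    return None


def decide(tables, trusted_zone, ev: Event) -> str:
    """Verdict for one event: accept, reject, or prompt the user.
    Modelling assumption (taken from the thread's description, not from
    documented Jetico behaviour): a connection to an address inside the
    trusted zone is accepted for any application before the tables run."""
    if ev.kind != "access" and zone_contains(trusted_zone, ev.remote_ip):
        return "accept"
    return walk(tables, "Application", ev) or "prompt"


if __name__ == "__main__":
    # Constructed sample events; 198.51.100.10 is a documentation-range address.
    stranger = Event("other.exe", "outbound", "127.0.0.1", 1700, 12080)
    print(decide(TABLES, [], Event("firefox.exe", "outbound", "127.0.0.1", 1500, 12080)))   # accept
    print(decide(TABLES, [], Event("firefox.exe", "outbound", "198.51.100.10", 1500, 80)))  # reject
    print(decide(TABLES, [], stranger))               # prompt
    print(decide(TABLES, ["127.0.0.0/8"], stranger))  # accept: the exposure in post 15
```

The last two lines of the demo are the point of Stem's advice: with the trusted zone empty, an unrelated program reaching for 127.0.0.1:12080 is not covered by any rule and would prompt, whereas with 127.0.0.0/8 trusted it is waved through to the proxy without any per-application rule being consulted. `zone_contains` also answers shaunwang's question in post 17, since both 127.0.0.1/24 and 127.0.0.0/8 contain 127.0.0.1 but only the /8 covers the rest of the loopback block.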
     