LNS from Outpost

Discussion in 'LnS English Forum' started by starfish_001, Feb 17, 2006.

Thread Status:
Not open for further replies.
  1. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    I'm an Outpost / Zonelabs user - thought I'd give LNS a try.

    I have loaded it - seems light and functional.

    I have loaded the enhanced rules and turned on Stateful inspection, Advanced mode - didn't notice a change, DNS watch and Thread injection.

    A number of applications have now asked for access - they appear to be able to do anything that the global rules allow.


    In the application window I can select an app and then edit - it appears to allow pos to add restrictions to particular apps - the dialogue is not very informative. Do people add extra per-app restrictions or rely on the packet rules? I noticed some rules for apps like p2p, not svchost etc.



    I did load Phant0m's v6 rules but they blocked Proxitron and Firefox - not sure why.
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I personally just rely on packet rules. Also, for Phant0m's ruleset make sure you correctly set the DNS and DHCP rules. I have hardened my Windows XP and I have NOD32, ewido and RegRun, so I doubt I'd get easily infected or hacked.
     
  3. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Thanks - I see my error: no name or IP resolution

    Your config sounds very like mine - adding Proxitron + PG

    I'm gonna try some leak tests a bit later
     
  4. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Not sure how good these tests are
    http://www.atelierweb.com/awft/
    From Site
    One: Attempts to load a copy of the default browser and patch it in memory before it executes. Defeats the weakest PFs.
    Two: Creates a thread on a loaded copy of the default browser. Old trick, but most firewalls still fail.
    Three: Creates a thread on Windows Explorer. Another old trick, but almost every firewall still fail.
    Four: Attempts to load a copy of the default browser from within Windows Explorer and patch it in memory before execution. Defeats PFs which require authorization for an application to load another one (succeeding on Technique 1) - Windows Explorer is normally authorized. This test usually succeeds, unless the default browser is blocked from accessing the Internet.
    Five: Performs an heuristic search for proxies and other software authorized to access the Internet on port 80, loads a copy and patches it in memory before execution from within a thread on Windows Explorer. Very difficult test for PFWs!
    Six: Performs an heuristic search for proxies and other software authorized to access the Internet on port 80, requests the user to select one of them, then creates a thread on the select process. Another difficult nut to crack for PFWs!


    But with Phant0m's v6 rules - Stateful inspection on - DNS watch on and Injection on LNS passed all

    Outpost did not pass test 5 on my system - component control set to Normal - I guess it would pass on Max. Not tried as Process Guard or Appdefend block this test


    Quite a few of Phant0m's v6 rules are not active by default - any guidance on which to turn on, or I guess not, would be appreciated ... they are quite difficult to understand
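
A defender's view of the AWFT techniques quoted above, as an added example that is not part of the original post: flagging a foreign thread created in a program the firewall trusts, and a trusted program started from a process that received one. The event records are constructed and only loosely shaped like Sysmon's event ID 8 (CreateRemoteThread) and event ID 1 (process creation); the allowlists, paths and the name leaktest.exe are assumptions.

```python
import ntpath

# Assumed policy for this sketch: programs the firewall lets out, system
# processes allowed to create threads in them, and normal launchers.
NET_TRUSTED = {"firefox.exe", "iexplore.exe", "explorer.exe"}
SYSTEM_SOURCES = {"csrss.exe"}
EXPECTED_PARENTS = {"explorer.exe"}

TOOL = r"C:\Temp\leaktest.exe"          # hypothetical leak-test binary
SHELL = r"C:\WINDOWS\explorer.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed events: id 8 = remote thread created, id 1 = process created.
EVENTS = [
    {"id": 8, "src": r"C:\WINDOWS\system32\csrss.exe", "dst": SHELL, "dst_pid": 1500},
    {"id": 1, "parent": TOOL, "parent_pid": 3100, "image": FIREFOX},   # like One
    {"id": 8, "src": TOOL, "dst": FIREFOX, "dst_pid": 2200},           # like Two
    {"id": 8, "src": TOOL, "dst": SHELL, "dst_pid": 1500},             # like Three
    # Launch step of Four/Five, assuming Explorer was entered by a thread first.
    {"id": 1, "parent": SHELL, "parent_pid": 1500, "image": FIREFOX},
]

def name(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return (index, reason) alerts, remembering PIDs that got a foreign thread."""
    injected, alerts = set(), []
    for i, e in enumerate(events):
        if e["id"] == 8 and name(e["dst"]) in NET_TRUSTED:
            if name(e["src"]) not in SYSTEM_SOURCES:
                injected.add(e["dst_pid"])
                alerts.append((i, "remote thread in trusted process"))
        elif e["id"] == 1 and name(e["image"]) in NET_TRUSTED:
            if e["parent_pid"] in injected:
                alerts.append((i, "trusted program started by injected process"))
            elif name(e["parent"]) not in EXPECTED_PARENTS:
                alerts.append((i, "trusted program started by unexpected parent"))
    return alerts

if __name__ == "__main__":
    for index, reason in detect(EVENTS):
        print(index, reason)
```

This covers the thread-creation and launch steps only; the in-memory patching in techniques One, Four and Five does not show up in these two event types.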
     
  5. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Another problem: with Internet filtering enabled, with any rule set, I cannot post at Wilders - the submit button does not complete

    Any ideas what this could be? Seems to happen with direct or proxy based connections
     
  6. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Perhaps an issue with fragmented packets which are blocked.
    Is there any information in the log about the packets that are blocked?

    Frederic
     
  7. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Yeh - a reboot fixed the problem; drove me mad for about 30 mins
     
  8. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041

    I don't think that I have the DNS and DHCP rules correct yet and help with the above would also be appreciated.
     
  9. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    The way I set those rules is this: I go to the Start menu, click on Run, type "cmd" and press Enter. At the prompt I type "ipconfig /all". DHCP Servers are for the BOOTP/DHCP rule (I only have one rule enabled), DNS Servers are for the DNS-Allowed rule, and Physical Address is for the Anti-Mac spoofing rule. Also remember to enable the rules (green checkmark).
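
The lookup described in the post above, as an added example that is not part of the original thread: a Python sketch that parses `ipconfig /all` output and pulls out the values for the three rules WSFuser names. The sample output is constructed, and the field labels assume the English Windows XP layout.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output; every value is made up.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.0.2.53
                                            192.0.2.54
"""

# "Key . . . : value"; requiring " :" keeps IPv6 continuation lines out.
FIELD = re.compile(r"^\s+(?P<key>\S.*?)[ .]* :\s?(?P<val>.*)$")
MAC = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")

def parse_ipconfig(text):
    """Return {section: {field: [values]}}; wrapped values join their field."""
    sections, current, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            last = None
        elif not line[0].isspace():           # e.g. "Ethernet adapter X:"
            current, last = sections.setdefault(line.rstrip(": "), {}), None
        elif current is not None:
            m = FIELD.match(line)
            if m:
                last = m.group("key")
                current[last] = [v for v in [m.group("val").strip()] if v]
            elif last:                        # continuation: 2nd DNS server
                current[last].append(line.strip())
    return sections

def _ips(values):
    return [str(ipaddress.ip_address(v)) for v in values]  # ValueError on junk

def rule_values(text):
    """Map each adapter to the values for the three rules named in the post."""
    out = {}
    for name, f in parse_ipconfig(text).items():
        macs = [m for m in f.get("Physical Address", []) if MAC.match(m)]
        if macs:                              # skip sections without a MAC
            out[name] = {"BOOTP/DHCP": _ips(f.get("DHCP Server", [])),
                         "DNS-Allowed": _ips(f.get("DNS Servers", [])),
                         "Anti-Mac spoofing": macs[0]}
    return out
```

Calling `rule_values()` on saved `ipconfig /all` output returns one entry per adapter; an empty BOOTP/DHCP list means the adapter has no DHCP server listed and that rule has nothing to match.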
     
  10. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Thanks I followed these instructions - works well now

    https://www.wilderssecurity.com/showthread.php?t=115785
     