LnS Log Entry Question

Discussion in 'LnS English Forum' started by RisingStar, Jan 21, 2007.

Thread Status:
Not open for further replies.
  1. RisingStar

    RisingStar Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    4
    Hi all -

    Like a few of the many posts that I have read during the past two days, I am a 1st time LnS user as well. Perhaps one of you can assist me with an Internet Filtering setting that will remove a specific log entry. A clip of the screen that is the basis of my question is attached.

    I have a trial version of LnS installed on a Dell Latitude D/600 XP SP2. The log entry involves a Win95 Dell Latitude w/Cisco NIC (MAC: 00:07:50:CA:97:BC) used as a print server. Although print service is working properly, my interest is authorizing communication from this computer to prevent log file bloat. Enhanced rules set is enabled; the Allow an IP address (AutoriseAddressIP.rie) & File sharing on a local network (sharing.rie) filtering rules were experimented with, as was the ARP rule, without any success. I am sure that there is a simple solution, but if so it eludes me at the moment. Hopefully, someone has a suggestion other than simply ignoring these ever-expanding log entries. Any thoughts would be appreciated.

    Me
     

  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    If 00:07:50:CA:97:BC is really the MAC address of the user computer then you can create a rule to allow all the traffic with this MAC address.

    But one question though: how is your main PC connected to the Internet?
    If you are using a router and the other PC is also connected to that router, probably 00:07:50:CA:97:BC is more the MAC address of the router, and in that case the above method won't work.
    If you are using two network interfaces, one Ethernet board for the other PC and another adapter for the Internet, then the problem is the network interface is not properly selected in the options (it should be the adapter for the Internet, and in that case you won't have alerts from the other PC).
    If you are using a hub between both PCs, the above method will work.

    Regards,

    Frederic
     
  3. RisingStar

    RisingStar Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    4
    Frederic -

    First, thanks so much for the expeditious reply. I did not expect hearing so soon and from LnS Support to boot. My Internet service is via a WAP w/ all computers, including the print server, connected via wireless. The WAP functions as a router to provide DHCP based IP addresses. However, 00:07:50:CA:97:BC is indeed the MAC address of the NIC in the PC acting as a print server. I attempted to create a rule using the IP address assigned to the print server; however, that solution did not seem to work at the time it was tried. The same was true when I tried the MAC address. I suspect that one of these methods may mirror the solution that you refer to but suspect that the entries I am making in the rules editor are incorrect.

    Although the IP addresses supplied to the three computers on my network are DHCP, I can lock down a specific IP address to an individual system if needed. I rechecked and found that the network interface in the configuration is the wireless one. Also, the NIC card in the print server is the only one showing up in the log as a catch all rule. Does this help clarify?

    Thanks again for responding!

    Me
     
  4. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    It's normal that an IP address based rule doesn't work for the packets you highlighted just above.

    However, creating a MAC address rule should work. Did you enter the MAC address on the right side of the rule edition dialog box (Destination (PC>>Net) / Source (Net>>PC) group)?
    Also, nothing else has to be specified in the rule edition, and especially Ethernet Type should be set to "Any".

    Frederic
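
The point made in the reply above, as an added example that is not part of the original thread and is not Look 'n' Stop code: a small Python model of why an IP-address rule cannot match a non-IP Ethernet frame, while a MAC rule on the remote (right-hand) side with Ethernet Type "Any" matches every frame from that sender. Assumptions: the local PC's MAC and both IP addresses are constructed, EtherType 0x0806 stands in for the logged frames (the thread does not say which type they were), and the left-hand side of the rule is taken to be the local PC's side.

```python
import struct

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PRINT_SERVER = "00:07:50:CA:97:BC"   # MAC quoted in the thread
LOCAL_PC = "02:00:00:00:00:01"       # constructed (assumption)
SERVER_IP, LOCAL_IP = bytes([192, 168, 1, 20]), bytes([192, 168, 1, 10])  # constructed

def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))

def build_frame(dst, src, ethertype, payload):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst_mac, src_mac, ethertype, src_ip or None) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    src_ip = frame[26:30] if ethertype == ETH_IPV4 and len(frame) >= 34 else None
    return frame[0:6], frame[6:12], ethertype, src_ip

def ip_rule(remote_ip):
    """Inbound rule keyed on the sender's IPv4 address (only IPv4 frames have one)."""
    def match(frame, inbound=True):
        _, _, ethertype, src_ip = parse_frame(frame)
        return inbound and ethertype == ETH_IPV4 and src_ip == remote_ip
    return match

def mac_rule(mac, side="remote", ethertype=None):
    """side="remote": right-hand group (source for Net>>PC, destination for PC>>Net).
    side="local": assumed left-hand group. ethertype=None models Ethernet Type "Any"."""
    wanted = mac_bytes(mac)
    def match(frame, inbound=True):
        dst, src, etype, _ = parse_frame(frame)
        remote, local = (src, dst) if inbound else (dst, src)
        field = remote if side == "remote" else local
        return field == wanted and (ethertype is None or etype == ethertype)
    return match

def evaluate():
    """Return {rule name: (matches non-IP frame, matches IPv4 frame)} for inbound traffic."""
    non_ip = build_frame("FF:FF:FF:FF:FF:FF", PRINT_SERVER, ETH_ARP, bytes(28))
    ipv4 = build_frame(LOCAL_PC, PRINT_SERVER, ETH_IPV4,
                       b"\x45" + bytes(11) + SERVER_IP + LOCAL_IP)
    rules = {"ip_address": ip_rule(SERVER_IP),
             "mac_right_any": mac_rule(PRINT_SERVER),
             "mac_right_ipv4_only": mac_rule(PRINT_SERVER, ethertype=ETH_IPV4),
             "mac_left_any": mac_rule(PRINT_SERVER, side="local")}
    return {name: (rule(non_ip), rule(ipv4)) for name, rule in rules.items()}
```

Only the right-hand MAC rule with the type left at "Any" covers both frames; a MAC rule of this kind trusts whatever sends with that address, so it is appropriate only for a device on the local segment.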
     
  5. RisingStar

    RisingStar Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    4
    Frederic -

    Interesting, I was experimenting again this morning and added what I believe to be an exclusion in the "all other packets" rule block (that eliminated the log entries for this MAC address). I've attached my solution. At first, I placed the MAC address on the left side, which did not work, then on the right as you suggested in the most recent note, which apparently did work. Hopefully, I have not inadvertently defeated the all other packets rule. Were you suggesting that a new rule with just the MAC address be created as opposed to the apparent exclusion?

    Also, the other computer on my wireless network has been blocked once, i.e. not at the same frequency as the print server. I will attempt to create another rule as you suggested to authorize that MAC address as well.

    LnS is a most interesting FW and I am pleased with the performance. Following several weeks of extensive research, LnS was the product I chose. I'm sold and a purchase will be forthcoming. Thanks again for your support and assistance!

    Ernie
     

    Attached Files:

    • me2.gif
  6. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    Yes, I suggested creating a new rule to allow the MAC address.
    The rule you created is OK anyway, and it is doing the same.

    It is preferable not to change the existing rules from the standard rulesets, because people looking at rulesets are familiar with the default content & behavior of the standard rulesets.
    Anyway, if you have to add another MAC address you won't have the choice; another rule will be required.

    Frederic
     
  7. RisingStar

    RisingStar Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    4
    Frederic -

    Thanks again! I've moved the exception to a separate rule along with the MAC address of the other computer and the log files are clear of the previous blocks.

    Thanks for the support and assistance that you provided. Your help was sincerely appreciated.

    Ernie
     