LnS understanding rules

Discussion in 'LnS English Forum' started by Bovisa, Sep 7, 2008.

Thread Status:
Not open for further replies.
  1. Bovisa

    Bovisa Registered Member

    Joined:
    Sep 7, 2008
    Posts:
    18
    Hi Frederic/others,
I used LnS before, but I never could fully understand how writing rules works or what the rules do.
Now, before I buy LnS, I want to fully understand the rules.
Is there some guide that explains them in depth?

    regards
     
  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Bovisa

I have 6 pages about Internet Protocols and LnS.
The site is in French, but you can use Google Translate (with the Google Toolbar, for example...)
to have these pages in English.

    http://climenole.wordpress.com/

Hope this helps. Let us know.

    Further questions welcome!

    :)
     
  3. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Bovisa,

If you want to "fully understand" the rules, then you would first need to understand internet protocols (ports, addresses, ...).
Of course this is not required to use Look 'n' Stop, and even to create simple rules you don't need to understand that "fully".
For instance, you can create a rule directly with a right click on a log entry, and there are also generic rules (to open a particular port/address, for instance) here:
    http://www.looknstop.com/En/rules/rules.htm#serverFTP
    Looking at this kind of generic rule may also help you.

    Regards,

    Frederic
     
  4. Bovisa

    Bovisa Registered Member

    Joined:
    Sep 7, 2008
    Posts:
    18
    Hi Climenole,

I read your articles, but how do I make a rule for this: ''TCP without any flag, with all the flags or absurd combinations such as SYN-FIN, PSH-URG-FIN, etc''?
I want to make an incoming TCP rule for browser/port 80 that prohibits TCP packets sent directly by servers, so without the flags, because those are mostly the trojans. I also want a rule that prohibits an incorrect order of the flags on port 80.

    regards,
     
    Last edited: Sep 7, 2008
  5. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Bovisa


    There is an "experimental" rules set posted by me last year...

(They are not perfect, not pretending to be "ultimate" [this does not exist, except for Fools'n'Suckers]
and they are published under a Creative Commons licence [which is not respected by crooks...], etc.)

    https://www.wilderssecurity.com/showthread.php?p=1032531#post1032531

    Check the thread, check the rules and be inspired by this strange "poem"...

    Then create your own Bovisa RulZ!

    Have fun.

    :D
     
    Last edited: Sep 8, 2008
  6. Bovisa

    Bovisa Registered Member

    Joined:
    Sep 7, 2008
    Posts:
    18
    What are the 'Frag. Offset' and 'Frag. Flags'?
     
  7. ktango

    ktango Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    39
  8. Bovisa

    Bovisa Registered Member

    Joined:
    Sep 7, 2008
    Posts:
    18
    What does the 'masking' of flags: URG, ACK, PSH etc. mean?

    Thanks in advance.
     
  9. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
  10. Bovisa

    Bovisa Registered Member

    Joined:
    Sep 7, 2008
    Posts:
    18
    Ok tell me if I'm correct.

A flag with 'mask' unchecked means that the flag doesn't get used by your PC?

So if you want to make a rule to block TCP packets without flags, is it safest to do: all flags MASK unchecked and SET/CLEAR unchecked, instead of all flags MASK checked and SET/CLEAR unchecked, which is what Frederic does by default in the EnhancedRulesSet to block all TCP packets without flags?

    Thanks for your help Climenole.
     
    Last edited: Sep 12, 2008
  11. ktango

    ktango Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    39
    Hi Bovisa
    The mentioned rule blocks all TCP packets with or without flags.
     
  12. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Bovisa,
Not by the PC, but by Look 'n' Stop, when the considered flag is verified in the packet under analysis.
    The "Mask" column simply indicates which flags to consider when analyzing the packet. If it is checked the flag is compared to the Set/Cleared information, if it is not, the flag is not examined (and thus any value is accepted for that flag).

    No, if you want to verify all flags are cleared, you need to indicate all flags have to be examined and therefore you have to check all the masks.

    Regards,

    Frederic
     
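Frederic's description of the Mask and Set/Cleared columns above is the same bit-masking idea a packet filter uses internally: a flag whose mask bit is off is simply not examined. The following is an added example, not code from Look 'n' Stop or from anyone in this thread; the rule names, the anomaly rule set and the sample flag bytes are all constructed here to illustrate the flag combinations Bovisa asked about earlier in the thread (no flags at all, all flags set, SYN-FIN, PSH-URG-FIN). It also shows why "all masks unchecked" cannot block flagless packets: with nothing masked, every packet matches.

```python
from typing import List, Tuple

# TCP flag bits as laid out in the flags byte of the TCP header (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG | ECE | CWR
FLAG_NAMES = [(CWR, "CWR"), (ECE, "ECE"), (URG, "URG"), (ACK, "ACK"),
              (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]


def flags_to_str(flags: int) -> str:
    """Human-readable flag list, e.g. 0x03 -> 'SYN-FIN'; no flags -> '(none)'."""
    names = [name for bit, name in FLAG_NAMES if flags & bit]
    return "-".join(names) if names else "(none)"


def matches(flags: int, mask: int, value: int) -> bool:
    """Apply one LnS-style flag condition to a packet's flags byte.

    mask  = the Mask column: a set bit means "examine this flag".
    value = the Set/Cleared column: for examined flags, 1 = must be set, 0 = must be cleared.
    Flags whose mask bit is 0 are not examined, so any value is accepted for them.
    """
    return (flags & mask) == (value & mask)


# Constructed rule set (name, mask, value) for the anomalous combinations mentioned in the thread.
ANOMALY_RULES: List[Tuple[str, int, int]] = [
    # All eight flags examined and all required cleared: only a flagless segment matches.
    ("no flags at all", ALL_FLAGS, 0),
    # All eight flags examined and all required set.
    ("all flags set", ALL_FLAGS, ALL_FLAGS),
    # Only SYN and FIN examined, both required set; the other six flags may have any value.
    ("SYN and FIN together", SYN | FIN, SYN | FIN),
    # PSH, URG and FIN examined and required set; ACK examined and required cleared.
    ("PSH-URG-FIN without ACK", PSH | URG | FIN | ACK, PSH | URG | FIN),
]


def classify(flags: int) -> List[str]:
    """Names of every anomaly rule that the given flags byte matches."""
    return [name for name, mask, value in ANOMALY_RULES if matches(flags, mask, value)]


def everything_matches_when_nothing_is_masked(samples: List[int]) -> bool:
    """Bovisa's proposal (all masks unchecked, all values cleared) examines no flag at all,
    so it matches every sample, flagless or not."""
    return all(matches(f, mask=0, value=0) for f in samples)


if __name__ == "__main__":
    # Constructed sample flag bytes.
    samples = [0x00, SYN, SYN | ACK, SYN | FIN, PSH | URG | FIN, ALL_FLAGS]
    for f in samples:
        print(f"{flags_to_str(f):>16}  ->  {classify(f) or ['normal']}")
    print("mask=0 matches every sample:", everything_matches_when_nothing_is_masked(samples))
```

The third rule is the interesting one: because only the SYN and FIN bits are masked, a segment carrying SYN-FIN plus any other flags still matches it, which is what you want when the point is "these two should never appear together", regardless of the rest.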
  13. Bovisa

    Bovisa Registered Member

    Joined:
    Sep 7, 2008
    Posts:
    18
Ok, I understand; thanks for the explanation, Frederic. However, I find the description 'mask' a bit obscure; why not name it 'examine' or 'analyse'?
     
    Last edited: Sep 13, 2008
  14. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Bovisa :)

    Masking is a computer science concept widely used in programming.

    Check this:
    Wikipedia: Mask

    (But I'm not sure it's less obscure... :doubt: )

    :)
     
  15. Bovisa

    Bovisa Registered Member

    Joined:
    Sep 7, 2008
    Posts:
    18
    Hey Climenole :D ,
    In your extended ruleset do you incorporate also the default rules?
    Like the 'Block Land Attack', 'Block WinNuke' and the like?

Ah, I see, in your 'experimental' ruleset: ''[G/Recommended] Looping on @ IP:
"Land attack"!''

    But where is the 'Block WinNuke'?
     
    Last edited: Sep 19, 2008
  16. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Bovisa

    WinNuke is blocked by this rule:

    {Q. 999}; [TCP] << SYN ! >

All default rules were added or included in this experimental rule set...

    :)
     
  17. Bovisa

    Bovisa Registered Member

    Joined:
    Sep 7, 2008
    Posts:
    18
    So the WinNuke rule blocks access to files that are shared on your PC?

But how to prevent/block this one: reverse DNS/machine name? This mostly includes your ISP name, and also allows someone to find out your geographic location.
     
  18. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Bovisa :)

I think it's impossible, IMHO. The Internet can't exist without IP addresses, which, I presume, include the possibility of reverse DNS requests...

    wikipedia: Reverse DNS lookup

If you absolutely want to hide your IP address, the only way I know is to use an "Anonymity" Network such as Tor (The Onion Router).

    Tor: anonymity online

This is quite simple (except if you want to relay traffic or use Tor as a server. Not really recommended with Windows. This works best on Unix/Linux and similar OSes):

    1- Download the latest release of the stable Tor bundle
    This bundle comes with Tor, Privoxy, the Firefox extension "Tor button"
    and the Vidalia GUI.

    2- Create a new profile with Firefox (you may name it "Tor" if you wish)
    kb mozillazine: Command line arguments

    3- Install the Tor bundle.

4- Start Tor and use Firefox with your special profile for Tor
(don't forget to enable the web access of Ff via Tor with the Tor button in the status bar...)
Do not install any other Ff extensions for this Ff profile, because some of them generate DNS leaks...

5- Check which IP address is now seen by the sites you're visiting; there, for example:

    Tor check 1

    Tor check 2

    Tor status

Last but not least: what do you have to do with LnS in order to run Tor as a client? Few things indeed: authorise Tor, Privoxy and Vidalia in the Applications tab of LnS (or when LnS asks for your authorisation...).

    That's all.

One important thing to know is that your communications over the Internet are encrypted (except at the exit node, where you appear to be...)

    Read the Tor documentation on their web site for more details.

Hope this helps. Let us know.

    :)
     
  19. Bovisa

    Bovisa Registered Member

    Joined:
    Sep 7, 2008
    Posts:
    18
    Thanks for the above message Climenole. Really appreciate your help. :)

    I made a rule for uTorrent.
But I was thinking, is there something to be added for more security, like certain addresses that cannot be used on the Net (using ''Outside A:B'')?
Maybe certain addresses (e.g. private network or other reserved) shouldn't be tolerated. Although I don't know if it is possible for hackers to use such addresses as an external address?

    As far as the rule, is it ok?

    Where should I place it? I placed it just above (Block)''All other packets''.
     
  20. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Bovisa :)

No: this rule should be split in two rules.

1- One rule for TCP only. Place it above "TCP: Block incoming connections".

This is a server rule. It allows other members of the network to connect as clients to your PC.

2- One rule for UDP only. Place it after or under "TCP: Block incoming connections".
The best is to place it at the beginning of the UDP client rules such as NTP
...

3- And you must create a third rule for the infoHASH of µTorrent:
The infoHASH is used for local peer discovery.
Place it with the other µTorrent UDP rule...

    See the screen capture:


Hope this helps. Let us know.

Toutes = Alle (All)
Tous = Alle (All)
Égale mon @ = Mijn gelijk @ (Equals my @)
Égale = gelijk (Equals)
     
    Last edited: Oct 8, 2008
  21. Bovisa

    Bovisa Registered Member

    Joined:
    Sep 7, 2008
    Posts:
    18
Hi Climenole, I created the rules, but may I ask why inbound & outbound need to be split? Why is the other rule not possible with ''TCP or UDP'' selected? Is splitting better because of the placement of the rules?
     
    Last edited: Oct 11, 2008
  22. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Bovisa :)

Both rules are inbound and outbound. The rule in TCP is for the server side of the application. The rule in UDP is for the client side of the application.

For sure you may use a combined rule with TCP and UDP, but for better control of what happens in your system I suggest you split that rule in two.

Try both ways and choose what's better for you.

Remember: a server rule must be placed before the rule blocking the incoming connections.

Have a nice weekend :)
     
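The two posts above come down to one property of a first-match rule list: the first rule that matches decides, so a server rule placed under "TCP: Block incoming connections" never gets a chance to allow anything. The following is an added example, not code from Look 'n' Stop or from anyone in this thread; the rule names follow the ones used in the thread, but the listening port, the rule fields and the sample packets are constructed assumptions. It evaluates the same three packets against Climenole's recommended ordering and against the same rules with the server rule placed too low.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed listening port for the µTorrent rules; the thread does not state Bovisa's actual port.
TORRENT_PORT = 6881


@dataclass(frozen=True)
class Packet:
    proto: str                    # "TCP" or "UDP"
    inbound: bool                 # True = arriving from the network
    dport: int                    # destination port
    new_connection: bool = False  # TCP SYN without ACK, i.e. an incoming connection attempt


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "block"
    proto: Optional[str] = None            # None = any protocol ("TCP or UDP")
    inbound: Optional[bool] = None         # None = either direction
    dport: Optional[int] = None            # None = any port
    new_connection: Optional[bool] = None  # None = not examined

    def matches(self, p: Packet) -> bool:
        """A rule field left at None is not examined, like an unchecked mask."""
        return ((self.proto is None or self.proto == p.proto)
                and (self.inbound is None or self.inbound == p.inbound)
                and (self.dport is None or self.dport == p.dport)
                and (self.new_connection is None or self.new_connection == p.new_connection))


def first_match(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Walk the list top to bottom; return (rule name, action) of the first rule that matches."""
    for r in rules:
        if r.matches(p):
            return r.name, r.action
    return "(no rule)", "block"


# Constructed rules modelled on the names used in the thread.
TCP_SERVER = Rule("µTorrent: TCP server", "allow", proto="TCP", dport=TORRENT_PORT)
BLOCK_INCOMING = Rule("TCP: Block incoming connections", "block",
                      proto="TCP", inbound=True, new_connection=True)
UDP_CLIENT = Rule("µTorrent: UDP", "allow", proto="UDP", dport=TORRENT_PORT)
BLOCK_ALL = Rule("All other packets", "block")

# Climenole's ordering: server rule above the incoming-connection block, UDP rule below it.
RECOMMENDED_ORDER = [TCP_SERVER, BLOCK_INCOMING, UDP_CLIENT, BLOCK_ALL]
# Same rules with the server rule under the block: the block matches first and wins.
WRONG_ORDER = [BLOCK_INCOMING, TCP_SERVER, UDP_CLIENT, BLOCK_ALL]

# Constructed sample packets.
INCOMING_SYN = Packet("TCP", inbound=True, dport=TORRENT_PORT, new_connection=True)
INCOMING_UDP = Packet("UDP", inbound=True, dport=TORRENT_PORT)
OTHER_SYN = Packet("TCP", inbound=True, dport=8080, new_connection=True)

if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED_ORDER), ("wrong", WRONG_ORDER)):
        for p in (INCOMING_SYN, INCOMING_UDP, OTHER_SYN):
            print(f"{label:>11}: {p.proto} to port {p.dport:<5} -> {first_match(rules, p)}")
```

Note that the UDP rule gives the same result in both orderings: it sits below the TCP block either way, and the block's `proto="TCP"` field never matches a UDP datagram. Only the TCP server rule is sensitive to placement, which is exactly the rule Climenole says must go above the block.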
  23. Bovisa

    Bovisa Registered Member

    Joined:
    Sep 7, 2008
    Posts:
    18
    Hi Climenole, (thanks for the above).

I got some probs with LnS. I saved my (enhanced) ruleset, then I made some changes which I didn't want to save, so I shut down LnS and chose not to save. Then I restarted and the standard ruleset got loaded; the application filtering tab was empty, so all the apps need to be added/authorized again.
As you know (see image) I run Vista. Maybe this is a bug.

I was busy modifying my rules and made a little mistake, so I didn't want to save the changes.
(I also made a rule for ''µTorrent Port Checker''; I also had a question about that.)

The window name is now ''Look 'n' Stop #1''; normally it shows ''Look 'n' Stop''.
     
    Last edited: Oct 14, 2008
  24. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Bovisa,

    It seems you have started a second instance of Look 'n' Stop.
    This is the only reason for having "Look 'n' Stop #1" in the title.
The settings are saved per instance; that's why everything is reset the first time a second instance is launched.

    In the tray icon, you should have one Look 'n' Stop icon per instance.

    Now the question is to know how you started the second instance.

    Regards,

    Frederic
     
  25. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
If you have a #1 in the window title, this process was detected as the second instance.
Maybe the second instance was closed in the meantime and you no longer see it.
Anyway, the fact that there is a #1 in the title explains why the options are reset.
What happens if you quit this instance and restart it manually?

Some other questions:
Did you try to change the start option? (Sometimes when selecting the service mode, it happens that two instances are started.)
Are you running 2.06p3?
Also, it could be related to the Fast User Switching feature. Are you using it?

    Thanks,

    Frederic
     