Look 'n' DONT STop

Discussion in 'LnS English Forum' started by unRheal, Nov 9, 2006.

Thread Status:
Not open for further replies.
  1. unRheal

    unRheal Registered Member (Joined: Nov 9, 2006; Posts: 4; Location: Vancouver, BC, Canada)
    I downloaded Look 'n' Stop from somewhere and installed it and set up a rule to block all traffic on a non-routed subnet here (10.x) Just basically selected All for everything except the src and dst IPs, which I selected as In range A:B and put 10.0.0.1 and 10.0.0.254 for the range on both, and selected the little "!" to log it.

    Then I RDP'd to a VM on my PC that is in that subnet... And I get lots of entries in the Log about the 10.xxx traffic while my RDP session happily connects to the VM!

    I realized I had an old version of Look 'n' Stop (1.x) so I uninstalled, and installed the latest one... Thinking maybe some bug had been fixed... However.. It still lets the traffic through.

    I even created a specific rule for the 10.x IP of my PC and the 10.x IP of the VM as the dst. host and the dst. port to 3389, which is RDP... Same thing... Log spews entries for that rule ... while my RDP session still happily connects!

    Then... I had previously registered here since I was having the trouble with the original 1.x version before I realized there was a v2.x ... So I went to log in to the forum and it told me my password was wrong! - I use the best password program - KeePass... So I *never* forget my passwords! So something is not right with the system... Either it didn't like the length of my password, or it didn't like some characters in my password, yet it silently accepted it and then accused me of forgetting it when I pasted it in to log in... Since the correct password that I pasted didn't match its broken recollection of my password!

    Things aren't looking too good for me and Look 'n' .....

    ;)

    Cheers
     
  2. Frederic

    Frederic LnS Developer (Joined: Jan 9, 2003; Posts: 4,354; Location: France)
    From where? There are many sites with cracked versions which don't work properly (because the exe is patched).
    In the advanced options, you need to remove "10" in the IP exclusion list. This address is not usual, even if set by some routers.
    So actually Look 'n' Stop stops packets...
    You have only a configuration issue. This is not a bug.
    There was no registration for version 1.x.
    Are you talking about the forum password or Look 'n' Stop password?
     
  3. unRheal

    unRheal Registered Member

    Thanks for the reply, and for the suggestion. :)
    As it turns out.. I went back to look, and it was from a site called spywarewarrior, at:

    http://www.spywarewarrior.com/uiuc/soft7.htm

    Which links to www.soft4ever.com - so I guess I got it from soft4ever.com.
    Interesting... I don't recall trying any other firewalls that ignored entire class A subnets by default before... (even if they are non-routable.. but not that I've tried -that- many..) But I'll tell you that I'd be very happy to see that this was just a little configuration issue, and not the firewall just letting traffic flow unintentionally! ;)
    I'm not sure if you're trying to imply that log entries plus my session connecting to the VM somehow means that Look 'n' Stop stops packets.. But if the packets really were stopped... I can assure you that the session would NOT connect. ;)
    Well.. As I say... This is good news! Or.. rather.. _was_ good news.. Until I went to the Options tab, Clicked on Advanced Options, and removed the 10 from the "Network interface autodetect, IP to exclude" list.. Then made sure that both my 10.x RDP (port 3389) blocking rule and a rule further down essentially blocking All 10.x traffic to and from 10.x

    Then switched to the Log page, and tried to RDP to my VM again.. and once again as the log filled with 10.x RDP rule entries, and some others... While my session still connected! :(

    I also tried quitting Look 'n' Stop, and then starting it again, but that didn't make any difference either.
    Sorry... I just mean registered for the forums.
    Ya... sorry about the confusion... It is the forum password.

    As for Look 'n' Stop... Thanks for the suggestion... Unfortunately as I say, it seems to have not made any difference..

    I even just now tried adding a new rule at the top - and all I entered was the rule name "All Test" and clicked Ok, then clicked "Apply" - and tried to RDP to my VM again... And again.. It connected! :(

    It did take a little longer that time for whatever reason.. But it did connect.

    If you have any other suggestions, I would be happy to try them.

    Thanks again.
     
  4. Frederic

    Frederic LnS Developer

    If the log shows packets, for sure the filtering is there and working.

    Are you sure the right network interface is selected in the options?
    The IP address of the network interface you want to filter has to be displayed in the welcome page when everything is well configured, and the "connected to internet" automatically checked.

    What are the protocols supposed to be used with these applications RDP & VM?

    Frederic
     
  5. unRheal

    unRheal Registered Member

    Hi Frederic,

    Thanks for your reply, and for still trying to figure out what's going on with this! :)
    The filter may be there - but working it most definitely is not! -- That would be like putting a filter on outgoing TCP port 80, and then browsing to websites, bringing up Google, Microsoft.com, etc... But the log showing the packets, so you say since the log is showing the packets the filter is there and working!
    The Network Interfaces - under Options... Has the correct network interface selected... Since there are only 3 listed, and the correct (checked) one is like "Intel(R) PRO/1000 MT Network Co..." and the other two - One is the "WAN Miniport (IP) - Look 'n' St..." and the other is "WAN Miniport (Network Monitor)..."

    You mention the "Connected to internet" automatically checked... Which it hasn't been, most of the time. It's checked now, as I'm RDP'ing into my PC at work to look at the settings so I can write this message... But I think this is the first time I've seen it checked.

    Also... The IP Address that is shown in the "Your PC status" on the Welcome tab, next to the "Connected" checkbox... Always shows the 10.x IP... Which is the 2nd IP of that PC.

    In other words... If I go into the properties of my Local Area Connection, and then into the TCP/IP properties of that... The IP listed there is not the 10.x IP... And if I click on the "Advanced" button there, and look under the "IP Settings" tab of the Advanced TCP/IP Settings... The routable, Internet backbone (normal) IP is the top IP, and the 10.x (non-routable) IP is the bottom one... I'm not sure how much that matters... But it seems to affect a couple of minor things.

    Also... You say that "The IP address of the network interface you want to filter has to be displayed in the welcome page when everything is well configured..." -- If this is true in a very strictly speaking manner... Then Look 'n' Stop may not even work for me at all anyway... Since it only ever shows one IP there... And not only does my PC have 2 IPs, but I want to filter both of them.

    So is that really how it works? -- In other words... Are you saying that I can only filter one IP? (the one that shows on the welcome page)
    Just to clarify... The VM is a Virtual Machine... Like VMware and VirtualPC. (and is in fact VMware) - and so I am running a Virtual Machine on my Windows XP SP2 machine. The VM is running Windows 2003 R2 Enterprise... So it could in theory use a vast number of protocols... But of course all I'm concerned about at the moment is the protocol I use to connect to it, which is the Remote Desktop Protocol (RDP) - Which is basically the same as the Remote Desktop Protocol you can use to connect to a Windows XP (Pro only) machine remotely... And also more or less the same (protocol) as Terminal Services.

    Among lots of other documentation available for it, there's a Microsoft FAQ at:

    http://www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx

    About the 5th to last question indicates that the port used is 3389.


    Anyway... Please let me know if you have any other thoughts or suggestions.

    Thanks again!

    Cheers,

    - Andrew
     
  6. Frederic

    Frederic LnS Developer

    Hi Andrew,

    Look 'n' Stop can filter one network interface at a time. And this network interface is supposed to have a main IP address (the one displayed in the Welcome tab when you select the corresponding adapter in the options).

    So, if you can connect to Web Sites using port 80, although you have set a rule to block port 80, options are:
    - the network interface is not properly selected and the packets are going to another adapter than the one selected
    - the rule is not correct
    - an incompatibility with your configuration (call it a bug if you want, but affecting probably very few people, since we have no open case where the filtering is not working like that)

    If you want to filter several adapters, you can start several instances of Look 'n' Stop, each one having its own options (ruleset, adapter...). However, this is rarely used (because most of the time the user wants to protect only the interface used to connect to internet), so problems never seen before can surface (especially if you have a non-usual configuration, VMWare...).

    I suggest you first succeed in using Look 'n' Stop on one adapter only, before playing with two instances (if finally this is absolutely required for you).

    Hope this helps.

    Regards,

    Frederic
     
  7. unRheal

    unRheal Registered Member

    There are only 3 Network Interfaces to choose from under options. The first one, which is selected.. Is my Ethernet Adapter: "Intel® PRO/1000 MT…" – The 2nd one seems to belong to Look 'n' Stop: "WAN Miniport (IP) – Look 'n' St" – And I'm guessing the 3rd one also belongs to Look 'n' Stop… Since it has the same MAC address as the 2nd one. It's called: "WAN Miniport (Network Monitor)"

    Given that… I think I'd basically always want the Intel Ethernet adapter selected… And so packets should (in theory) never be "going to another adapter…"

    I'm thinking that the rule is correct... Since that rule is the one that gets logged - that should mean that's the one that's matching… And, in the case of my little RDP test… The rule is very simple… And while I've messed up very simple things before… I think I have this one right… Though I'd be happy to go over it in detail with you if you think that might help.

    It would seem that the network interface selected is indeed the 10.x Net one – at least according to Look 'n' Stop - since that is the IP that shows up on the Welcome tab when I select the adapter. (not that there's much room for error.. the one selected being fairly obviously my Ethernet connection… and the other 2 being… well.. Not my Ethernet connection) ;)

    So... I guess that leaves "incompatibility with my configuration" ... And I don't think it's so much that I "want" to call it a bug... I just think that if you tell a firewall to block specific packets on a specific interface, and it doesn't... Something's wrong, regardless of your configuration. ;) Of course I won't dispute the point that it affects very few people, if it's related to my configuration… Which is to say that my configuration is relatively unusual.

    Thanks for the suggestion... But I think there's 2 problems with that approach... First.. Since it seems to be configuring itself for the 10.x IP with that interface selected in the Options -> Network interfaces… Then accordingly… The 10.x rules *are* the ones that should be working... and they're not. (at the very least not consistently)

    And… Second… That is the one and only physical Ethernet adapter I have in the machine… As I mentioned above… When I go into Options -> Network interfaces… There's only that one Network interface – the other two seem to be Look 'n' Stop's stuff… Which is to say… That there isn't really an "other" Network interface to select to get Look 'n' Stop to work with the other IP… If you know what I mean…?

    In other words… It's not that I want to filter several adapters.. I only have one adapter… I just want to be able to filter both of the IPs that are on that adapter.

    Anyway… It's probably best to just not waste any more of your time… It's really starting to look like Look 'n' Stop just isn't going to work with my relatively unusual setup… Unless you have any other ideas that might make a significant difference… Thank you very much though… For sticking with it and trying to help me resolve this! :)

    Cheers

    - Andrew
     
  8. Frederic

    Frederic LnS Developer

    Hi,

    Since you were talking about 2 different IP addresses I thought there were two adapters. I didn't realize the same adapter had these two IPs.
    Maybe the problem is there. Normally everything on the adapter is supposed to be filtered, but perhaps there is something special when the adapter has two IPs.
    Not sure if someone tested that before. I will try to make some tests to verify that.

    If you want to investigate further anyway, what I would need:
    - the content of the console windows after you asked for the driver logs (to be done just after Look 'n' Stop is started)
    - the result of the following utility: http://looknstop.soft4ever.com/Tools/AdaptList.exe

    You can send me the result to lnssupport@soft4ever.com or through a PM.

    Thanks,

    Frederic
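
A reachability check for the situation discussed in this thread (a block rule that logs matches while the RDP session still connects, on one adapter carrying two IP addresses), as an added example that is not part of the original posts and is not Look 'n' Stop code. It attempts a TCP connection from each local source address in turn and reports which ones still get through; the addresses in the demo section are constructed placeholders, and the silent-drop behaviour of the firewall is an assumption.

```python
import socket

# Outcomes that prove packets crossed the filter. Assumption: the firewall
# drops silently, so a RST ("refused") can only have come from the target.
PASSED = {"connected", "refused"}


def probe(src_ip, dst_ip, dst_port, timeout=3.0):
    """Attempt one TCP connect from a specific local address."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.bind((src_ip, 0))  # force the source address, any source port
        except OSError:
            return "bind-failed"  # address is not configured on this host
        try:
            s.connect((dst_ip, dst_port))
            return "connected"  # handshake completed: rule not enforced
        except socket.timeout:
            return "timeout"  # no reply: consistent with a drop rule
        except ConnectionRefusedError:
            return "refused"  # reply came back, port closed on target
        except OSError:
            return "unreachable"  # no route or local send error
    finally:
        s.close()


def audit_block_rule(local_ips, dst_ip, dst_port, timeout=3.0):
    """Probe from every local address; return (results, leaking sources)."""
    results = {ip: probe(ip, dst_ip, dst_port, timeout) for ip in local_ips}
    leaks = [ip for ip, outcome in results.items() if outcome in PASSED]
    return results, leaks


if __name__ == "__main__":
    # Constructed placeholder addresses: a routable primary IP and a 10.x
    # secondary IP on the same adapter, plus a VM in the 10.x subnet.
    local_ips = ["192.0.2.10", "10.0.0.5"]
    results, leaks = audit_block_rule(local_ips, "10.0.0.20", 3389)
    for ip, outcome in results.items():
        print(f"{ip} -> 10.0.0.20:3389  {outcome}")
    print("block rule bypassed from:", leaks or "none")
```

Run it once with the firewall stopped and once with the block rule applied; a source address that reports "connected" in both runs is not being filtered, whatever the log shows.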
     