Looknstop blocks all traffic - more info in thread

Discussion in 'LnS English Forum' started by LNSFWUser, Mar 4, 2011.

Thread Status:
Not open for further replies.
  1. LNSFWUser

    LNSFWUser Registered Member

    Joined:
    Mar 4, 2011
    Posts:
    6
    SOLVED Looknstop blocks all traffic - more info in thread

    New here...

    I've always used LnS 2.06 with no problems; now I decided to update it to 2.07. It installed fine with no errors, but after restart all traffic was blocked (nothing in the logs though, so it's not caused by some rule), no matter if I disabled app protection and internet protection. I figured it's probably the new lnsfw driver.

    After uninstalling the lnsdriver/LnS itself and rebooting, all was back to normal.

    I then decided to try out older versions of LnS (2.06p3 and p4; I was unable to test 2.06p2 or 2.07b1 since they are not available for download anymore :'( ).

    Same problem. For now I put the regular 2.06 back on (May 2007).
    Any help would be nice.
    I'm on XP SP2.
     
    Last edited: Mar 4, 2011
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    Possibly you need SP3 installed?

    TH
     
  3. LNSFWUser

    LNSFWUser Registered Member

    Joined:
    Mar 4, 2011
    Posts:
    6
    Thanks for the quick reply.

    So LnS 2.07 is not compatible with SP2? What about 2.06p2? I'd like to try that one too. Is there still a location to get it?
     
  4. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    I'm not sure, it's been a while since I used SP2, but I have no problem on XP Pro SP3! :doubt:

    TH
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have 2.07 running on XP sp2 without issue.


    @LNSFWUser

    When you installed 2.07, was the correct network interface selected (options tab) and your correct IP showing (welcome tab)?


    - Stem
     
  6. LNSFWUser

    LNSFWUser Registered Member

    Joined:
    Mar 4, 2011
    Posts:
    6
    Yes it was.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Could be a driver conflict from a previous firewall/security app installation.

    Have you had (or do you have) other firewall/security apps installed?

    Have a look in "Device Manager", View -> "Hidden devices", and look in the "non-plug and play" list for any drivers that relate to other firewalls/security apps.


    - Stem
     
  8. LNSFWUser

    LNSFWUser Registered Member

    Joined:
    Mar 4, 2011
    Posts:
    6
    This is what's in there:

    1394 arp client protocol
    afd
    amdide
    aspi32
    atm arp client protocol
    awecho
    awlegacy
    beep
    dmboot
    dmload
    fips
    http
    ip network address translator
    ipsec driver
    ipv6 windows firewall driver (though I'm not using the Windows firewall)
    ksecdd
    lnsfw
    5 mcafee inc. drivers (i have mcafee antivirus)
    microsoft ipv6 protocol driver
    mnmdd
    mountmgr
    ndis system driver
    ndis usermode i/o protocol
    ndproxy
    netbios over tcp/ip
    nsndiss ndis protocol driver
    null
    nvatabus
    nvr0dev
    partmgr
    parvdm
    pclndiss protocol driver
    rdpcdd
    remote access auto connection
    remote access ip arp driver
    tcp/ip protocol driver
    vgasave
    volsnap
    windows socket 2.0 no-ifs service provider support environment

    If it is a driver conflict, shouldn't there be that yellow exclamation mark somewhere?
     
    Last edited: Mar 4, 2011
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    Now that would be nice. Unfortunately not necessarily.

    There are some drivers I do not recognize in the list.

    Examples:-

    pclndiss protocol driver
    nsndiss ndis protocol driver

    Are those part of McAfee? Right-click the drivers -> Properties and check to see if it shows you any info on the drivers.

    I don't know if there are any possible conflicts directly with McAfee. You should send LnS support an e-mail to see if anything is known.

    - Stem
     
  10. LNSFWUser

    LNSFWUser Registered Member

    Joined:
    Mar 4, 2011
    Posts:
    6
    I figured out what was wrong. At one point back in November I had FortKnox firewall running side by side with LnS 2.06 without any problems (I wanted to combine LnS with the anti IP, DNS and MAC address spoofing as well as the ability of FortKnox FW to masquerade the OS fingerprint).

    However, I uninstalled FortKnox in December and apparently the NDIS filter driver from that FW got stuck on my network adapter.

    Now I removed it, and LnS 2.07 works.

    -solved
     
    Last edited: Mar 4, 2011
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Although problems may not be apparent, such as BSOD, low level network driver conflicts can cause issues, and can actually cause less security.


    Not sure as to what FortKnox firewall filters for anti-spoofing. LnS can have some filters in place to block things such as gateway MAC spoofing, and filters to check DNS replies for ID etc., but not sure what it is you are looking for. There are limitations on what can be done on a host.
    You mention "masquerade the OS fingerprint". Are you referring to filtering the HTTP outbound header to change the "user agent"?


    - Stem
     
  12. LNSFWUser

    LNSFWUser Registered Member

    Joined:
    Mar 4, 2011
    Posts:
    6
    IP spoofing means creating packets with a forged source IP address (well, spoofing) in order to hide the sender's identity or to pretend to be some other computer; it can be used to bypass security measures.

    MAC address spoofing (changing the MAC address of your network device) could allow the attacker to bypass access control lists or any other security measures, by pretending to be another computer.

    And here's something about DNS spoofing (for lack of words I'll just post this link): http://talideon.com/weblog/2007/03/dns-spoofing.cfm

    And OS fingerprinting is simply finding out what operating system the remote IP is running. It can be done by IP TTL values, IP ID values, TCP window size, TCP options, DHCP requests, ICMP requests, HTTP packets, running services, open ports.

    It can? Where? I didn't see them.
     
    Last edited: Mar 4, 2011
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I know the various techniques for spoofing; I use them (or should I say, I do when time is available) to test firewalls' packet filtering. However, as to the descriptions you see on the internet concerning the spoofing types, they are not always what some firewalls' anti-spoofing actually intercepts; it is not always possible on a host. It is why I was asking what FortKnox intercepts, not for an actual description of spoofing that the firewall probably does not (is not able to) intercept.


    For example:-
    IP spoofed (crafted) packets are normally used for DOS/DDOS and are untraceable and cannot be distinguished as spoofed packets.
    DNS spoofing is usually made against a DNS server, for server DNS poisoning; you on a host cannot stop that, you could only make a check on the reply with a secondary DNS server. Actual DNS cache poisoning on the host, that is possible, and it is usually best (well, easiest) to disable the DNS client on the host to block that.
    MAC address spoofing is made on the local LAN; an easy way to achieve that is by ARP requests with a spoofed MAC, which is usually for man-in-the-middle, to redirect you through a spoofed gateway.

    As for rules/filters to place in LnS for ARP-Anti-spoof (to bind gateway IP to its MAC) and DHCP/(UDP)DNS rules to check ID numbers: There is a description on this thread:- https://www.wilderssecurity.com/showthread.php?t=270592 (please read for description/use)

    Have attached the rulesets. (You will need to remove the "txt" extension so you can load them into LnS.)

    - Stem
     

    Attached Files:
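    Stem's attached rulesets are not reproduced on the page. As an added example (my own code, not the LnS rules or anything from the LnS project), the Python below models the two checks Stem describes: binding the gateway IP to its MAC for ARP, and accepting a UDP DNS reply only when its transaction ID and question match a query the host actually sent. The gateway address, MAC, names and frames are constructed values for the demonstration; the parsing follows the standard ARP and DNS wire formats.

```python
import struct

# Constructed example values (hypothetical, not from the thread): the LAN
# gateway and the MAC we "bind" its IP to, as Stem's ARP anti-spoof rule does.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet II frame carrying IPv4-over-Ethernet ARP (constructed test input)."""
    eth_header = mac_to_bytes(target_mac) + mac_to_bytes(sender_mac) + b"\x08\x06"
    arp_body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
                + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
                + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return eth_header + arp_body


def arp_gateway_check(frame: bytes) -> str:
    """Allow ARP unless it claims the gateway IP from a MAC other than the bound one."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return "allow"  # not ARP; this filter does not apply
    hw_type, proto, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return "block"  # unexpected ARP encoding; be conservative
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    if sender_ip == GATEWAY_IP and sender_mac != GATEWAY_MAC:
        return "block"  # another host claims the gateway's IP: the ARP spoof case
    return "allow"


def build_dns(tid: int, name: str, response: bool = False) -> bytes:
    """Build a minimal DNS message (header + one A question), constructed test input."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", tid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def dns_fields(msg: bytes):
    """Return (transaction id, is_response, question name) from a DNS message."""
    tid, flags = struct.unpack("!HH", msg[:4])
    labels, off = [], 12
    while msg[off] != 0:
        length = msg[off]
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return tid, bool(flags & 0x8000), ".".join(labels)


class DnsReplyIdFilter:
    """Stateful UDP/53 filter: a reply passes only if ID and question match a query we sent."""

    def __init__(self):
        self.pending = {}  # transaction id -> question name of our outstanding query

    def outbound(self, msg: bytes) -> str:
        tid, is_response, qname = dns_fields(msg)
        if not is_response:
            self.pending[tid] = qname
        return "allow"

    def inbound(self, msg: bytes) -> str:
        tid, is_response, qname = dns_fields(msg)
        if not is_response:
            return "block"  # unsolicited DNS query aimed at the host
        if self.pending.get(tid) != qname:
            return "block"  # ID or question matches no query we sent: forged reply
        del self.pending[tid]  # one reply per query; a later duplicate is dropped
        return "allow"


def demo():
    # ARP: the real gateway announcing itself vs. another MAC claiming the gateway IP.
    genuine = build_arp(2, GATEWAY_MAC, GATEWAY_IP, "00:aa:bb:cc:dd:ee", "192.168.1.10")
    forged = build_arp(2, "de:ad:be:ef:00:01", GATEWAY_IP, "00:aa:bb:cc:dd:ee", "192.168.1.10")
    # DNS: one query out, then a reply with a guessed ID, one for another name,
    # the matching reply, and a replay of it.
    flt = DnsReplyIdFilter()
    flt.outbound(build_dns(0x1A2B, "example.com"))
    return {
        "arp_genuine": arp_gateway_check(genuine),
        "arp_forged": arp_gateway_check(forged),
        "dns_wrong_id": flt.inbound(build_dns(0x1A2C, "example.com", response=True)),
        "dns_wrong_name": flt.inbound(build_dns(0x1A2B, "example.org", response=True)),
        "dns_match": flt.inbound(build_dns(0x1A2B, "example.com", response=True)),
        "dns_replay": flt.inbound(build_dns(0x1A2B, "example.com", response=True)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

    The ARP check is exactly the "bind gateway IP to its MAC" idea: it does not try to detect spoofing in general (which Stem notes is not possible on a host), it only refuses a claim on the one address that matters for redirecting traffic. The DNS filter shows the limit Stem mentions too: it catches a reply with a wrong ID or for a name never asked for, but a reply that guesses the right ID for an outstanding query still passes, which is why disabling the host DNS client or cross-checking with a second resolver is the stronger measure.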

  14. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Hi Stem

    Thanks for the rules :thumb:
    Could you please check if I did it wrong?
    This is my first time messing around with rulesets :)

    Posted the screenshot.
     

    Attached Files:

  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi blasev,

    You would be better to move the newly imported rules to just above the defaults that they are replacing, then either disable the default rules, or set them to block with logging. I can see you have done that with the ARP rules, but not with some of the others.

    Please check (examples):-

    The DNS rules.

    The 2 imported SPF rules have been moved to just above the 2 default DNS rules. I have set the defaults to block (the no-entry sign). It can be helpful to set those defaults to block with logging, just in case there is a problem with the imported rules you are now using.

    01.jpg

    DHCP:-

    Again, I have moved the 2 new imported rules to just above the default. Then set the default rule to block.

    [Note: the DHCP v6 rule I have not tested to see if the SPF rules can replace it, as my ISP has still not moved over to IPv6. So that rule is dependent on your setup.]

    02.jpg

    ICMP:-

    Same again with the moving of the new rules, and blocking of the old.

    03.jpg


    The IPv6 ICMP rules will depend on your setup; you may want to block them with logging to see if they are actually needed in your setup.


    Once you know the new rules are working, then you can (if you want to) disable or delete the default rules they have replaced.


    - Stem
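    As an added illustration of why the ordering Stem describes matters (example code, not LnS's own rules or logic; it assumes LnS evaluates rules top-down with the first match deciding, which is the behaviour the advice above relies on), here is a small first-match rule engine in Python. It runs a forged and a legitimate DNS reply through the imported SPF rule left below the default, and again with the imported rule moved above a default set to block with logging. The packet fields and rule names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Packet:
    proto: str
    sport: int
    dns_id_ok: Optional[bool] = None  # outcome of the imported reply-ID check; None if not DNS


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str  # "allow" or "block"
    log: bool = False


def evaluate(rules, pkt):
    """First matching rule decides; nothing matching falls through to an implicit logged block."""
    for rule in rules:
        if rule.match(pkt):
            return rule.name, rule.action, rule.log
    return "<no rule>", "block", True


def is_dns_reply(p: Packet) -> bool:
    return p.proto == "udp" and p.sport == 53


# Default-style DNS rule: allow any UDP reply from port 53, no questions asked.
default_dns_allow = Rule("default: DNS", is_dns_reply, "allow")
# The same default after Stem's advice: left in place but set to block with logging.
default_dns_block = Rule("default: DNS (blocked)", is_dns_reply, "block", log=True)
# Imported SPF rule: allow a DNS reply only when its transaction ID matched our query.
spf_dns = Rule("SPF: DNS reply ID", lambda p: is_dns_reply(p) and p.dns_id_ok is True, "allow")

# Wrong: imported rule left below the default, so the default always matches first.
wrong_order = [default_dns_allow, spf_dns]
# Right: imported rule above the default, and the default set to block with logging.
right_order = [spf_dns, default_dns_block]


def demo():
    legit = Packet("udp", 53, dns_id_ok=True)
    forged = Packet("udp", 53, dns_id_ok=False)
    return {
        "wrong_forged": evaluate(wrong_order, forged),
        "wrong_legit": evaluate(wrong_order, legit),
        "right_forged": evaluate(right_order, forged),
        "right_legit": evaluate(right_order, legit),
    }


if __name__ == "__main__":
    for case, (rule, action, logged) in demo().items():
        print(f"{case:13s} -> {action:5s} by '{rule}'" + ("  [logged]" if logged else ""))
```

    With the wrong order the forged reply is allowed by the default rule and the imported rule is dead weight. With the right order the forged reply hits the logged block, so anything the new rules reject shows up in the log, which is the "just in case there is a problem with the imported rules" safety net Stem recommends before the defaults are disabled or deleted for good.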
     
  16. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Thanks a lot. I'll fix it as per your explanation.
    And I will report the result; messing around with rulesets is fun, but I don't have enough knowledge to do it.
    So thanks again for the pre-made rules.
     