From what I gathered they both have advantages and disadvantages over one another; if you’re interested in determining the results properly you should try both for yourself.
The biggest advantage I see is that Frédéric has been the first one to issue a patch to every firewall vulnerability that has been discovered ever since LnS has existed (usually within 24-48 hours), while some other firewalls are still working on some of them.
I'm a Kerio user, and I'm currently trying out the Pro version to check out its application filtering. Overall, while LnS's options might not all be up front, as you have to enable the advanced configurations and advanced options, it's got a couple of things that Kerio can't compete with, as its application filtering is better in the sense that if tooleaky.exe tries to use IE for a connection, you can be prompted instead of it passing through your rules. Right now I'm trying to adjust to their rules; I liked the fact that I could rely on Kerio with the rules with local and remote addresses, so you could make two LnS rules only one rule in Kerio. At least that is the way it seems right now. Maybe I have not seen it yet, but other than the block all rule, what you don't block in your rules is allowed. I've only been playing around for less than an hour so far, so I can be wrong and I'm just missing something. I don't trust firewalls unless I have tested them out, so I'm still running Kerio right behind it, and that is exactly right. I did a port scan, and LnS blocked every packet. Kerio didn't get a chance to block any packets.

Edit: One of my concerns is that Kerio is a system service so it loads with all your other drivers, while LnS is started by a simple registry entry which starts with the user profile.
Hey BlitzenZeus, I really don’t see any error in Look ‘n’ Stop being operated in Basic Mode when pre-installed; if one is an experienced user or an explorer then they can quickly enable Advanced Mode and not feel Look ‘n’ Stop isn’t being upfront. I don’t quite follow. Hmmm, interesting, but I do believe it’s the other way around with Look ‘n’ Stop’s EnhancedRulesSet.rls. What you don’t authorize is blocked by the rule-set; at least this is how I see it… Well, I believe anyone who does trust Firewalls without experiencing it 1st hand is crazy. I wouldn’t recommend installing two or more Software Firewalls on the same System; even if it’s not noticeable there are definitely Non-Noticeable conflicts. Look ‘n’ Stop’s EnhancedRulesSet.rls is far more secure by Default compared to other rule-based Software Firewalls’ default rule-sets. Yes, Look ‘n’ Stop’s Application and Internet Filtering Drivers are configured in a specific loading order which is extremely early in the process compared to most Software Firewalls’ Drivers. There is quite a difference between the Kerio / Look ‘n’ Stop GUI and the Kerio / Look ‘n’ Stop Drivers: whether or not the GUI gets loaded in an early state or a much later state, the Drivers will be loaded in the order they’ve been given, like how Look ‘n’ Stop works, but most Software Firewalls depend on the order they’re installed in and don’t rely on a specific Driver Loading order. Look ‘n’ Stop’s GUI does not need to be running in order for Protection by its Drivers to be in process: "Persistent Internet Filtering" http://www.wilderssecurity.info/Advanced_Options.shtml. Also visit http://www.wilderssecurity.info/pg8.shtml; if you haven’t already seen it you may find it useful…
Keep in mind I have only had real time to play with it for an hour. I'm still adjusting to the rules since Kerio is what I call 'simple complexity', and LnS just gives you the raw information. Kerio always kept the local range static in the sense you could make a bi-directional rule without having to worry about the ports you assign for the remote. I need to test making some bi-directional rules, and build my own ruleset from scratch to really understand a rule based firewall. I started working from the enhanced ruleset, and found that I had to disable two block all rules, including the last blocking rule, to allow the communication. However it let it through, or let the application through as it was a permitted application. I know you can make rules from the logs, but it was a test. LnS and Kerio are playing fine together even though LnS is stealing all of the blocked traffic. I simply do not trust protecting my system to something that I don't know what it's fully going to do. With Kerio I always configure basic and system rules before I go on the internet, even if it's as simple as importing an exported ruleset, then modifying it. Yeah, I caught the persistent filtering in the advanced area after I posted that. I just need to sit down, start converting my system rules, and go from there. This is a good program, and the default rulesets are better than any other defaults I have seen, but I'm the kind of person who has to figure out all the options to make my own ruleset. I don't trust default rulesets.
Hey BlitzenZeus, disabling the “TCP : Block incoming connections“ rule is crippling your Software Security largely, and disabling “Block : All other packets” may not affect the Software Firewall from Blocking all un-configured traffic, however it will prevent you from being notified of Hacks/Scans/Nukes or just plain unauthorized Connection attempts. What you need to do is “create” rules to Authorize; take a quick look at http://www.wilderssecurity.com/showthread.php?t=8806. And like you I prefer not to use Default or other people’s rule-sets; from the beginning I always used my own, from scratch. I’ve got a very specific rule-style that can be applied to ALL rule-based Software Firewalls to get the Maximum Level Software Security the Software Firewall is capable of offering. And again like you I love learning the In-Outs of everything I use, especially anything in Reference to Software Security…
This page http://itsec.commontology.de/firewalls/lns/lns-rules.html helped me quite a bit when I first started with LnS. Though I believe you (BlitzenZeus) are well beyond where I was/am in your understanding of things overall, so it may all be old news to you. Peace
Phantom, I'm used to programs that will prompt for communications not in your rules, but I will just have to watch my logs to allow communications I wanted to allow. I'm just used to software firewalls like AtGuard and Tiny/Kerio 2x which are a little more newbie friendly. Although not by much.

JPM, thanks for the link, I will have to take a look over it. One thing about rule based firewalls: there are many ways to configure one thing, and everybody has their own style. I have to take all that information with my own, and form it into my own custom ruleset. It's one thing to just copy somebody else's rules, and not understand them. However if you understand exactly what you're doing, you might find a different way you like better of doing the same job.
@ JPM and BlitzenZeus, actually that page JPM mentioned is mine and is quite old. I have since started to put together another one with more generic information, but have stopped developing it due to lack of feedback. I have set up my current LnS ruleset following this page and had to adapt only very few things, but have forgotten to include these on the site yet. If any of you would be so kind as to look also at http://itsec.commontology.de/firewalls/fire0.html and tell me what you think is wrong or what could be improved. (In the table describing the actual rules, there are columns for screenshots of some popular firewalls, but no screenshots yet. If you happen to have a rule as described, I would be grateful to get a corresponding screenshot for your fw...) Maybe there are a few (probably very few, if any, considering your "advances") things which you can benefit yourselves from. TIA, Andreas (you can also contact me by mail via A.Wagner at stud.uni-frankfurt.de)
ConSeal PC Firewall had an "Automatic Rule Learning" Feature; for any Packets which don’t match any rules in the rule-set the user gets prompted with a number of options like “Ignore, Block, Allow” and so forth. This Feature can be very useful for newbies but can be quite annoying; I personally believe it to be an indication the user’s rule-set was improperly designed. If the user’s rule-set was properly designed there should not be any Dialog prompts.
I actually took advantage of them, and I didn't see them unless I was setting up a new program communication. I have strict rules, so let's say I was setting up a new pop3 server in my mail program: I would get the prompt to permit the outbound on tcp 110 to pop3.whatever.com, I would customize the rule right there, and afterwards I would simply reorder my rules to be organized. I also haven't been using block all for a long time as Kerio will block packets to non-listening ports by default, which was a nice feature, and could partially be considered SPI... So yes, if you didn't know what you were doing they could be annoying, but there is always an option to turn it off. I find it's easier than digging through your logs and making rules from those, since some of the attempts after the first might be looking for alternative sites/ports if the main site/port failed. The prompt also allows for a first time connection if your rules or settings permit.
There are always differences in Software Firewall designs; unless you used ConSeal PC Firewall you cannot say the “Automatic Rule Learning” Feature couldn’t be of annoyance. Unlike many of today’s Software Firewalls, ConSeal PC Firewall’s “Automatic Rule Learning” Feature triggered whenever “unknown” traffic which doesn’t match any rules in a rule-set appeared, whether it was Outbound or Inbound. Now if I’m not mistaken a number of today’s Software Firewalls give you Controls, one prompting you on an Application’s Outgoings which are being generated by the Application Filtering Layer… All that I learned about configuring rule-based Software Firewalls was from my experiences with ConSeal PC Firewall; I’m using basically the same rule-style now as I had then.

1. Block ALL
2. Allow Primary and Secondary DNS servers
3. Allow DHCP (depending on your Connection type)
4. Allow Only Outgoings of UDP
5. Allow Only Outgoings of ICMP
6. Allow TCP Connections with Block Incoming Connections (TCP SYN) setup.
7. And whatever afterwards can be applied to Authorize specific types of Inbound Connections which would be affected by High Level Software Security, such as Identd Requests.

Now if anyone takes the time to comprehend this style you’d see why it’s extremely effective in Blocking Hacks/Scans/Nuke Attempts Stone-Cold. And if you don’t like Total Freedom to the Outside, all you can do is Disable or Remove #4 and #5 and make modifications to #6 to allow certain types of Outgoing Connection, and repeat the giving for paranoid style.
I understand your style, but I actually restrict most applications to certain ports and addresses, so that would put me more on the paranoid side. The rule assistants do help with these tight configurations. The main difference I can see from your style is the order I put my rules in to keep them organized, and in my firewalls I never had a chance to pick blocking of tcp packets with the syn flag set.

DHCP
DNS
ICMP
System Blocking Rules
Loopback
Application rules
Block all Inbound
Block all Outbound

I have the block all rules, but they are usually never enabled as Kerio's action to block non-listening ports is quite effective, along with not having any unwanted prompts for outbound connections unless I'm setting up something new.
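The rule-style Phantom lays out above (block all, then allow DNS/DHCP, outgoing UDP and ICMP, and TCP with incoming SYNs blocked), the point made earlier in the thread that disabling "Block : All other packets" keeps traffic blocked but loses the notification, and BlitzenZeus's habit of leaving his block all rules disabled can all be checked with a small first-match rule evaluator. The following is an added example written for this thread; it is not code from Look 'n' Stop, Kerio, ConSeal or any poster. It assumes top-down evaluation where the first matching rule wins, so "Block ALL" is modelled as the final catch-all rule (the way the "Block : All other packets" rule sits last in LnS), unmatched traffic is silently dropped, and the DNS server address and sample packets are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out", from the host's point of view
    proto: str                      # "tcp", "udp" or "icmp"
    remote_ip: str
    remote_port: Optional[int] = None
    local_port: Optional[int] = None
    syn_only: bool = False          # TCP SYN without ACK: a new connection attempt

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "block"
    direction: Optional[str] = None # None means the field is not checked
    proto: Optional[str] = None
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None
    local_port: Optional[int] = None
    syn_only: Optional[bool] = None
    log: bool = False               # block rules that should notify the user

    def matches(self, pkt: Packet) -> bool:
        for field in ("direction", "proto", "remote_ip", "remote_port", "local_port", "syn_only"):
            wanted = getattr(self, field)
            if wanted is not None and wanted != getattr(pkt, field):
                return False
        return True

def evaluate(rules: List[Rule], pkt: Packet, log: List[str]) -> str:
    """First matching rule decides; anything unmatched is dropped without a log entry."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.log:
                log.append(f"{rule.name}: {pkt.direction} {pkt.proto} from {pkt.remote_ip}")
            return rule.action
    return "block"  # assumed default-deny behaviour, silent

def phantom_ruleset(dns_server: str = "10.0.0.2", with_catch_all: bool = True) -> List[Rule]:
    """Phantom's rule-style (post above), ordered for first-match evaluation (assumption)."""
    rules = [
        Rule("Allow DNS", "allow", proto="udp", remote_ip=dns_server, remote_port=53),
        Rule("Allow DHCP", "allow", proto="udp", remote_port=67),
        Rule("Allow outgoing UDP", "allow", direction="out", proto="udp"),
        Rule("Allow outgoing ICMP", "allow", direction="out", proto="icmp"),
        # A new inbound TCP connection (SYN) is blocked and logged before the TCP allow rule.
        Rule("TCP: Block incoming connections", "block", direction="in", proto="tcp",
             syn_only=True, log=True),
        Rule("Allow TCP", "allow", proto="tcp"),   # outgoing connects and their replies
    ]
    if with_catch_all:
        rules.append(Rule("Block: All other packets", "block", log=True))
    return rules

# Constructed sample traffic: a DNS lookup, an inbound probe of port 135, an outbound
# web connection and its reply, an inbound NetBIOS datagram and an inbound ping.
SAMPLE_PACKETS = [
    Packet("out", "udp", "10.0.0.2", remote_port=53, local_port=1025),
    Packet("in", "tcp", "203.0.113.9", remote_port=4444, local_port=135, syn_only=True),
    Packet("out", "tcp", "198.51.100.7", remote_port=80, local_port=1026, syn_only=True),
    Packet("in", "tcp", "198.51.100.7", remote_port=80, local_port=1026),
    Packet("in", "udp", "203.0.113.9", remote_port=1024, local_port=137),
    Packet("in", "icmp", "203.0.113.9"),
]

def run(rules: List[Rule], packets: List[Packet]) -> Tuple[List[str], List[str]]:
    """Return the verdict for every packet and the log entries the rule-set produced."""
    log: List[str] = []
    verdicts = [evaluate(rules, pkt, log) for pkt in packets]
    return verdicts, log

if __name__ == "__main__":
    for with_catch_all in (True, False):
        verdicts, log = run(phantom_ruleset(with_catch_all=with_catch_all), SAMPLE_PACKETS)
        print(f"catch-all enabled={with_catch_all}: verdicts={verdicts}")
        for entry in log:
            print("  logged:", entry)
```

Both runs block the same packets: the inbound SYN to 135 is stopped by "TCP: Block incoming connections" either way, and the NetBIOS datagram and ping are dropped by the catch-all or by the silent default. The difference is only in the log: three entries with "Block: All other packets" enabled, one without it, which is the notification loss described earlier in the thread.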