Masking Subnets (prevent hacks).. ARP rule

Does anyone know if LnS is capable of blocking any attempt from
intruders attempting to reach the same subnet as "my @" (my IP at my ISP)?
How should I configure such a rule?
For instance: My IP (my @) is 192.168.0.1 and the intruder is attempting to
access my IP via the subnet such as 192.168.xxx.xxx, how can I block all
access from any IP on my current subnet (my @)?
I'm not sure how the "mask" function works in LnS, and am curious if the
"mask" function in the "IP" dropdown menu would allow me to accomplish the
above.

Also, i've noticed that 'allowing all' ARP packets is not necessary for
proper internet connection and use, however, i'm not sure what is considered a safe configuration. Does anyone have any guidelines to follow which allows a more secure "ARP" rule without degradation of security in F/W?

 

Are you behind a router as the 192.168.*.* is a private IP range?
Your router will be blocking unsolicited inbound packets from the Internet and LnS will also block unsolicited inbound. Are you seeing log entries from other LAN systems?

If you are behind a router you can allow it for the LAN subnet only if you want to restrict it, but you should be fine with the default permit all.

Regards,

CrazyM

 

No router.

I'm using that IP as an example only.
Although LnS will block inbound packets, there still seems
to be determined efforts to reach IPs on the same subnet as
"My @" (My IP at my ISP). This tells me that there may
be some benefit to the intruder to reach such an IP.
Therefore i'm very interested in a way to "mask" (hope i'm
using this correctly) or capture any IP range that is on my subnet
incoming or ougoing in order to block the packets.

To be on the safe side, i'd like to not "Permit All", but control
what enters or leaves the PC in case there's a hole somewhere or
just inconsistancies in the rule configuration.

Does anyone know how the "Masking" option works? What does each
setting do?

Thanks

 

Guess no one knows much about this. I'd like to tighten up my rules a bit more.

Frederic, or anyone.. can you help in regards to my questions?

 

A couple things come to mind here.. First, have you checked out Phant0m's ruleset? I'm no expert on rule editing, but from what I gather, I think what you're looking for is already in his ruleset.

Next, have you looked much at the rule editing screen? There's actually options to set "Equal to my @" and "Diff. to my @"

Last, rather than making one entry with a mask (such as 192.168.*.*) what you would want to do is actually set an IP range. Under the IP Address sections at the bottom of a rule editing screen, you will have a drop down box with many options, incluing "In Range A : B" (as well as the above mentioned "Equals my @" etc), so then you could put 192.168.0.0 in the first and 192.168.255.255 in the second, and it would filter out everything in between the two. If your ISP has a specific limited range for their servers, you could also use "Out Range A : B" and put the servers IP range in there, so it would filter anything outside of that. After creating that rule, just put it right above the 'allow all' rule.

Hopefully that makes sense, once you look at it, I'm sure it will make more sense

 

Notok,

Your post makes good sense, and it was very helpful.
In my original post, I didn't mention that I have a dynamic IP
which changes upon each connection to my provider. This makes
it difficult to use (effectively) rules similar to what you
have suggested once an attacker reaches the subnet of my current
connection. This is due to the fact that the ranges i'd need to
enter would change contantly, rotating through thousands of
possibilities. If LnS has a method to use the "My @" option
along with an option that blocks IPs attempting a connection
within the users current IP subnet range, it may allow a higher
state of security. I understand that "Block Incoming Connections"
and "Block all other packets" would block many connections, but
if an attacker were to reach (or resides) just a hop or two from
your connection would it be so easy to evade attacks?

The above is said due to my belief that a single attacker who is
persistant is somehow getting past the firewall with my current
setup. I have ALL ports shutdown except www, which is for surfing
only. In addition, services, fragmentation, rule placement etc.
etc. have been secured. This is on my most secure ruleset.
For many, a router does a great job, but i've tried that and have
found that LnS is a better solution from where I stand. I
understand that others would disagree, but it's my particular
setup that makes this so.

In closing, does anyone know the proper use (LnS usage) of the
masking function in Look'n'Stop? Is it effective or buggy?
In any case, could I get a few ideas to develope a more secure
system//