Masking Subnets (prevent hacks).. ARP rule

Discussion in 'LnS English Forum' started by needtoknowinfo, Aug 8, 2005.

Thread Status:
Not open for further replies.
  1. Does anyone know if LnS is capable of blocking any attempt from
    intruders attempting to reach the same subnet as "my @" (my IP at my ISP)?
    How should I configure such a rule?
    For instance: My IP (my @) is 192.168.0.1 and the intruder is attempting to
    access my IP via the subnet such as 192.168.xxx.xxx, how can I block all
    access from any IP on my current subnet (my @)?
    I'm not sure how the "mask" function works in LnS, and am curious if the
    "mask" function in the "IP" dropdown menu would allow me to accomplish the
    above.

    Also, I've noticed that 'allowing all' ARP packets is not necessary for
    proper internet connection and use; however, I'm not sure what is considered a safe configuration. Does anyone have any guidelines to follow which allow a more secure "ARP" rule without degradation of security in the F/W?
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Are you behind a router, as 192.168.*.* is a private IP range?
    Your router will be blocking unsolicited inbound packets from the Internet and LnS will also block unsolicited inbound. Are you seeing log entries from other LAN systems?

    If you are behind a router you can allow it for the LAN subnet only if you want to restrict it, but you should be fine with the default permit all.

    Regards,

    CrazyM
     
  3. No router.

    I'm using that IP as an example only.
    Although LnS will block inbound packets, there still seem
    to be determined efforts to reach IPs on the same subnet as
    "My @" (My IP at my ISP). This tells me that there may
    be some benefit to the intruder in reaching such an IP.
    Therefore I'm very interested in a way to "mask" (hope I'm
    using this correctly) or capture any IP range that is on my subnet,
    incoming or outgoing, in order to block the packets.

    To be on the safe side, I'd like to not "Permit All", but control
    what enters or leaves the PC in case there's a hole somewhere or
    just inconsistencies in the rule configuration.

    Does anyone know how the "Masking" option works? What does each
    setting do?

    Thanks
     
  4. Guess no one knows much about this. I'd like to tighten up my rules a bit more.

    Frederic, or anyone.. can you help in regards to my questions?
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    A couple things come to mind here.. First, have you checked out Phant0m's ruleset? I'm no expert on rule editing, but from what I gather, I think what you're looking for is already in his ruleset.

    Next, have you looked much at the rule editing screen? There's actually options to set "Equal to my @" and "Diff. to my @"

    Last, rather than making one entry with a mask (such as 192.168.*.*), what you would want to do is actually set an IP range. Under the IP Address sections at the bottom of a rule editing screen, you will have a drop down box with many options, including "In Range A : B" (as well as the above mentioned "Equals my @" etc), so then you could put 192.168.0.0 in the first and 192.168.255.255 in the second, and it would filter out everything in between the two. If your ISP has a specific limited range for their servers, you could also use "Out Range A : B" and put the servers' IP range in there, so it would filter anything outside of that. After creating that rule, just put it right above the 'allow all' rule.

    Hopefully that makes sense, once you look at it, I'm sure it will make more sense :)
     
  6. Notok,

    Your post makes good sense, and it was very helpful.
    In my original post, I didn't mention that I have a dynamic IP
    which changes upon each connection to my provider. This makes
    it difficult to use (effectively) rules similar to what you
    have suggested once an attacker reaches the subnet of my current
    connection. This is due to the fact that the ranges I'd need to
    enter would change constantly, rotating through thousands of
    possibilities. If LnS has a method to use the "My @" option
    along with an option that blocks IPs attempting a connection
    within the user's current IP subnet range, it may allow a higher
    state of security. I understand that "Block Incoming Connections"
    and "Block all other packets" would block many connections, but
    if an attacker were to reach (or resides) just a hop or two from
    your connection, would it be so easy to evade attacks?

    The above is said due to my belief that a single attacker who is
    persistent is somehow getting past the firewall with my current
    setup. I have ALL ports shut down except www, which is for surfing
    only. In addition, services, fragmentation, rule placement etc.
    etc. have been secured. This is on my most secure ruleset.
    For many, a router does a great job, but I've tried that and have
    found that LnS is a better solution from where I stand. I
    understand that others would disagree, but it's my particular
    setup that makes this so.

    In closing, does anyone know the proper use (LnS usage) of the
    masking function in Look'n'Stop? Is it effective or buggy?
    In any case, could I get a few ideas to develop a more secure
    system?
     
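The following is an added example, not code from this thread and not Look 'n' Stop's own implementation (the exact semantics of LnS's "mask" option are not documented in the thread, so this does not claim to reproduce them). It models the three address-matching modes the posts name ("Equal to my @", "In Range A : B", and a mask applied relative to "my @") and walks an ordered, first-match rule list the way a packet filter does. The point raised in post 6 is handled by deriving the "my subnet" network from the current address at match time, so the rule survives a dynamic address change. All rule names, prefix lengths and packet addresses below are constructed for illustration.

```python
# Added example (not from the thread or from Look 'n' Stop). Models
# "Equal to my @", "In Range A : B" and a mask relative to "my @" as
# match functions over (remote address, my current address).
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Rule:
    name: str
    action: str                            # "block" or "allow"
    match: Callable[[IPv4, IPv4], bool]    # (remote, my_ip) -> matched?


def equal_my_at() -> Callable[[IPv4, IPv4], bool]:
    """'Equal to my @': the remote address is my own address."""
    return lambda remote, me: remote == me


def in_range(a: str, b: str) -> Callable[[IPv4, IPv4], bool]:
    """'In Range A : B': a static range, inclusive at both ends."""
    lo, hi = IPv4(a), IPv4(b)
    return lambda remote, me: lo <= remote <= hi


def same_subnet_as_me(prefix_len: int) -> Callable[[IPv4, IPv4], bool]:
    """Mask relative to 'my @': the /prefix_len network that contains
    whatever my address is *now*. Because the network is computed from
    `me` at match time, a dynamic address change does not invalidate
    the rule (the concern raised in post 6)."""
    def _match(remote: IPv4, me: IPv4) -> bool:
        net = ipaddress.ip_network(f"{me}/{prefix_len}", strict=False)
        return remote in net
    return _match


def evaluate(remote: str, my_ip: str, rules: List[Rule]) -> str:
    """First matching rule decides, as in an ordered firewall rule list.
    Nothing matched means the packet is dropped (default deny)."""
    r, me = IPv4(remote), IPv4(my_ip)
    for rule in rules:
        if rule.match(r, me):
            return rule.action
    return "block"


# Hypothetical ruleset: the restrictive rules sit above "allow all",
# as Notok's post recommends. The /24 is an assumed prefix length.
RULES: List[Rule] = [
    Rule("spoofed-as-myself", "block", equal_my_at()),
    Rule("block-my-current-subnet", "block", same_subnet_as_me(24)),
    Rule("block-192.168-range", "block",
         in_range("192.168.0.0", "192.168.255.255")),
    Rule("allow-everything-else", "allow", lambda remote, me: True),
]


def demo() -> Dict[Tuple[str, str], str]:
    """Constructed sample: two sessions with different dynamic addresses
    (documentation ranges), each seeing the same four remote peers."""
    results: Dict[Tuple[str, str], str] = {}
    for my_ip in ("203.0.113.17", "198.51.100.200"):
        for remote in ("203.0.113.9", "198.51.100.130",
                       "192.168.4.4", "93.184.216.34"):
            results[(my_ip, remote)] = evaluate(remote, my_ip, RULES)
    return results


if __name__ == "__main__":
    for (me, peer), verdict in sorted(demo().items()):
        print(f"my @ {me:<16} remote {peer:<16} -> {verdict}")
```

Note that a rule keyed to "my @" only sees the address the firewall host currently holds; it cannot know the ISP's real allocation boundary, so the prefix length is a guess that may block neighbours the provider does not group with you, or miss ones it does. A static "In Range A : B" rule is exact but must be re-entered whenever the address moves, which is exactly the trade-off the two posts above describe.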