Need design help - What rule importing sequence is best, etc.

Discussion in 'LnS English Forum' started by act8192, Jul 18, 2011.

Thread Status:
Not open for further replies.
  1. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    I think I'm going to like this firewall, but it's tough sledding up front.

    I collected a few useful rulesets from the LnS site, as well as PhantOm's rules.
    The LnS rules are: enhanced, wireless, filesharing and tracert.
    I also got PluginEditRawRule.dll - I won't edit Raw rules, but this allowed me to look (sure is complicated, expert, stuff!).

    My questions, related to my first attempt which I didn't like:
    (1) Starting from scratch, what is the best sequence importing those rules in? I don't want to mess up too much by doing things in wrong order only to have to rearrange and mess up later.
    (2) Before installing Phantom's rules, the LnS filesharing rules were in place and I added a few ICMPs. PhantOm's rules also seem to have NetBIOS rules as well as ICMP. Once again, do what? Ditch mine?
    (3) can you put NOT "!" in front of a port or is it just for IP on the application? I want to log a block on one or two ports when browser is used. Something on yahoo that I don't like.
    (4) I made rules for Outlook client (just DNS by UDP to ISP's in and out mailservers on the Applications tab).
    Since Outlook gets and sends mail provided by ISP and gmail, I ended up with 4 packet rules, all out by TCP. Two for ISP (ports 25 and 110) and two for gmail (995 and 465)
    Should I have bundled it all into one packet rule? or into application? Why or why not?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    1: Importing what rules into what ruleset?
    2: I do not know what is in "Phantoms ruleset", so cannot comment
    3: Yes
    4: There are different ways to create a ruleset. Some like to create rules and add the application to the rule, so the rule is only active while the application is active. That can work to some extent. There can be problems, for example, if you are using a P2P program for long periods, that uses many/all remote ports, as then all applications (with Internet access allowed) will be allowed to access that rule. It can sometimes be better, to have an open rule, to allow all outbound TCP, then place port restrictions on the applications (in the applications filtering table).

    - Stem
     
  3. act8192
    Stem,
    1 and 2. That's part of my question. I suppose it always starts with the Standard set. So now, do I load enhanced then Phantom's. Or do I load enhanced, add my rules, then add Phantom's? Let's hope Phant0m helps here then.
    It's a bit rough to figure out which rules to change and which to move up and down and which to get rid of, because the naming is so different from what I'm used to.
    3. Good, thanks.
    4. No P2P here. Ok, I'll think about what you just suggested.
    Just to clarify. In Kerio or Sunbelt or Outpost, I have Outlook rules
    - localhost all ports except Avira's proxy port for http (I know can't do that in LnS)
    - DNS to openDNS servers, by UDP in to any port, and out to 53
    - Incoming from ISP mail server from local ports 1029-5000, by TCP out to their IP, port 110
    - Outgoing to ISP mail server from local ports 1029-5000, by TCP out to their IP, ports 25 and 587
    - Incoming from gmail (IP varies), from local ports 1029-5000, by TCP out to 465 (secure SMTP)
    - Outgoing to gmail (IP varies), from local ports 1029-5000, by TCP out to 995 (secure POP3)
    - Block everything else for Outlook (optional rule because outlook blocks all http links anyway)
    Suggest me, please, best, logical, efficient, strategy in LnS.

    Still looking forward to your guide promised in the epson printer thread :)
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi act8192,

    By default install of Look ‘n’ Stop, the standard ruleset is used; the Enhanced ruleset is optional. Switching between the two doesn’t load one on top of the other, it only switches to a different ruleset.

    When you install P. Ruleset, it automatically sets and loads P. Ruleset; there is no reason to switch back unless you need to troubleshoot.

    I wouldn’t alter rules in the set unless you are an experienced user with rule-based software firewalls, or you ask first for opinions. ;)

    As for rule positioning, please visit ‘Creating/Importing Rules’ topic over on the official P. product support forum - http://www.mntolympus.org/phpBB3/viewtopic.php?f=24&t=1856


    Regards,
    Phant0m
     
  5. act8192
    Thanks for the link. I missed it. It explains where to fit a few of my potential rules into the Phant0m set. Handy guide.

    I'll try not to mess with the rules, but I do have to add my printer rules, OpenDNS IPs, my own MAC for the router, and additional DHCP server (out of the house), and few port restrictions ... but ok, I'll ask where and how. There's a bunch of elaborate rules which I'm sure better not to touch.

    I wouldn't mind getting a more general design idea, using my Outlook with its >2 rules only as an example.
    What's the best way of doing it? Which parts into Outlook app, which into packet rules?
    I'll appreciate your thoughts. Thanks in advance.

    Oh, I'm on WinXP-SP3, laptop sometimes leaves the security of the router behind.
     
  6. Phant0m
    If you were using OpenDNS at the time of P. Ruleset installation, it should have automatically retrieved this information and configured the DNS rule with the DNS server addresses. The same goes for DHCP, except you’ll need to add the additional DHCP servers used outside of your home, or use the P. Ruleset ForceConfig.ini Traveler flag, intended for people always tapping in on other people's and places' Internet.

    And I don’t follow you in regards to allowing MAC.

    For the Outlook application rule, specify the ports 25;110 in the ‘Ports and IP address selection’ - ‘Ports:’ field; if your mail servers don’t randomly change, are static or rarely change, specify the server IPs (ex. 24.124.23.2;123.23.234.3). And for the UDP ‘Ports:’ field, you can block all the ports for this application by using ! in front of the range (like !0-65535); specific port blocking would be !<port number> (example: !80). For blocking multiple IPs and ports you simply use ; between IPs and ports (like !24.124.23.2;!123.23.234.3, IP ranges !24.124.23.2-24.124.23.100, ports !80;!1080 and port ranges !81-100).
     
  7. act8192
    Thank you Phantom. So Outlook will go into apps and nothing special in the packet rules. I like the !80 idea, thanks. Your examples are good for me. My ISP mail servers haven't changed in >10 years. Like in the stock market lottery, I can't predict the future.

    MAC - nothing special. I thought it'll be good to enter MAC address of the router, as, for instance ellison was doing (I think) in the recent epson printer thread. No big deal, I think I'll muddle through it. But if there is any serious reason of why or why not mess with MAC addresses, please comment.

    DHCP - so you pick up DNS servers out of my TCP/IP properties?

    ForceConfig.ini Traveler flag - I saw that, wasn't sure if to change it. Also there's something about WPA. In my last trial wireless at home (WPA2) worked fine as is, so I probably don't need to change it. Correct?

    Let me throw in one more question which will complete my DHCP, DNS, ICMP important trio. P-set has a few ICMP rules. But I don't understand them. So in trials I just made my own, the same as in Kerio, which is exactly the same as in the CrazyM suggestions, which work fine for me to this day
    https://www.wilderssecurity.com/showthread.php?t=4413
    P-set includes stateful inspection. Should I use P-set rules? Why, why not? Do they say the same thing as CrazyM?
     
    Last edited: Jul 22, 2011
  8. Phant0m
    When Outlook sends and receives mail, it initiates the connection to the remote mail servers, so TDI level (Application filtering level) will first filter, anything allowed to pass will then be up against the packet filter.

    In Application filtering, when you supply specific port or ports and port ranges to permit, any communications attempts to the outside not using the specified destination port or outside of the destination port ranges are automatically blocked. These denied outward packets will never get processed by the packet filter.

    What you should know about Application filtering rules: when you supply a port to be allowed, all the other ports are automatically denied. You cannot supply both allowed and blocked ports on the same ‘Ports:’ field. If you block a specified port like 80 using ! in front of the port number, all the other ports are allowed through. This is the same behavior for the ‘@ IP:’ field. So for me, it is better to allow specific ports and IPs and port / IP ranges instead. When blocking ports I usually supply the range to block all ports, 0-65535, normally on the starter applications for both TCP and UDP ‘Ports:’ fields, and deny UDP communications on other applications that shouldn’t use it or where it is unwanted. And for blocking IPs and IP ranges, in an application rule for Internet Explorer or any browser, p2p and similar applications where just allowing specific IPs and IP ranges is unlikely, blocking specific IPs and IP ranges is okay.


    The MAC of the printer I thought, but I only had glanced through the other topic. It is better to be more specific by including Ethernet type, IP protocol and ports information eventually. You should anyways always include the Ethernet type as minimum matching.

    P. Ruleset Installer by default installation retrieves the used DNS server(s) and configures the DNS rule; the same goes for DHCP. If the Traveler flag was set, the DNS and DHCP rules for instance aren’t restricted by servers, good for those who are always on the go and using other people's and places' connections. If you are basically going to and back from a family member's or any loved one's Internet, you leave the Traveler flag unset, rename the ruleset done for home to something like Home.rls, do the P. Ruleset installation again at the other Internet access and name that, and manually switch back and forth. For instance when I’m about to go to my family’s place with my computer, before closing the laptop up, I simply switch over to the family’s Internet ruleset. At the family’s place, before I close up the laptop and return home, I simply switch back to the Home ruleset. Anyways, just options to consider.

    Is your wireless protected? Using an encrypted key to access the Internet? Or is it unprotected and a hotspot for anyone to use while they're over there visiting? Anyways, you’ll lose Internet connectivity, and a rule named ‘WiFi WPA: Auth.’ will appear on the Look ‘n’ Stop ‘Log’ as blockings. Simply change the allow/block attribute over for that rule and disable the logging attribute, and next time activate the ForceConfig.ini Wireless support.


    Regarding ICMP filtering, ICMP (a sub-IP protocol) error messages are used by routers and hosts to tell a device that sent a datagram about problems encountered in delivering it. In the original ICMP version 4, five different error messages are defined, which are all described in the original ICMP standard, RFC 792. These are some of the most important ICMP messages, since they provide critical feedback about error conditions and may help a transmitting device take corrective action to ensure reliable and efficient datagram delivery. For a lot of the juicy information about ICMP error messages, visit the RFC 792 article - http://tools.ietf.org/html/rfc792

    If you mostly browse, check and send e-mails, having permitting ICMP rules isn’t such a big deal, but if you are an online multiplayer gamer, or you do p2p downloading, voice and/or video conferencing (to list just a few), then I feel you should have ICMP rules allowing the important ICMP error messages as listed in RFC 792. If you look through different posts regarding ICMPs and p2p software, you’ll see many say that their speeds are affected greatly.

    Currently with the official P. ruleset, we have some ICMP rules.

    The ‘-ICMP (on UDP) Error Message’ and ‘-ICMP (on TCP) Error Message’ rules at the bottom are to block ICMP error messages generated in response to TCP and UDP communications. These rules are more for troubleshooting and getting an understanding than to stop anything; without these two rules, those ICMPs AND any ICMPs that are not specifically allowed through are blocked anyway.

    The ‘ICMP : Error Messages’ rule that's above the previously mentioned rules has an application associated by default; I associated the rule to uTorrent, and this rule will only be activated when uTorrent is being used. This rule permits (while uTorrent is running) ICMP Destination-Unreachable [Type 3].

    The ‘ICMP : Frag needed and DF set’ rule above the rule that I last mentioned is required on some setups to avoid connectivity issues.

    The ‘ICMP: SPF Echo-Req’ and ‘ICMP: SPF Echo-Rsp’ rules are to allow ICMP Echo requests out from your machine, and temporarily and stateful-like allow responses back. The same goes for the Tracert rules just above.

    You can anyway stateful-like allow ICMP error messages on TCP and UDP communications with Look ‘n’ Stop.
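
    Phant0m's description of the application-filter fields above (and the field examples in post 6) can be checked against a small model. The block below is an added example written for this page; it is not Look 'n' Stop or P. Ruleset code and was not posted in the thread. It implements the stated semantics: entries separated by ';', single values or 'a-b' ranges, a leading '!' meaning block, an all-allow field denying everything not listed, an all-'!' field allowing everything not listed, and a field that mixes the two rejected. Treating an empty field as "no restriction", applying one '@ IP:' field to both protocols, and the two server addresses (the placeholders from post 6) are assumptions of the example.

```python
"""Model of the Look 'n' Stop application-filter 'Ports:' / '@ IP:' field syntax
as described in this thread.  Added example; not Look 'n' Stop or P. Ruleset code.

Behaviour modelled (from Phant0m's posts):
  - entries are separated by ';'
  - an entry is a port, a port range 'a-b', an IPv4 address or an IPv4 range 'a-b'
  - a leading '!' marks an entry as blocked
  - a field is either all allowed entries (everything not listed is denied) or all
    '!' entries (everything listed is denied, everything else allowed); mixing the
    two in one field is rejected
Assumption: an empty field means 'no restriction' for that dimension.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Field:
    negated: bool                          # True when every entry carried a leading '!'
    ranges: Tuple[Tuple[int, int], ...]    # inclusive (low, high) pairs


def _parse_port(entry: str) -> Tuple[int, int]:
    lo, _, hi = entry.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port entry: {entry!r}")
    return lo_i, hi_i


def _parse_ip(entry: str) -> Tuple[int, int]:
    lo, _, hi = entry.partition("-")
    lo_i = int(ipaddress.IPv4Address(lo))
    hi_i = int(ipaddress.IPv4Address(hi)) if hi else lo_i
    if lo_i > hi_i:
        raise ValueError(f"bad IP range: {entry!r}")
    return lo_i, hi_i


def parse_field(text: str, kind: str) -> Optional[Field]:
    """Parse a 'Ports:' field (kind='port') or an '@ IP:' field (kind='ip')."""
    entries = [e.strip() for e in text.split(";") if e.strip()]
    if not entries:
        return None
    flags = [e.startswith("!") for e in entries]
    if any(flags) and not all(flags):
        # "You cannot supply both allowed and blocked ports on the same 'Ports:' field."
        raise ValueError("allowed and blocked entries cannot be mixed in one field")
    parse = _parse_port if kind == "port" else _parse_ip
    return Field(all(flags), tuple(parse(e.lstrip("!")) for e in entries))


def field_permits(field: Optional[Field], value) -> bool:
    """value: an int port, or an IPv4 address given as str or int."""
    if field is None:
        return True
    if isinstance(value, str):
        value = int(ipaddress.IPv4Address(value))
    listed = any(lo <= value <= hi for lo, hi in field.ranges)
    return (not listed) if field.negated else listed


def app_permits(rule: dict, proto: str, dst_ip: str, dst_port: int) -> bool:
    """Outbound decision at the application-filter level for one rule.
    rule holds the field strings as typed in the UI: 'tcp_ports', 'udp_ports', 'ip'."""
    ports = parse_field(rule.get(f"{proto}_ports", ""), "port")
    ips = parse_field(rule.get("ip", ""), "ip")
    return field_permits(ports, dst_port) and field_permits(ips, dst_ip)


# The Outlook rule from the thread: TCP 25;110 to the two placeholder server IPs
# used in post 6, and all UDP blocked with !0-65535.
OUTLOOK_RULE = {
    "tcp_ports": "25;110",
    "udp_ports": "!0-65535",
    "ip": "24.124.23.2;123.23.234.3",
}

if __name__ == "__main__":
    for proto, ip, port in [("tcp", "24.124.23.2", 110), ("tcp", "24.124.23.2", 80),
                            ("tcp", "192.0.2.10", 25), ("udp", "24.124.23.2", 53)]:
        verdict = "allow" if app_permits(OUTLOOK_RULE, proto, ip, port) else "block"
        print(proto, ip, port, verdict)
```

    The point the model makes concrete is the one Phant0m stresses: with "25;110" in the field, port 80 is denied without any '!' entry at all, whereas "!80;!1080" lets every other port through, so an allow-list is the tighter default for a mail client whose servers rarely change.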
     
  9. act8192
    Thank you for those explanations. I'm absorbing them, and using, slowly. Great hints on the application filtering.
    Also you asked if I do p2p - no, and if wireless is protected - yes. WPA.
    You mentioned that "P. Ruleset Installer by default installation retrieves the used DNS server(s) and configures up the DNS rule, same goes for DHCP." - should I be seeing those IPs in the rules someplace and if so, where?

    In the meantime, this came up to bug me. I had both wired and wireless connections live (monitoring in LnS just wired at this time)
    After standby, packet 382, windows pings the router among other things. How come it hits Tracert rule and not echo request? Is it related to a gap in the little yellow down arrows on that rule?
    Is it normal for LnS to drop wireless IP after standby? ignore this question,see next post

    What is PNet?
    From the log file:
    WinXP-SP3, behind a 192.168.54.54 router. Now that I think of it, LnS is just watching the wired connection, so the above log probably applies to it and not wireless. But I still don't understand the log. I learn from logs.
     
    Last edited: Jul 25, 2011
  10. act8192
    Regarding loss of IP above - My error :( :(
    I blocked svchost on the application tab. Both ipconfig/release-renew, and getting IP after standby are fine.
    But the tracert rule is still in the picture, I don't know why.
     
  11. Phant0m
    Wasn’t asking if you do p2p, was explaining.

    The DNS servers are listed on request rule Field #6, you need the official Look ‘n’ Stop raw rule plugin to view these advanced rules. And the DHCP servers are listed on the request rule Field #7.


    The Echo requests you see there were either part of a Tracert process or an ICMP Echo request packet using TTL < 30; therefore, because this Tracert-Req2 rule is without the yellow attribute, before allowing or skipping the packet, it has to look for another rule below to see if there is any matching acceptance rule for this type of packet. In this case the primary ICMP Echo request rule below, which allows your PC to PING other computers, exists, so the Tracert-Req2 rule allows this packet instead.
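
    Two of the behaviours Phant0m describes in posts 8 and 11 can be modelled compactly: the ‘SPF Echo-Req’/‘SPF Echo-Rsp’ pair that lets an Echo request out and then accepts only the matching reply back, and the Tracert rules catching Echo requests with TTL <= 30 while a normal ping (Windows default TTL 128) falls through to the Echo request rule. The block below is an added example written for this page, not Look 'n' Stop or P. Ruleset code and not something posted in the thread; the state key (peer address, identifier, sequence), the 5-second expiry and the rule names are the example's own choices, and all addresses other than the thread's router 192.168.54.54 are constructed.

```python
"""Toy model of the ICMP echo handling described in this thread.
Added example; not Look 'n' Stop or P. Ruleset code.

Modelled behaviours:
  1. 'SPF Echo-Req' / 'SPF Echo-Rsp': an outbound Echo Request records state; an
     inbound Echo Reply is accepted only if it matches a recorded, unexpired request.
     Unsolicited or replayed replies are dropped.
  2. 'Tracert-Req': an outbound Echo Request whose IP TTL is <= 30 is classified as a
     traceroute probe rather than a plain ping (the threshold given in the thread).
Assumptions: state key (peer, identifier, sequence), 5 s lifetime, rule names.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ECHO_REPLY, ECHO_REQUEST = 0, 8      # ICMP type numbers (RFC 792)
TRACERT_MAX_TTL = 30                 # thread: tracert probes use TTL <= 30
STATE_LIFETIME = 5.0                 # seconds a pending request stays valid (assumption)


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int                       # echo identifier
    seq: int                         # echo sequence number
    ttl: int = 128                   # Windows default IP TTL, as stated in the thread


class IcmpEchoFilter:
    """Minimal 'stateful-like' echo filter: remembers what we asked, admits only answers."""

    def __init__(self) -> None:
        self._pending: Dict[Tuple[str, int, int], float] = {}

    def outbound(self, pkt: Icmp, now: float) -> Optional[str]:
        """Name of the allowing rule for a locally generated packet, or None if blocked."""
        if pkt.icmp_type != ECHO_REQUEST:
            return None              # only Echo Requests are allowed out in this model
        self._pending[(pkt.dst, pkt.ident, pkt.seq)] = now + STATE_LIFETIME
        if pkt.ttl <= TRACERT_MAX_TTL:
            return "ICMP: Tracert-Req"
        return "ICMP: SPF Echo-Req"

    def inbound(self, pkt: Icmp, now: float) -> Optional[str]:
        """Name of the allowing rule for an incoming packet, or None if blocked."""
        if pkt.icmp_type != ECHO_REPLY:
            return None
        key = (pkt.src, pkt.ident, pkt.seq)
        expiry = self._pending.pop(key, None)   # one reply per request: consume the state
        if expiry is None or now > expiry:
            return None                          # unsolicited, replayed, or too late
        return "ICMP: SPF Echo-Rsp"

    def pending(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    f = IcmpEchoFilter()
    me, router = "192.168.54.10", "192.168.54.54"   # host address constructed; router from thread
    print(f.outbound(Icmp(me, router, ECHO_REQUEST, 1, 1), now=0.0))
    print(f.inbound(Icmp(router, me, ECHO_REPLY, 1, 1), now=0.3))
    print(f.inbound(Icmp(router, me, ECHO_REPLY, 1, 1), now=0.4))          # replay -> None
    print(f.outbound(Icmp(me, "203.0.113.1", ECHO_REQUEST, 2, 1, ttl=3), now=1.0))
```

    Run stand-alone, the four decisions read 'ICMP: SPF Echo-Req', 'ICMP: SPF Echo-Rsp', None (the duplicate reply has no state left to match) and 'ICMP: Tracert-Req'. That last line is the situation in post 9: the same Echo request is logged against a Tracert rule purely because of its TTL, not because anything is wrong with the router.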
     
  12. act8192
    I have the raw rule plugin, v2.03 from LnS site.
    It is where LnS site says to be.
    It is enabled.
    I can't see any "fields". When on the log I press Raw Rule, it goes nowhere. When I press >> next to the Edit button for the internet rule, it goes nowhere. Both show something with 2048 or Equal value and other stuff, but no data that I can understand. Is there something special I'm to click there?

    One reason I want to look at things is because of that '-Ingress Filters_PNet ' rule. I have to have it enabled to talk to the router. I don't have to have it enabled for the web.
    Pinging Wilders works with that rule set to block incoming.
    Pinging my router times out because it blocks responses.
    IP release and renew attempt blocks the UDP incoming packets that svchost asked for.

    I think I understand this one. Would there be any harm in putting the yellow arrow on the rule? You said not to change things without asking and that arrow is an important attribute, so I'm asking.
     
  13. Phant0m
    [attachment: RawRule.png]

    Not recommended to be removing the block flag on rules that are supposed to be with block flag. When you say talk, do you mean accessing the Router configuration or do you simply mean the mere ICMP Echo reply being denied?

    IPCONFIG releases and renews causes the firewall to block what types of packets? Look ‘n’ Stop Log file please?

    The ICMP rule without this yellow attribute, must be without this yellow attribute for things to work as designed to.
     
  14. act8192
    1. Oh, so that's how to look :) DHCP and DNS fields: thanks, excel confirms that all are in, correct, including broadcast address in the DHCP field7.
    UDP: SPF DHCP-Rsp, inbound rule doesn't have any Field7 values. Right? Wrong? And if I go to outside of home, will the copies of these rules adjust themselves or do I need to do the hex conversions?

    2. Pinging Wilders (works), Ping router (fails, request times out)
    3. Release-renew is related, replies to pings are blocked. First screen shot is when it fails, second, when it works
    [attachment: ws-Release-Renew(ingress blocked-failed).png]

    [attachment: ws-Renew(ingress unblocked-works).png]

    In this log extract I wrote up top what I did
    [attachment: 07272011(release-renew).log]
     
  15. Phant0m
    The SPF response rules don’t need that information, it is already being compared in the SPF state table.

    If you frequently leave your home with your computer, you could use the ForceConfig.ini Traveler flag.

    What application are you using to-do the pinging?

    Regarding adapter releasing and renewing, try the recent release, if it works, also pinging the Router shouldn’t be a problem either.
     
  16. act8192
    - ok about SPF values, thanks.
    - travelling not frequent, and I haven't had the nerve to try it yet since I don't yet understand what this firewall does considering that at this point I have to enable what should not be enabled to be able to function. I will use the traveller flag if needed.
    - pings: \system32\ping.exe called from \system32\cmd.exe - the only way I know :) I just type ping site in cmd window.
    - Adapter release-renew: get recent release of what please?

    BTW, unless I enable that ingressPNet thingie, I cannot get into my router's web interface. That is actually what started it all when I wanted to check its MAC address. Incoming packet from router's port 80 to me has, what I guess are legitimate, flags "A S" (acknowledge synch?), and I don't get in when the rule is enabled.
    It's strange to me to block responses, to my request, coming from my own router. If this was Kerio or similar, I'd have the DHCP and ICMP stuff above the blocks, but I don't dare to do that since it'll likely disturb the integrity of this ruleset.
    Can you explain, please?
     
  17. Phant0m
    Talking about the update I put out today for P. Ruleset
     
  18. Phant0m
    The ForceConfig.ini Traveler flag when enabled simply avoids restricting rules (for instance DHCP and DNS rules) with server IPs for the specific connection you're currently on. I already gave some other options to consider, one being: if you were going to a specific place or places, like to family, and using their Internet, before shutting down and taking off to this other place, load up the pre-packaged Look ‘n’ Stop Enhanced ruleset, rename the existing installed ruleset file to myHome.rls, and at the other place with connection, simply re-run the P. Ruleset Installer and label that ruleset filename “myFamily.rls”. You could create several rulesets for several different places that you revisit, and simply switch over to the other ruleset file before shutting down the PC and taking off to this other place, and before shutting down to return home, simply change over to the myHome.rls ruleset file.

    Other option could be to export / import the normally .. restricted rules (like DHCP and DNS) while under Traveler support, to the existing home specific ruleset, and toggle manually these rules when moving about.


    If P. Ruleset was causing Internet connectivity loss or gain problem in case of the manual adapter releasing and renewing, I would prefer people to temporarily switch over to the pre-packaged Look ‘n’ Stop Enhanced ruleset file and seek support, instead of switching from block to allow attribute, or disabling rules.


    The reason why I asked about the application used to do the pinging: I see the Tracert rule kicking in on regular ICMP pinging, so the TTL (Time to Live) is =< 30. For the Windows 7 default TTL state (no registry change), it is 128, so regular locally initiated ICMP pinging uses the appropriate ICMP pinging rules. By the way, keep the same rule ordering as given for the Tracert rules.


    Try the latest update I made available. It might address your problem, but if it doesn’t, I have another idea why you are observing this problem.


    It is better to block packets with bad criteria and such first before allowing.

    I hope that I’ve explained things clearly enough.
     
  19. act8192
    I prefer this option. The first, good option, might cause me problems because I might end up with two points of change. Also you mention enhanced ruleset - is that because not everybody uses Phant0m rules, so it's for this forum, or is there a technical reason?
    OK! Please remember, some of us like me just don't yet know the proper procedures and what relates to what. That's why we're here :) In any case, Wilders serves no crapware, and that's about the only place I had the guts to try since from your replies I figured not to mess with things too much.
    I read your earlier reply about <=30 and its relation to tracert. I understand the words. Not the implications. Partly because when pinging the router, cmd window says TTL=64 and it fails. Ping my printer is also 64 and that works. Ping Wilders TTL=250 and works. I sure wonder what it is LnS or P-rules has against my router, as it's a friendly beast.
    I will do that. Heading there tonight. Start of LnS adventure#2 :)
    Everything you write helps a lot. It's just that my brain isn't taking it all in. I'm learning more than I ever wanted/needed to know, but it's a sloooow process, So I thank you for your patience.
     
  20. Phant0m
    * Reason for mentioning the official pre-packaged Enhanced ruleset, is because when you run P. Installer, you have to be with a connection, and the Enhanced ruleset doesn’t restrict rules like DNS and DHCP with server IPs for the individual connection type. If you have installed P. Ruleset at home for that connection, and you visit another place with Internet, some stuff will be blocked and not allow P. Ruleset Installer to retrieve some of the information for that connection type. So when we want to create another P. Ruleset for another Internet, we need to switch over to the Enhanced ruleset file .. and then run P. Ruleset Installer.

    I know that you didn’t know the proper procedures; that is why I’ve simply stated that it is more appropriate to temporarily switch to the pre-packaged official Look ‘n’ Stop Enhanced ruleset file if a connectivity problem exists, instead of simply toggling the block / allow attribute on filtering rules, and seek technical assistance. I apologize if I came off a little strong when I was trying to inform.

    Yes, the blocking of just the Router ICMP Echo replies is directly related to the problem with allowing adapter releasing and renewing; fix that and we fix the pinging of the router problem, and the connectivity issue when trying to access the Router configuration. So it would be good to know if the updated P. Ruleset Installer corrects the problem you are experiencing here, or if I need to address another aspect to properly allow your setup. However, regarding the TTL, if your ICMP Echo requests were with TTL > 30, the Tracert rules wouldn’t or shouldn’t be triggered.

    I don’t mind explaining things to people like you who have the patience to try to understand what I’m trying to say. I make up these posts at all hours, sometimes heavily sleep deprived, or in a rush to go some place or do something else. So if I come off a little strong, or say something that isn’t clear or doesn't make much sense, just question me about it.
     
  21. act8192
    Success!
    Just a quick feedback
    1. Pinging the router, printer, another box works fine. I forgot to log it to check which rules.
    2. Release/renew worked fine, though it was a strange little procedure. Also no log except svchost. See my note in the cmd section. Oh, and cmd window forgot to tell me usual IP message, just went into prompt. I don't know why. First for everything, I guess.
    [attachment: Work(008-3)-04-release-renew.png]

    Thank you Phant0m. Get some sleep, please :)
     
  22. Phant0m
    You previously mentioned about having both Wireless and Ethernet Internet access at home, is the 192.168.54.54 used for both Wireless and Wired Internet?
     
  23. act8192
    Yes, it is. But at this point is not turned on. The only time I use it at home is in the backyard sometimes. And no NetBios filesharing allowed on it.
     
  24. Phant0m
    When you repeat the adapter releasing and renewing, do you always see the UDP 192.168.54.54 Ports Dest:68 Src:67 packet loggings?
     
  25. act8192
    I can't answer that since I'm totally new to LnS. I have a screen shot from few days back when I was logging everything I could think of to see release/renew process. I think it's related to that ingressPNet job I've been playing with.
    [attachment: Confirmed-needAllowIngresPnet.png]
    At the very bottom is (e)ingressPNet. (e) tells me I edited the rule, as you well know to allow, so this clearly was a renew experiment.

    What can I look at or submit to answer?
     