New user - some questions

Discussion in 'LnS English Forum' started by Gez, Mar 23, 2008.

Thread Status:
Not open for further replies.
  1. Gez

    Gez Registered Member

    Joined:
    Jan 15, 2006
    Posts:
    65
    Location:
    Ireland
    (I am posting the same message to Phant0m's forum and the LnS forum - my apologies if this causes offence but I'm not sure whether some questions apply to LnS or the Phant0m ruleset.)

    Hi

    Just this evening I bought the Phant0m ruleset. I am on a trial of Look n Stop and so far I am very impressed with both LnS and the ruleset. I administer several networks and I intend to buy a number of licences once I get all the newbie issues sorted out!
    :)
    (I was prompted to try LnS by the good advice of Stem, local firewall mod!)

    I have some questions.
    First of all my network is as follows:

    1) I am using a Vodafone Mobile Broadband USB modem (Huawei 220), which appears as a WAN (PPP/SLIP) adapter, and appears to LooknStop as a WAN Miniport adapter, with a dynamic MAC address, different from the physical MAC address of the USB modem.

    2) The modem gets a non-routable dynamic IP address of 10.xxx.xxx.xxx from the ISP, a subnet mask of 255.255.255.255, and two DNS servers also in the private IP address space - 172.30.xxx.xxx and 172.31.xxx.xxx. (This means that many different users near the mobile cell actually share one public IP address, which has caused problems with Spam database blacklisting and suchlike).

    3) For some reason we also get two WINS servers addresses - 10.11.xxx.xxx and 10.11.xxx.xxx.

    4) When I install LnS I have to disable the 10.xxx.xxx.xxx network in Advanced Options so that the firewall is correctly bound to my USB modem.

    5) I use the ad-blocking software proxy Privoxy for my web HTTP and HTTPS browsing. All my browsers are configured to go through this local proxy at 127.0.0.1, port xxxx.

    6) I use the local mail server Hamster Classic for my POP3 email, and also the local software proxy POPfile. This means my mail client goes to the local Hamster mail server at 127.0.0.1, and the local mail server goes to the local proxy POPfile, also at 127.0.0.1 (but bound to a different port), and finally POPfile goes to my ISP servers for mail collection. Sorry if this sounds complicated but it gives me great filtering control over my email and web browsing!

    7) When I install Phant0m's ruleset v8.003 I immediately have problems connecting to the internet. In order to connect I need to disable the second rule - "+Ingress Filters - Internal host Loopback addresses, They should never appear from outside a host."

    8) The logfile shows that the problem is a DNS problem - source port on the internet is 53, but presumably the Privoxy proxy is causing LnS to see this as an internet packet coming from localhost?

    How do I deal with this problem? Obviously my software setup needs localhost working properly but I also want LnS filtering properly at 127.0.0.1, especially because I have a local mail server on localhost.

    I would also like advice on excluding all traffic coming from the 10.xxx.xxx.xxx and 172.xxx.xxx.xxx subnets, except of course that which I require from my ISP.

    And finally I have a private LAN at 192.168.xxx.xxx, with a Unix file and print server providing DHCP and other services to my small local network. Again, advice on tightening the ruleset for this LAN segment is welcome.

    Many thanks. I'm sorry it is long-winded but I think I need to explain in detail what is going on, in order to get precise and relevant help.

    Happy Easter.

    Gerard.
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Gerard,

    Usually packets with IP address 127.0.0.1 are not seen by the packet filter at the NDIS level. These packets remain in the upper layers (Winsock / TDI).
    Could you copy/paste an extract of the log for your point #7 ?

    When you disable the rule does it finally work ? or do you have additional issue with port 53 ?
    If this is an additional issue, could you also copy/paste an extract of the log for it ?

    One instance of Look 'n' Stop can filter only one network interface at a time. Usually you have only one interface really connected to internet, so only one interface to protect at a time.
    If you absolutely want to filter the other interface (on 192.168.x.y), then you have to start a second instance of Look 'n' Stop, and in the option select manually the interface (it is also recommended you force the selection for the 1st instance, to avoid Look 'n' Stop guessing the right interface in automatic mode). Each instance has its own settings.
    To start a second instance, you have to create a shortcut to looknstop.exe and add "-mult1" on the command line.

    Regards,

    Frederic
     
  3. Gez

    Gez Registered Member

    Joined:
    Jan 15, 2006
    Posts:
    65
    Location:
    Ireland
    Hi Frederic,
    thanks for your time and patience. I should say first that I am having no problems at all with the Standard and Enhanced rulesets. The problem occurs when I enable the second rule in Phant0m's ruleset, which relates to packets appearing on the external interface which look as though they come from the loopback address. Phant0m has told me this issue will be fixed in the next release.
    Here is an extract from the log when I have the rule enabled:

    03-23-08,20:48:20 D-0 '+Ingress Filters ' 172.30.140.69 UDP Ports Dest:2859 Src:53
    03-23-08,20:48:21 D-1 '+Ingress Filters ' 172.30.140.69 UDP Ports Dest:2859 Src:53
    03-23-08,20:48:21 D-2 '+Ingress Filters ' 172.31.140.69 UDP Ports Dest:2859 Src:53

    The non-routable addresses here are my DNS servers - this is how my ISP sets this up. It is similar to Vodafone Mobile Broadband, using their E220 USB modem. I'm not sure if Privoxy on localhost has its own proxy DNS running.

    No - when I disable the rule everything works perfectly. I really am impressed with the level of detail and configurability in this firewall.

    Yes, unfortunately my broadband comes in through a USB modem and my own personal LAN is through an ethernet NIC. I allow others certain access to a Samba server I have on my LAN so I want to protect the LAN interface as well as the USB internet connection, but in most situations I only need to firewall on one interface. I have a number of customers with mixed XP and Vista environments and this firewall is going to be a godsend for me, especially the password protection!
    :)
    Many thanks,
    Gerard
     
  4. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Gerard,

    I'm not sure what this rule: '+Ingress Filters ' is for.
    If it is blocking the response coming from your DNS (because of the IP address I guess), then for sure it is not correct.

    If you want to keep the rule enabled anyway, you can add a new rule allowing specifically DNS packets (port 53) from and to the IP of your DNS servers, and put this rule just before this '+Ingress Filters' one.

    Regards,

    Frederic
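The drops in Gerard's log and Frederic's suggested fix, as an added example that is not part of this thread and not Look 'n' Stop's or Phant0m's own code: a small first-match packet filter in Python that parses the three logged entries, applies a stand-in ingress (bogon-source) filter, and shows that a rule allowing DNS replies from the ISP's resolver addresses only helps when it sits before the ingress filter. The bogon list, the trailing block-everything rule, the rule-matching semantics and the resolver addresses used for the exception are assumptions for illustration; the real Phant0m rule text and LnS's exact evaluation rules are not on the page.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The three entries Gerard posted above, used here as sample input.
LOG_LINES = [
    "03-23-08,20:48:20 D-0 '+Ingress Filters ' 172.30.140.69 UDP Ports Dest:2859 Src:53",
    "03-23-08,20:48:21 D-1 '+Ingress Filters ' 172.30.140.69 UDP Ports Dest:2859 Src:53",
    "03-23-08,20:48:21 D-2 '+Ingress Filters ' 172.31.140.69 UDP Ports Dest:2859 Src:53",
]

# Field layout inferred from those lines: date,time action-seq 'rule' ip proto Ports Dest:n Src:n
LOG_RE = re.compile(
    r"^(?P<date>\S+),(?P<time>\S+) (?P<action>[A-Z])-(?P<seq>\d+) "
    r"'(?P<rule>[^']*)' (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<proto>\w+) "
    r"Ports Dest:(?P<dport>\d+) Src:(?P<sport>\d+)$"
)


@dataclass(frozen=True)
class Packet:
    src: str        # remote address as seen on the Internet-facing interface
    proto: str
    sport: int
    dport: int


def parse_log(lines: List[str]) -> List[Packet]:
    """Parse LnS log lines into inbound packets (the logged IP is the remote host)."""
    packets = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised log line: {line!r}")
        packets.append(Packet(m["ip"], m["proto"], int(m["sport"]), int(m["dport"])))
    return packets


@dataclass
class Rule:
    name: str
    action: str                                 # "allow" or "block"
    src: list = field(default_factory=list)     # source networks; empty means any
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport_min: int = 0
    dport_max: int = 65535

    def matches(self, p: Packet) -> bool:
        addr = ipaddress.ip_address(p.src)
        if self.src and not any(addr in net for net in self.src):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        return self.dport_min <= p.dport <= self.dport_max


# Assumed stand-in for the ruleset's ingress filter: drop anything arriving from the
# Internet side with a loopback, RFC 1918, link-local or "this network" source address.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8")]
INGRESS_FILTER = Rule("+Ingress Filters", "block", src=BOGON_SOURCES)
DEFAULT_BLOCK = Rule("Block everything else", "block")   # assumed final catch-all rule


def dns_exception(resolvers: List[str]) -> Rule:
    """Frederic's suggested rule: UDP replies from port 53 of the named resolvers only,
    and only to an unprivileged local port, so it cannot be reused as a general hole."""
    return Rule("Allow DNS replies from ISP resolvers", "allow",
                src=[ipaddress.ip_network(r) for r in resolvers],
                proto="UDP", sport=53, dport_min=1024)


def build_rules(resolvers=(), exception_position: Optional[str] = None) -> List[Rule]:
    """Ordered rule list; exception_position is None, "before" or "after" the ingress filter."""
    rules = [INGRESS_FILTER, DEFAULT_BLOCK]
    if exception_position == "before":
        rules.insert(0, dns_exception(list(resolvers)))
    elif exception_position == "after":
        rules.insert(1, dns_exception(list(resolvers)))
    return rules


def decide(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match evaluation: rules are tried top to bottom, the first hit wins."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "block", "implicit"   # not reached while DEFAULT_BLOCK is last


def evaluate(rules: List[Rule], lines: List[str]) -> List[Tuple[str, str, str]]:
    return [(p.src, *decide(rules, p)) for p in parse_log(lines)]


if __name__ == "__main__":
    resolvers = ["172.30.140.69/32", "172.31.140.69/32"]   # the two DNS servers in the log
    for label, rules in (("no exception", build_rules()),
                         ("exception after ingress filter", build_rules(resolvers, "after")),
                         ("exception before ingress filter", build_rules(resolvers, "before"))):
        print(label)
        for src, action, name in evaluate(rules, LOG_LINES):
            print(f"  {src:>15}  {action:<5}  {name}")
```

Running it prints the three logged replies as blocked by "+Ingress Filters" in the first two scenarios and allowed only in the third, which is the ordering Frederic describes. The exception is deliberately narrow (those two source addresses, UDP, source port 53, unprivileged destination port): a reply from 127.0.0.1, from any other 172.x address, or aimed at a privileged local port still falls through to the ingress filter, so enabling the rule does not reopen the loopback-spoofing case the rule exists to catch.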
     