One Simple Question: Ghostwall Freeware

Discussion in 'Other Ghost Security Software' started by greenzooey, Jan 14, 2007.

Thread Status:
Not open for further replies.
  1. greenzooey

    greenzooey Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    8
    Location:
    Tennessee
    All right look, I've read through and through here. Yet, few people really understand this program and most just post to put their two cents in. If you don't know the answer, don't reply. That's what's wrong with the internet now: everyone with an opinion posts everywhere and the people with the answers are muffled. The light finally came on in my head about GhostWall. It took me a while because I'm dumb. Just being honest, people. Here's the thing. I get it that when I choose the "block all / any / any" I am locking it down tight as a drum. I want to do that. The only thing I need to do is write in an allow for my internet connection and I've got EXACTLY what I want in a firewall. Are you getting it? This is what everybody who is not a techno geek is looking for... the only thing is... we don't know how to write in the allow for our own internet connection. That's all we need. Please help me and I'll promote GhostWall from here to hell and back. When I realized that block all really meant block all and I couldn't load a web page I was at first frustrated, but as I realized what was really happening, I smiled. Because I knew that this is indeed what I want. I want to look out at the internet (take incoming from a single port / my phone co.) and if I want to send out (outbound) I'll do it myself manually. And I want everything else locked down tight as Fort Knox. If I have this figured wrong, let me know, but I think that is it. It is so perfect for me. I've only now realized how naked I've been merely using the Windows XP firewall. (That piece of junk.)

    So please, tell me, how do I write a rule to allow my own internet connection? It's dial up. Just give me that one thing. If you don't know, don't post. I know it can be done.

    Thank you so much!

    In fact, email me the answer! greenzooey at yahoo.com. Anybody who doesn't like GhostWall for what it is doesn't get it. I've read, over and over, about people going on about Zone Alarm and all that. It's because they don't know what is going on and they don't care to find out. If they did, they'd want the control that GhostWall gives you. They want to click a miracle button and have their problems solved. It's just not that simple. GhostWall is the future of firewalls. If you don't learn to handle your own security now, you will be dead meat in the very, very near future. Suck it up, people. If you're like me, you've had to format your machine about 3 or 4 times already. For clicking on an attachment, downloading the junk from a P2P (Klez), or some silly crap like that. This is what I want right here. I know it right now. Just tell me how to allow my internet connection. That's all I want. C'mon God! Gimme just one thing~! LOL! (Praying to heaven.)
     
    Last edited by a moderator: Jan 15, 2007
  2. xtree

    xtree Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    96
    Hello Greenzooey,

    You seem to be a bit fed up with these people on the forum but this is what it is all about. Anyone can tell their opinions and not everyone's views are appealing to all of us. If you want to get an answer to your question take 3 people and you will have 4 different answers. However, I think we should welcome this diversity even if it is not always easy to find the answer that suits you best. One thing is for sure: most of these people either want to get help (like you now) or want to help. Take it as a free choice and use it if you wish - it is up to you.

    You say you want to use only the WWW. But one day you may also want to run a stand-alone email client or update your op system or simply use your file sharing prog.

    Anyway, the concept is the same in all cases. Either you create a rule one by one for all your apps using different ports and protocols or create one/some general rule/s for all.

    The simplest - the most permissive:
    To create one rule for all your apps use the default settings of GW. You will get it as soon as you have it installed on your system. Leave it as it is and add just one extra rule (port 0&1); find it here: https://www.wilderssecurity.com/showthread.php?t=157111

    If your present config is messed up for some reason (testing) you can do the following to get it back to normal:
    To restore default settings go to windows\system32 directory and delete ghstwall.fir file. Then restart GW. It will apply the default settings immediately. You can always make a backup of this file for case of emergency.
    However, you must keep in mind that in the above case you have a firewall preventing unsolicited inbound connections only - similar to the XP firewall - and allowing all outbound connections. Ghostwall is a substitute for the XP firewall as a base, with extra features.

    IMPORTANT: All rules above BLOCK ALL... line are applied while all rules below that are dead for GW. It also means that all your newly created rules should be moved up above BLOCK ALL - as you can see it in case of ALLOW ALL... line. It also gives you flexibility - by moving a rule up and down. You can easily switch it ON/OFF allowing/restricting that particular outbound connection to your taste.

    Adding a rule:
    For ports and protocols used by the most common apps look here and take your choice:
    https://www.wilderssecurity.com/showthread.php?t=142036

    For example for WWW : TCP outgoing, remote port 80. All other lines can be set to any.
    You must move all your applicable rules below the first line! (0&1) and so on......
    If you do not need a rule anymore you can move it below BLOCK ALL and that is it. No need for delete. Maybe you will want to use it again sometime.

    GW is not a firewall with application control like ZA, COMODO, etc. If you create a rule for your browser (TCP, 80) it means it will constantly be open for all your apps using port 80, and all these apps will be able to connect to the net anytime without your prior acceptance (for example most update progs use that port - no need to create separate rules for them).
    If you are worried about it you can try Appdefend or a firewall with application control like above or temporarily disable the particular rule by moving it downwards.

    Try it and you will see how easy it is. Good luck. Xtree
     
    Last edited: Jan 15, 2007
  3. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    To add a few things to Xtree's excellent explanation.
    If you want to control which applications run and use network resources you should install Ghost Security suite (Beta). There is a learning curve but you will greatly improve your odds of not repeating your previous experiences...
    A HIPS is better protection than any firewall can provide by itself. This includes anti viruses as well as antispyware technologies, since they more or less require the bugs to be known to them to be effective. HIPS (when working and properly implemented) allow you to decide which process or even services you choose to allow to activate or to open other programs or components of the OS as well as network resources...

    So... if you are really that excited about security this is where I would begin in my attempt to "Harden" your system against hackers as well as viruses and spyware. Also I would consider a tool to monitor the "Network" ports like an end point viewer (PortExplorer) or TCPView from www.sysinternals.com

    Simply put dude... there is no easy button in security!!!;)
     
  4. greenzooey

    greenzooey Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    8
    Location:
    Tennessee
    So what do I put into the rule? I don't know what port or anything like that... how do I find out? Lead me through writing only the "allow" www browser app. That's all I want. See that Y messenger button up there? Tick on it and tell me please... anybody.
     
  5. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Well... Only "Open" ports you need. If you have a Web Server running on your PC then "Open" local port 80, or for an FTP server open port 21. If you don't have servers running you don't need to open any ports. Keep in mind you only need to open ports to applications running local server services to which you want to allow a computer from the Internet to connect and use your PC's resources, so use this wisely...

    I would recommend you use the default rule for "outbound" traffic. You can tighten things up quite a bit if you don't use it and program it yourself, but it requires you to program rules for every outbound application you use. You obviously lack the expertise to do this properly so stick to the default rule of "Allow all protocol outgoing" until you are knowledgeable enough to risk a manual configuration. Instead consider my suggestion of using a HIPS to control outbound traffic.

    As for the ports you need to open for "Inbound" traffic, look at the Ghostwall logs to find out which local ports are getting blocked unnecessarily from your local address. If you see a lot of "local Ports" being blocked and some programs don't work online then check to match the port to the application that may need it, e.g. Azureus, uTorrent or BitTorrent for example (these are servers, by the way), and open it if needed.

    Here is a site with a list of common ports you may need to open for games and other programs...

    http://www.portforward.com/cports.htm

    and please do yourself a favour and test your firewall after you have modified it with an online firewall test like
    http://www.grc.com/x/ne.dll?rh1dkyd2
    or www.auditmypc.com

    Good luck! :)

    For a working and secure but basic rule set, just redo the rules you see in this picture:
    Last edited: Jan 15, 2007
  6. xtree

    xtree Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    96
    Well.. you want to use your browser only.

    1. Step: Create the default ruleset.

    To restore default settings go to windows\system32 directory and delete ghstwall.fir file. Then restart GW. It will apply the default settings immediately.

    2. Step: Creating ANY rule goes like this; only the content differs:

    http://www.ghostsecurity.com/help/ghostwall/index.php?page=rules

    Now for your browser you have to use the following input data:

    Description: HTTP
    Protocol: TCP
    Local IP: Any
    Local Port: Any
    Action: Allow
    Direction: Outgoing
    Remote IP: Any
    Remote Port: 80

    Finally click on ADD RULE button.
    Your new rule will appear in the list of rules immediately. Move it up to the top using the arrow buttons.

    3. Step: Create the rule Block Port 0&1 and move it up to the top to be the first line.
    You can also use the same technique, only the content is different. For input data see the picture above sent by Hermes.

    4. Step: Move your existing Allow all outgoing... rule in your list down to the bottom to deactivate it.
    Later you might need it.

    That is it. Now ONLY your browsers (PLUS all other apps - friendly and malicious on your machine - using port 80!) can communicate with the net.
     
    Last edited: Jan 16, 2007
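To make xtree's two points concrete (only rules above BLOCK ALL count, and the HTTP rule is TCP / Outgoing / Remote Port 80), here is a small first-match filter written for this thread; it is not GhostWall's own code. It assumes GhostWall behaves as a stateless, top-down, first-match filter with "Any" as the wildcard, and every rule and packet below is constructed for the demonstration.

```python
from dataclasses import dataclass

# Assumption (not stated on this page): GhostWall is modelled as a stateless
# filter that walks the list top-down and lets the first matching rule decide.
ANY = "Any"  # the wildcard value in the GhostWall rule form

@dataclass(frozen=True)
class Rule:
    description: str
    protocol: str       # "TCP", "UDP" or ANY
    direction: str      # "Outgoing", "Incoming" or ANY
    local_port: object  # int, (low, high) inclusive range, or ANY
    remote_port: object
    action: str         # "Allow" or "Block"

@dataclass(frozen=True)
class Packet:
    protocol: str
    direction: str
    local_port: int
    remote_port: int

def port_matches(spec, port):
    """Match a port field: wildcard, inclusive range, or exact port."""
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        low, high = spec
        return low <= port <= high
    return spec == port

def rule_matches(rule, pkt):
    return (rule.protocol in (ANY, pkt.protocol)
            and rule.direction in (ANY, pkt.direction)
            and port_matches(rule.local_port, pkt.local_port)
            and port_matches(rule.remote_port, pkt.remote_port))

def evaluate(rules, pkt):
    """First matching rule wins; a packet matching nothing is blocked."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.description
    return "Block", "no rule matched"

def dead_rules(rules):
    """Everything below the first all-Any rule (BLOCK ALL) can never fire."""
    for i, rule in enumerate(rules):
        fields = (rule.protocol, rule.direction, rule.local_port, rule.remote_port)
        if all(f == ANY for f in fields):
            return [r.description for r in rules[i + 1:]]
    return []

# xtree's browser-only list: HTTP above BLOCK ALL, "Allow all outgoing" below.
HTTP = Rule("HTTP", "TCP", "Outgoing", ANY, 80, "Allow")
BLOCK_ALL = Rule("BLOCK ALL", ANY, ANY, ANY, ANY, "Block")
ALLOW_ALL_OUT = Rule("Allow all outgoing", ANY, "Outgoing", ANY, ANY, "Allow")
BROWSER_ONLY = [HTTP, BLOCK_ALL, ALLOW_ALL_OUT]

# A return-traffic rule for local ports 1000-5000 (constructed). A stateless
# filter gives the web reply and an unsolicited packet to 2000 the same verdict.
REPLIES = Rule("Replies 1000-5000", "TCP", "Incoming", (1000, 5000), ANY, "Allow")
WITH_REPLIES = [REPLIES, HTTP, BLOCK_ALL, ALLOW_ALL_OUT]

if __name__ == "__main__":
    for pkt in (Packet("TCP", "Outgoing", 1034, 80),   # browser request
                Packet("TCP", "Incoming", 1034, 80),   # its reply
                Packet("TCP", "Incoming", 2000, 4444)):  # unsolicited
        print(pkt, evaluate(BROWSER_ONLY, pkt), evaluate(WITH_REPLIES, pkt))
    print("dead rules:", dead_rules(BROWSER_ONLY))
```

Under this model the browser-only list lets the request out but blocks the reply, so a stateless ruleset needs an incoming rule as well, and that rule cannot tell a reply from unsolicited traffic to the same local port range.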
  7. greenzooey

    greenzooey Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    8
    Location:
    Tennessee
    O.k. I get it. Why allow UDP incoming from remote port 53? I looked it up and it is DNS, which is Domain Name System. I don't need this, do I?


    Thank you sooooooo much!

    Check out this page: it's wild and crazy and I'm beginning to understand a little bit more what's going on here.

    http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
     
    Last edited: Jan 16, 2007
  8. xtree

    xtree Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    96
    Last edited: Jan 16, 2007
  9. greenzooey

    greenzooey Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    8
    Location:
    Tennessee
    The light came on in my head. I get it. Yeah, it's working great. So what I've decided to do is this...

    I wanted to only allow remote ports 80 and 53, and that works fine for Google... but other pages are being blocked because they want access to other ports. So I am allowing all remote ports. Yet I'm only giving them about 200 local ports to come in through. The other thing I did was kill some of the rules. I understand what is happening now. When I try to open a page through my browser, it sends a packet to them saying "info request", then it needs to be able to send the info requested back to me. This is inbound and outbound, and without one or the other the process of browsing can't work.

    So what I've done is limited the ways it can come back to me by blocking most of my local ports. I am locked down so tight it's crazy. I'm only allowing TCP/UDP through 200 local ports. This is adequate to browse so far. I had it down to 100 until I hit this page up and it was just outside the range. I can trim it down to 100 again, but I really have to write the specific rule. The link you sent me where he told me how to write the TCP port rules turned on the light. Special thanks also to Hermes for opening my mind with all that useful information. See, I didn't understand the process of browsing at all. When Hermes told me to look at the log files and see what was being blocked, I then realized that I knew how and where to look to see what was trying to get in and where. From there I can dictate what I want to allow in/out and how. MY GOD! THANK YOU SO MUCH!

    Thank you Tree for showing me how to write these rules and being patient. I feel like I'm in control of it now. I need more than just port 80 and 53 to browse, though. The thing is, though, I've got it down to like 200 local ports that TCP/UDP packets can come in through. I can narrow that down more, or I may have to increase this number... I won't know until I go to other websites. What I love about it too is that all other protocols are blocked except TCP/UDP. And they are all blocked except for like 200 local ports.

    So basically, any remote IP address through any of its remote ports can contact me with TCP/UDP packets, but if it doesn't find the open ports, it can't get in. Is it possible to configure the open local ports so that unless I send for information I don't receive any?

    I AM LOVING THIS NOW. I was ready to cuss everybody out and everything, but see, I didn't get it. Let's write a tutorial for GhostWall. That's what is missing. I feel better now, cuz I know where to look and what is going and coming from my machine. It takes a while for all that to sink in, but if you really want to use this product you must learn how the browser works. So basically, I have everything blocked except for TCP/UDP packets through 200 local ports (all I need, so far, to browse). I can open up what I need by looking at my log when I try to open something and it doesn't work, to let it happen. I am loving this!!!

    Thanks again, Hermes and Tree.
    Hermes: checked out auditmypc.com. Ran the basic scan. I'm good! Thank you so much!

    P.S. Thanks also for the link to Microsoft Sysinternals to get TCPView. I'm unsure how to use it. Also downloaded "whois", but it won't start up. Have noticed this when I tried to run ip(something) through Start > Run > ip(whatever that command was): it flashes, then just goes away. Peculiar. So, I look up IPs with http://www.arin.net/whois/

    I'm going to tinker with this more, then I'm going to write the damn step by step, couldn't stick a pin up your back orifice, noob how-to guide to locking down all this stupid traffic except for browsing. Then, I'm going to show them how to open up only what they need when they need it. So see, if I want to open up a game like World of Warcraft, all I have to do is look up where it's been denied, write the rule, and then turn it off and on by modifying between allow (when I'm playing the game) and block (when I'm not)!!! Oh, the Control Freak gods have blessed me!

    What is a router? How does having a router make some of this unnecessary?
    MORE... MORE... MORE...
    I AM YOUR SPONGE, YOU ARE THE WATER.
    I AM TRANSFORMING INTO FULL ON GEEK!

    Anybody that wants to talk about this mess, email me greenzooey@yahoo.com, or hit me up on Yahoo Messenger: greenzooey
     
    Last edited: Jan 16, 2007
  10. greenzooey

    greenzooey Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    8
    Location:
    Tennessee
    What-choo talking about willis? "HIPS" I knew you Canadians were good at something besides hockey... now let's go, get that big brain out and teach me more of this "HIPS" business.
     
  11. xtree

    xtree Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    96
    Last edited: Jan 17, 2007
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    The (IP something) may be the "ipconfig" command, used in XP to enumerate the NIC's protocol mapping (renew/release IPs). It is a DOS program.

    The Whois program is also a DOS thing. Open a DOS window to use it (type CMD at the Run prompt), then navigate to that location and run Whois.

    As for TCPView, it is designed to allow you to "View" all connected endpoints on your PC. Basically it shows the process, its protocol and its local and remote port and IP address used. I created a graphic to explain it a bit. Basically what you are looking for is processes or services "Listening" for "Incoming" connection requests as well as those already "Established" (connected to a server somewhere on the Internet). Once armed with this information you can then scope the PID (Process Identification Number) in another program (Process Explorer) to trace its associated DLLs and other components. You can also scope the resources used by it and its impact on your system. It also provides things like PID/process based Google searches to assist you in assessing the legitimacy of the program running. You can terminate a rogue process's Internet connection or "Kill" the process right in TCPView as you are watching it.... Nice feature.

    Here is the pic:
     


    Last edited: Jan 17, 2007
  13. greenzooey

    greenzooey Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    8
    Location:
    Tennessee
    :eek: I am so digging TCPView! Thank you for the image that you posted, Hermes! I don't understand the loop? Why would a computer talk to itself? Does this mean it's going on the internet and receiving its own echo? Cuz that's what someone said. If so, why is that happening? Also, noticed that the loop arrow pointing to 2 of the "listening" processes has a slightly different IP than the local IP? Is the last few numbers the local port? I will look up on the internet. I wonder if it breaks down to identify not only the location of the machine's ISP, but also the specific port of transmission. If so, when I am attacked and identify my attacker, I may be able to "hit back".

    I will try to go through DOS to use whois. I tried to run it from the desktop. See, I don't know what I'm doing. O.k. let me get this all together here...

    1. With my wall up and the one rule I wrote to allow 1000-5000 local ports to send/receive TCP/UDP packets and everything else blocked... I am locked down pretty tight? (I had to open up that many from the 200 I started with. That guy was right from the thread that Tree sent me to.)

    2. Most invasions (virus/trojan/etc.) occur through my opening something bad (malicious download via P2P / suspicious link in messenger or email / malicious email attachment).

    3. Once inside, the malicious logic attacks the registry (regedit). They may even hide themselves within, lock me out of regedit, msconfig, etc., i.e. (super Klez / B&F variation).

    4. In the event of the attack I can use TCPView to monitor processes. Offline these malicious processes will be "listening" for their home server so they can open a back orifice (i.e. Calypso) within my computer to transmit data (key logging files / passwords / etc.). I can kill the processes offline / stop them / unless they respawn themselves (i.e. Sasser was it?).

    5. Identify "hidden" root keys within the registry with McAfee "Rootkit". Use HijackThis! to attempt to strip the startup command. Use antivirus. I like HouseCall online. May have to go to safe mode to dig them out of the registry? If someone installed commands within the registry to prevent the manual opening of regedit, msconfig, etc., where would they be in my registry? I found one in an administrative feature. How to disable administrative features? How would I get into my registry if locked out? Registry viewer tool? The locking of registry, msconfig, etc. was written into super Klez to render the removal tools useless. Have you seen majorgeeks.com? Good stuff there.

    What I am missing is... how would someone from a remote machine dial me up and gain access if not through a process like the one above? I've turned off remote assistance and all that stuff. Also, if the government wanted to observe your machine, wouldn't they do it at the PSTN (switch)... or is computer communication unlike telecommunication? Have you heard of "Magic Lantern"? How would Magic Lantern work? Would it not be a massive web miner?

    Also, and most importantly, I've been dying to know this for about seven years now... what is "cloaker"? How does it work? If I found it on my machine, who would have put it there and why? I found it on my machine about 7 years ago. Haven't seen or heard from it since. It was the only thing I could find that I thought would have been how someone compromised my machine. I was severely compromised about 7 years ago. Some nut even scrambled my keyboard keys. Imagine sitting at your computer and watching helplessly as someone just ran wild as hell. I finally pulled the phone cord out of the wall. Oh the horror! :ninja: I think it was someone I cussed out from the phone company. There's nothing more dangerous in cyberspace than a geek with a grudge!!!

    Once again, tree and hermes, THANK YOU SO MUCH, for taking the time to help me!!!
    I owe you one. You know how to find me if I can return the favor somehow.
     
    Last edited: Jan 17, 2007
  14. xtree

    xtree Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    96
    Hello Greenzooey,

    You don't have Remote 43 open, do you?
    Probably that is the reason why you cannot run Whois properly. At least on my system it seeks for remote 43.
    Try creating a rule like this: Allow TCP outgoing, Remote port:43

    Check it in your Blocked column in GW Statistics.
    Good Luck.

    PS: You can also try ID serve at http://www.grc.com/id/idserve.htm if you don't want to bother with new rules.
    It uses Remote 80 which is already open. :)

    If you feel like checking your ports thoroughly again run ShieldsUp test at http://www.grc.com
     
    Last edited: Jan 17, 2007
  15. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?