Phant0m: Lots of logs.

Discussion in 'LnS English Forum' started by Ronn, Sep 26, 2003.

Thread Status:
Not open for further replies.
  1. Ronn

    Ronn Guest

    Hi Phantom, hoping you can help. I keep getting lots of entries in my log for the following rules.

    Rule: Block all other packets, Type ICMP, Additional Type:8 Code:0.

    and

    Rule: +Loopback, Type TCP,

    Is this normal to have so many? Is it stopping or slowing down my internet access? Can I just change the rule so the *hits* aren't logged and forget about them?

    Sorry for so many questions btw. Using your latest ruleset with WinXP on dial-up.

    Thank-you.
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Ronn

    You should never make modifications to the “Block : All other packets” rule, but In a case such like yours I would recommend making a rule specifically for those annoying ICMP packets and configured to block_without-warning. Are those ICMP packets Inbounds or Outbound?

    As for the ”+Loopback” rule, I suggest making a specific rule with the specifications of IP-Protocol (TCP) and configure it up to block-without-warning if necessary.
     
  3. Ronn

    Ronn Guest

    Wow, so quick :). Thanks.

    All the ICMP hits are inbound Phant0m. Am I still ok to block these without warning?

    Also, If I leave the +Loopback rule as it is and just lchange it so that this rule is not logged, will that be OK? I was worried that doing either of the above may have an effect on my surfing...

    Have you any idea why I should have so many hits on those rules from just surfing?

    Thanks Phant0m.
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Ronn


    E-mail me the raw-log file and I’ll make you two importable rules with specifications required & recommended… :)
     
  5. Ronn

    Ronn Guest

    Hey, wow, thanks. I'll do it now. Gimme 5...

    Thank-you.

    This is so fast I thought I was chatting on my IM client ;)
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    LOL; Not-a-prob! ;)
     
  7. Ronn

    Ronn Guest

    Sorry I haven't got that mail straight to you. I was called for my dinner :rolleyes:. I have just come back, ready to send the mail, when I noticed I didn't have the raw log option enabled :doubt:. Gimme 10 minutes to get some *hits* in the log, and I'll send it over.

    Thanks for all this Phant0m.
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Ronn

    No problem! Take as long as you need… :D
     
  9. Ronn

    Ronn Guest

    OK, mail awaay :)
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Ronn

    http://www.wilderssecurity.info/images/rl6.PNG
    http://www.wilderssecurity.info/pg22.shtml

    Make this rule with additional modifications to the packet “Direction” from “PC >> Internet” to “Internet >> PC” and make modifications to the Source-“IP : address” Drop-list, in drop-list change from “Equal my @” to “ALL” and for the Destination-“IP : address” Drop-list change from “ALL” to “Equal my @”. And click OK, and configure a warning Flag for that rule and keep it in the current position in the rule-set where it been created at by default and do some surfing.

    You may be required to Authorize those ICMP Packets which are ICMP Echo Requests in-order to surf flawlessly, you must also need to make additional rule to authorize ICMP Echo Reply. Let’s see if you still encounter surfing slow-downs when Authorizing this particular packet. ;)
     
  11. Ronn

    Ronn Guest

    Many thanks Phant0m. I DO have a confession to make though :doubt:. I've just noticed at the bottom of my rulesets (your ruleset) rules which I haven't enabled which I think I SHOULD have enabled. Namely being:

    //http://www.wilderssecurity.info/rl45.shtml
    and
    //http://www.wilderssecurity.info/rl46.shtml

    If I just enable the rl46 rule, will this have the same effect as what you are telling me to do, or should I enable rl45 too?

    Thanks agin, and sorry for putting you to all this trouble...
     
  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Ronn

    Don’t Enable anything unless you know what its purposes and that you know be required.

    I’m sort-of interested in knowing if that problem with your surfing-slowdowns still exists? ;)
     
  13. Ronn

    Ronn Guest

    Ok, thanks Phant0m. I have just enabled the rule I ahve modified as per your instructions. The rule I modified was //http://www.wilderssecurity.info/rl45.shtml. I have just rebooted and will surf for 15 minutes or so and report back toyou.

    Thanks Phant0m.
     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    All you do is create a New rule and change the packet “Direction” to “Internet >> PC” and select “IP” for “Ethernet : type” in the Drop-list and then make the specifications shown for the below image;

    http://www.wilderssecurity.info/images/Alternative/ICMPEcho.PNG

    Then click OK button and remove the Block Flag and configure Warning Flag for that rule, keep it as the default rule-set position (Top) and do a bit of surfing and see if that fixes your surfing issue.
     
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    As for Enabling that rule labelled “TCP : Allow” it should be already Enabled by Default, what rule-set version you using?
     
  16. Ronn

    Ronn Guest

    well, where to start.

    Firstly, I'm using Phant0m`s-September-7.rls rulset. The rule I changed was the "ICMP : Ping other (Req)" with the rule description "//http://www.wilderssecurity.info/rl45.shtml". I have changed this rule to how you have said, and it has stopped all of my ICMP logs :).

    The only log I am getting quite a lot of now is the +Loopback rule.

    This any good to you? It seems to have sorted a few problems my end... :)
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Ronn

    This explains it; you aren’t using the newest version dated Sept-9 [Phant0m``s Rule-set v5.0] which is available at http://www.wilderssecurity.info/Phant0m.shtml.

    As for that rule you modified, you shouldn’t have. That rule may be needed whenever you desire it and making modifications will cause that rule to malfunction for the required tasks.

    I recommend downloading the newest version of that rule-set and make the rule as I mentioned previously…
     
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    As for the “+Loopback” rule, don’t make modifications to that rule. If you want export/import that rule and re-label rule-name and configure specifications such as IP-Protocol: TCP, and direction of the Packet (Inbounds? Outbounds?). However don’t use “Internet >> PC && PC >> Internet” directions. And if that’s to much than just de-activate that +Loopback rule altogether…
     
  19. Ronn

    Ronn Guest

    Well, downloading the latest ruleset and putting that ICMP rule at the top of my rules as instructed seems to have done the job. Many thanks for spending the time to sort this out and making this thread a lot longer than needed ;).

    Am I ok to leave this rule sitting on top of all my other rules?

    I know...another question...hehe. :D
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Ronn

    For ICMP; yea it’s good currently where it’s at…

    If you have further Questions don’t hesitate to poster em!

    :)
     
  21. Ronn

    Ronn Guest

    Ok.

    Again, many thanks for all your help Phant0m. This is indeed a great rulset you have given us; but you said it would be the last? :|

    I for one hope not. Let's hope that Frederic isn't too far away with a beta version of his latest/greatest firewall at least ;)

    Thank-you.
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Ronn

    :)
     
Thread Status:
Not open for further replies.