Phant0m's ruleset

Discussion in 'LnS English Forum' started by Mark Klomp, Nov 14, 2005.

Thread Status:
Not open for further replies.
  1. Mark Klomp

    Mark Klomp Registered Member

    Joined:
    Sep 30, 2005
    Posts:
    61
    Can someone tell me if Phant0m's ruleset is better than the rulesets Standard and Enhanced which are included with the application? And if so, why it's better?

    Best regards
     
  2. lookcity

    lookcity Registered Member

    Joined:
    Oct 22, 2005
    Posts:
    46
    Location:
    China
    Yes, it is. It's more restrictive, which leads to more safety.
     
  3. Mark Klomp

    Mark Klomp Registered Member

    Joined:
    Sep 30, 2005
    Posts:
    61
    On my 2nd computer I have Phant0m's ruleset but when it's loaded I can't access the internet. I'm using v6 of Phant0m's ruleset, and I'm behind a router.
     
  4. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    It also provides more detailed logging info.

    Re. not being able to access the Internet, have you set up the DNS-Allowed-1 rule?
     
  5. Mark Klomp

    Mark Klomp Registered Member

    Joined:
    Sep 30, 2005
    Posts:
    61
    No, I haven't set it up, but it's also not activated by default.
     
  6. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Mark, please go here for information about Phant0m's ruleset.
     
  7. lookcity

    lookcity Registered Member

    Joined:
    Oct 22, 2005
    Posts:
    46
    Location:
    China
    The DNS-Allowed-1 rule should be modified by yourself and be enabled.
    Give it a try.
     
  8. Mark Klomp

    Mark Klomp Registered Member

    Joined:
    Sep 30, 2005
    Posts:
    61
    Hi,
    I modified the rules as Phant0m describes on his site.
    After following his instructions, I now see that still not all rules are activated,
    like ''?NetBIOS'', ''+Anti-MAC Spoofing'' and a few others.
    Do I need to activate those too?
     
  9. lookcity

    lookcity Registered Member

    Joined:
    Oct 22, 2005
    Posts:
    46
    Location:
    China
    Hi,
    It depends on what you need. Not all the rules need to be activated. Most of these rules have the action "allow", which will allow something specific. If you need it, activate what you want.
    Regards.
     
  10. agustan

    agustan Registered Member

    Joined:
    Nov 11, 2005
    Posts:
    23
    Can anyone tell me what I need to do to activate some of the rules in Phant0m's ruleset, like:
    1. anti-MAC spoofing
    2. DNS-Allowed-1
    3. BOOTP/DHCP --> there are 2 of them
    It said that they need to be modified to be activated.
    I'm sorry, I'm new to this firewall and Phant0m's ruleset. Thanks for the help.
     
  11. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Agustan, same for you... :)
     
  12. lnsuser2004

    lnsuser2004 Guest

    I have put together a ruleset that is in my opinion very restrictive for web browsing only. If someone would like to test it against various exploits you are welcome.

    I welcome Phant0m to test its integrity, as I do not have the capacity to run exploit tests in a lab environment.

    This is not a challenge! It's only an invitation for someone that knows how to test, and I welcome all advice of any flaws discovered. I simply would like to help develop a simple ruleset for those that would like a great ruleset for surfing only.

    BTW, the ruleset is based on Phant0m's ruleset v6. I simply have made it extremely restrictive for DNS, DHCP and all ports, including 80, 443 and 53.

    If someone (including Frederic and Phant0m) is willing to test the ruleset and/or improve upon it, that may help many who may want a very restrictive ruleset for browsing only.
     
  13. RenAndStimpy

    RenAndStimpy Guest

    Hi,

    Does it matter in which order the rules are applied? And if so, how do I know which rules have to be on top and which at the bottom?
     
  14. RenAndStimpy

    RenAndStimpy Guest

    And can someone tell me why many .ini system files are displayed, also in Program Files? Are they changed by malware?
     
  15. lnsuser2004

    lnsuser2004 Guest


    Yes, it matters. Set the block rules in a higher position than the allow rules you'd like to protect. Set the allow rules high enough to prevent blocking by rules that do not protect that rule.
    Not sure if that makes sense, but that's what I've come up with.
     
  16. Ren

    Ren Guest

    I don't fully understand what you're saying.
    Can you please explain more clearly?
     
  17. lnsuser2004

    lnsuser2004 Guest

    OK, what it generally boils down to is that if you're:

    1. Blocking something.. ensure that all rules that you want your block rule to affect are placed BELOW (after) the created rule.

    2. Allowing something.. ensure that no rule is placed ABOVE (before) the allowed rule that would block what you are trying to allow.

    There are some variations, but that's the general guideline that I've learned. There are others here that are much better with rules than I. Maybe Frederic, Phant0m or a few others could offer more.
     
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Let's say I wanted to host a BitTorrent share. I would not put a server-rule at the very top of a beautiful rule-set, simply so I know I have it in the correct spot and not be bothered.

    For instance, I would like my Fragmented-Deny rule(s) be before server-rules, think of IDS… ;)
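To make the ordering advice in posts 17 and 18 concrete, here is an added example (not code from the thread and not Look 'n' Stop's own logic): a toy first-match evaluator plus a check that reports rules which an earlier rule silences. The rule names echo the thread, but the matching conditions, the port 6881 and the sample packets are constructed assumptions.

```python
"""Toy first-match rule evaluation: the list is scanned top to bottom and the first
rule whose conditions match decides, so the position of a rule is part of its meaning."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "block"
    match: Callable[[Packet], bool]   # hypothetical, simplified condition


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, name of the rule that fired); nothing matched -> ('block', None)."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.name
    return "block", None


def shadowed(rules: List[Rule], samples: Dict[str, Packet]) -> List[str]:
    """Rules whose own sample packet is decided by an earlier rule, i.e. rules that
    sit too low in the list to do the job they were written for."""
    return [name for name, pkt in samples.items() if evaluate(rules, pkt)[1] != name]


# Rules named after the thread's examples; conditions and port numbers are constructed.
FRAG_DENY = Rule("Fragmented-Deny", "block", lambda p: bool(p.get("fragment")))
BT_SERVER = Rule("BitTorrent server", "allow",
                 lambda p: p["proto"] == "tcp" and p["dir"] == "in" and p["dport"] == 6881)
HTTP_CLIENT = Rule("HTTP client", "allow",
                   lambda p: p["proto"] == "tcp" and p["dir"] == "out" and p["dport"] == 80)
BLOCK_IN = Rule("Block other incoming TCP", "block",
                lambda p: p["proto"] == "tcp" and p["dir"] == "in")

# Constructed sample packets: for each rule, the traffic that rule is meant to catch.
SAMPLES: Dict[str, Packet] = {
    "Fragmented-Deny": {"proto": "tcp", "dir": "in", "dport": 6881, "fragment": True},
    "BitTorrent server": {"proto": "tcp", "dir": "in", "dport": 6881},
    "HTTP client": {"proto": "tcp", "dir": "out", "dport": 80},
    "Block other incoming TCP": {"proto": "tcp", "dir": "in", "dport": 445},
}

GOOD_ORDER = [FRAG_DENY, BT_SERVER, HTTP_CLIENT, BLOCK_IN]      # deny-fragments above the server rule
SERVER_ON_TOP = [BT_SERVER, FRAG_DENY, HTTP_CLIENT, BLOCK_IN]   # post 18: fragments now reach the server
BLOCK_TOO_HIGH = [FRAG_DENY, BLOCK_IN, BT_SERVER, HTTP_CLIENT]  # post 17: the allow rule is shadowed

if __name__ == "__main__":
    for label, order in [("good", GOOD_ORDER), ("server on top", SERVER_ON_TOP), ("block too high", BLOCK_TOO_HIGH)]:
        print(label, evaluate(order, SAMPLES["Fragmented-Deny"]), "shadowed:", shadowed(order, SAMPLES))
```

Running `shadowed` over a ruleset with one sample packet per rule is a quick way to spot a rule that was dropped in at the top or bottom without thinking about what sits above it.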
     
  19. Mark Klomp

    Mark Klomp Registered Member

    Joined:
    Sep 30, 2005
    Posts:
    61
    Hello Phant0m,

    I'm using your ruleset, and I have added some extra rules, for example for BitTorrent, DC++, MSN Messenger, etc. But I really don't know where they should be placed; I now have them all placed at the top of the rules.
    Can I send my ruleset to you so you can make the modification?

    Thanks,
    Mark Klomp
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi Mark Klomp

    All server-rules (like for TCP connection initiation from remote systems) get placed between the +TCP : Block incoming connections and +ACK-URG rules, and for a restrictive rule-set, aka paranoid rule-set, where you create a client rule per service that you use (like … http, POP3), you place those JUST below +TCP : Block incoming connections.

    k ;)
     
  21. RenAndStimpy

    RenAndStimpy Guest

    And how about the UDP server-rules? Where should these be placed?

    I also see that your ruleset has some rules not activated by default, like ''?NetBIOS'', ''+Anti-MAC Spoofing'' etc. So, which do I need to activate?

    And what can I do to allow Pinging? I saw these rules: ''ICMP : Ping other (Req)'' and ''ICMP : Ping other (Rsp)'' which are also standard not activated.
     
  22. damoisture

    damoisture Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    11
    Thanks for those notes, Phant0m. I never thought to ask where new rules should be placed. Awesome!
     
  23. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
  24. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    But you have to pay $9 before you can use this special installer for Phantom's Rule-set v.7!

    Would be better if you could try it out first. Simply to make sure it works before paying.

    I think I will stay with the enhanced rule-set ;) :p
     
    Last edited: Dec 11, 2005
  25. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    :eek: :eek: :eek: :eek: :eek: :eek: :eek:

    And I was thinking why reading Phant0m's forum requires a registration! Now I know.

    Thomas :(
     