PHANTOM 6 Ruleset Look n Stop

Discussion in 'LnS English Forum' started by TerryWood, Jan 14, 2006.

Thread Status:
Not open for further replies.
  1. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    I am new to Look n Stop and new to the arcane world of rules.

    But I do want to have the securest pc that is possible. I have downloaded Phantom 6 and want some kind of tutorial that is comprehensible to ordinary folks not experts.

    The French tutorial that is referred to on these pages (unless I have downloaded the wrong one), even in its translated form, is incomprehensible to me.

    So can anyone help a silver surfer with some clear, simple guidelines on how to set up Phantom 6 (if this is the latest version)? I currently use the LnS enhanced ruleset on a single PC with a dial-up broadband modem.

    Many thanks to all

    terry

    PS: Where is Phantom's latest website? I can't find it.
     
  2. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Although Phant0m's Rule-set is slightly more restrictive and provides more logging information, you should be more than adequately protected with the Enhanced rule-set ;)

    I could never get this ruleset working properly on dial-up when I tried to manually install it.

    I would either pay the $9 for the installer or PM some of the LnS posters here who have the rule-set up and running and who could offer you help.
    Here, and I see the installer is not available at present.
     
  3. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Thanks for your helpful reply
     
  4. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi Terry

    I am also probably best described as a novicey silver surfer :cool:

    My only previous firewall was ZA which I fell out with during issues with their security suite. I was a bit wary of a rules based firewall (knowing nothing about applying rules) but with the odd curious incident, well documented with others in this forum, I must say I am more than happy with LnS with just the enhanced rule set applied.

    Very lightweight and passes all the tests on GRC and PCFlank.

    Hope this helps :)

    Cheers

    Jon
     
  5. Ghost13

    Ghost13 Guest

    Hello,


    I have been using the Enhanced rule-set for the connections to Phant0m's ruleset so it auto-detects my internet connection. Just install Phant0m's ruleset free version, then import the TCP/UDP : BOOTP / DHCP rules into Phant0m's free ruleset, delete DNS1, DNS2 etc., and import the connections rules from the enhanced rule-set, and you have an auto-detect Phant0m ruleset.


    I have been using this for over 5 years and it always auto-detects any change, and you don't have to do anything concerning auto-detecting of changed servers, IP address, DNS, TCP/UDP/BOOTP / DHCP; the LnS enhanced rule-set (rie) imports do it all for you. And it works great on XP SP2.

    Is it safe? Yes, if you know where to place the rules, which is not hard if you compare the two rule-sets, and if set up correctly you will pass every firewall test out there and almost every leak test except for 2. Not to make anybody mad, I just call it a modified version of Phant0m's rule-set. Good luck!
     
  6. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    You make it sound so easy. I am very interested in what you propose, but need a lot more hand holding:

    1) Where do you import the TCP/UDP : BOOTP / DHCP rules from?

    2) Which are the connections rules in the enhanced rule-set and where are they placed (does it matter)?

    3) The free version I have is 6; is this OK?

    4) When I imported it before I tried to follow the French tutorial and did the ipconfig /all, which was OK, BUT when I tried to configure as per the diagrams I got as far as inputting the DNS server addresses. When I came to the BOOTP/DHCP I noticed that my ipconfig /all screenshot said that DHCP was not enabled. It was therefore not possible to input the DHCP server address.

    I don't know what DHCP is, what it does, or how to enable it if indeed I need to.

    So now you have set a rabbit away, can you help me understand and configure LnS Phantom?

    Many Many thanks

    Terry
     
  7. Ghost13

    Ghost13 Guest

    Hello Terry,


    Sorry, you did say you are new to all of this! And it is very confusing at first, but as soon as you get the concept, which is not hard at all, but like anything new, just ask and there is always somebody around to help.



    Important: Always save as before you make a change to your LnS rule-set or any other, so you will always have an untouched copy. And disable your internet connection when you do this.
    Example: EnhancedRulesSet2006.rls


    1. Go to the LnS panel called Internet filtering, then go to LOAD, open and find
    the EnhancedRulesSet.rls, highlight it, hold down Ctrl+C on your keyboard, then just cancel out of
    this box. AND DON'T save anything.


    2. Go to your desktop, point the mouse on the desktop where you want it copied to, Ctrl+V,
    and now you have EnhancedRulesSet2006.rls.


    3. Rename this to EnhancedRulesSet2006.rie; the [rie] at the end makes it possible to import one
    rule at a time, or as many as you like, from one rule-set to another. Very fast!


    4. Copy this again or drag and drop this file into c:/program files/Soft4ever>Look"n"Stop
    and paste it in, or drag it in there, and now you can start importing the EnhancedRulesSet auto-detect rules for servers and DNS for your computer.
    If you don't understand Phant0m's manual settings, which only takes, this will make things much easier;
    the only thing you have to do is compare the two rule-sets and start replacing some rules.


    5. Go to the Internet filtering tab, go to LOAD, but save as first; it will cause you no pain if things don't work out. But like I said, it's been over 5 years and it still works on Windows 95, 98, ME and XP/XP SP2; I have used
    it on all of them. Call the rule-set anything you like except EnhancedRulesSet.rls.





    6. Click on the import box in Internet filtering and you will see the EnhancedRulesSet.rie file; highlight it and now you have the whole EnhancedRulesSet showing
    in the rules to import into Phant0m's rule-set. Highlight EnhancedRulesSet.rie and check these off,
    starting at IP : MF Flag Block; check everything below and replace the rules.

    7. Place the first rule under +ACK-URG in Phant0m's rule-set, which would be
    IP : MF Flag Block from the EnhancedRulesSet.rls.


    8. You don't need them all, since you will have double rules, so compare the two rule-sets
    and it's a matter of deleting, leaving or adding the auto-detect server rules, which start at
    TCP : Authorize Identification; work your way down the list using the up and down buttons to place them.


    9. You really just need these rules from TCP : Authorize Identification until the
    UDP : Stop Broadcast rule [Stops UDP broadcasts to *.*.*.255].

    The rest and more are already in Phant0m's rule-set, so you just have to delete any double rules you have showing in Phant0m's rule-set; you really just want to add the auto-detect rules
    to Phant0m's rule-set. TCP : Authorize Identification - UDP : Stop Broadcast rule [Stops UDP broadcasts to *.*.*.255]: those are the ones that auto-detect your internet connections.


    10. Test your rule-set: go to grc.com or any fast scanner on-line. If you get all green ports showing and no purple or orange, you have set it up correctly. Hope this helps you out a bit; the rule-set
    you have for Phant0m is the good one, and good luck!
     
  8. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Got to paragraph 4 and copied the EnhancedRulesSet2006.rie into the Look 'n' Stop folder.

    What I don't understand is when you say "You can start importing the EnhancedRulesSet detect rules for servers, DNS for your computer".

    Do I import these rules from EnhancedRulesSet2006.rie into Phantom?

    If so, which are the specific detect rules that need importing (for servers, DNS)?

    Also, what do you mean in paragraph 9 (first sentence)?

    Sorry for taking up your time, BUT when it's done it's done and I will be a convert.

    Thanks

    Terry
     
  9. Ghost13

    Ghost13 Guest

    Hello Terry,

    I tried your rule set; it works 100%. I had to change it to an rls file so I could use it.


    Things to do:



    Activate: ?NetBIOS, JUST PUT A GREEN CHECK!

    Delete: DNS-Allowed-1

    Delete: All BOOTP / DHCP rules at the top by Phant0m; you have the rules already that auto-detect them. Near the bottom, the ones you imported are taking over and will auto-detect any server changes and DNS, IP, etc. by themselves.

    Then save your changes.

    If you ever get "can't connect to the internet", just reboot and the changes will take effect and you will be able to access everything. It happens when I disable my internet connection from the control panel and then enable it; I get this problem, and a reboot will fix it.


    As for the rest, leave as is until you need the extra rules, but I tested it at GRC.COM and got these results:

    Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.


    So you're doing great, Terry; it's now ready to be loaded. If you can't find it, make one an rls file and one an rie file and load it: find your rls ruleset and load it, then reboot just to make sure things are working at boot-up.

    Terry, got to go to work, running late....., but I will try to answer all your questions tonight if nobody helps you before I get back. Good job, and you should have no problems; just delete the rules that I told you at the top and activate ?NetBIOS and you're all set! Is NetBIOS needed? I think there is a patch by Microsoft that blocks these ports 137, 138, 139, but just to be safe activate it, and if you don't want to see the ?NetBIOS alerts, uncheck the logging on that rule. Take care.
     
  10. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi Terry.

    I wouldn't worry too much about having Phantom's rule-set; you'll do just fine with the default enhanced rules. Phantom's rules are only block rules, which he probably created by logging a vulnerability scan from PC Flank or somewhere. To simplify it, mate, if you have no rules to ALLOW something, a firewall will automatically block it ;) , so you're already safe from those vulnerabilities. I tried L'n'S not so long ago when trying to find a firewall for application control to go with my packet filter; I tried L'n'S against these scans with and without Phantom's rules, and passed on both occasions :cool: .

    And now he's charging for them,it's even worse
     
  11. TBR

    TBR Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    59
    It depends on your perspective. I paid for the ruleset, so I suppose I'm slightly biased, but the installer makes it easy to implement, and the peace of mind of knowing that I have a solid set of rules in my firewall, even if I don't know what half of them do, is for a relative newbie a lot easier way of going about getting a secure system, and it's not as if it broke the bank to buy it either.
     
  12. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    I agree; the only problem with Phantom is surely that he doesn't seem to have a website, and the one that I think hosts his installer says it's not available until Jan or Feb 2006.

    What's a man to do?

    Thanks for your interest.

    PS: I posted a new version, i.e. integrated Phantom & Enhanced, and checked it against all PC Flank tests and GRC ShieldsUP. It passes with flying colours.

    On the HackerWatch site there are about 10 substantial tests including Yalta. I was able to do 7 and it passed for certain on 5; the other two I am not sure. Three I could not get to work.

    Terry
     
  13. Ghost13

    Ghost13 Guest

    Hello Terry,



    If you want to try a real good firewall test try this one:

    http://www.securityspace.com/smysecure/last30.html


    It takes 3-4½ hours and LnS did very well; they said "they could ping me and they know my IP address", and that was it! I do it once a month with the same results, and I am sure it has to do with the fact I am connected to their server! From Internet Explorer you can't hide that information without a proxy, and then your results would be false if you used one.


    It will do many kinds of tests and your rule-set should give the same results. Good luck, and glad you got it working. It will auto-detect your server connections forever!
     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    TonyJL


    You are right about one thing: EnhancedRulesSet does provide good protection as-is, and is a far superior rule-set to any ever offered/bundled with a rule-based software firewall product by default.

    Interesting notion regarding "if you have no rules to ALLOW something, a firewall will automatically block it"; well, this is not necessarily true, it depends on the software firewall's capabilities in the first place. Anyway, I don't see anyone installing a software firewall and not creating rules to permit different habits. Like for browsing the web (www-http), this permit rule to allow you to connect can be enough for permitting unwanted and unsolicited, malicious remote packets. See below:

    Rule Name: www-http=80
    Logging Flag: No
    Direction: Inbounds & Outbounds
    IP Protocol: TCP
    Source – IP : address: Equals my @
    Source – TCP/UDP: port | In range A:B | 1024-5000
    Destination – IP : address: All
    Destination - TCP/UDP: port | Equal | 80

    This rule looks pretty friendly, and leakfree, yes? Wrong. A user remotely can easily craft a packet and send it in through the software firewall without alerting the other, and this can be a packet containing source port 80/tcp and destination ports 1024-5000 (any port in a temp range) … Have you seen the rule 'TCP : Authorize Internet services'? I bet you can find more :)

    It is one thing to easily pass online leaktests; it is an entirely different thing passing the real deals.

    ... :)


     
  15. Queen Dyke

    Queen Dyke Guest


    Could that http rule be made to function Outbound only? How?
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    To make a connection you need to apply direction 'Inbounds & Outbounds'; if just 'Outbounds' has been specified, you can only send packets and there is never a hope of a connection being made.
     
  17. Queen Dyke

    Queen Dyke Guest

    Thank you, Phant0m.
    My concern is that the inbound direction may allow a malicious packet through. A packet not requested.
     
  18. PasserBy

    PasserBy Guest

    2 Ways to accomplish...

    1) There should be a rule that blocks TCP SYN in, before any client ports rule, i.e.

    anti-mac
    ...
    block invalid flags
    ...
    server ports rules (where you open ports to listen)
    ...
    * Block TCP syn in (Check inbound (in Direction), check Block incoming connections (in TCP flags)
    ...
    Normal client ports rules (where you allow 80,25,110& so on..)
    ....

    2) Just Check 'EVERY' Block incoming connections (in TCP flags) in 'EVERY' client ports rules.
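To see Phant0m's crafted-packet point and PasserBy's SYN-block rule side by side, here is a toy first-match packet filter (an added example, not Look 'n' Stop's engine or any poster's code; the addresses, the SPI class and the rule encodings are constructed assumptions). It also shows why Phant0m later recommends SPI: an inbound packet with no SYN still slips past the SYN-block rule unless connection state is tracked.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    direction: str    # "in" or "out", relative to this host
    local_port: int   # port on this host ("my @" side)
    remote_ip: str
    remote_port: int
    syn: bool = False
    ack: bool = False

def www_http(p):
    # The quoted www-http=80 rule: both directions, my temp port 1024-5000 on one side and
    # remote port 80 on the other. Ports only, so a reply and a probe from port 80 look alike.
    return 1024 <= p.local_port <= 5000 and p.remote_port == 80

def block_syn_in(p):
    # PasserBy's fix: inbound TCP with SYN set and ACK clear is a new incoming connection.
    return p.direction == "in" and p.syn and not p.ack

WEAK = [("www-http=80", "allow", www_http)]
HARDENED = [("Block TCP syn in", "block", block_syn_in)] + WEAK  # block rule placed first

def decide(rules, p):
    """First matching rule wins; anything unmatched is blocked (the filter's default)."""
    for name, action, match in rules:
        if match(p):
            return action, name
    return "block", "default"

class SPI:
    """Toy stateful layer (hypothetical, not LnS's engine): inbound packets are only
    considered for connections this host opened; the static rules still apply after."""
    def __init__(self, rules):
        self.rules, self.conns = rules, set()
    def decide(self, p):
        key = (p.local_port, p.remote_ip, p.remote_port)
        if p.direction == "out" and p.syn and not p.ack:
            self.conns.add(key)                       # remember the outbound SYN
        elif p.direction == "in" and key not in self.conns:
            return "block", "no matching connection"  # unsolicited, whatever the flags
        return decide(self.rules, p)

# Constructed traffic (documentation addresses): two probes and one real browse.
PROBE     = Pkt("in", 4000, "198.51.100.7", 80, syn=True)           # remote:80 -> me:4000
ACK_PROBE = Pkt("in", 4000, "198.51.100.7", 80, ack=True)           # no SYN, still unsolicited
SYN_OUT   = Pkt("out", 4000, "203.0.113.5", 80, syn=True)           # me -> web server
SYNACK    = Pkt("in", 4000, "203.0.113.5", 80, syn=True, ack=True)  # the server's reply

if __name__ == "__main__":
    print(decide(WEAK, PROBE))          # ('allow', 'www-http=80'): the crafted packet gets in
    print(decide(HARDENED, PROBE))      # ('block', 'Block TCP syn in')
    print(decide(HARDENED, ACK_PROBE))  # ('allow', 'www-http=80'): SYN blocking alone leaks
    spi = SPI(HARDENED)
    print(spi.decide(ACK_PROBE), spi.decide(SYN_OUT), spi.decide(SYNACK))  # block, allow, allow
```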
     
  19. Queen Dyke

    Queen Dyke Guest

    Done it in the past, but with a different firewall. Guess it depends upon the firewall in use. I expect good results as long as I'm blocking incoming connections prior to allowing web browsing.
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Blocking of 'Incoming Connections' (TCP inbound packets with SYN flag set) is a standard procedure in rule-based software firewalls nowadays; it should be enough to pass standard online webscans, but is far from preventing different sorts of leaks.

    Take advantage of Look 'n' Stop's TCP SPI (Stateful Packet Inspection); make sure it is activated and left so.
     
  21. -=T=-

    -=T=- Guest

    Sorry for a dumb question but where can I find that?
     
  22. RedShark

    RedShark Guest



    Hello. To turn on SPI, go to the [Options] tab in LnS, click on the Advanced options box, and another box pops up.


    Look at the Miscellaneous box; in there you will see TCP Stateful Packet Inspection. Put a check in this box, and in everything else unless
    you don't have a need for the raw log. Also check Anti-Flood Protection. You may also want to enable DLLs Watch for even more added protection against DLL injection. Good luck.
     
  23. JohnnyBravo

    JohnnyBravo Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    82
  24. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    The way I do it is I go to the Start menu, click on Run, type "cmd" and press Enter. At the prompt I type "ipconfig /all". DHCP Servers are for the BOOTP/DHCP rule (I only have one rule enabled), DNS Servers are for the DNS-Allowed rule, and Physical Address is for the Anti-MAC spoofing rule. Also remember to enable the rules (green checkmark).
     
  25. JohnnyBravo

    JohnnyBravo Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    82
    Last edited: Feb 16, 2006