Private fw for the non tweeker?

Discussion in 'other firewalls' started by elstupido, Apr 12, 2012.

Thread Status:
Not open for further replies.
  1. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    INBOUND REPLIES ARE NOT INBOUND INITIALIZATION REQUESTS OR INITIALIZED INBOUND CONNECTIONS.

    Inspection of the rule base is not required. The INITIALIZED OUTBOUND CONNECTION has already been validated by
    the Access Control List, Established, and the Connections Table updated. The REPLY will be looked up in the
    Connections Table, and then passed on through to the Client.



    The client generates an Synchronization (SYN) Packet, outbound to the Server to establish an NEW connection.
    An (outbound TCP TRAFFIC data stream) in an INITIALIZED OUTBOUND CONNECTION.

    The Access Control List (ACL) is referenced to determine if the information flow control policy should permit
    the NEW connection outbound.

    Assuming the NEW connection is valid in the Access Control List, and permitted outbound, the Connections Table is
    then updated. The Connections Table is always updated as necessary.

    The outbound TCP TRAFFIC data stream is processed and sent on to the Server.

    When the Server REPLIES on the reverse path back to the Client, through the Clients INITIALIZED OUTBOUND CONNECTION,
    (the inbound TCP TRAFFIC data stream), the Server is responding with its Synchronization/Acknowledgment (SYN/ACK).

    <-----THEREFORE, HOWEVER, AND PLEASE NOTE!----->

    SINCE THE REPLY IS NOT AN INITIALIZED INBOUND CONNECTION OR AN INBOUND INITIALIZATION REQUEST,

    Inspection of the rule base is not necessary or required, the connection has already been validated OUTBOUND,
    Established, and the Connections Table has been updated.

    When the Client recieves the REPLY packet from the Server, the packet is looked up in the Connections Table,
    and then passed on through to the Client.




    All that SYN and SYN/ACT work is so both sides will agree on an Initial Sequence Number (ISN) for each side of
    their communication. Unfortunately, many Servers use an easily guessed Initial Sequence Number generation function.

    Some firewalls use Transmission Control Protocol (TCP) sequence number randomization. As the packets pass through
    the firewall, they are rewritten so that the Initial Sequence Number(s) cannot be predicted.


    EDIT: grammer


    HKEY1952
     
    Last edited: Apr 19, 2012
  2. datarishik

    datarishik Registered Member

    Joined:
    May 11, 2010
    Posts:
    182
    Are the default settings not optimal/secure? Perhaps, Stem could provide his input on this.

    Hi Stem,

    Since we are on a PFW thread, I thought maybe I could ask you to look at the default settings of PFW for 'System Services' and 'System' (see attachments). Thanks.
     

    Attached Files:

  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello HKEY1952,

    I see from your last post you still do not want to answer my simple question. OK.
    ------------------------

    The info you are now putting forward (and have in some previous posts) appears to be about a stateful firewall implementation within a gateway or business class router rather than an Home users firewall.

    The implementation you put forward, well, you will not find that in the windows firewalls that are frequently mentioned on this forum.
    The closest you would get would be either 8-signs or Norton.

    8-signs does perform sequence number randomization, or, as 8-signs describes it, "Sequence Number Hardening" (have not checked)

    Norton does check sequence numbers, but only for the initial 3 way handshake. It does not check sequence numbers for the streams or termination of connection.(I checked)

    You can look at any of the other firewalls/packet filtering firewalls mentioned on this forum and they do not have the implementation you describe. (I have checked.)

    I would be interested to know which windows firewall you are using that you believe has the stateful TCP implementation that you describe.


    - Stem
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello datarishik,

    It depends on your setup/needs.

    Most of these firewalls by default simply allow all traffic for all applications that are either signed or on white lists. It is usually done to save them time with support issues.

    Are you behind a router? or on an ISP LAN?

    I will be trying to find time tomorrow (or it may be weekend), to have a look at the default rules for PFW and how it handles packet filtering.

    - Stem
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Nice to see you bellgamin,

    Always good advice.

    Regards,

    - Stem
     
  6. datarishik

    datarishik Registered Member

    Joined:
    May 11, 2010
    Posts:
    182
    Thanks a lot, Stem; really appreciate it. I'm not really concerned about configuring the firewall to its maximum potential (I'm behind a router) as much as curious about what the potential holes could be as Rilla pointed out. If there are really any holes, we could do some tweaking in order to ensure that it's intrusion proof. As I said before, I don't really know how to establish rules for protocols, - would really love to do it if I knew - but have learned quite a few points from your and other members' posts.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,321
    Location:
    U.S.A. (South)
    I second that special request about PFW. It will be welcome by a many the inquisitive minds about here.

    That was some heavy interpretation a few posts back as regards stateful firewall implementation within a gateway or business class router. Just had to do a Copy/Paste on that for further review & study. :cool:
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Again a matter of language. IMO the misunderstanding around all of these blocked/allowed - inbound/outbound can be resolved if you add a simple "solicited" or "unsolicited" in front of it (equivalent to your "initiated" and "non-initiated"). :)

     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It actually sounds like it is from a book on how a stateful firewalls should be implemented, rather than how the majority are actually implemented.

    It can be good reading books (or making google searches), but a practical approach, by actually testing firewalls packet filtering, gives you actual results of the implementation.


    - Stem
     
  10. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    The first rule in the ruleset must be: "allow all outbound TCP"
    The second rule in the ruleset must be: "block all inbound TCP"

    In other words:
    If the data stream was INITIATED by someone on the INSIDE, (the higher security interface = LAN) Let it pass.
    If the data stream was INITIATED by someone from the OUTSIDE (the lower security interface = WAN) Block it.


    Admit it Stem, this is the second time I have proven you wrong!


    /END

    /END SUB


    HKEY1952
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    But which firewall? I asked earlier which firewall you are using with the implementation you state.

    If for example, you use 8-signs, which is a firewall close to the implementation you mention, then setting those rules will block all Internet, as the replies will be blocked. Or, if easier, try L'n'S, that would also block Internet with such rules.

    Try checking rather than guessing.

    - Stem
     
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    The above should read:
    The first rule in the ruleset must be: "allow all outbound TCP"
    The second rule in the ruleset must be: "block all unsolicited inbound TCP"

    Otherwise, some software firewalls will also block the INITIATED connections.

    This is what I think Stem tries to explain since some posts... :)
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I really dont know why I am waisting my time with this, but anyway,


    L'n'S rules (just because I have it set up.)

    The main rule to allow Internet connections, will allow outbound and inbound TCP. The rule controls the state table entries.

    01.jpg

    I change the ruleset and add a rule to "Allow all outbound TCP"

    02.jpg

    I add a rule to "Block all inbound TCP"

    03.jpg

    Placed at top of ruleset.

    05.jpg


    I get blocked from Internet.

    This is the log showing the allowed outbound TCP and the replies being blocked.

    04.jpg

    - Stem
     
  14. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Last edited: Apr 20, 2012
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That is to block inbound connections (TCP SYN) not to "block all inbound TCP".


    You really need to read the thread more carefully. You also need to actually check/test how WF filters packets, rather than just reading about it.

    .
     
  16. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    This block all connections an packed, when I say ALL means ALL, not only TCP, but UDP and ...... alll. You are "expert" and perform test, LOL.
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    They are really hungry on this one. Now where is that UserCP ignore list setting.


    - Stem
     
  18. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I'd really like to learn something from all you guys since this is an area in which my personal knowledge is sorely lacking...but I truly hope that we can find a way to have this discussion with less sniping and acrimony.

    Thanks in advance. :thumb:
     
  19. elstupido

    elstupido Registered Member

    Joined:
    Apr 8, 2012
    Posts:
    14
    Location:
    seattle,wa.
    I feel like im playing in the middle of a freeway.:eek:
    Which 3rd party firewall would be the easiest for a non tweeker to use at the present?
     
  20. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,740
    I totally agree:thumb:
     
  21. 2good

    2good Guest

    you brought tears to my eyes from laughing so much cause I'm in the same boat with you now the answer to your question it would be one with the best packet filtering.
    its not what you read that counts, but what can you remember.
     
  22. elstupido

    elstupido Registered Member

    Joined:
    Apr 8, 2012
    Posts:
    14
    Location:
    seattle,wa.
    Yes, it sucks being the dummy. How does one figure out which firewall has the best packet filtering? dummy out.o_O
     
  23. 2good

    2good Guest

    if you follow Stem posts there is only one firewall Look&stop.
     
  24. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    And from what I have read hereabouts, not the best recommendation for the non-tweaker...

    ...Interesting how the one that originated the thread is the one that ends up as roadkill or thrown under the bus (to keep the freeway metaphor going). :eek:

    (Perhaps there is a place for default settings or ones that can be strengthened via the user interface without an advanced degree or years of hands on experience. One can only hope.)
     
    Last edited: Apr 21, 2012
  25. 2good

    2good Guest

    you are absolutely right realized that after posting, as far as the firewall the easiest one that one can Handel would be the one
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.