Question about loopback rule for firewalls

Discussion in 'other firewalls' started by CJsDad, Jul 14, 2006.

Thread Status:
Not open for further replies.
  1. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Can someone explain this feature in detail?
    Is it needed or not, in other words would it make your firewall more secure or less secure with or without it?
    Thanks.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
Re: Question about loopback rule for firewalls

    Hi CJsDad,
    Some info here, if you block loopback, browsers will slow to a possible stop.
     
  3. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
Re: Question about loopback rule for firewalls

    Thanks Stem.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
Re: Question about loopback rule for firewalls

    CJsDad,
You're welcome,... any more questions about this, then ask.
     
  5. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
Re: Question about loopback rule for firewalls

    Loopback features of a router are similar, yet a bit different than the old loopback test of 127.0.0.1 in the link above.

    Loopback on the router..is the ability for application traffic to go out to the "wild side" of the router...and come back in and recognized the WAN interface as itself.

    Say you run a game server from behind your router...if your router supports loopback..it will allow your traffic to go out (say..the game servers master browser list)..and come back in and join on your WAN IP.

If your router does not support loopback..you'd never be able to join that way..you'd have to join by searching your LAN for a game server.

    Or similar with a web server...your record points to the WAN IP of your router..but you can't connect to it using your domain name if your router does not support loopback. You'd have to edit your hosts file, or just enter the LAN IP.

    Most consumer grade routers do not support loopback. Irrelevant of slowing your browser to a crawl.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
Re: Question about loopback rule for firewalls

    YeOldeStonecat,
Is this not "trigger" within the router, you mean?
     
  7. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    I use Kerio 2.1.5 with BlitzenZeus' rule setup, although I made some adjustments from BZ's setup.
    The one thing I did was turn the loopback rule off to see how my programs would react.
    I had no problem with any of them.
    I also use two web browsers, Opera which is my main browser and Firefox, my secondary browser.
    I had no problem logging onto my homepage using Opera but could not get to my home page using FF.
When I used the loopback rule I had no problem using FF.
    This is why I was curious as to why the loopback rule would be important or not because all of my programs worked (except FF) with it turned off.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi CJsDad,
    I was just checking,.. Opera does not use loopback,.. IE loopbacks using UDP.
    Some firewalls have loopback (127.0.0.1) as trusted, and do not require a loopback rule even for firefox.
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
The loopback address is used when programs running on the same machine send data to one another via the networking subsystem (e.g. a browser requesting a web page via a filtering proxy or an email client receiving messages through an anti-virus email scanner). Programs that send or receive data on behalf of others in this way are known as local proxies (as opposed to remote proxies, which run on a different computer, typically to provide a filtering service for an entire network).

    Such traffic is legitimate but having an "allow all" loopback rule means you won't be informed if malware tries connecting to such proxies in order to gain network access without being blocked or detected by firewalls. From a security perspective therefore, it is better to allow such traffic only for applications you trust and firewalls that do not offer control over loopback traffic (e.g. Sygate) should be avoided if you run any local proxy software on your system (examples include anti-virus email/webscanners and filtering software like Proxomitron).

    For maximum security, a firewall should also require rules to permit incoming traffic for local proxies to avoid the possibility of a proxy being hijacked by malware. This more subtle exploit is discussed in the (long!) Outpost forum thread Proxomitron default ruleset question (this issue was addressed with Outpost 2.5).
     
    Last edited: Jul 15, 2006
  10. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    This is what the loopback rule description is for my fw, should anything be changed or should I leave it as is?

    Standard Loopback UDP/TCP (out) Any Port (127.0.0.0/255.0.0.0) Any Port Any Application

I'm still somewhat new to all of this, on a learning curve sort of with a rule based FW, something new every day comes up I have to ask, that's the only way I'll ever find out so sorry if it seems like I don't understand something.

    Also, thanks for the help and replies Stem, YeOld and Paranoid, the more I know the better off I am.
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi CJsDad,
    For loopback, I normally enter: Allow "app" out to any port 127.0.0.1/255.255.255.0
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
Do you have any local proxy software running on your system? If not, then you do not need a loopback rule at all so you should remove it (Firefox does use loopback to talk to itself on startup but this can be blocked with no ill effect - or you can create a rule for Firefox only to allow it if necessary).

    If you do have a local proxy, then create a loopback rule only for those applications that need to have access (email client, web browser, etc). You can restrict the remote port to that used by the proxy (e.g. 8080 for Proxomitron, 8118 for Privoxy, 9050 for Tor - see the proxy documentation for details) but there is less security benefit to this - the main thing is to prevent malware from having access to 127.0.0.1 and limiting localhost access by application will do this.
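To make the difference concrete, here is an added example (not code from the thread, from Kerio or from any poster) that models rules with the fields quoted in this thread (application, direction, remote address/mask, remote port) and evaluates the same traffic under the "Any Application" loopback rule and under a Firefox-only rule to the proxy port. The executable names and sample connections are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    app: str              # executable name, or ANY
    direction: str        # "out" or "in"
    remote_net: str       # "address/dotted-mask" as Kerio displays it, or ANY
    remote_ports: tuple   # allowed remote ports, or ANY
    action: str           # "permit" or "deny"

@dataclass(frozen=True)
class Connection:
    app: str
    direction: str
    remote_ip: str
    remote_port: int

def in_network(spec, ip):
    """True if ip is inside 'address/dotted-mask' (or spec is ANY)."""
    if spec == ANY:
        return True
    # strict=False lets 127.0.0.1/255.255.255.0 mean the 127.0.0.0/24 block
    return ip_address(ip) in ip_network(spec, strict=False)

def evaluate(rules, conn):
    """First matching rule wins, top to bottom; no match means deny."""
    for r in rules:
        if (r.app in (ANY, conn.app) and r.direction == conn.direction
                and in_network(r.remote_net, conn.remote_ip)
                and (r.remote_ports == ANY or conn.remote_port in r.remote_ports)):
            return r.action, r.name
    return "deny", "implicit default"

# The global rule quoted in the thread: any application may reach 127.0.0.0/8.
GLOBAL_LOOPBACK = [Rule("Standard Loopback", ANY, "out",
                        "127.0.0.0/255.0.0.0", ANY, "permit")]
# Paranoid2000's advice: only the browser, only to the proxy's port (8080,
# the Proxomitron port named above); everything else falls to the default deny.
TIGHT_LOOPBACK = [Rule("Firefox to local proxy", "firefox.exe", "out",
                       "127.0.0.1/255.255.255.255", (8080,), "permit")]

# Constructed sample traffic: the browser and an unknown program both try
# to reach the local proxy, and the unknown program also probes another port.
BROWSER = Connection("firefox.exe", "out", "127.0.0.1", 8080)
UNKNOWN = Connection("unknown.exe", "out", "127.0.0.1", 8080)
PROBE = Connection("unknown.exe", "out", "127.0.0.1", 9050)
```

Under GLOBAL_LOOPBACK all three connections are permitted silently; under TIGHT_LOOPBACK only the browser's connection to port 8080 matches, so the unknown program's attempts fall through to the default deny and show up as blocked events.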
     
  13. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    I am not sure about this paranoid2000. No loopback rule if no proxies?
I have this ruleset made for Avast's proxies for Kerio 2.1.5, but most of it is to PREVENT any software accessing those proxies without my will.
There is this strategy that I somehow believe BZ standard loopback to be useful if not running any proxies? Or is it useless?
     
  14. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184

  15. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Paranoid,
    I don't have any proxy software running on my computer.
As I posted before, if I turn off the loopback rule then FF will not let me log onto my home page.
What rule can I create to allow the use of FF, or how can the loopback rule for FF be blocked without any noticeable effects?
    The rule I am currently using for FF with Kerio 2.1.5 is for local ports 1024-5000 and remote ports 80, 443.

    Thanks.
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    My understanding is that FF's loopback is to do with its Password Manager function so if you use it then you will need to permit loopback for Firefox - but you should still be able to log into sites manually without it.
    To allow loopback, just use your existing rule but limit it to Firefox only.
    A "good" firewall configuration is one that allows whatever traffic you need for your applications, and nothing else. This means that the ideal configuration is going to be different for each person since everyone will have different programs and usage requirements.

    Allowing loopback globally makes configuration easier, just like allowing DNS globally makes it easier - but such over-generous permissions can then be exploited by any malware that gets on your system. A tighter configuration on the other hand can require more maintenance (e.g. limiting DNS traffic to your ISP's DNS servers only will mean the rule needing an update if these addresses are changed) so the balance between security and convenience is one that you have to decide.
     
  17. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Thanks Paranoid, I can now use Firefox without using the loopback rules.
     
    Last edited: Jul 15, 2006
  18. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
Re: Question about loopback rule for firewalls

    Nope..that's different...not talking about port triggering.

Routers have loopback..while somewhat similar to the 127. loopback test of the TCP stack..it's a bit different..with routers..it's more whether they are aware of their WAN alias on the application level.

    Most routers support it fine these days..so it's not an issue, or even realized that it used to be an issue..but several years ago with entry level routers...you'd stumble across that issue now and then.

    http://www.dslwebserver.com/main/fr_index.html?/main/sbs-hosts-file.html

    http://www.dyndns.com/support/kb/archives/loopback_connections.html
     