Question about loopback rule for firewalls

Can someone explain this feature in detail?
Is it needed or not, in other words would it make your firewall more secure or less secure with or without it?
Thanks.

 

Re: Question about loopback rule for fiewalls

Hi CJsDad,
Some info here, if you block loopback, browsers will slow to a possible stop.

 

Re: Question about loopback rule for fiewalls

Thanks Stem.

 

Re: Question about loopback rule for fiewalls

CJsDad,
Your welcome,... any more questions about this, then ask

 

Re: Question about loopback rule for fiewalls

Loopback features of a router are similar, yet a bit different than the old loopback test of 127.0.0.1 in the link above.

Loopback on the router..is the ability for application traffic to go out to the "wild side" of the router...and come back in and recognized the WAN interface as itself.

Say you run a game server from behind your router...if your router supports loopback..it will allow your traffic to go out (say..the game servers master browser list)..and come back in and join on your WAN IP.

If your router does not support loopback..you'd never be able to join that way..you'd have to join by searching you LAN for a game server.

Or similar with a web server...your record points to the WAN IP of your router..but you can't connect to it using your domain name if your router does not support loopback. You'd have to edit your hosts file, or just enter the LAN IP.

Most consumer grade routers do not support loopback. Irrelevant of slowing your browser to a crawl.

 

Re: Question about loopback rule for fiewalls

YeOldeStonecat,
Is this not "trigger"? within the router you mean?.

 

I use Kerio 2.1.5 with BlitzenZeus' rule setup, although I made some adjustments from BZ's setup.
The one thing I did was turn the loopback rule off to see how my programs would react.
I had no problem with any of them.
I also use two web browsers, Opera which is my main browser and Firefox, my secondary browser.
I had no problem logging onto my homepage using Opera but could not get to my home page using FF.
When I used the loopback rule I had no probelm using FF
This is why I was curious as to why the loopback rule would be important or not because all of my programs worked (except FF) with it turned off.

 

Hi CJsDad,
I was just checking,.. Opera does not use loopback,.. IE loopbacks using UDP.
Some firewalls have loopback (127.0.0.1) as trusted, and do not require a loopback rule even for firefox.

 

The loopback address is used when programs running on the same machine send data to one another via the networking subsystem (e.g. a browser requesting a web page via a filtering proxy or an email client receiving messages through an anti-virus email scanner). Programs that send or receive data on behalf of others in this way are known as local proxies (as opposite to remote proxies, which run on a different computer, typically to provide a filtering service for an entire network).

Such traffic is legitimate but having an "allow all" loopback rule means you won't be informed if malware tries connecting to such proxies in order to gain network access without being blocked or detected by firewalls. From a security perspective therefore, it is better to allow such traffic only for applications you trust and firewalls that do not offer control over loopback traffic (e.g. Sygate) should be avoided if you run any local proxy software on your system (examples include anti-virus email/webscanners and filtering software like Proxomitron).

For maximum security, a firewall should also require rules to permit incoming traffic for local proxies to avoid the possibility of a proxy being hijacked by malware. This more subtle exploit is discussed in the (long!) Outpost forum thread Proxomitron default ruleset question (this issue was addressed with Outpost 2.5).

 

This is what the loopback rule description is for my fw, should anything be changed or should I leave it as is?

Standard Loopback UDP/TCP (out) Any Port (127.0.0.0/255.0.0.0) Any Port Any Application

I'm still somewhat new to all of this, on a learning curve sort of with a rule based FW, something new everyday comes up I have to ask, thats the only way I'll ever find out so sorry if it seems like I dont understand something.

Also, thanks for the help and replies Stem, YeOld and Paranoid, the more I know the better off I am.

 

Hi CJsDad,
For loopback, I normally enter: Allow "app" out to any port 127.0.0.1/255.255.255.0

 

Do yoiu have any local proxy software running on your system? If not, then you do not need a loopback rule at all so you should remove it (Firefox does use loopback to talk to itself on startup but this can be blocked with no ill effect - or you can create a rule for Firefox only to allow it if necessary).

If you do have a local proxy, then create a loopback rule only for those applications that need to have access (email client, web browser, etc). You can restrict the remote port to that used by the proxy (e.g. 8080 for Proxomitron, 8118 for Privoxy, 9050 for Tor - see the proxy documentation for details) but there is less security benefit to this - the main thing is to prevent malware from having access to 127.0.0.1 and limiting localhost access by application will do this.

 

I am not sure about this paranoid2000. No loopback rule if no proxies?
I have this ruleset made for avasts proxies for kerio 2.1.5, but most of it is to PREVENT any software accessing those proxies without my will.
There is this strategy that I somehow believe BZ standard loopback to be usefull if not running any proxies? Or it is useless?

 

And here is the application part, also posted in avast forum, but people using bloated FW's these days so no answer there. lol
http://forum.avast.com/index.php?topic=22030.0

 

Paranoid,
I don't have any proxy software running on my computer.
As I posted before, if I turn off the loopback rule than FF will not let me log onto my home page.
What rule can I create to allow the use of FF or how can the loopback rule for FF be blocked with out any noticeable effects?
The rule I am currently using for FF with Kerio 2.1.5 is for local ports 1024-5000 and remote ports 80, 443.

Thanks.

 

My understanding is that FF's loopback is to do with its Password Manager function so if you use it then you will need to permit loopback for Firefox - but you should still be able to log into sites manually without it.

To allow loopback, just use your existing rule but limit it to Firefox only.

A "good" firewall configuration is one that allows whatever traffic you need for your applications, and nothing else. This means that the ideal configuration is going to be different for each person since everyone will have different programs and usage requirements.

Allowing loopback globally makes configuration easier, just like allowing DNS globally makes it easier - but such over-generous permissions can then be exploited by any malware that gets on your system. A tighter configuration on the other hand can require more maintenance (e.g. limiting DNS traffic to your ISP's DNS servers only will mean the rule needing an update if these addresses are changed) so the balance between security and convenience is one that you have to decide.

 

Thanks Paranoid, I can now use Firefox without using the loopback rules.

 

Re: Question about loopback rule for fiewalls

Nope..that's different...not talking about port triggering.

Routers have loopback..while somewhat similar to the 127. loopback test of the TCP stack..it's a bit different..with routers..it's more wether they are aware of their WAN alias on the application level.

Most routers support it fine these days..so it's not an issue, or even realized that it used to be an issue..but several years ago with entry level routers...you'd stumble across that issue now and then.

http://www.dslwebserver.com/main/fr_index.html?/main/sbs-hosts-file.html

http://www.dyndns.com/support/kb/archives/loopback_connections.html