Questions about Phantom v6 set - how to enable stuff?

Discussion in 'LnS English Forum' started by halcyon, Nov 15, 2004.

Thread Status:
Not open for further replies.
  1. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Now that I have L'n'S working, it's time to start learning some rule making.

    I'd appreciate if somebody could answer any of my below questions with a simple example instruction on how to enable particular network traffic for a particular app (I'm using Phantom Ruleset v6).

    Q0: Now, I assume that even though I have an application Authorized in L'n'S, it can still be filtered by rules in the "Internet filtering" tab, right?

    Q1: If the answer is no, then I'm puzzled. Software that worked before L'n'S is not working anymore (with Phantom v6), even though the software is Authorized for direct network access.

    Q2: I'd like to be able to ping other computers. What rules should I change in Phantom v6 to enable me to ping others?

    Q3: As above, but traceroute.

    Q4: As above, but application TeamSpeak (port 8767 UDP)

    Q5: As above, but games with multiple ports (TCP and UDP) needing opening

    Q6: As above, but for Bittorrent client (port X UDP and port Y TCP/UDP).

    I don't need instructions to all of the above.

    Just for one question. How to make the rule and where to place it in Internet Filtering rules.

    I'd appreciate any help or pointers to good instructions.

    Thanks!

    cheers,
    halcyon
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi halcyon,

    The simple way is to look at the log, and with a right click on one alert you can automatically create the rule that will allow the blocked packet.

    Another way is to import a pre-defined rule from .rie files. There is one provided with Look 'n' Stop (which should solve the tracert blocking) and there are other import files here:
    http://www.looknstop.com/En/rules/rules.htm

    And finally there is the manual way by editing a new rule and specifying the protocol, port numbers... you can be assisted by first importing a generic UDP/TCP client/server rule from the import file, and then you just have to replace the default 55555 by the port you want to open.

    Frederic
     
  3. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Thanks Frederic.

    Am I correct in assuming:

    1) Counting from outside (WAN->LAN). "Internet filtering" rules are matched first and inbound traffic may be blocked at that level (even for apps that are Authorized for internet access and which have initiated the connection earlier with a successful outbound access)?

    2) If "The rule warns forbidden packets" is not active for a specific rule, no mark is made in the "Log" tab for filtering made by that rule (but perhaps in raw log)?

    3) For outbound access, App rules are matched first, then Internet filter rules (app has no authorization=block, traffic is not allowed/even if app is authorized=block)?

    4) To make an application work correctly (client-server), one must:

    A) Authorize the app (Application filtering)
    B) Make an Internet filtering rule that allows certain outbound access required by that app
    C) Put the aforementioned new outbound rule high enough in the "Internet Filtering" rules list, so that another rule doesn't block the traffic first
    D) Do the same for the incoming connection (allow the connection/port for the application you want to use)
    E) Do the same for the newly created inbound rule sort order

    You (or anybody else) can just answer with simple yes/no. I'll dig up the rest.

    Thanks!

    Also, if there is a simple model (diagram) that shows how filtering in L'n'S proceeds from stage to stage (both inbound and outbound), I'd very much like to see it :)

    cheers,
    halcyon
     
    Last edited: Nov 15, 2004
  4. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Yes

    Yes. However, the raw log shows exactly the same number of entries as the normal log but just contains a bit more information, so it would not appear in the raw log either if it wasn't active.

    Yes, you are correct. If an app is not authorized in Application filtering, then Internet Filtering won't even come into play. Once authorized, then the Internet Filtering rules actually decide what can and can't be sent.

    If it is authorized in Application Filtering, then some rule in Internet Filtering is blocking traffic (either in or out of the computer) from that application. If you view the log when you start the app or connect to the internet with the app that used to work, you will often see a few rules being applied which are probably blocking the app. If you right-click on that log entry you are given options to automatically create a new rule which either allows traffic in or traffic out of your computer on that specific port. This automatically created rule can then be tightened up, if you know what you are doing.

    Yes.

    HTH. Frederic or Phant0m will be able to give extra details, but this forum and the looknstop website are good sources of info.
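The two-stage order confirmed in the answer above, as an added Python model that is not Look 'n' Stop code: Application filtering is consulted first, then the Internet filtering list is walked top-down and the first matching rule decides, so an allow rule placed below a broader block rule never fires, and a block rule without the warn flag drops silently. The Packet/Rule classes and rule names are constructed for this example; the TeamSpeak port 8767 comes from halcyon's Q4 and the `warn` field stands for "The rule warns forbidden packets".

```python
from dataclasses import dataclass, replace

@dataclass
class Packet:
    app: str
    direction: str                    # "in" or "out"
    proto: str                        # "TCP", "UDP" or "ICMP"
    port: int = 0

@dataclass
class Rule:
    name: str
    direction: str                    # "in", "out" or "both"
    proto: str                        # protocol name, or "any"
    ports: frozenset = frozenset()    # empty = any port
    action: str = "block"             # "allow" or "block"
    warn: bool = True                 # "The rule warns forbidden packets"

    def matches(self, p):
        return (self.direction in ("both", p.direction)
                and self.proto in ("any", p.proto)
                and (not self.ports or p.port in self.ports))

def decide(p, authorized, rules):
    log = []
    # Stage 1, Application filtering: an unauthorized app's outbound traffic
    # is dropped here and never reaches the Internet filtering list.
    if p.direction == "out" and p.app not in authorized:
        log.append(f"Application filtering blocked {p.app}")
        return False, log
    # Stage 2, Internet filtering: walk top-down, first matching rule decides.
    for r in rules:
        if r.matches(p):
            if r.action == "block" and r.warn:   # warn unchecked = silent drop
                log.append(f"{r.name} blocked {p.direction} {p.proto}/{p.port}")
            return r.action == "allow", log
    return False, log   # assumption: a packet matching no rule is blocked

TS_OUT = Packet("TeamSpeak", "out", "UDP", 8767)           # port from Q4
ALLOW_TS = Rule("Allow TeamSpeak", "both", "UDP", frozenset({8767}), "allow")
BLOCK_UDP = Rule("Block other UDP", "both", "UDP")          # constructed names
BLOCK_ALL = Rule("Block all", "both", "any")

def demo():
    authorized = {"TeamSpeak"}
    return {   # same rules, different order: placement decides if TeamSpeak works
        "misplaced": decide(TS_OUT, authorized, [BLOCK_UDP, BLOCK_ALL, ALLOW_TS]),
        "correct": decide(TS_OUT, authorized, [ALLOW_TS, BLOCK_UDP, BLOCK_ALL]),
        "silent": decide(TS_OUT, authorized, [replace(BLOCK_UDP, warn=False), ALLOW_TS]),
        "unauthorized": decide(TS_OUT, set(), [ALLOW_TS, BLOCK_UDP, BLOCK_ALL]),
    }
```

The "misplaced" case is the one the log reveals: the blocking rule's name appears in the log entry, which is the entry you right-click to create the allow rule, and it then has to be moved above the rule that blocked it.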
     
  5. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Thank you very much Defenestration!

    Learning is so much faster when there is a more capable peer helping out.

    cheers,
    halcyon
     
  6. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    Right click to create rules

    I've read in this and other posts that you can automatically create rules from right clicking the event in the log. Whenever I try this the only option I get is "look" which brings up a window with the packet details but I can't see how I can automatically create a rule from this.

    Is this a limitation on the trial version or something?
     
  7. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    It also helps when you don't have a dozen redundant rules blocking the same traffic. Your security isn't directly proportional to the length of your rule list, though some people like to think it is.
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    You think my rule-set contains redundant rules?
    If this is the case, can you name some? Thanks
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I haven't used your rule set, and so was not speaking about it specifically. Just making a general point.
     
  10. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Re: Right click to create rules

    There isn't a limitation during the first 30 days. After this, Application Filtering stops working.

    What happens if you click on the "Create Rule" button at the bottom of the log?

    This should also bring up a context menu with the same two options.
     
  11. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Re: Right click to create rules

    Some alerts don't allow for automatic rule creation, some do.
     
  12. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    Re: Right click to create rules

    Yes, I have now discovered that and realise now why I couldn't create rules automatically.

    Just out of curiosity, why can't all alerts allow rule creation?
     
  13. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    Yes, only the usual protocols like ICMP/UDP/TCP are supported for this automatic rule creation feature.

    Why only these protocols?
    Because for other kinds of packets, it's difficult to know automatically which specific fields the rule should handle to allow packets.
    Only the Ethernet Type and IP Protocol would be used, and there is a risk some inexperienced users create bad rules allowing everything.

    If you think some protocols are really missing with obvious fields to look at, just let me know (perhaps IGMP with the Type, but I'm not sure these packets are seen very often and they have to be allowed).

    Otherwise, another suggestion was to offer a completely filled rule with all fields (MAC and IP Address, source+dest...), and the user would have to edit the rule manually to remove controls for some fields if they are too specific.

    Frederic
     
  14. ellena

    ellena Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    6
    Re: Right click to create rules

    I've noticed that when you posted the screenshot of the right-click rule creation in the LNS log that you have an additional option available called "ARP". I don't have the "ARP" option listed when I right-click. The only option I get (below the "add rule" options) is "Look". Does the "ARP" option appear on the right-click menu only for certain log entries, or am I missing something essential?
     
  15. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Re: Right click to create rules

    I should have mentioned that. It is a plug-in for LnS that allows some more advanced features than the default. You can view a list of the official plug-ins here:

    http://www.looknstop.com/En/plugin.htm

    I was using the Raw Rules edition and ARP packet viewer plug-ins.
     
  16. ellena

    ellena Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    6
    Re: Right click to create rules

    Thank you for your reply.
    What advantage/convenience have you seen by using the ARP packet plugin? In what way, if any, has it helped you by having the ability to view the packets?
    I'm not being sarcastic about it, but I have become a paranoid security nut in the past several months.
     
  17. ellena

    ellena Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    6
    Frederic,

    I'm attempting to put together a set of rules that would be most beneficial to someone that uses their system for browsing only (no email, IRC, chat etc.). I'd like everything else (all ports, protocols, adapters, MAC, IPs, ActiveX, Java etc.) excluded. Are there any rules available that you would consider to be especially useful for this scenario? In a nutshell, I'd like my web port open only for the instant it sends/receives traffic, and airtight at all other times along with all unnecessary traffic and services.
    LnS is a terrific firewall, and I've used 4 others for a significant period in the past.
    Thank you.

    PS. I'm also interested in rules that would recognize an attacker that is targeting my machine, where I'm the victim.
     
  18. ellena

    ellena Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    6
    Phantom,

    How can I get your latest ruleset?
    Is it V6? I have V5.
     
  19. ellena

    ellena Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    6
    To:
    Frederic, or anyone that can answer with at least some knowledge,

    I have an attacker that has an ethernet source address of, let's say, 92:F1:20:00:02:00. If I notice that there are several entries in my log with the same ethernet "source address", but different IP addresses and ports, would this mean that the attacks are originating from the same machine (foremost)? And whether or not it's the same machine, could the ethernet "source address" be a faked address?
     
  20. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Phant0m's rule set and instructions on setting it up for your connection can be found here (latest is V6):
    http://www.fluxgfx.com/forum/viewforum.php?f=11&sid=78b9aa73a01494149d4524142d7d311e

    For the most part, MAC addresses (your e.g. was 92:F1:20:00:02:00) are specific per machine. MAC addresses can be changed in some circumstances but it isn't common. An example would be my LinkSys router, which allows you to choose the MAC address it uses.

    The ARP plug-in for LnS shows some more information on packets. ARP stands for Address Resolution Protocol:
    http://www.inetdaemon.com/tutorials/lan/arp.html
    http://www.fluxgfx.com/forum/viewtopic.php?t=49
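The grouping ellena describes (many log entries sharing one Ethernet source address but carrying different IP addresses), as an added Python example that is not part of the thread or of Look 'n' Stop. The log lines and their layout are constructed for this example. The caveat it encodes: a frame that arrived from the Internet carries the Ethernet source address of the last hop, normally your own router, so many unrelated remote IPs sharing that one MAC is expected and identifies nothing about the remote machine; the source MAC only points at a sender on your local segment, and even there it is a software-settable field.

```python
import re
from collections import defaultdict

# Constructed log lines (not real Look 'n' Stop output): rule name, direction,
# Ethernet source address, IP source:port, protocol/destination port.
LOG = """\
Block all in 92:F1:20:00:02:00 203.0.113.7:4455 TCP/135
Block all in 92:F1:20:00:02:00 198.51.100.23:1040 TCP/445
Block all in 92:F1:20:00:02:00 203.0.113.9:3333 UDP/137
Block all in 00:1A:2B:3C:4D:5E 192.168.1.20:2048 TCP/139
Block all in 00:1A:2B:3C:4D:5E 192.168.1.77:2049 TCP/139
"""
LINE = re.compile(r"^(?P<rule>.+?) (?P<dir>in|out) (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) "
                  r"(?P<ip>[\d.]+):(?P<sport>\d+) (?P<proto>\w+)/(?P<dport>\d+)$")

def group_by_mac(text):
    """Map each Ethernet source address to the distinct IPs and target ports seen."""
    groups = defaultdict(lambda: {"ips": set(), "ports": set(), "hits": 0})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue          # skip lines that do not fit the constructed layout
        g = groups[m["mac"]]
        g["ips"].add(m["ip"])
        g["ports"].add(f"{m['proto']}/{m['dport']}")
        g["hits"] += 1
    return dict(groups)

def interpret(groups, gateway_mac):
    """State what a shared source MAC does and does not tell you; gateway_mac is
    the MAC of your own router, which you read from its admin page (assumption)."""
    notes = {}
    for mac, g in groups.items():
        if mac == gateway_mac:
            # Frames from the Internet carry the last-hop router's MAC, so the
            # remote IPs behind it are unrelated machines, not one attacker.
            notes[mac] = "gateway MAC: remote senders, IPs are independent"
        elif len(g["ips"]) > 1:
            # A LAN sender using several IPs, or a changed MAC field; the MAC
            # alone cannot tell which, so correlate with the ARP plug-in view.
            notes[mac] = "local MAC with several IPs: inspect ARP traffic"
        else:
            notes[mac] = "local MAC, single IP"
    return notes
```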
     
  21. ellena

    ellena Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    6
    AJohn, thanks for that response. I'll see what's included in Phant0m's v6 ruleset.
     