Questions for beginners,.. Ask away

Discussion in 'other firewalls' started by Stem, Jul 31, 2006.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Most outbound ICMP is now blocked by default in most firewalls, as this gives the "stealth mode". This in itself can appear good to the user, but can affect network comms. I personally believe error messages (ICMP code 3) should be allowed out from a user PC, but no doubt others have their own opinion.
    You should allow ICMP on your local LAN, as this is info/comms that is needed for good interaction between your hardware. (Just restrict it to the local LAN. If you have the LAN in trusted, then these comms will be allowed by default.)
     
  2. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you Stem.
    It's been a while since I've looked into firewalls.
    For me, it is usually just get through the configuration process as quickly as possible and move on.
    This thread is a great refresher course.
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You are welcome,
    I am still looking at your other questions, but don't forget, if you can answer/help with a question, please do. (The main aim of this thread is for members to help members.)

    Regards,
    Stem
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hmm, yes, loopback. May I give a link to this, as this may explain it better than I can: Link, but I am willing to discuss.
    Sorry, the only remote loopback I know of is for testing purposes (any more info? (Is this UDP/TCP? Is this possibly a ref to UDP remote, i.e. port to port?))
    I presume you mean the reply to a DNS request (possibly late) that a firewall may drop? Not all firewalls have a direction for UDP comms, so normally a rule to allow comms to the remote DNS server allows the response. Which firewall are you using?

    You can be restrictive to the IP of the server giving the reply (as with outbound policy: allow outbound to DNS server, allow inbound from DNS server).
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Adding specific IP addresses for these rules is not advice I would consider appropriate for a beginner (not least since you need to then spend time explaining how to find these using ipconfig/winipcfg). These addresses may not be under their control (i.e. they may be ISP servers) so they may change without warning, resulting in total loss of connectivity. Advanced users can be expected to troubleshoot and fix this but not beginners.
    Domain names would be better here, as long as the firewall in question supports them (include IP addresses as a fallback).
    Agreed, though others may consider this a privacy risk - hence this rule should be optional.

    Some explanation for each item would be helpful but since this section is catering to beginners and limited to absolutely essential network traffic, I would advise that this be kept as brief as possible - more detailed explanation (and links to Microsoft KB articles) can be addressed in an advanced section.
    A good metaphor (which I try to use in the mention of a doorman above). This does need to be kept brief also though - the guide is going to be long enough without multiple paragraphs explaining every basic term.
    All these should be classed as advanced questions. However "remote loopback" is not a term I would ever expect to encounter for firewalls (I have only seen this with cable testing where the remote end is set up to loopback signals), "DNS loopback" I have never heard of (care to expand on this) and inbound DNS traffic (almost certainly due to slow server response) should really go in the expert section since it would require an explanation of how firewalls process UDP traffic compared to TCP (UDP/TCP descriptions would be advanced/expert).
    Advanced again - and a more detailed description of ICMP should probably be left to the expert section.
    There aren't many cases where definitive advice can be offered since the answer depends on what functions the user needs, what firewall they are using, what version of Windows they are using and what their network setup is. In addition, since malware will often try to use the same (or similar) filenames to Windows system files, the full pathname needs to be included also. My suggestions would be:
    • csrss.exe - Block (connection attempts suggest malware)
    • explorer.exe - Permit Optional (needed for a few functions like verifying DLL digital signatures, but those wishing to avoid Internet Explorer should really block Windows Explorer as well since the two are so closely interlinked).
    • iedw.exe - IE Crash Detection. Don't use IE so can't comment.
    • mdm.exe - Machine Debug Manager. Never encountered this - I'd suspect Block.
    • spoolsv.exe - Spooler SubSystem App - Allow for printing over a network, block otherwise.
    • userinit.exe - Userinit Logon Application - Block.
    • wmplayer.exe - Windows Media Player - Permit Optional, those using this to view streaming media will need to allow it access but it poses a privacy risk since it reports some usage details to Microsoft.
    • winlogon.exe - Windows NT Logon Application - Block, unless your PC is part of a Windows Domain (only likely for business users).
    • drwtsn32.exe - Dr. Watson Postmortem Debugger - I'd say Block on this, since I've never seen it request a network connection.
    • dwwin.exe - Microsoft Application Error Reporting - Permit Optional. Needs access to work, but users may consider it a privacy risk since it would include software/hardware setup in its report to Microsoft.
     
  6. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    The main purpose of remote loopback is providing network administrators the means to test and verify the integrity of the entire link, unlike local loopback, which can test only one side of the link. Remote loopback, which is often used to troubleshoot networks, allows one station to put the other station into a state whereby all inbound traffic is immediately reflected back onto the link.

    So I think it's not a question which concerns firewalls.
     
    Last edited: Aug 5, 2006
  7. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Used to view Virtual servers from within the LAN by their domain name or which allows you to access your local machine by domain name.
    You can use it also to prevent the internal network from trying to resolve to an external ip address.

    Also not for beginner :)
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    O.K., will edit on final.
    There is the problem for "domain names" (and as you mention, beginners would not know this anyway, so no point to mention / leave out?)
    As mentioned, "(users personal choice)". How to word?
    This is a draft, before editing/pinning, so all editing/considerations before the final post are considered.
     
    Last edited: Aug 5, 2006
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
  10. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @stem

    wrt posts 40 & 41: Thank you.

    This thread has exploded :thumb:
    Good info and good crossover observations for me :)
    Good luck with the original project.
    Looks like it might expand a bit!!

    Regards
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    My only hope is that everyone will post, be it question or answer (answers are good). I would just like interaction from all members, and the knowledge that new members can ask questions (some new members think questions should not be asked (too simple)). We all started knowing nothing, let's share what we know now.
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Domain names are a better choice since they are less likely to change over time - the underlying IP addresses need to be checked and updated so I would suggest noting them as a secondary option, e.g. "time.windows.com (if your firewall only allows numeric addresses then this was 207.46.130.100 at the time of writing)".
    In Section E2 of the Outpost Secure Configuration Guide, this is described using "Windows Help may need Web access using svchost for some functions - if you do not intend to use Help (or do not wish Microsoft to know when you do...) then exclude this rule."

    I would suggest having 2 sections for firewall rules - one (which I covered in my draft) covering critical items that have to have access in order to get online and be able to browse websites/review email and a second to cover applications generally. The first list needs to be as short and simple as possible since it is aimed at the new user encountering a prompt for the first time ("Svchost? What's that?") so the more detailed descriptions and "what-if" scenarios should be left to the second list.

    Also we should consider the case of someone with a compromised system installing a firewall, giving some pointers as to what connections may be due to malware.
    Thanks for the posts - based on them I'd suggest those questions fall outside the scope of firewalls completely.
    Good idea - it may be worth having 3 different threads (for Basic, Advanced, Expert) with the first post listing the questions and subsequent ones giving the best answers. However this does mean that you (and other mods) have to do all the work in updating/copying stuff - BTW Devinco has advised of a spelling error, "existance" should be "existence". ;)
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    In my follow up, I only covered options/services/rules included in your post (some to follow). You stated "Allow access for HTTP, HTTPS (to *.microsoft.com) to access online Windows Help (optional)", should this be removed/edited?
    No problem, I will do this.
    Spilling error?
     
    Last edited: Aug 5, 2006
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I wouldn't suggest removing the more detailed explanation, just have it in a later section covering firewall rules in more depth - keep the "essentials" list at the start as short as possible for those wanting a quick answer.
    Nah, I was too cheap to buy him enough beers for that... :D

    Another useful item to have would be a list of all the questions at the start, each linked to the appropriate section later on. This does require "Set Anchor" and "Link to Anchor" vB tags, which are not currently listed in the Wilders vB Code List so we may have to ask LWM to add these. ;)
     
  15. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    I would like to see two links in the 'tutorial' which are helpful regarding our discussion 'Domain names - IP address - Subnets (Netmask)'.

    http://www.dnsstuff.com/
    A lot of tools for investigating DNS/Whois etc.

    http://www.subnetmask.info/
    As the name says, but for more advanced users.
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Domain names are certainly worth a mention (see below), but subnet masks are very much for the expert user. Links to DNSStuff/NWTools (which I prefer since they don't block Tor users) would be better suited for the Advanced section IMHO.

    What are Internet Addresses and Domain Names?

    Every system on the Internet has a unique numeric address which needs to be known before connecting to it (rather like a telephone number). This consists of 4 numbers, each in the range 0-255 - for example 192.168.0.1. However most people find names easier and more meaningful so almost every system has a name also (like wilderssecurity.com) which is known as a Domain Name.

    Before connecting to a Domain Name, your computer must look up this numeric address (known as an Internet Protocol or IP address - wilderssecurity.com had the IP address 65.175.38.194 at the time of writing) and it uses a system called the Domain Name System (DNS) to find this. DNS can be thought of as a giant phone directory split into thousands of sections, spread around the Internet. This is why it is necessary to allow DNS traffic for so many programs.

    Almost all firewalls allow you to set access restrictions by IP address and many allow domain name restrictions also (for example, you could limit your email software to access your ISP email servers only, allowing it to read and send emails while preventing it from contacting any websites linked to in HTML emails, an increasingly popular technique by marketeers for tracking users).

    Note: Due to a shortage of IP numbers, a new addressing system called IPv6 has been created which uses 32 numbers for an address rather than just 4. This is not in widespread use currently (and not many firewalls support it), but this is likely to change in the future.
     
  17. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    How would you set up rules for different firewalls, or better yet, where do you place the rules in the program? Not everyone here uses the same firewall.
    For instance some here use Jetico, OutPost, Look N Stop, Kerio (2.1.5), or Comodo.
    I'm just starting to understand things like DNS, TCP, UDP, remote port, loopback, things like that, but each firewall has a different way of placing these rules in their program, and this is where I get lost.
    I can place the rules within OP and Kerio 2.1.5, but when I use a program like L n S the only thing I can do is use the enhanced settings and leave it at that, but I don't feel as though that is enough. Same thing with Comodo: I look at that program and I'm back to wondering where to place each rule.
    On the OP board I go to the FAQ and Paranoid2000 has an excellent thread for configuring OP, and through here I've been able to set up Kerio.
    It just gets confusing when you try to follow the rules configuration someone has set up for a FW but you can't understand it for another FW.
    Hope I explained this well enough.
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Providing detailed instructions for each firewall would be an enormous task - indeed, each firewall would merit its own FAQ for this. To complicate matters, there is no universal "perfect" setup since factors like network environment (type of ISP, LAN setup), software usage (local proxies pose problems for Sygate and may require special configuration for other firewalls) and privacy/paranoia level (do you really want to be prompted if your ISP DNS server addresses change?) all affect the ideal configuration.

    Should this FAQ reach the point of a detailed ruleset recommendation that can cover 95% of users, that would be a good time to ask experts for each firewall to contribute specific setup instructions. However I suspect this may be some time coming. ;)
     
  19. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    It's you, Stem, and Tommy that deserve the beers! :)

    Many thanks for all the answers. :thumb:

    My mistake with using the loopback term, I was referring to a delayed reply from the DNS server not network diagnostics.

    Until we can create bookmark links within a single post, a workaround might be to break the FAQ into separate posts and create a bookmark link that jumps to the specific post like this:
    https://www.wilderssecurity.com/showthread.php?t=141446#post812166
    Note: this link only works properly (jumping to the post) when you are logged in. If logged out, it will jump to post 1 of the thread.

    Here's one that wasn't answered yet, though it's a hardware question:
    If you are upgrading to Broadband (Cable, DSL, Satellite) and you want to share the connection, then a NAT (Network Address Translation) router with built in network switch is a good idea. Get one with enough ports to connect your computers to start with (maybe 4 or 8 port). You can always buy an additional switch to connect more computers later.
    A router will be much less trouble to share the connection than setting up Windows built in ICS (Internet Connection Sharing).
    No specific recommendations, but Linksys and D-Link make some good products. Unless you will need some high speed VPN (or other fancy features), you don't need to spend a lot on a router.

    I'm surprised at how few people are jumping at the chance to ask you experts questions about firewalls. This forum has always been so helpful and friendly, so why not ask?
    It's not like someone is going to correct their spelling. :D
     
    Last edited: Aug 5, 2006
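    A constructed model, added here and not taken from any post in this thread or from any firewall product, of the UDP DNS reply handling Stem describes in post 4 and the delayed DNS reply Devinco refers to in post 19: a stateful filter admits a reply only while the state entry created by the outbound query is still alive, whereas a firewall with no direction for UDP admits anything arriving from the permitted server and port, late replies and unsolicited packets alike. The addresses, client port and 30-second state timeout are assumed values.

```python
from dataclasses import dataclass

# Constructed addresses (not from the thread): TEST-NET-1 for the DNS server,
# a private LAN address for the client, and an assumed UDP state timeout.
DNS_SERVER = "192.0.2.53"
CLIENT = "192.168.0.10"
UDP_STATE_TIMEOUT = 30.0   # seconds a UDP state entry survives without traffic

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "UDP"

@dataclass(frozen=True)
class Rule:
    """Outbound 'allow comms to remote server' rule, as a user would write it."""
    proto: str
    remote_ip: str
    remote_port: int

class Firewall:
    def __init__(self, stateful: bool, rules):
        self.stateful = stateful
        self.rules = list(rules)
        self.state = {}   # (local_ip, local_port, remote_ip, remote_port) -> expiry

    def _rule_allows(self, remote_ip, remote_port, proto) -> bool:
        return any(r.proto == proto and r.remote_ip == remote_ip
                   and r.remote_port == remote_port for r in self.rules)

    def outbound(self, pkt: Packet, now: float) -> str:
        if not self._rule_allows(pkt.dst_ip, pkt.dst_port, pkt.proto):
            return "DROP"
        if self.stateful:
            # Remember the query so the matching reply can be let back in.
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.state[key] = now + UDP_STATE_TIMEOUT
        return "ALLOW"

    def inbound(self, pkt: Packet, now: float) -> str:
        if not self.stateful:
            # No direction for UDP: the outbound rule also admits anything that
            # arrives from the permitted server/port, solicited or not.
            return "ALLOW" if self._rule_allows(pkt.src_ip, pkt.src_port, pkt.proto) else "DROP"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        expiry = self.state.get(key)
        if expiry is None:
            return "DROP (no matching outbound query)"
        if now > expiry:
            del self.state[key]
            return "DROP (state expired: late reply)"
        del self.state[key]   # one reply per query; later duplicates are dropped
        return "ALLOW"

DNS_RULE = Rule("UDP", DNS_SERVER, 53)

def dns_reply_verdict(stateful: bool, reply_delay: float) -> str:
    """Send one DNS query at t=0 and deliver the reply after reply_delay seconds."""
    fw = Firewall(stateful, [DNS_RULE])
    query = Packet(CLIENT, 51234, DNS_SERVER, 53)
    assert fw.outbound(query, now=0.0) == "ALLOW"
    reply = Packet(DNS_SERVER, 53, CLIENT, 51234)
    return fw.inbound(reply, now=reply_delay)

def unsolicited_verdict(stateful: bool) -> str:
    """A packet that merely claims to come from the DNS server, with no query sent."""
    fw = Firewall(stateful, [DNS_RULE])
    return fw.inbound(Packet(DNS_SERVER, 53, CLIENT, 51234), now=0.0)
```

    The stateless policy is what makes the "allow comms to the DNS server" rule work without an inbound rule, and the unsolicited case shows the cost: anything spoofing the server's address and port is admitted too, while the stateful policy drops both that and the late reply.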
  20. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    I would suggest something like this regarding applications:

    Allow/needed ports:
    TCP local: 100
    TCP remote: 200
    UDP local: 110
    UDP remote: 210
    ICMP: none (well, only needed for applications which need to act as server applications)

    or:

    IP/Host: allow xxx.xxx.xxx (or any) for the following port on TCP: XX and UDP: XX

    Regarding the FWs people have, they can _translate_ it to the rule management they have.

    I think most people are using, if they use one, click-and-go FWs like LS, Norton, etc. That may be a reason. Or in the worst case they don't care :(
     
    Last edited: Aug 5, 2006
  21. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It would work but would be rather messy - vBulletin can handle targeted links (links within a page or post) so it would be better to wait and see if Wilders choose to implement this.
    This is a good point to address, though even general recommendations based on brand can be risky (see Yes, the Linksys WRT54G V5 Really Is a Lousy Router for an example) and satellite/cable users may have a restricted choice.

    I'd therefore suggest splitting Which one should I use? (Is there a 'best'?) into two sections, the existing one subtitled Software Firewalls and adding the following:

    Hardware Firewalls
    With hardware firewalls, the type of Internet connection you use may affect the choice available. While it is possible to have a "2-box" setup with a modem (xDSL, Cable or Satellite) being connected to a router (which has multiple network connections and a firewall), most users would find a single box (providing the connection to their ISP, a firewall plus one or more connections for their PCs) easier to manage. However while such systems are readily available for DSL users (known as DSL routers - ensure you use the correct type like ADSL or SDSL for your connection), cable or satellite users may be limited to routers offered and supported by their ISP. If you use cable or satellite, you should first contact your ISP for advice on supported units.

    Aside from that, most units will provide adequate security from incoming attack - the key features to look out for are:
    • the ability to share an Internet connection (using a technique called NAT - Network Address Translation). Even without a firewall, NAT will block most incoming attacks due to the way it works;
    • a firewall able to provide details of any attacks blocked (and ideally with some visible indicator when this occurs);
    • enough network connections (known as ports) to cover all your computers plus one or two spare for future use;
    • a straightforward and simple way of setting up the router (most can be done using your browser but some have strange interfaces);
    • for wireless networking, comprehensive support for the strongest encryption available (128-bit WEP as a minimum with WPA strongly recommended).
    Some routers offer extra features like virus filters, content blocking (mainly to prevent access to adult websites) or traffic prioritization (also known as Quality of Service). Filtering can be quite easily bypassed so should not be considered a key feature, while prioritization can be done via software also. Faster wireless technologies may be worth paying extra for, but every computer will need a wireless network card that supports the same protocol (e.g. 802.11g, 802.11a or 802.11n).
     
  22. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Hello P2K,

    Thank you for your input. You offer a lot of tremendously sound advice. Regarding the DNS IP address, if one is behind a router like I am, should it not be okay to include the router's IP address (e.g. 192.168.0.1) as the DNS server, since this is the address listed, at least in my case, as the DNS server? Otherwise, I do see your point, because I know that my ISP is always changing their DNS server's primary and secondary IP addresses.
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This is what I was referring to that may need to be edited, not my follow up.
     
  24. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Is it safe to install or reformat/reinstall Windows with the network (LAN) cable plugged into the computer if:

    A. You are the only computer on the LAN connected to a NAT router?

    B. There are multiple computers on the LAN connected to a NAT router which you are pretty sure are clean?
    At least they don't show any obvious signs of infection.

    C. There are multiple computers on the LAN connected to a NAT router and you have no idea if they are clean or not?

    Recommendations on the above for variations of OS: 98, 2000, XP SP1, XP SP2, Vista?
     
  25. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Fair enough - I'd suggest changing "(optional)" to "(optional - allow for online help if you agree to Microsoft collecting system information)". Please also note the suggested additions in posts 66 and 71 - if you wish to avoid doing the edits yourself, you could copy the post into a private thread that we can both access.

    I'm unsure about whether to add processes where connection attempts indicate malware at work (e.g. winlogon, lsass) since this is very much a moving target - more generic advice like "If you don't recognise the file name, block it - if it is legitimate, you should receive an error message giving a better idea of the program responsible whereupon you can change the rule to allow." may be better. Opinions, anyone?
    The last sentence in the first paragraph in "What benefits does it offer?" should cover that.
     