Rule Set advice

Discussion in 'LnS English Forum' started by albatross, Jun 21, 2006.

Thread Status:
Not open for further replies.
  1. albatross
    Hello Wilders

    I'm new to the forum and currently trialling LnS. Very impressed so far. I'm using the enhanced rule set (thanks very much for the set up and settings Blackspear), and imported the wifi secure to get connected to the internet.

    I've come to a stop trying to get connected to my desktop at work from home through VPN client software, which I had running before with my previous firewall.

    Can anyone advise which rule set or combination I need to use (and edit if necessary) to get this working?

    Thanks
    o_O
     
  2. Kush
  3. albatross
    Thanks for taking the time to reply to this Kush

    I've tried the IP47.rie rule but it hasn't worked.

    I'm using Cisco VPN Client software (IPSec/UDP transport). On connecting, it tries to initialize continuously, with no screen messages, and nothing appears in the LnS log file during this time.

    I've tried reinstalling the VPN software and a compatibility message appears relating to the LnS driver, so it looks like there is a conflict somewhere.

    Any clues, anyone?

    Thanks in advance.
     
  4. Thomas M
    Is there any LnS user successfully using a VPN together with LnS?

    Our University offers VPN with Cisco software to allow some internal services. They suggest allowing protocol type "50-ESP" and "51-AH" instead of protocol "47". I can select protocol "50", but there is no easy button in LnS for protocol "51".

    I can successfully connect to the endpoint and get an IP from the University, but my browser (Firefox) does not work. In Windows XP I see 2 networks connected at the same time (1. normal WLAN, 2. Cisco VPN network adapter?), and in LnS Options the Cisco VPN adapter is automatically selected.

    When I go to grc.com, it still scans my IP from my local ISP instead of the University IP (is this OK?).

    In their FAQ they suggest not to use any 3rd party firewall besides ZoneAlarm :(

    HELP !!!

    Thanks,
    Thomas :)
     
  5. r_e_endymion
    There is no way to handle a specific protocol not present in the standard rule editor. You have to download the RAW plugin to be able to handle the specific 51 protocol. But the RAW rule editor is not as simple as the standard rule editor.
    To simplify the creation of a RAW rule:
    1. Create a standard rule with a protocol like 50-SIPP-ESP and the other fields (source, destination, etc.) you want.
    2. After the standard rule is created, edit it again with the RAW plugin, and look in the Field (0 to 9) list until you see:
       Field offset
       type IP
       Inbound 9
       Outbound 9
       Field value(s)
       Value1 50
    3. Then you can change Value1 to 51.

    Regards,

    Endy
     
  6. Thomas M
    r_e_endymion,

    Thanks for your advice on how to create a rule for protocol 51.

    1.) So, are you using LnS together with a VPN?

    2.) Any other LnS user doing VPN?

    3.) Which one of the visible "network interfaces" do I need to choose with VPN active:
    (A) The standard connection to my ISP, e.g. WLAN driver (gives me an IP from the ISP)
    (B) Or the so called "Cisco VPN network adapter" (gives me an IP from behind the tunnel??)

    Thanks again for help,
    Thomas
     
  7. r_e_endymion
    Sorry Thomas, but I'm not a VPN user, nor a network god, so I can't help you further. I wish you to find the answers to your questions...
     
  8. Climenole
    Hi Thomas M :)

    Create a new "Test" rule:

    Ethernet type: all
    Protocol: others
    all ports and addresses, local and remote
    incoming and outgoing packets

    Add the cisco program you want to check in this rule.

    Place this rule at the top of the list.

    Save it and restart your PC.

    Check in the log to see the results.

    You may also use the raw log option in the advanced options.
    The raw log may be imported into a spreadsheet such as OO Calc or MS Excel.

    Keep only the entries for your test rules and blocking entries.

    This way you'll be able to create the rules needed for your Cisco stuff.

    :)
     
  9. tristantzara
    Hi guys,

    Yes, I'm using the Cisco client to connect to my university. The problem with the IP one user mentioned could be related to a setting in the Cisco app. For instance, I have two connections in my list, one which applies globally, tunneling everything, and one which only tunnels traffic to university-related IPs, meaning you get an encrypted connection while surfing university sites, but your usual IP while going elsewhere. I think that depends on the authentication settings your university provides you with. I had two different keys for those two options. Also, in the transport tab you should uncheck "allow local LAN access" for the global tunnel and check it for the restricted one. I hope that solves the IP issue.

    The two rules I use are appended, maybe they work for you as well.
    The first is placed right before/above a rule that blocks all UDP in/out, and the second is placed at the end above the block-all-other rule.
    In the applications tab I specified the three Cisco things with the following:

    1. CVPND.exe (look at the screen capture for the apps)
       TCP: 62514, 127.0.0.1
       UDP: 62515;53;500

    2. -

    3. TCP: 62514;62516, 127.0.0.1
       UDP: 62514, -


    As for the interface selection, I usually don't check the Cisco adapter to be filtered since it's encrypted anyway. I temporarily uncheck automatic selection and keep my usual interface to be filtered (WAN miniport etc.).
    I think you can also run a second LnS instance and select the Cisco adapter as well, but I would like to hear from some experts what they think one should do regarding that.

    best regards,

    :)
     
  10. tristantzara
    Oh, Climenole's advice is good, he has a good site with explanations. I used that test rule back when I configured the Cisco client.
     
  11. Thomas M
    Thank you so much "tristantzara" and "Climenole" :)
    I'll give it a try over the weekend.

    Thomas :)
     
  12. Pete99
    Hi Thomas,

    I'm successfully using a VPN with LnS, but it's not from Cisco.

    Regarding the two networks, I think that it's normal for your computer to only use the VPN network when you make connections to specific servers at your university (e.g. their POP3/SMTP servers for email). All other traffic (including grc.com) would go through your regular internet connection. I think that this is the expected behavior, however it probably depends on the features that your university offers you.

    Whenever I need to add complex rules to LnS, I first check if one exists at LnS' website. If not, then I do this in LnS:

    1) Go to the "Internet Filtering" tab and enable logging for each of the rules that Block things. There will be a single exclamation point (!) for those rules after you do this.

    2) Optionally, go to the "Log" tab and click "Remove All".

    3) Use your VPN by trying to do something with your university servers (e.g. downloading new mail into your email client).

    4) Go to the Log tab again. See what LnS has blocked. Right click on the relevant lines and choose "Add Rule".

    5) After it's working, go to the "Internet Filtering" tab and disable logging.

    I don't know if this will work for you, but it has helped me when I needed to create some complex rules.
     
  13. Pete99
    I guess that I repeated what some other people said. That was not my intention. However, perhaps I provided more detailed step-by-step instructions about how to create rules from the Log tab.

    Regarding the two different networks, I don't even see my VPN in LnS in the list of "Network Interfaces". This is perhaps because I only open my VPN connection when I want to use it and I stop my VPN connection as soon as I'm done with it. Perhaps I would have to restart LnS while my VPN is running in order for LnS to see it.

    Since LnS doesn't see my VPN, I assume that LnS is not filtering the traffic. That's okay for me because I completely trust the other computer with which I use the VPN connection.

    However, in your case, you might not trust the university's VPN so much because there might be curious college students on the VPN network who might want to experiment with hacking. :)

    So if I were in your situation, I would have LnS filter both my regular internet connection and the VPN connection.
     