Single Internet Filtering rule for inbound monitoring only?

Discussion in 'LnS English Forum' started by Fad, Jul 9, 2010.

Thread Status:
Not open for further replies.
  1. Fad

    As the title suggests, is there an existing premade (or simple to implement) Internet Filtering rule that will allow for monitoring of inbound requests only?

    I don't understand rulesets at the best of times, and I can't think of how to do this :rolleyes:

    With regard to my thread of a couple of months ago, I did stop using internet filtering (with no problems), but have realised that this will not allow me to simply monitor any inbound attempts that may happen.

    I presume there is a way of doing this with the application of one simple rule?
     
  2. ktango

    Hi Fad,

    Please use the rule as follows:
     

    Attached Files:

    Last edited: Jul 14, 2010
  3. Fad

    Thank you ktango, I have been offline for a while and have only just seen your reply.

    I had an idea it might be something like that, but wasn't confident that it would be correct....

    I will test this later :thumb:
     
  4. Seer

    Hi Fad.

    What exactly do you mean by "inbound requests"?
    The rule posted by ktango will allow and log all inbound packets, and not just requests. If you wish to monitor inbound TCP requests (requests for connection), then you would need to filter that protocol with a SYN flag set, and set that rule for blocking with logging. Normally, besides giving full stealth, that would block and log all SYN requests, but will also defeat the use of any server software (say, a P2P client) if it stands at the top of the ruleset. Of course, all of this is valid only if you have an open connection (as in, no NAT in front).
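
The distinction drawn in the post above, as an added example that is not part of the original thread and is not Look 'n' Stop rule syntax: a Python sketch that reads the TCP flag byte of constructed sample packets and compares a log of every inbound TCP packet with a log of connection requests only. Treating a "request" as SYN set with ACK clear, along with the addresses, ports and function names, are assumptions of this example.

```python
import struct

SYN, ACK = 0x02, 0x10
LOCAL = "192.0.2.10"  # constructed local address (documentation range)

def ip_bytes(addr):
    return bytes(map(int, addr.split(".")))

def build_packet(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP packet (constructed sample, checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def tcp_flags(packet):
    """Return the TCP flag byte, or None if the packet is not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    return packet[ihl + 13] if len(packet) >= ihl + 14 else None

def is_connection_request(packet):
    """A new connection attempt: SYN set, ACK clear (a SYN+ACK is a reply)."""
    flags = tcp_flags(packet)
    return flags is not None and bool(flags & SYN) and not flags & ACK

def inbound_log(packets, local_ip, requests_only):
    """Log (source, destination port) for inbound TCP packets, or requests only."""
    hits = []
    for p in packets:
        if tcp_flags(p) is None or p[16:20] != ip_bytes(local_ip):
            continue  # not TCP, or not addressed to this machine
        if requests_only and not is_connection_request(p):
            continue
        ihl = (p[0] & 0x0F) * 4
        dport = struct.unpack("!H", p[ihl + 2:ihl + 4])[0]
        hits.append((".".join(map(str, p[12:16])), dport))
    return hits

SAMPLE = [  # constructed traffic
    build_packet("198.51.100.7", LOCAL, 40000, 445, SYN),       # unsolicited request
    build_packet("203.0.113.5", LOCAL, 443, 50000, SYN | ACK),  # reply to our request
    build_packet("203.0.113.5", LOCAL, 443, 50000, ACK),        # established traffic
    build_packet(LOCAL, "203.0.113.5", 50000, 443, SYN),        # outbound, ignored
]

if __name__ == "__main__":
    print("all inbound  :", inbound_log(SAMPLE, LOCAL, False))
    print("requests only:", inbound_log(SAMPLE, LOCAL, True))
```
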
     
  5. Fad

    Thanks Seer for the extra info....

    I am in fact behind a router, but initially was curious to see what inbound connections might have been trying to get through past the router (if any are even possible behind a router? I don't know)

    Where you said:
    "you would need to filter that protocol with a SYN flag"
    that actually went right over my head; as I have mentioned, rules creation and the mechanics of them are like black magic to me :blink:

    So would I be correct in thinking that because I am behind a router (NAT?) that it is impossible for any unsolicited inbound connections to occur?

    Either way, the inbound logging rule as shown above will allow me to see what programs I have allowed are getting up to, and the IP addresses of those connecting through those programs :thumb:

    I hope that made some kind of sense as even I started to confuse myself then :)
     
  6. Seer

    Yes. If you are behind a router, then no connection attempts (TCP packets with SYN flag set) will pass to your PC. Routers are specifically set to block these attempts.

    Certainly, if you feel the need to monitor your allowed applications, by all means use the rule posted by ktango.
     
  7. Fad

    Thanks, that's good to know - I was never really sure if that was the case or not.

    That rule above is useful for checking certain programs or just general checking under certain circumstances, not for full-time monitoring... I would be sat here for the rest of my life watching otherwise!

    That was part of the reason I wanted to just not use internet filtering generally, I was constantly checking the logs and getting paranoid - I'm sure I have better things to do :thumb:
     