some question about LnS rule setting & function !

Discussion in 'LnS English Forum' started by -NiCeGuY-, Mar 5, 2007.

Thread Status:
Not open for further replies.
  1. -NiCeGuY-

    -NiCeGuY- Registered Member

    Joined:
    Mar 5, 2007
    Posts:
    79
    Hi! I'm a new user of LnS & firewalls, my version is 2.05p3, I have some questions about firewall rule settings,

    (1) I want to set a rule that just allows browsers (Maxthon, IE7) with ports 80 & 443 & 11999
    (2) set a rule allowing a browser (Firefox) with ports 80 & 443
    (3) set a rule for Y!Messenger & Windows Live Messenger
    (4) do I need to set a rule to protect my PC from an "ARP attack"?
    (5) Spooler SubSystem App, what's that, can I allow it to connect to the internet?
    (6) what's the meaning of "Raw mode"?
    http://i128.photobucket.com/albums/p182/niceguy_hk/b39d5123.jpg
    http://i128.photobucket.com/albums/p182/niceguy_hk/6babefc1.jpg

    In this picture, this box appears in the rule settings. I'm a newbie at firewalls, what's the meaning of those words (URG, ACK, PSH, RST, SYN, FIN)? Can someone explain about it & what their function is? Sorry for my stupid question & please forgive my bad English, because I'm Chinese :D
     
    Last edited: Mar 5, 2007
  2. -NiCeGuY-

    -NiCeGuY- Registered Member

    Joined:
    Mar 5, 2007
    Posts:
    79
    Anyone help me? No one? o_O :'( :'(
     
  3. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi -NiCeGuY- :)


    Create rules like this (in the LnS enhanced rule set):

    R1
    Protocol: TCP
    packets: in and out
    address: from my @IP
    local ports: 1024 to 5000
    remote ports: Equal or 80, 443
    Applications: IE7 , Maxthon

    R2
    Protocol: TCP
    packets: in and out
    address: from my @IP
    local ports: 1024 to 5000
    remote ports: Equal 11999
    Applications: IE7 , Maxthon

    3 remarks:

    1- It's important to add the executables of IE7 and Maxthon in these specific rules.
    They are created for IE7 and Maxthon only, not for all other packets...
    In the rule editing window, click on the "applications..." button,
    and add the IE7 and Maxthon executables from the list on the right to the list on the left.

    2- Place these specific rules immediately before the general rule "allow most common internet applications".

    3- Since these internet applications (IE7 and Maxthon) are managed by
    the general rule "allow most common internet applications", they are not really needed...

    Protocol: TCP
    packets: in and out
    address: from my @IP
    local ports: 1024 to 5000
    remote ports: Equal or 80, 443
    Applications: Firefox

    Place this rule immediately before the general rule "allow most common internet applications".

    For Yahoo:
    the TCP packets are managed by the general rule "allow most common internet applications" (on ports 80, 443 and 5050)
    For the UDP packets you have to create a specific rule for STUN [Simple Traversal of UDP through NATs],
    used by Yahoo and some other instant messaging and VoIP programs...

    Protocol: UDP
    Packets: in and out
    Address: from my @IP
    local ports: 1024 to 5000
    remote ports: 3478
    application: Yahoo messenger

    Place this specific (UDP) rule just after the general rule "allow most common internet applications".

    ARP packets are not routable over the internet.
    There are no such "attacks"...


    This is the Windows service "spooler": it must be allowed by the application filtering,
    and there is no rule needed in the internet filtering.

    This is a Windows service for printers and fax...

    It's a very low level of rule editing (for Ethernet packets, for example).
    There is also a raw mode log: it can be imported in applications like MS Excel or OpenOffice Calc.

    These are the TCP protocol flags.

    To understand this let me give you an example of a browser connection to a web server.

    When you type a Uniform Resource Locator (site name) in the browser, the system:

    1- checks your HOSTS file
    2- makes a Domain Name Server request in UDP to the DNS server port 53 to get the IP address corresponding to this URL
    3- initiates the connection with the TCP protocol from the first available local port (1024 to 5000)
    to the remote port 80 (HTTP)

    Your PC ----------------- The web server (in "listening" state on port 80)

    SYN --------------------->>>

    <<<---------------------- SYN ACK

    ACK --------------------->>>

    Here the connection enters a state called "established".

    A lot of data is exchanged between the local port (say 1247, for example) and the remote port 80:

    Your PC ------------------ The web server

    ACK --------------------->>>

    <<<----------------------- ACK PSH

    ACK ---------------------->>>

    etc.

    Then the connection is closed:

    Your PC ------------------- The web server

    FIN ----------------------->>>

    <<<------------------------ ACK FIN

    ACK ----------------------->>>

    Here the connection enters the different stages of ending the connection:
    "FIN WAIT" then "CLOSED".

    The flag SYN is used to initiate a connection from a "client" to a "server";
    the flag FIN is used to close a connection from a "client" to a "server".

    They can't be sent to a "client".
    If so, this is "illegal" and "abnormal", and the packets with such flags must be blocked...

    All packets must have the flag ACK except the first SYN flag sent to a server by a client
    and the FIN flag sent by a client to a server to close the connection...

    URG : URGent
    ACK : ACKnowledge
    PSH : PuSH
    RST : ReSeT
    SYN : SYNchronised
    FIN : FINished

    The TCP packets with only a flag SYN or FIN are normal only from a client to a server but not the opposite.

    The TCP packets exchanged during the connection have at least one ACK flag...

    The possible combinations of flags are SYN (to the server), FIN (to the server), ACK-SYN, ACK-PSH, ACK-URG, ACK-RST, ACK-FIN and ACK.

    All other combinations are abnormal / illegal and supposed to be from a malicious source, such as TCP packets without any flag, with all flags, or with absurd combinations like SYN-FIN, PSH-URG-FIN, etc.

    Last remarks:
    none of your questions are stupid,
    and your English is excellent as far as I know (since French is my native language, not English).

    :)
     
    Last edited: Mar 8, 2007
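One way to turn the flag rules in the post above into a check, added here as an example and not code from this forum, from Climenole, or from Look 'n' Stop: it decodes the six flag bits from a raw TCP header and marks each packet "normal" or "abnormal" using exactly the combinations the post lists (bare SYN and bare FIN accepted only from client to server; null, all-flags and contradictory sets rejected). The header-building helper, the sample packets, the port numbers and the rule that direction is inferred from destination port 80 are constructed assumptions for the demonstration.

```python
import struct

# TCP flag bits as they sit in the low 6 bits of the header's offset/flags word.
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
FLAG_NAMES = (("URG", URG), ("ACK", ACK), ("PSH", PSH),
              ("RST", RST), ("SYN", SYN), ("FIN", FIN))

# Flag combinations the post lists as normal. SYN alone and FIN alone are
# accepted only when travelling from the client to the server.
NORMAL = {SYN, FIN, ACK | SYN, ACK | PSH, ACK | URG, ACK | RST, ACK | FIN, ACK}
CLIENT_TO_SERVER_ONLY = {SYN, FIN}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Constructed 20-byte TCP header (no options), used only as sample input."""
    offset_flags = (5 << 12) | (flags & 0x3F)      # data offset 5 words, 6 flag bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, 65535, 0, 0)   # window, checksum, urgent pointer


def parse_tcp_header(header):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    src_port, dst_port, _seq, _ack, offset_flags = struct.unpack("!HHIIH", header[:14])
    return src_port, dst_port, offset_flags & 0x3F   # drop data offset and reserved bits


def flag_names(flags):
    """Human-readable list such as ['ACK', 'PSH'] for a flag bitmask."""
    return [name for name, bit in FLAG_NAMES if flags & bit]


def classify(flags, to_server):
    """'normal' or 'abnormal' per the combinations the post enumerates."""
    if flags not in NORMAL:
        return "abnormal"                          # null, all flags, SYN-FIN, PSH-URG-FIN, ...
    if flags in CLIENT_TO_SERVER_ONLY and not to_server:
        return "abnormal"                          # bare SYN or FIN towards a client
    return "normal"


def audit(packets, server_port=80):
    """Classify constructed header samples. Direction is inferred from the
    destination port, an assumption that fits the browser-to-web-server example."""
    results = []
    for header in packets:
        src, dst, flags = parse_tcp_header(header)
        verdict = classify(flags, to_server=(dst == server_port))
        results.append((src, dst, "-".join(flag_names(flags)) or "none", verdict))
    return results


# Constructed sample traffic: the handshake and data phase from the post, plus
# the malformed packets it says a firewall should block.
SAMPLE_PACKETS = [
    build_tcp_header(1247, 80, SYN),              # client opens: normal
    build_tcp_header(80, 1247, SYN | ACK),        # server replies: normal
    build_tcp_header(1247, 80, ACK),              # handshake completes: normal
    build_tcp_header(80, 1247, ACK | PSH),        # data from server: normal
    build_tcp_header(80, 1247, SYN),              # bare SYN towards the client: abnormal
    build_tcp_header(6666, 80, 0),                # no flags at all: abnormal
    build_tcp_header(6666, 80, SYN | FIN),        # contradictory flags: abnormal
    build_tcp_header(6666, 80, 0x3F),             # all flags set: abnormal
]

if __name__ == "__main__":
    for src, dst, names, verdict in audit(SAMPLE_PACKETS):
        print(f"{src:>5} -> {dst:<5} {names:<12} {verdict}")
```

The lookup in `NORMAL` is deliberately a whitelist: anything not explicitly enumerated by the post is treated as abnormal, which is the same posture the post recommends for a firewall rule set.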
  4. -NiCeGuY-

    -NiCeGuY- Registered Member

    Joined:
    Mar 5, 2007
    Posts:
    79
    Climenole, thank you for answering my question very exhaustively. TYVM :thumb:
     