Sygate Question

Discussion in 'other firewalls' started by snowboard, Jun 26, 2005.

Thread Status:
Not open for further replies.
  1. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    Ive been using Sygate Personal Firewall Pro for awhile and cant find an option to block ping/icmp attacks. Does anyone know a rule I can create so it will block them?

    Regards,

    snowboard
     
    Last edited: Jun 26, 2005
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Does Sygate not block this by default? Are you seeing ICMP permitted that you do not want?
    You may need to check your application rules. Advanced rules could be created that would be applied before anything else.

    Regards,

    CrazyM
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Sygate does indeed block icmp type 8 inbound, not sure about the other types though. To configure it yourself, you would just create advanced rule(s) yes.. I think the free Sygate has a rule limit, but there should be plenty of room for a few icmp rules.

    I would allow 8 out, and perhaps 3 out to dns servers.
    And I would allow 0, 3, 11 inbound.
    Block all other icmp both directions.
     
  4. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    First off I'm on dial up, XP SP1, bandwidth 85-90 Kb (average), using Syagte Free 5.5 build 2710.
    Are you seeing any outbound ICMP in your Traffic Log after a cold boot? I do, from svchost.exe, with XP. So I have svchost.exe blocked in the Application Rules.
    If you block svchost in Application Rules then you must then create Advanced Rules for UDP services, like DNS, NTC, etc. which are child processes of svchost.exe. Broadband has other UDP services that must be allowed, which one(s), I don't know. Also make sure that under Applications, within the Advanced Rules tab, that you select svchost.exe for DNS, NTC, etc.
    Depending on what software you run you may get by with blocking all ICMP, but some programs must use ICMP, mainly pinging utilites, like Ping Plotter, IMHO a "must have".
    I don't know why you're being pinged that frequently. I never am, on dial up.
    You can of course disable the ICMP protocol by going to the Advanced Rules window and create a global rule, which overides all application rules.
    Final thought, deny every program in the Application Rules to "act as server". This may break some programs, depending on your apps, but if so then immediately check your Traffic Log for the block and then allow "act as server".
    Hope this helps.
     
  5. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Snowboard,

    The "correct" configuration of ICMP filters in a firewall is hotly debated. The problem is that ICMP are the "control messages" for TCP/IP. If you block some incoming ICMP, then you will break communication.

    The absolute minimum ICMP traffic to allow is the packets dealing with TCP path MTU discovery. Fragmenting a stream is more efficient at the TCP layer rather than the IP layer, so the TCP layer will try to discover when IP packets are being inadvertently fragmented. They do this by setting the "DF" (Don't Fragment) on all outgoing packets. When a router cannot forward the packet because it is too big, rather than fragmenting it, it sends back a "fragmentation needed" ICMP packet (type=3/code=4). The TCP stack then starts sending smaller IP packets, segmenting the data at the TCP layer rather than allow routers to fragment at the IP layer. Therefore, firewalls must be configured to allow incoming ICMP type=3, code=4 packets.

    Quoted from This this web site. Alot of good info on this site.

    Regards,

    Jaws
     
  6. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    To Crazy M and Kerodo:
    One can, with the Sygate build I'm using, in the Advanced Rules with ICMP selected, either permit or block basic, common ICMP traffic, in either direction, or both, but no sub codes. Falls way short of Kerio 2.15 and CHX-I. I'm still tempted to run Sygate and CHX-I in tandem, just for the stateful packet inspection of UDP and ICMP that CHX provides.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I don't think you can set icmp sub codes in Kerio 2. You can in others like Jetico for example.

    CHX and Kerio make a great combo if you don't mind a little double filtering of browser traffic etc. But both are fast and you shouldn't notice any speed degradation. I have run both before with success and liked it..

    I have also ran CHX with Sygate.

    In both cases however (CHX/Sygate and CHX/Kerio), Kerio or Sygate will get the traffic first and filter it before CHX. Then, when you check the CHX logs, you will see an occasional packet blocked due to CHX's slightly stricter SPI.
     
  8. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    To Jaws:
    You are absolutely correct. ICMP is the Net's "troubleshooter". However, with Sygate, I cannot allow it to be a "troubleshooter", as I can with the other programs mentioned above.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Speaking of Sygate, does anyone know what's up with Sygate Pro 5.6? I checked their forum and there's no posts on the beta for over a month now. And it looks like the current beta is 2-3 months old. But when you download it, it says it's good for 30 days.

    Does anyone know if they have abandoned the home market completely? Or if there is any work being done on the Pro 5.6 at all? Not to mention there has been no comment on the age old loopback issue either.
     
  10. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    To Kerodo:
    CHX-I's SIP wth Sygate for TCP, UDP, ICMP? All or just maybe ICMP and UDP?
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Sygate has TCP SPI only, right? CHX has TCP SPI and also UDP and ICMP pseudo SPI. So I would think that CHX would complement Sygate a little. I did run both here so I know they can coexist ok. Sygate seemed to filter packets first, then CHX. Occasionally you would see a packet or two in the CHX logs that Sygate either missed or didn't handle as well as CHX.
     
  12. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    To Keredo,
    Yes, TCP SPI only with Sygate, and all other software firewalls, except for CHX-I, as far as I can determine. Anyone know otherwise, please post with documentation.
    Maybe Stephan will reply.
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I can't post documentation (because I'm lazy :)), but many of the other firewalls have SPI or pseudo SPI for UDP also. A few examples are Kerio 4, Jetico, ZA, Outpost Pro, there are also more I'm sure. It is more common to have than to not have these days...
     
  14. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    I'm lazy too, lol.
    I'm going to try Sygate with CHX's SPI for ICMP and UDP only, with all packet rules deleted. Have you tried this?
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    If you want simple for CHX, I'd try downloading the sample rule set on their web site, and then turn on SPI for TCP/UDP/ICMP (and logging) in Interface Properties. That will allow all outbound and only what SPI allows inbound. You can control outbound with Sygate's app control.
     
  16. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    Thanks everyone for your input but can someone tell me exactly (step-by-step) on how to block icmp by making a advanced rule.

    Regards,

    snowboard
     
    Last edited: Jun 26, 2005
  17. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    Does Outpost Firewall Pro has an option to block icmp/ping attacks? Or do you have too make a rule for that?

    Regards,

    snowboard
     
  18. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Snowboard - Outpost Pro has the option of turning on or off all the various icmp types without having to use rules. It's very simple.

    Sorry, I can't give you a step-by-step for Sygate since I'm not running it now and don't remember all the options and so on.
     
  19. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    Is Outpost Personal Firewall Pro better than Sygate Personal Firewall Pro?

    Regards,

    snowboard
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    That's a tough question. My vote would be yes..
     
  21. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You still have not mentioned if something is currently being permitted you do not want. Do you need an advanced rule at this point, or modification of one of you application rules?

    Rules wizards are usually fairly intuitive and for Sygate should be something like:
    Tools > Advanced Rules > Add > Deny Inbound > Ports and Protocols > ICMP

    Regards,

    CrazyM
     
  22. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    I need for someone to help me make a advanced rule for blocking icmp attacks.

    Regards,

    snowboard
     
  23. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    I just switched over to Outpost to try. And I see the ICMP settings, now what is a good way to set that up?

    Regards,

    snowboard
     
    Last edited: Jun 27, 2005
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    The defaults are pretty good. You might just go with that and see how it goes...
     
  25. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    Is that the way you have it? Right now im on defaults.

    Regards,

    snowboard
     
Loading...
Similar Threads
  1. ttomm1946
    Replies:
    0
    Views:
    521
Thread Status:
Not open for further replies.