Sygate Question

Discussion in 'other firewalls' started by snowboard, Jun 26, 2005.

Thread Status:
Not open for further replies.
  1. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    I've been using Sygate Personal Firewall Pro for a while and can't find an option to block ping/icmp attacks. Does anyone know a rule I can create so it will block them?

    Regards,

    snowboard
     
    Last edited: Jun 26, 2005
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Does Sygate not block this by default? Are you seeing ICMP permitted that you do not want?
    You may need to check your application rules. Advanced rules could be created that would be applied before anything else.

    Regards,

    CrazyM
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Sygate does indeed block icmp type 8 inbound, not sure about the other types though. To configure it yourself, you would just create advanced rule(s) yes.. I think the free Sygate has a rule limit, but there should be plenty of room for a few icmp rules.

    I would allow 8 out, and perhaps 3 out to dns servers.
    And I would allow 0, 3, 11 inbound.
    Block all other icmp both directions.
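    The rule set in the post above, written out as a first-match policy so it can be checked against sample traffic. This is an added example, not Sygate's rule engine or any code from the thread; it matches on ICMP type only (the thread later notes Sygate cannot match codes), and the resolver addresses and sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# ICMP type numbers named in the thread (IANA assignments).
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Constructed sample resolver addresses (RFC 5737 documentation range).
DNS_SERVERS = frozenset({"192.0.2.53", "198.51.100.53"})


@dataclass(frozen=True)
class IcmpPacket:
    direction: str      # "in" or "out"
    icmp_type: int
    remote: str         # the far end: destination for "out", source for "in"


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "block"
    direction: Optional[str] = None      # None matches both directions
    types: Optional[frozenset] = None    # None matches every ICMP type
    remotes: Optional[frozenset] = None  # None matches any remote address

    def matches(self, pkt: IcmpPacket) -> bool:
        return ((self.direction is None or self.direction == pkt.direction)
                and (self.types is None or pkt.icmp_type in self.types)
                and (self.remotes is None or pkt.remote in self.remotes))


# First-match rule list in the order the post gives it; the final
# catch-all is "block all other icmp both directions".
KERODO_RULES = [
    Rule("allow", "out", frozenset({ECHO_REQUEST})),
    Rule("allow", "out", frozenset({DEST_UNREACHABLE}), DNS_SERVERS),
    Rule("allow", "in", frozenset({ECHO_REPLY, DEST_UNREACHABLE, TIME_EXCEEDED})),
    Rule("block"),
]


def decide(pkt: IcmpPacket, rules=KERODO_RULES) -> str:
    """Return the action of the first matching rule; order is significant."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"   # unreachable with a catch-all present, kept as a safe default


def evaluate(packets, rules=KERODO_RULES):
    """Return (packet, decision) pairs so a rule set can be reviewed in bulk."""
    return [(pkt, decide(pkt, rules)) for pkt in packets]


# Constructed traffic sample exercising every branch of the rule set.
SAMPLE = [
    IcmpPacket("out", ECHO_REQUEST, "203.0.113.7"),       # our own ping: allowed
    IcmpPacket("in", ECHO_REPLY, "203.0.113.7"),          # its reply: allowed
    IcmpPacket("in", ECHO_REQUEST, "203.0.113.9"),        # someone pinging us: blocked
    IcmpPacket("in", TIME_EXCEEDED, "203.0.113.1"),       # traceroute hop answer: allowed
    IcmpPacket("out", DEST_UNREACHABLE, "192.0.2.53"),    # unreachable to a resolver: allowed
    IcmpPacket("out", DEST_UNREACHABLE, "203.0.113.9"),   # same type to anyone else: blocked
    IcmpPacket("in", 13, "203.0.113.9"),                  # timestamp request: blocked
]

if __name__ == "__main__":
    for pkt, action in evaluate(SAMPLE):
        print(f"{pkt.direction:>3} type {pkt.icmp_type:>2} {pkt.remote:<14} -> {action}")
```

    Reordering the list changes the outcome, which is the point of the "applied before anything else" remark about advanced rules earlier in the thread: a catch-all block placed first would silence every later allow.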
     
  4. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    First off I'm on dial up, XP SP1, bandwidth 85-90 Kb (average), using Sygate Free 5.5 build 2710.
    Are you seeing any outbound ICMP in your Traffic Log after a cold boot? I do, from svchost.exe, with XP. So I have svchost.exe blocked in the Application Rules.
    If you block svchost in Application Rules then you must create Advanced Rules for UDP services, like DNS, NTC, etc. which are child processes of svchost.exe. Broadband has other UDP services that must be allowed, which one(s), I don't know. Also make sure that under Applications, within the Advanced Rules tab, that you select svchost.exe for DNS, NTC, etc.
    Depending on what software you run you may get by with blocking all ICMP, but some programs must use ICMP, mainly pinging utilities, like Ping Plotter, IMHO a "must have".
    I don't know why you're being pinged that frequently. I never am, on dial up.
    You can of course disable the ICMP protocol by going to the Advanced Rules window and creating a global rule, which overrides all application rules.
    Final thought, deny every program in the Application Rules to "act as server". This may break some programs, depending on your apps, but if so then immediately check your Traffic Log for the block and then allow "act as server".
    Hope this helps.
     
  5. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Snowboard,

    The "correct" configuration of ICMP filters in a firewall is hotly debated. The problem is that ICMP are the "control messages" for TCP/IP. If you block some incoming ICMP, then you will break communication.

    The absolute minimum ICMP traffic to allow is the packets dealing with TCP path MTU discovery. Fragmenting a stream is more efficient at the TCP layer rather than the IP layer, so the TCP layer will try to discover when IP packets are being inadvertently fragmented. They do this by setting the "DF" (Don't Fragment) on all outgoing packets. When a router cannot forward the packet because it is too big, rather than fragmenting it, it sends back a "fragmentation needed" ICMP packet (type=3/code=4). The TCP stack then starts sending smaller IP packets, segmenting the data at the TCP layer rather than allow routers to fragment at the IP layer. Therefore, firewalls must be configured to allow incoming ICMP type=3, code=4 packets.

    Quoted from this web site. A lot of good info on this site.

    Regards,

    Jaws
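    The exchange the quoted passage describes, as an added simulation that is not part of the post or the site it quotes: a sender with DF set, a path whose links have constructed MTUs, routers answering an oversized packet with ICMP type 3 code 4 carrying the next-hop MTU (RFC 1191), and a host firewall that either passes or drops that message. Packet sizes, path, and retry limit are assumptions for the model.

```python
IPV4_HEADER = 20
TCP_HEADER = 20
FRAG_NEEDED = (3, 4)     # ICMP type 3, code 4: fragmentation needed and DF set


def forward_df_packet(size, path_mtus):
    """Walk a DF-flagged packet of `size` bytes along the path.

    Returns None if every link carries it, otherwise (hop_index, icmp) where
    icmp = (type, code, next_hop_mtu) is what the router at that hop sends back.
    """
    for hop, mtu in enumerate(path_mtus):
        if size > mtu:
            return hop, (FRAG_NEEDED[0], FRAG_NEEDED[1], mtu)
    return None


def tcp_transfer(payload_len, path_mtus, firewall_passes_frag_needed, max_retries=3):
    """Send payload_len bytes with path MTU discovery and report what happened.

    firewall_passes_frag_needed models the host firewall: True lets inbound
    ICMP 3/4 reach the stack, False drops it (the case the post warns about).
    The stack starts from its own link MTU and never lets routers fragment.
    """
    pmtu = path_mtus[0]
    sent = delivered = frag_needed_seen = 0
    retries = 0
    offset = 0
    while offset < payload_len:
        mss = pmtu - IPV4_HEADER - TCP_HEADER        # segment at the TCP layer
        chunk = min(mss, payload_len - offset)
        size = chunk + IPV4_HEADER + TCP_HEADER
        sent += 1
        result = forward_df_packet(size, path_mtus)
        if result is None:
            delivered += 1
            offset += chunk
            retries = 0
            continue
        _hop, (_type, _code, next_hop_mtu) = result
        if not firewall_passes_frag_needed:
            # The error never reaches the stack, so it retransmits the same
            # size until it gives up: a PMTU black hole.
            retries += 1
            if retries > max_retries:
                return {"delivered": False, "pmtu": pmtu, "segments_sent": sent,
                        "segments_delivered": delivered,
                        "frag_needed_seen": frag_needed_seen}
            continue
        frag_needed_seen += 1
        pmtu = next_hop_mtu          # shrink segments instead of fragmenting
    return {"delivered": True, "pmtu": pmtu, "segments_sent": sent,
            "segments_delivered": delivered, "frag_needed_seen": frag_needed_seen}


# Constructed path: local Ethernet, then two narrower links, then Ethernet again.
PATH = [1500, 1400, 1280, 1500]

if __name__ == "__main__":
    print("ICMP 3/4 allowed :", tcp_transfer(4000, PATH, True))
    print("ICMP 3/4 blocked :", tcp_transfer(4000, PATH, False))
```

    With the message allowed the sender converges on 1280 after two errors and the 4000-byte payload arrives in four segments; with it blocked the connection never gets past the first full-size segment, which is why "allow inbound ICMP type 3" appears in the rule sets earlier in the thread.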
     
  6. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    To Crazy M and Kerodo:
    One can, with the Sygate build I'm using, in the Advanced Rules with ICMP selected, either permit or block basic, common ICMP traffic, in either direction, or both, but no sub codes. Falls way short of Kerio 2.15 and CHX-I. I'm still tempted to run Sygate and CHX-I in tandem, just for the stateful packet inspection of UDP and ICMP that CHX provides.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I don't think you can set icmp sub codes in Kerio 2. You can in others like Jetico for example.

    CHX and Kerio make a great combo if you don't mind a little double filtering of browser traffic etc. But both are fast and you shouldn't notice any speed degradation. I have run both before with success and liked it..

    I have also run CHX with Sygate.

    In both cases however (CHX/Sygate and CHX/Kerio), Kerio or Sygate will get the traffic first and filter it before CHX. Then, when you check the CHX logs, you will see an occasional packet blocked due to CHX's slightly stricter SPI.
     
  8. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    To Jaws:
    You are absolutely correct. ICMP is the Net's "troubleshooter". However, with Sygate, I cannot allow it to be a "troubleshooter", as I can with the other programs mentioned above.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Speaking of Sygate, does anyone know what's up with Sygate Pro 5.6? I checked their forum and there's no posts on the beta for over a month now. And it looks like the current beta is 2-3 months old. But when you download it, it says it's good for 30 days.

    Does anyone know if they have abandoned the home market completely? Or if there is any work being done on the Pro 5.6 at all? Not to mention there has been no comment on the age old loopback issue either.
     
  10. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    To Kerodo:
    CHX-I's SIP with Sygate for TCP, UDP, ICMP? All or just maybe ICMP and UDP?
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Sygate has TCP SPI only, right? CHX has TCP SPI and also UDP and ICMP pseudo SPI. So I would think that CHX would complement Sygate a little. I did run both here so I know they can coexist ok. Sygate seemed to filter packets first, then CHX. Occasionally you would see a packet or two in the CHX logs that Sygate either missed or didn't handle as well as CHX.
     
  12. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    To Kerodo,
    Yes, TCP SPI only with Sygate, and all other software firewalls, except for CHX-I, as far as I can determine. Anyone know otherwise, please post with documentation.
    Maybe Stephan will reply.
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I can't post documentation (because I'm lazy :)), but many of the other firewalls have SPI or pseudo SPI for UDP also. A few examples are Kerio 4, Jetico, ZA, Outpost Pro, there are also more I'm sure. It is more common to have than to not have these days...
     
  14. dholiday

    dholiday Registered Member

    Joined:
    Nov 4, 2004
    Posts:
    48
    I'm lazy too, lol.
    I'm going to try Sygate with CHX's SPI for ICMP and UDP only, with all packet rules deleted. Have you tried this?
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    If you want simple for CHX, I'd try downloading the sample rule set on their web site, and then turn on SPI for TCP/UDP/ICMP (and logging) in Interface Properties. That will allow all outbound and only what SPI allows inbound. You can control outbound with Sygate's app control.
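    What "pseudo SPI" for UDP and ICMP amounts to, for the two posts above that describe it (CHX tracking UDP and ICMP state, and the "allow all outbound, only what SPI allows inbound" setup): a state table keyed on outbound UDP flows and echo identifiers, with inbound packets admitted only when they answer something the host sent. This is an added illustration, not CHX-I's or Sygate's implementation; the timeouts, addresses and packet sequence are constructed.

```python
from dataclasses import dataclass
from typing import Optional

UDP_IDLE_TIMEOUT = 30.0    # seconds; constructed, not any product's default
ICMP_IDLE_TIMEOUT = 10.0
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp" or "icmp"
    direction: str              # "in" or "out"
    src: str
    dst: str
    sport: int = 0              # UDP ports; 0 for ICMP
    dport: int = 0
    icmp_type: int = -1
    icmp_id: int = 0            # echo identifier
    quoted: Optional["Packet"] = None   # ICMP errors quote the packet they answer


class PseudoSpi:
    """Allow all outbound; admit inbound UDP/ICMP only when it matches tracked state."""

    def __init__(self):
        self.udp = {}    # (local_ip, local_port, remote_ip, remote_port) -> expiry
        self.echo = {}   # (remote_ip, icmp_id) -> expiry
        self.blocked = []

    @staticmethod
    def _udp_key(p):
        # Normalise to (local, remote) regardless of direction.
        return ((p.src, p.sport, p.dst, p.dport) if p.direction == "out"
                else (p.dst, p.dport, p.src, p.sport))

    @staticmethod
    def _alive(table, key, now):
        expiry = table.get(key)
        if expiry is None:
            return False
        if expiry < now:
            del table[key]             # lazily expire stale entries
            return False
        return True

    def _quoted_flow_known(self, err, now):
        q = err.quoted
        if q is None or q.direction != "out":
            return False
        if q.proto == "udp":
            return self._alive(self.udp, self._udp_key(q), now)
        if q.proto == "icmp" and q.icmp_type == ECHO_REQUEST:
            return self._alive(self.echo, (q.dst, q.icmp_id), now)
        return False

    def filter(self, p, now):
        verdict = self._decide(p, now)
        if verdict == "block":
            self.blocked.append((now, p.proto, p.src, p.dst, p.icmp_type))
        return verdict

    def _decide(self, p, now):
        if p.direction == "out":
            if p.proto == "udp":
                self.udp[self._udp_key(p)] = now + UDP_IDLE_TIMEOUT
            elif p.proto == "icmp" and p.icmp_type == ECHO_REQUEST:
                self.echo[(p.dst, p.icmp_id)] = now + ICMP_IDLE_TIMEOUT
            return "allow"          # outbound is left to application control
        if p.proto == "udp":
            key = self._udp_key(p)
            if self._alive(self.udp, key, now):
                self.udp[key] = now + UDP_IDLE_TIMEOUT   # refresh on reply traffic
                return "allow"
            return "block"
        if p.proto == "icmp":
            if p.icmp_type == ECHO_REPLY:
                return "allow" if self._alive(self.echo, (p.src, p.icmp_id), now) else "block"
            if p.icmp_type in (DEST_UNREACHABLE, TIME_EXCEEDED):
                return "allow" if self._quoted_flow_known(p, now) else "block"
        return "block"              # unsolicited echo requests and anything unmodelled


def demo():
    """Constructed sequence: a DNS lookup, a ping, and several unsolicited packets."""
    spi = PseudoSpi()
    dns_q = Packet("udp", "out", "10.0.0.5", "192.0.2.53", 50123, 53)
    ping = Packet("icmp", "out", "10.0.0.5", "203.0.113.7", icmp_type=ECHO_REQUEST, icmp_id=0x1234)
    stray = Packet("udp", "out", "10.0.0.5", "198.51.100.7", 40000, 123)   # never sent
    return [
        spi.filter(dns_q, 0.0),
        spi.filter(Packet("udp", "in", "192.0.2.53", "10.0.0.5", 53, 50123), 0.1),
        spi.filter(Packet("udp", "in", "203.0.113.9", "10.0.0.5", 53, 50123), 0.2),
        spi.filter(ping, 1.0),
        spi.filter(Packet("icmp", "in", "203.0.113.7", "10.0.0.5", icmp_type=ECHO_REPLY, icmp_id=0x1234), 1.05),
        spi.filter(Packet("icmp", "in", "203.0.113.7", "10.0.0.5", icmp_type=ECHO_REPLY, icmp_id=0x9999), 1.1),
        spi.filter(Packet("icmp", "in", "203.0.113.9", "10.0.0.5", icmp_type=ECHO_REQUEST, icmp_id=7), 2.0),
        spi.filter(Packet("icmp", "in", "203.0.113.1", "10.0.0.5", icmp_type=TIME_EXCEEDED, quoted=ping), 2.5),
        spi.filter(Packet("icmp", "in", "203.0.113.1", "10.0.0.5", icmp_type=DEST_UNREACHABLE, quoted=stray), 3.0),
        spi.filter(Packet("udp", "in", "192.0.2.53", "10.0.0.5", 53, 50123), 100.0),   # entry expired
    ]


if __name__ == "__main__":
    print(demo())
```

    The last entry shows the part static rules cannot express: the same resolver reply that was admitted at 0.1 s is dropped at 100 s because the flow has idled out, which is the "stricter" behaviour Kerodo describes seeing in the CHX logs.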
     
  16. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    Thanks everyone for your input but can someone tell me exactly (step-by-step) how to block icmp by making an advanced rule.

    Regards,

    snowboard
     
    Last edited: Jun 26, 2005
  17. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    Does Outpost Firewall Pro have an option to block icmp/ping attacks? Or do you have to make a rule for that?

    Regards,

    snowboard
     
  18. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Snowboard - Outpost Pro has the option of turning on or off all the various icmp types without having to use rules. It's very simple.

    Sorry, I can't give you a step-by-step for Sygate since I'm not running it now and don't remember all the options and so on.
     
  19. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    Is Outpost Personal Firewall Pro better than Sygate Personal Firewall Pro?

    Regards,

    snowboard
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    That's a tough question. My vote would be yes..
     
  21. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You still have not mentioned if something is currently being permitted you do not want. Do you need an advanced rule at this point, or modification of one of your application rules?

    Rules wizards are usually fairly intuitive and for Sygate should be something like:
    Tools > Advanced Rules > Add > Deny Inbound > Ports and Protocols > ICMP

    Regards,

    CrazyM
     
  22. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    I need for someone to help me make an advanced rule for blocking icmp attacks.

    Regards,

    snowboard
     
  23. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    I just switched over to Outpost to try. And I see the ICMP settings, now what is a good way to set that up?

    Regards,

    snowboard
     
    Last edited: Jun 27, 2005
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    The defaults are pretty good. You might just go with that and see how it goes...
     
  25. snowboard

    snowboard Registered Member

    Joined:
    May 25, 2005
    Posts:
    160
    Is that the way you have it? Right now I'm on defaults.

    Regards,

    snowboard
     