What is the processing order of rules and Highlighting questions

Discussion in 'LnS English Forum' started by act8192, Jul 17, 2011.

Thread Status:
Not open for further replies.
  1. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    I can't find the answers in the Help file.

    (1) What is the processing order of rules when DLLs, Applications(some with IP and remote port restrictions) and Internet rules (some with applications linked in) are active?
    Some of it I can figure out by trial and error and logging an enormous amount of stuff, but it's an unwieldy process. Especially that rule making for me is not all that intuitive here.

    (2) Is there any way to color the dropped U- and D- packets without major changes to the GUI, something a user could do?
    And could we color in (D) differently from out (U), green and pink, Kerio-like?
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Application connecting or listening, or launching another one that will connect

    1 - Is the parent exe allowed to start the exe that is connecting
    2 - Is the exe allowed to connect
    3 - Are the DLLs involved in the connection allowed (DLL filtering not available for 64-bits)
    4 - Is the connection allowed through Application Filtering - 'Ports and IP address selection'
    5 - Is the connection allowed with the Packet Filter (Internet Filtering)
    6 - Is the connection allowed through TCP SPI & pseudo-stateful
    7 - Is the non-standard protocol driver allowed through Protocols Filtering
    8 - Packet has successfully left the building ... (to Internet)
     
    Last edited: Jul 18, 2011
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    Thank you so much!
    Just to make sure, let's say the answer to 4 is not allowed. We stop and block. We do not go into packets' step 5 and the rest. Correct?
    If so, does it make sense, then, to add applications to, let's say, one of those Http rules? Why or why not?

    Regarding DLLs. There's no way I could determine if a DLL is allowed. I know a few of them, but not enough to cover the whole thing. Does LnS tell me?
    The other day, for instance, I allowed (in SSM) IE to go on the web. Normally here IE is only allowed the day I run M$ patches. So ieframe.dll wanted to connect. I allowed, I had to. But that's the sort of user lack of knowledge I have trouble with. At this point I don't have LnS running. Still scared of rule making, but trying to learn so when I start it up again, I'll know a few things more.
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Correct for your first question.

    Associating application to rule will have the rule enabled when application is running and connecting or listening, just think of opening the house door in the summer and closing the door to keep the flies out.

    Regarding DLL filtering, ... this is what Look ‘n’ Stop does, to determine if it allows, blocks or prompts when this feature is enabled. If it's blocked at this stage, the processing stops cold there, so no moving to stage 4 and onward.
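
The stage order listed earlier in the thread and the stop-on-block behaviour confirmed here, as an added sketch that is not part of the original posts and not Look 'n' Stop code. It is a simplified model of stages 1 to 5 only; the `Policy` fields, the `active_apps` set and all sample names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:  # hypothetical fields: one allow/block answer per modelled stage
    launches: set = field(default_factory=set)     # allowed (parent, child) pairs
    exes: set = field(default_factory=set)         # exes allowed to connect
    blocked_dlls: set = field(default_factory=set)
    app_ports: dict = field(default_factory=dict)  # exe -> allowed remote ports
    packet_rules: list = field(default_factory=list)  # (proto, lo, hi, linked_exe)

@dataclass
class Attempt:
    parent: str
    exe: str
    dlls: tuple
    proto: str
    port: int

def packet_filter(policy, a, active_apps):
    for proto, lo, hi, linked in policy.packet_rules:
        if linked is not None and linked not in active_apps:
            continue  # rule associated with an application that is not active
        if proto == a.proto and lo <= a.port <= hi:
            return True
    return False

def evaluate(policy, a, active_apps):
    """Return (verdict, stage); the first stage that answers 'no' ends processing."""
    ports = policy.app_ports.get(a.exe)  # None means no per-application restriction
    stages = [
        ("1 parent may start exe", lambda: (a.parent, a.exe) in policy.launches),
        ("2 exe may connect", lambda: a.exe in policy.exes),
        ("3 DLLs allowed", lambda: not (set(a.dlls) & policy.blocked_dlls)),
        ("4 application ports/IP", lambda: ports is None or a.port in ports),
        ("5 packet filter", lambda: packet_filter(policy, a, active_apps)),
    ]
    for name, check in stages:
        if not check():
            return ("blocked", name)
    return ("allowed", "handed to stages 6-8")

# Constructed sample policy and attempt (names are illustrative).
POLICY = Policy(
    launches={("explorer.exe", "steam.exe"), ("explorer.exe", "other.exe")},
    exes={"steam.exe", "other.exe"},
    blocked_dlls={"unknown.dll"},
    app_ports={"steam.exe": set(range(27000, 27051))},
    packet_rules=[("udp", 27000, 27050, "steam.exe")],
)
OK = Attempt("explorer.exe", "steam.exe", ("ws2_32.dll",), "udp", 27017)
```

The returned stage name shows which layer to look at in the log when a connection is dropped, instead of finding it by trial and error.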
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    I’ve updated my original post for better clarity.
     
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    Thanks again. Your explanations do make things much clearer. It would be nice if the processing sequence was in the user guide. Perhaps it is, but not obvious to me :(

    Are the DLLs which are listed in the DLL window those that might potentially connect, a subset, or are they all DLLs that application xxx.exe might use?

    I guess no way to do highlighting, my initial item 2. Anything to tweak in the registry?
     
    Last edited: Jul 17, 2011
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Information like this isn’t normally detailed.

    The DLLs listed are the ones that were involved in a connection attempt, unless you added the DLL file manually. They could have been used in A.exe connecting, or B.exe connecting, or C.exe connecting.

    To your original post question #2, no tweak exists for coloring, this requires Frederic to make a change and release a new update.
     
  8. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    hi stem,

    I have a newbie question, but related to the post...
    as I'm very pleased with your ruleset, I can't use it for steam
    so I've allowed port that is used by them and put that on top of your ruleset.
    should I set it on the bottom? or you have a better idea?

    edit: I mean phant0m, sry I was reading stem comments on pure firewall. it was too much and made me dizzy (completely noob alert)
     
    Last edited: Jul 18, 2011
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Stem? :p
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    How many rules for Steam?
    Is a rule for both TCP and UDP protocols?
    Is the rule a server or client rule?

    Sorry for the questions.
     
  11. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    LOL sry pahnt0m my mind is messed up

    ok all I know is that I made custom rule by right clicking on the log
    result :
    "This rule allows your pc to connect to other
    computers on the UDP port 27017."
     
  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    No problem :)

    I would relocate the rule to just above rule named Win.F&P Sharing_NetBIOS (Out)
     
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Is the port 27017udp fixed? Or does Steam use a small range of ports?
     
  14. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    thx for the answer :D
    since my knowledge of firewalls is very limited, perhaps the screenshot will explain:

    (please note that this was made only by right clicking the log for udp, and renaming the ruleset to Steam)
     


  15. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    and also to play counter strike I use a ruleset taken from LnS sites, it contains:


    (where should I put this?)
     


  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Are you planning on associating these applications to rules? Otherwise just the CounterStrike rule will also work for Steam.
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Also I'm reading elsewhere that CounterStrike UDP port range is 27000-27015.
     
  18. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    I see, I'll remove my custom rule for steam and use counter strike instead.
    Will post the result tomorrow :D
     
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    I’d personally associate application to rule, no need for game rules to be still active after game has been closed. ;)
     
  20. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    :ouch: Ok I've done that just now, never realized that can be set that way :p
    Thx phant0m, for being patient with me :D
     
  21. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
  22. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Hi again Phant0m

    thx for the advice, all are working fine now, but I haven't found the best way to add rules

    taken from steam websites :

    Steam Client

    UDP 27000 to 27015 inclusive (Game client traffic)
    UDP 27015 to 27030 inclusive (Typically Matchmaking and HLTV)
    TCP 27014 to 27050 inclusive (Steam downloads)
    UDP 4380


    right now I only allow UDP from 27000 to 27050 when steam is running
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You could change the UDP rule to "TCP or UDP" (which would then allow those TCP outbound: just make sure the rule is placed below the "Block incoming connections"), then add a rule for UDP port 4380.


    - Stem
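
A coverage check for the port list and rule change discussed above, as an added example that is not part of the original posts. It compares only protocol and remote port, ignoring direction and rule position; the rule tuples are a constructed model, not Look 'n' Stop's rule format.

```python
# Required ranges are the Steam list quoted in the thread.
REQUIRED = [("udp", 27000, 27015), ("udp", 27015, 27030),
            ("tcp", 27014, 27050), ("udp", 4380, 4380)]
# Constructed models of the single UDP rule in use and of the suggested change.
CURRENT = [({"udp"}, 27000, 27050)]
SUGGESTED = [({"tcp", "udp"}, 27000, 27050), ({"udp"}, 4380, 4380)]

def to_ports(rules):
    """Expand (protocols, lo, hi) rules into a set of (proto, port) pairs."""
    return {(proto, port)
            for protos, lo, hi in rules
            for proto in protos
            for port in range(lo, hi + 1)}

def to_ranges(pairs):
    """Collapse (proto, port) pairs back into sorted (proto, lo, hi) ranges."""
    out = []
    for proto, port in sorted(pairs):
        if out and out[-1][0] == proto and out[-1][2] == port - 1:
            out[-1] = (proto, out[-1][1], port)  # extend the open range
        else:
            out.append((proto, port, port))
    return out

def audit(required, rules):
    """Report required ports no rule allows, and allowed ports nothing requires."""
    need = to_ports([({proto}, lo, hi) for proto, lo, hi in required])
    allow = to_ports(rules)
    return {"missing": to_ranges(need - allow),
            "extra": to_ranges(allow - need)}

if __name__ == "__main__":
    for label, rules in (("current", CURRENT), ("suggested", SUGGESTED)):
        print(label, audit(REQUIRED, rules))
```

The "extra" ranges are ports the rule opens beyond the published list, which is the cost of using one wide range instead of one rule per entry.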
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Sorry

    :D


    - Stem
     
  25. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Ok I will try that, thx stem :D

    LOL, sry I'm just a noob, this is my first time setting firewall rules :argh:
    Thx again for the info and knowledge
     