

gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1

reply to wiregauze

Re: Tiny + WebWasher Users

Hey, glad you got it cornered! It takes a while to get comfortable with any firewall, especially one where the rules are as good as your own logic, if you're like me. I haven't found any holes in Tiny, so far, but I've found one or two in my own logic, now and then... a connection to "localhost" is a "loopback" connection, and won't go anywhere except back to your machine. localhost should be mapped in your hosts file, too, to 127.0.0.1 - so calls to "localhost" will always resolve. Great little firewall, isn't it? I've been using it pretty much since it became available just last year, and it's under constant development.

Now, for a little side remark. Bigfix is reputedly a pretty good site, which I've never used, but which others seem to trust. That's a good thing ... because what it does is to load an ActiveX control on your computer to do its scan, and then run the control, ON YOUR MACHINE, to send the data back. Even with a good firewall, you still need to take care with ActiveX, Java and scripting. They can all operate on your machine, and cause a trusted application to send data out for them, or otherwise tamper with your system without anything actually being done "over the internet" except downloading the code in IE or Outlook. Someone else would understand just how bigfix works better than I, but I hope the other stuff's useful to someone... you still have to surf safe and virus scan, even with a good wall.

Again, for others, 127.0.0.1, or localhost, are "loopbacks." They loop right back to your own PC. Localhost can send outgoings to other addresses, but they'll be handled, in due order, the same way as any outgoing traffic by most good firewalls, including Tiny; the first rule only applies if it's FROM a local IP TO localhost. If it's from localhost TO another IP, it's passed down into processing before it's allowed. In essence, the first rule never lets anything leave the local machine Tiny's running on, by itself.

Glad to be of help. With the growing number of Tiny users, it's good that these things are discussed and followed up. Thanks.
--
Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill


wiregauze

join:2001-04-17

gwion, it seems I was wrong again about suspecting cached temp files. I STILL have the same problem.

I already removed rules blocking local 8080 ports, and here's the status at the time of my previous post:
1. Tiny is running as service.
2. Delete rulesets & MD5 for bigfix.
3. Fire up WW.
4. Clean-up Internet temp dir.
5. Start bigfix and click update.
6. bigfix pops up progress box showing server IPs.
7. Right after that, Tiny catches it.
I tried this sequence with or without reboots, and tried rerunning WW and/or bigfix (basically every combination that I can think of). And Tiny caught it every single time. Concluding I have enough data to reason about, I sent out the last post.

BUT, now it happens again! This time, deleting temp files does not work at all:
1. Tiny is running as service.
2. Delete rulesets & MD5 for bigfix.
3. Fire up WW.
4. Clean-up Internet temp dir.
5. Start bigfix and click update.
6. bigfix pops up progress box showing it's accessing 127.0.0.1
7. Tiny stays quiet, although it leaves MD5 in its table.

As I press the update button, I could visually see network activity in win taskbar, LinkSys router, and Cable modem... Since Tiny leaves MD5 on its table, I assume bigfix was allowed to make a connection to WW by default loopback rule.

The picture shows Tiny alert when I UNchecked the allow rule for WW and reran bigfix. Tiny caught WW making a connection. Hmm... WW? Not bigfix? What's going on here...? If it's not Tiny's problem, it would mean WW is to blame. Then ZA users have similar problems...?

I found myself totally confused just when I thought I was confident about firewall stuff.

-- wiregauze


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1

Do you have... OHHH webwasher... proxy server... yeah... I get it, now... I apologize, I missed the forest for the trees!

The connection to 127.0.0.1 is the client app (bigfix) connecting to your proxy server, on your machine. That's normal and OK.

The connection alert is the proxy server asking permission to make access to the internet. Whatever goes through the proxy server will appear as "webwasher", not by name. Running a proxy with a firewall like Tiny is OK, but adds a complex dimension: whatever goes through it won't actually contact Tiny itself, it'll be "proxied" by webwasher.

Needless to say, that means you have to pay close attention to the filters you use IN WEB WASHER, because a rule allowing webwasher will allow EVERYTHING it proxies... this is going to be your call, but I personally decommissioned my own proxy server some time back, for largely this reason. Doesn't mean it can't be done, just that you have to be careful what you proxy.

Now, your problem... and I do apologize for missing this... there's nothing suspect or wrong with the 127.0.0.1 connection; leave those be.

You can do any of the following, now:

Allow or deny the connections on an individual basis (rather tedious)

Allow WebWasher by rule, (and every single app that uses it as a proxy, subject only to the filters in WW) to have access to the web; if you do this, of course, your ruleset might be pretty short... but you lose a lot of Tiny's versatility.

Allow (or deny, as you please) webwasher and go in and uncheck "use a proxy server" in the apps you want to go straight to the firewall, or don't use webwasher... supposedly a good product, though, so you probably do want it. Just pare off anything you want to deny, or deny it in webwasher, if that's possible. Here's an excerpt from the FAQ:

Q: I can no longer get onto the Internet without WebWasher.
A: It seems you have configured your browser and WebWasher manually. To make the browser run without WebWasher again, you will have to undo this manual configuration. Check whether the local proxy address of WebWasher is still entered in your browser. The address is "127.0.0.1" or "localhost" port "8080". Delete this, and replace it with the proxy address of your provider or indicate that you want a direct Internet connection.

We recommend the automatic configuration of WebWasher, because the browser can then establish connections to the Internet with or without WebWasher.

You may want it with IE, since that's where a filter proxy does its best work, but that should give you the idea for any other app...

Not being familiar with WW, I hesitate to tell you to use it or not... that's your call, as is whether or not to allow the outbound connection to bigfix...

However, you can rest assured: contacting localhost (127.0.0.1) is how webwasher (and all local proxy servers, for the most part) works, and nothing ever leaves your machine on that address... it's a strict loopback address. Don't concentrate on that aspect. You have to concentrate on the interrelationship of the proxy and the firewall. It's Tiny that'll get the last word, though. Whatever rule you put in there will control whether and how web washer gets out... hope that was clear enough? Again, I apologize for the confusion... I kept suspecting bigfix... no, it's the proxy server... open 'n' shut! Wish I could help more, but it's really a decision on what to run through webwasher and what not to, which you'll just have to decide... keeping in mind that, if you do allow it without restrictions and run all traffic through it, ANY app connecting through webwasher will be "cloaked" by it at the firewall, and will be passed or denied without regard to what app sent it to webwasher... it just looks like webwasher to Tiny. Hope that helps...
--
Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill



wiregauze

join:2001-04-17

said by gwion:
Do you have... OHHH webwasher... proxy server... yeah... I get it, now... I apologize, I missed the forest for the trees!
I, too, apologize. If I'd made it clear that WW is a proxy server, a lot of confusion wouldn't have been around here. Looks like my original understanding was not far from how things really work.

If I restate the situation:
1. Tiny grants local traffic by default.
2. A proxy server (WW in this case) runs listening on local port 8080.
3. An application (ANY!!!) connects to 8080.
4. Tiny records MD5 and allows it because it's local traffic.
5. The proxy connects to the Net to satisfy the application.
6. Tiny allows the connection because it's WW.

What do we do about this? The problem is WW does not have any ability to check which application is making a connection to 8080 (WW, too, would need MD5 stuff in the end).

When WW starts, it does proxy setup in IE. It looks like the setup is advertised throughout the system, so that any application that tries to make an HTTP connection just knows it should go to the proxy...

You mentioned setting individual applications to make connections directly to the net, but I don't think it's an option because, you know, I'm worried about spyware... If I don't know it is running, how can I set it to bypass the proxy...

So, it seems that I have two options: 1) remove loopback rule, and go through allow/deny work, or 2) allow/deny applications connecting to the proxy.

Option 2) is what I originally did. As you stated, it's tedious work... :( When I set rules as in my first post, when a new application tries to connect to WW, I just get an alert (I checked "alert me" and "log"), not the 'customize option' dialog box. So, I have to manually open Tiny, and insert a new rule. Even worse, I get yet another alert when I don't run WW!

Now, I'm thinking about option 1). I mean, how many loopback-connecting applications are we talking about here? Probably a handful of system processes are all I can think of. I'm going to delete the default loopback rule, and see how many Tiny popups I encounter.

Now, is this a problem if ZA were there instead of Tiny? Does ZA allow local traffic by default? Hmm...

gwion, I'm kind of worried, because, if my original thought is right, then there are many users who have to worry about this.

Am I missing something here...?

Thanks,

-- wiregauze
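
An added example, not part of either poster's message and not code from Tiny or WebWasher: since the firewall only sees the proxy at the egress, one way to learn which applications are hiding behind it is to correlate loopback connections into the proxy port by owning process. It assumes connection-table text in the column layout of Windows `netstat -ano`; the sample rows, PIDs and addresses are constructed.

```python
import re
from collections import defaultdict

# Local proxy address as given in the WebWasher FAQ quoted in the thread.
PROXY_ADDR = ("127.0.0.1", 8080)

# Constructed sample in `netstat -ano` layout (PIDs and addresses are made up).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       1200
  TCP    127.0.0.1:1045         127.0.0.1:8080         ESTABLISHED     3344
  TCP    127.0.0.1:8080         127.0.0.1:1045         ESTABLISHED     1200
  TCP    127.0.0.1:1051         127.0.0.1:8080         ESTABLISHED     2816
  TCP    127.0.0.1:8080         127.0.0.1:1051         ESTABLISHED     1200
  TCP    192.168.1.100:1046     203.0.113.10:80        ESTABLISHED     1200
  TCP    192.168.1.100:1060     198.51.100.7:80        ESTABLISHED     4012
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse(text):
    """Yield (local, remote, state, pid) for each TCP row; other lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            la, lp, ra, rp, state, pid = m.groups()
            yield (la, int(lp)), (ra, int(rp)), state, int(pid)

def proxy_report(text, proxy=PROXY_ADDR):
    """Separate the proxy's loopback clients from the proxy's own egress."""
    rows = list(parse(text))
    # The process listening on the proxy address is the proxy itself.
    proxy_pids = {pid for local, _, state, pid in rows
                  if local == proxy and state == "LISTENING"}
    clients = defaultdict(list)  # client PID -> source ports connected to the proxy
    egress = []                  # remote endpoints the firewall attributes to the proxy
    for local, remote, state, pid in rows:
        if state != "ESTABLISHED":
            continue
        if remote == proxy and pid not in proxy_pids:
            clients[pid].append(local[1])   # an app "cloaked" behind the proxy
        elif pid in proxy_pids and not remote[0].startswith("127."):
            egress.append(remote)           # what the proxy fetched on some app's behalf
    return {"proxy_pids": proxy_pids, "clients": dict(clients), "egress": egress}

if __name__ == "__main__":
    print(proxy_report(SAMPLE_NETSTAT))
```

The table is a point-in-time snapshot, so short-lived connections are only caught by sampling repeatedly; client PIDs can be mapped to program names with `tasklist`.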

Sunday, 03-Jun 14:40:14
© 1999-2012 dslreports.com.