Broadband Tech > Security > Security > Tiny + WebWasher Users

reply to wiregauze

Re: Tiny + WebWasher Users

No, by operating at the lowest possible level, it stops ANYTHING AT ALL, even itself, from accessing. WW is going through Tiny, after it goes to localhost. The illustration wiregauze supplied is a graphic illustration of how it does that.

By operating at the lowest level, as a device driver and a service, Tiny loads before any app that might bypass it (like WW), and binds the ports FIRST. Nothing can bind a port that's already bound, which is why "enterprise grade" walls ALWAYS load as drivers and services. We're all familiar, I think, with the trojans that can "load at next boot," to try to get in below the firewall or proxy server... loading at such a low level, a firewall like Tiny gets there first, and the trojan has to try to go through it to reach a port.

That's my whole point: in wiregauze's scenario, the connection, to 127.0.0.1, is NOT a remote machine, it's wallwasher itself. The popup in his screenshot is Tiny trying to determine whether or not to let it through to go out to the internet. Perhaps what you mean is this, and you're correct, if so: If you ALLOW wallwasher, any port, any app, any remote host, Tiny won't see the app that asked the proxy to make the connect, it'll see the proxy server, which is allowed, so it won't discriminate - it will either allow or deny strictly based on the rule applied to wallwasher, and any further filtering will have to be done in wallwasher, because the originating app is "proxied" by wallwasher... carried in and out under it alone, with no reference back to the originating program except inside of wallwasher. By the way, I thought it out, and Tiny WILL see the hash fingerprint of the app when it goes to get to localhost, so it will detect a change, at that stage...

Deleting a hash from the table will NOT deny an app. It will just get the hash again next time the app hits Tiny. The only time that will stop the connection is if it HAS a hash, and the requesting app's hash doesn't match it (it was replaced); THEN, and only then, it will stop everything and ask if you accept or reject the changes before it passes the packets... for example, I upgraded a scanner, recently, and the very first time the new .exe component tried to get out, a warning told me that the file was changed (of course... I replaced the old one with the upgrade), and asked whether it was OK or not. However, blocking apps by application name isn't done with the hash table, it's done in the rules.

The rule I suggested above would stop a local app from proxying through WW at all, by preventing the localhost connect, so a rule like that could be used to selectively filter what is and isn't allowed hrough WW... but it would be a whole lot easier to set up filters in wallwatcher, in this unique case, and let the connections go through to it, wouldn't it? Of course, that assumes wallwatcher is a trusted application in your estimation... doing it one proggie at a time above localhost is awfully tedious, and runs a risk of blocking localhost connectivity to an unintended app... like all your wallwatcher traffic in gross, or Tiny, for instance... which will block itself if it can't get a 127.0.0.1 connection... either of which will simply block you from the web...
--
Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill
[text was edited by author 2001-05-24 13:41:45]

said by gwion:

---

"1. Deny application bigfix - any IP, any remote port, any local port."

2.the localhost rule
3~~~~~~
4~~~~~~
~~~~~

---

first time? Could you confirm if it does? (I know you are a big fan of WW ) Could you try running bigfix after starting WW?


I just tested it. I denied BigFix access to the net within ZAP, and BigFix was unable to access the net, even though I use WW. Hence, ZAP does stop applications from accessing the net, even if you use WW.

said by Zhen-Xjell:

---

I just tested it. I denied BigFix access to the net within ZAP, and BigFix was unable to access the net, even though I use WW. Hence, ZAP does stop applications from accessing the net, even if you use WW.

---

Yes, BigFix was trying to access 127.0.0.1 port 8080.

reply to wiregauze

ZAP.zip 41,325 bytes (ZAP.bmp)

reply to Zhen-Xjell

said by Zhen-Xjell:

---

Yes, BigFix was trying to access 127.0.0.1 port 8080.

---

said by wiregauze:

---

. So, solution would be: when Tiny does not find MD5 checksum in its table, it pops up an allow/deny dialog box; yes, even if its ruleset permits. Obviously this requires an update from Tiny.

-- wiregauze

---

reply to wiregauze
Very interesting indeed is all this. I do not have the time to learn Tiny, but this does not mean I will never try it just to understand what all the talk is about.

However, it is a good thing this certain case has been caught. Yet again, ZAP is proven.

reply to wiregauze

lt.zip 11,045 bytes

What is the Loopback rule in my filter rules?
The default installation of TPF includes a few predefined filter rules for a more convenient administration. Although you are allowed to remove these rules, you must not remove the Loopback rule because it allows TPF to communicate with your operating system. By removing this rule you will no longer be able to access the administration.

Why can't I access the administration?
This can be caused by two reasons. If the engine is not active you cannot access the administration or status monitor. If you have modified or removed the loopback rule you may not be able to access the administration. If this is the case then you should restore the original configuration by removing the persfw.conf file.

This is from TPF's site, I have had no problems, Denying the loopback rule,but just incase someone does, Here are the warnings.
--
Companies would rather lose you as a customer than fix the problem
Vampirefo

Joke Page

said by Vampirefo:

---

What is the Loopback rule in my filter rules?
The default installation of TPF includes a few predefined filter rules for a more convenient administration. Although you are allowed to remove these rules, you must not remove the Loopback rule because it allows TPF to communicate with your operating system. By removing this rule you will no longer be able to access the administration.

Why can't I access the administration?
This can be caused by two reasons. If the engine is not active you cannot access the administration or status monitor. If you have modified or removed the loopback rule you may not be able to access the administration. If this is the case then you should restore the original configuration by removing the persfw.conf file.

This is from TPF's site, I have had no problems, Denying the loopback rule,but just incase someone does, Here are the warnings.

---

That sounds very good then! I'm glad Tiny has such a work around.
[text was edited by author 2001-05-25 14:08:45]

said by Zhen-Xjell:

---

That sounds very good then! I'm glad Tiny has such a work around.

---

While using WW,Rather than remove the loopback rule, I just uncheck it, by removing the check mark, it disables the rule, and all works well, If I am not using WW, I recheck the rule. I will spend some time on this problem, This weekend and see if I can come up with a set of rules to work well with WW.

That's a great thought... cool. Yeah, I was upset when they briefly removed the checkboxes from Tiny. I had become so used to running a pair of rules (before they added the dandy little ZA type "cut me off" function) that could be checked when I left my machine to effectively do just that... but, without checkboxes, they became perfectly useless as "emergency rules," much less for the original purpose. One of the nice features about Tiny... you can have special case rules at your fingertips in the task bar. Great tip.
--
Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill

reply to Vampirefo

said by Vampirefo:

---

While using WW,Rather than remove the loopback rule, I just uncheck it, by removing the check mark, it disables the rule, and all works well, If I am not using WW, I recheck the rule.

---

I don't guess that something like that would be too heavy, but could create a stream of popups, be mindful. Just because an app registers an MD5 doesn't mean it's accessing the internet. ALL the MD5 does is ensure that an app isn't replaced by a trojan, or that one with a similar name doesn't slip by through an app specific rule.

One problem Tiny does have, for new users, is that lets the user see so much of the process. Zone Alarm is handling proxies pretty much the same way, but it isn't as obvious what's going on. If ZA doesn't have a default allow for localhost, then, of course, it's prompting on every loopback... as Tiny will if you remove loopback. I don't consider that a big security issue, though, as stated above. Knowing, as we do now, that a proxy is a natural firewall tunnel, though, is vitally important, and you couldn't be more right that new users need to understand how that is, and why it can be bad. Thanks for the ongoing discussion... I learn something everytime I take on a problem like this, and this is no exception... sometimes, I look at Tiny from the viewpoint of someone who's used it for several months, and I forget how it felt looking at a new firewall for the first time... yes, there are a lot of things that a new user has to get comfortable with, before we can say that we fully trust any firewall, and feel articulate working with it. Wish you lots of luck, and safe surfin'... pleasure discussing this with all... good sailing!
--
Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill