

Hutch
Premium
join:2000-10-14
australia
Reviews:
·Bigpond
·Internode

Ad Filtering Programs keep Ports open

I have had my ports scanned at »www.secure-design.com/cgi-bin/fw···n+Me+Now. With AdSubtract by itself, they found Port 80 to be wide open. Then I got scanned with Naviscope by itself, and Port 81 was wide open. I understand that these programs need internet access to do their jobs. Am I at risk? Can others using any other ad filtering programs test their firewalls out at Secure-Design and let me know the results, please? I am using ZAP 2.6.88 and NPF. Note: with neither of these programs, Naviscope or AdSubtract, turned on, I come up fully stealthed.
--
Confusous says man with hands in pockets is one to watch...Why because he is always on the fiddle.

[text was edited by author 2001-06-09 23:10:52]

[text was edited by author 2001-06-10 16:11:55]

[text was edited by author 2001-06-10 16:14:19]


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1

In particular to you, Judge:

I'm not sure what you're saying, but if it's that the ports show only when you drop the firewall, that's probably a-OK. Most filters are proxy servers, and I've used a few of those, but never Naviscope (I use Proxomitron, myself, in the filters department). Do you set "use a proxy" in your browser to use the filter? If so, it's acting as a proxy server. Those ports should not be available from the internet, if the firewall's running, and you can and should use ZAP to make a rule blocking outside access to any proxies you run. Open proxy servers can be an immense security risk. Odd set of ports for a proxy to be listening on... I always promptly restrict any local proxy like that to localhost, NOT the LAN address of my NIC, whenever I set anything up like that, myself...

More generally, more miscellaneous proxy server ramblings:

If you have an option to do so, make sure that the proxy binds only to localhost, 127.0.0.1, if it's only for use from that machine... some I've seen default to bind to INADDR_ANY, meaning they accept connections on any interface available on that computer... I don't like that, and I think it's an incredible risk. If you run a proxy for filtering only, and only need to reach it from that machine, find the settings and tell it to bind address 127.0.0.1 - nothing else, unless it absolutely has to be available from the LAN. Set the browser, etc., to use localhost:[proxyport]. Then find the administrative interface settings, and restrict administrative access to 127.0.0.1, too.

Well, I may be dead wrong, but that's my instinct. Also, you can make the ports your proxy accepts connections on accessible only from localhost, on a rules based firewall; make sure your browser is set to localhost, not your LAN address. I, personally, would pick other ports... 8080/81 or some other high range preferably. 80's a heavily scanned port, if nothing else. One last tip... if you have a router, by all means, you can block your proxy's active ports at the router. That will help ensure that only local connections are made to the proxy server. Set up with all or any one or combination of the above, almost any local server can be made pretty virtually invisible from the outside, mutatis mutandis. Hope my mind dump makes some sense, and maybe helps out a bit. Good luck.
--
Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill
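The binding check gwion describes above, as an added example that is not part of any post in this thread: it reads `netstat -an` style output and reports whether each local proxy port is listening on loopback only, on one LAN address, or on every interface. The sample output is constructed; the port numbers are the ones mentioned in the thread.

```python
import ipaddress
import re

# Constructed sample in the style of Windows `netstat -an` output.
# Ports 81, 4444 and 8080 are the proxy ports mentioned in this thread;
# the addresses and connection rows are made up for the example.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    192.168.1.2:4444       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         127.0.0.1:2179         ESTABLISHED
  TCP    192.168.1.2:2180       203.0.113.10:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Only TCP sockets in the LISTENING state are servers waiting for inbound
# connections; established client connections are ignored.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s*$"
)


def classify_bind(addr):
    """Say how widely a listening socket bound to `addr` is reachable."""
    ip = ipaddress.ip_address(addr.strip("[]"))  # netstat brackets IPv6
    if ip.is_unspecified:          # 0.0.0.0 or :: (INADDR_ANY)
        return "all-interfaces"
    if ip.is_loopback:             # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "specific-interface"    # e.g. the NIC's LAN address


def audit_listeners(netstat_text, proxy_ports):
    """Return one finding per listening socket on a port we care about."""
    findings = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m or int(m["port"]) not in proxy_ports:
            continue
        scope = classify_bind(m["addr"])
        findings.append({
            "port": int(m["port"]),
            "address": m["addr"],
            "scope": scope,
            # Anything not bound to loopback relies on the firewall alone
            # to keep outside hosts away from the proxy.
            "exposed": scope != "loopback-only",
        })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_NETSTAT, {81, 4444, 8080}):
        flag = "CHECK FIREWALL / REBIND" if f["exposed"] else "ok"
        print(f"{f['address']}:{f['port']:<5} {f['scope']:<18} {flag}")
```
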



wayaunega
The Most Hated Of All Posters

join:2001-02-21
Asheboro, NC

ok so just a question to simplify my understanding of what you said.

nutshell--> most filtering software works along the same premise as using a host file in that it detects ads by whatever means and diverts it to a localhost address, right?
--
....common sense isn't too common anymore....



BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:2
Reviews:
·Frontier FiOS

reply to Hutch
The AtGuard/NIS Firewall/AdFilter works at the TCP/IP level as a packet filter, and does not require web pages to run through it like a proxy.
--
If you feel like expressing yourself, run that through the COMMON SENSE filter so it doesn't ruin something for others!

[text was edited by author 2001-06-10 03:05:20]



gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1

reply to Hutch
Well, no. Sort of. What a proxy server is is a layer between your browser and the internet. It normally rides above the firewall and below the browser, or anything else you let use it. You know your favorite app is acting as a proxy server if you have to open up your IE tools/options/connections and enter an address and port for a proxy server. Usually, you should use a loopback connection to connect to a proxy server you only want to be accessible on the local machine, and that would include most ad and cookie filters that load as servers. The reason is that you don't want it to be available over the internet. If someone connects to your proxy through the internet, it's possible to "pirate" your IP and tunnel through the proxy server. To prevent that, any filters that run as proxy servers should be configured in their settings NOT to listen on any other adapters (if that's possible; I know Proxomitron does...) besides localhost, then you connect through "localhost:8080"; it's not a good idea to connect through "myNBname:xxxx" or "192.168.1.2:xxxx". That's all I'm saying, in a nutshell. Most proxies today, I think, are usually set by default to listen to localhost, but I think it's worth checking into and making sure.

What I meant about the firewall and router was simply that you block access from the WAN to the port the browser connects to the proxy server on in the Tools settings. That works whether the settings of the app are detailed enough to pick an address or not. Just closes the port at the firewall. Another good idea is to deny Internet Explorer access at the firewall while the filter is running. That way, it can't sneak packets around the filters - I've caught it trying to initiate connections while Proxomitron's running, here, and yes, it's unchecked for access, so it's blocked. Pardon my rambling... thinking out loud ... sorry...

As far as how a proxy works, it does the same things a hosts file does a different way, better, and it can do more. It can, for example, strip off headers or java code, or selectively allow cookies through and deny others at the same site. Very versatile platform for filtering ads and cookies, but risky, too, if it accepts any outside connections...

I took the liberty of taking a look at Naviscope, and it's a proxy server, so it should be able to do a pretty good job, but needs to be set up right to be most effective and safe. I also noticed that it has a prefetcher, so Judge, I'll have to refer you to your helpfile or someone who uses Naviscope, on those technicals... that could be what's opening a port on your system, so it may have something to do with the way Naviscope works. Somehow, though, I don't think prefetch is much needed on a broadband connection, really. Besides, I can think of no legitimate reason on earth that ports should show as open and accepting connections on any proxy server from the internet side.

Whoops... sorry, I think I misread... Got it. You run AdSubtract, correct, and scanned at Naviscope? If so, I'm sorry... AdSubtract acts as a proxy, too. Don't know what ports IT uses, but still, it shouldn't need to listen for connections on the WAN.

--
Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill

[text was edited by author 2001-06-10 03:09:48]


Traduk

join:2000-10-25
England

I used Naviscope for a couple of weeks and then uninstalled it due to the fact that it not only appeared to be flaky at doing its intended job but also had a performance hit of up to 25% speed.

You have broadened my knowledge of local proxies and from that this is how I perceived that Naviscope worked. It forced the default browser of choice to connect to it via local loopback 127.0.0.1, as it should. It then sat permanently "listening" on its default of port 81 out to the WAN. It could be argued that a browser, whilst in use, sits listening on open ports but normally most people open a browser whilst actively using it and are at their screen should something untoward happen. Naviscope however sits listening for as long as the computer is running.

I did not know enough about the implications of having an open port 81 to feel comfortable with running the program. Inconsistent page rendering, random blocking, or not, of ads on the same page and a 25% performance hit on numerous DSLreports speed tests had me hitting the add/remove to say goodbye.

Pre-fetching is done by searching a page for keywords and finding new pages which match the keyword. One keyword is supplied by default and the user must create an extended list to suit their own requirements. I can just imagine what would happen if a keyword of "microsoft" was added and Microsoft's site was visited.

Traduk



Wildcatboy
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:2
Host:
Security Product V..
Security

reply to Hutch

To tell you the truth, one of my pet peeves about ad blockers, cookie killers etc... has always been the fact that they almost always are some sort of a proxy server. The problem starts when most people simply install them and see them do a good job in killing cookies and ads but, unlike you, they hardly think about the vulnerabilities that a proxy server can create. Gwion's advice is quite valid and you really need to make sure those proxy servers are not visible from outside and are only accessible to your localhost. Some products give you the option and some don't, and not many people know how to configure their firewall to accomplish this. So the end result could be that they save themselves from cookies but they also open a door to their machine for people to get in. Which one is worse? You be the judge.

In any case, using Gwion's advice and ZAP you should be able to deny access to your proxy server from the Internet. If you are not able to close the port, my suggestion is to either switch to a more configurable firewall such as Tiny or dump the program altogether.
--
You can catch the Devil, but you can't hold him long.



Zhen-Xjell
Prolific Bunny
Premium,VIP,ExMod 2001-04
join:2000-10-08
Bordentown, NJ

reply to Hutch
Judgedredd:

I have had my ports scanned at »www.secure-design.com/cgi-bin/fwtest.c... With AdSubtract by itself, they found Port 80 to be wide open.

AdSubtract uses port 4444 and not 80. Perhaps you have something else that is keeping port 80 open. I do know that Naviscope uses port 81, so finding that open is no surprise.

Gwion:

Another good idea is to deny Internet Explorer access at the firewall while the filter is running. That way, it can't sneak packets around the filters - I've caught it trying to initiate connections while Proxomitron's running, here, and yes, it's unchecked for access, so it's blocked.

Can you explain this further?
--
»All your Smurf are belong to Smurf!
»Ad/Cookie Blocking App Reviews



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

Zhen, not being an expert on Proxo, I don't really know the answer, but did you see this:

said by wayaunega:
most filtering software works along the same premise as using a host file in that it detects ads by what ever means and diverts it to a localhost address
Is that correct for Proxomitron? How does it 'do its thing'? I don't think it is diverting any addresses; instead, my take on it is that it is actually re-writing the packets to eliminate unwanted commands. Is this interpretation correct?


Hutch
Premium
join:2000-10-14
australia
Reviews:
·Bigpond
·Internode

reply to gwion
I have set ZAP to allow Naviscope Internet access and deny Naviscope Server access. My Browser settings in LAN are to allow Proxy Server. Went back and got scanned again. All secure again. Thanks for the advice, gwion and the rest of you guys.
--
Confusous says man with hands in pockets is one to watch...Why because he is always on the fiddle.



Zhen-Xjell
Prolific Bunny
Premium,VIP,ExMod 2001-04
join:2000-10-08
Bordentown, NJ

reply to R2
R2, Proxo filters the actual web page itself. It searches for specific instances of code in the page and kicks it or replaces it before rendering the HTML in your browser. Hence, IPs and URLs are no longer required to filter. Proxo looks at the code, finds the privacy seeking information it is told to find, and kicks it. Very nice.
--
»All your Smurf are belong to Smurf!
»Ad/Cookie Blocking App Reviews



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

That is what I thought. Thanks.



gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1

reply to Zhen-Xjell
Zhen: I observed a few entries in my Tiny logs where I was running the proxy and saw IE denied on a "blocked ports" rule. I never looked deeply into it; I reasoned that it might just be a good idea to leave IE blocked at the firewall, now that Proxomitron is SSL capable (I was not running bypass, which still tunnels through the proxy, anyway, at the time). Here's an excerpt, showing a normal NB block on a local laptop, then showing IE trying to make what looks like its own outgoing connection. It seems to try a SOCKS connection behind the proxy, on other occasions.

1,[2001-Jun-09 23:35:17] Rule 'Block NB WAN': Blocked: In UDP rhiannon [192.168.13.4:137]->localhost:137, Owner: SYSTEM
1,[2001-Jun-09 23:35:17] Rule 'Block NB WAN': Blocked: In UDP rhiannon [192.168.13.4:137]->localhost:137, Owner: SYSTEM
1,[2001-Jun-09 23:35:17] Rule 'Block NB WAN': Blocked: In UDP rhiannon [192.168.13.4:137]->localhost:137, Owner: SYSTEM
*--->1,[2001-Jun-10 00:01:15] Rule 'ANY': Blocked: Out TCP localhost:2179->209.123.109.175:80, Owner: C:\PROGRAM FILES\PLUS!\MICROSOFT INTERNET\IEXPLORE.EXE
*--->1,[2001-Jun-10 00:01:15] Rule 'ANY': Blocked: Out TCP localhost:2180->209.123.109.175:80, Owner: C:\PROGRAM FILES\PLUS!\MICROSOFT INTERNET\IEXPLORE.EXE

What's it mean? Haven't checked it out in any detail, yet. I just take a stab in the dark and suggest that IE seems able to "look for" alternate connections, from time to time. Should I worry? I figure, not as long as I have IE unchecked for access at the firewall ... I leave my browsers unchecked and I only allow Proxomitron, and it seems to catch anything trying to slip around the proxy.

R2, Proxo and Internet Junkbuster, probably others, have a blockfile that works a lot like a hosts file, only, as noted, the proxy just drops the connection, so it never gets to where it would need to be null routed (basically what a hosts file does). If you have a proxy based filter that allows you to make IP block lists, you can do anything hosts can do, usually better, at the proxy. A proxy, by itself, by the way, is not a firewall, although some people try and use one that way. Don't. That's not what proxies are designed for. Good advice is to only run one along with a good packet filter "real" firewall, like ZA or Tiny.

Wildcatboy, you're right, they should be more careful, sometimes, to explain how the things work. Proxy servers are just made for the job of filtering, and usually work great. Set up right, they can be a great addition to security. Set up wrong, they can leave a hole in an otherwise great setup that you could drive a truck through. It's one of the best tools to get the job done, but, like so many very powerful tools that do a very good job set correctly, it has 2 edges if it's not, and cuts both ways.

To respond to yet another comment I may or may not have gotten correct (mind's the first thing that goes), IE should NEVER be "accepting" connections. That is, IE never binds a port to listen during normal operations. Only a server should listen on a port for inbound connections; a browser should only ever generate outbounds. A client should establish connections only as needed. Win uses randomly assigned ports above 1024 to connect out. The server usually listens, on fixed port 80, but port 80 does NOT ever need to be open on a machine that only runs client apps; only an internet server needs that port on the local machine. IE should never be binding and listening to anything, and, if it is (never happened, in my experience) it should be denied at the firewall.

A very good topic for discussion, Judge. Thanks to all. I think these things are largely misunderstood, as far as the under-the-hood tech details, and this thread does more than just answer your questions (I hope) -- it goes a long way to helping educate users in using the things better. Good show!
--
Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill

[text was edited by author 2001-06-10 14:20:00]
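The check gwion does by eye on the Tiny log above, as an added example that is not part of any post: it parses entries in the format of that excerpt and counts outbound web connections attempted by any program other than the filtering proxy. The allow-listed file name PROXOMITRON.EXE and the last sample line are assumptions constructed for the example.

```python
import ntpath
import re
from collections import Counter

# First three lines are taken from the excerpt in the post above (including
# the poster's "*--->" markers); the last line is constructed to show an
# allow-listed proxy and uses a documentation address.
SAMPLE_LOG = r"""1,[2001-Jun-09 23:35:17] Rule 'Block NB WAN': Blocked: In UDP rhiannon [192.168.13.4:137]->localhost:137, Owner: SYSTEM
*--->1,[2001-Jun-10 00:01:15] Rule 'ANY': Blocked: Out TCP localhost:2179->209.123.109.175:80, Owner: C:\PROGRAM FILES\PLUS!\MICROSOFT INTERNET\IEXPLORE.EXE
*--->1,[2001-Jun-10 00:01:15] Rule 'ANY': Blocked: Out TCP localhost:2180->209.123.109.175:80, Owner: C:\PROGRAM FILES\PLUS!\MICROSOFT INTERNET\IEXPLORE.EXE
1,[2001-Jun-10 00:02:40] Rule 'ANY': Blocked: Out TCP localhost:2181->192.0.2.7:80, Owner: C:\PROGRAM FILES\PROXOMITRON\PROXOMITRON.EXE
"""

ENTRY_RE = re.compile(
    r"^(?:\*--->)?\d+,\[(?P<ts>[^\]]+)\] "
    r"Rule '(?P<rule>[^']*)': (?P<action>\w+): "
    r"(?P<direction>In|Out) (?P<proto>\w+) "
    r"(?P<src>.+?)->(?P<dst>[^,\s]+), Owner: (?P<owner>.+)$"
)


def parse_entry(line):
    """Split one log line into its fields, or return None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def bypass_attempts(log_text, allowed_owners, web_ports=(80, 443)):
    """Count outbound TCP web connections by programs other than the proxy.

    allowed_owners: executable file names (upper case) that are expected to
    talk to web servers directly, i.e. the local filtering proxy.
    Returns a Counter keyed by (program, destination host, destination port).
    """
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["direction"] != "Out" or entry["proto"] != "TCP":
            continue  # inbound NetBIOS noise and the like
        host, _, port = entry["dst"].rpartition(":")
        if not port.isdigit() or int(port) not in web_ports:
            continue
        # ntpath handles Windows paths regardless of the OS running this.
        program = ntpath.basename(entry["owner"]).upper()
        if program in allowed_owners:
            continue
        counts[(program, host, int(port))] += 1
    return counts


if __name__ == "__main__":
    hits = bypass_attempts(SAMPLE_LOG, {"PROXOMITRON.EXE"})
    for (program, host, port), n in hits.items():
        print(f"{program} tried {host}:{port} directly, {n} time(s)")
```
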



Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

reply to Hutch
One of the things I've found about Ad Subtract Pro (localhost proxy filter) and Spyblocker (Hosts file utility) is that both will ask Zone Alarm for server privileges. They both will still work if this is allowed only in the local zone, but not for the Internet. I had a security scan done here at DSLR (basic TCP & UDP, frag, & pod) and got a -0 score using the current settings for Ad Subtract and Spyblocker. Allowing both of these access as an Internet server gave me a result of -11 from an earlier scan. In general, any localhost proxy shouldn't need to be an Internet server in order to work.
--
Computers will always do what you tell them
to do, but rarely what you want them to do



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

reply to gwion
Does Proxo work like a Hosts???

Again, my impression (zero experience or first-hand knowledge) is that it does not. Instead, I THINK it is simply (if "simple" can be used here) a packet modifier that rewrites the packets as they arrive at your computer. This would involve NO redirection (a la Hosts). Instead of RE-directing the computer, the DIRECTIONS themselves are modified.

Again, I have to end with... is this correct?



Zhen-Xjell
Prolific Bunny
Premium,VIP,ExMod 2001-04
join:2000-10-08
Bordentown, NJ

Here is a config file that can be used which works akin to the HOSTS file, without redirection:

Excerpt:

# The URL killer header filter, if enabled, will kill
# any URLs matched in this list. This will completely
# block access to the given site so be cautious.

So Proxo is not only a web page parser/filter, it also can kill URLs on the spot with parsing the page.

My suggestion to anyone who is interested about Proxo is to download a copy and try it. There are many advantages in using Proxo, and those cannot be realized without using the application.
[text was edited by author 2001-06-10 15:59:27]



Zhen-Xjell
Prolific Bunny
Premium,VIP,ExMod 2001-04
join:2000-10-08
Bordentown, NJ

reply to Hutch
Gwion:

A proxy, by itself, by the way, is not a firewall, although some people try and use one that way. Don't. That's not what proxies are designed for. Good advice is to only run one along with a good packet filter "real" firewall, like ZA or Tiny.

If you want a real firewall, enterprise strength is the way to go. Purchase Check Point Firewall-1. It filters between communication layers 2 and 3.

But I would like for you to explain why a proxy by itself is not a firewall.
--
»All your Smurf are belong to Smurf!
»Ad/Cookie Blocking App Reviews



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

Zhen, does it block access via redirection (for example to 127.0.0.1), or via modification of the code in this arriving packet?

I know, download it yourself and see...:(



Hutch
Premium
join:2000-10-14
australia
Reviews:
·Bigpond
·Internode

reply to Hutch
I have tried disabling Proxy settings in my Browser and every web page gets blocked. The way I have ZAP set up now with Allow Access and Deny Server Privileges seems to work well. Why I posted the original post was to find out how to configure Naviscope to keep my firewall stealthed. And now I have. And because I'm LAN connected I do not need pre-fetching on. Why? Because if I post here I end up with double posts LOL. I REALLY WANTED OTHER USERS OF SUCH PROGRAMS TO SEE. THERE IS A DANGER IN USING THESE TYPES OF PROGRAMS. I AM STILL NEW TO UNDERSTANDING FIREWALL CONFIGURATION. AND THIS ONE HAS TAUGHT ME A GOOD LESSON. ALWAYS TEST YOUR FIREWALL AFTER INSTALLING AN INTERNET FILTERING PROGRAM, SO YOU CAN SEE IF SUCH PROGRAMS LEAVE YOU VULNERABLE. IF THEY DO, FIND A WAY TO FIX IT FAST. AND NEVER ALLOW PROGRAMS SERVER PRIVILEGES UNLESS YOU KNOW WHAT THEY WANT THEM FOR AND WHY.
--
Confusous says man with hands in pockets is one to watch...Why because he is always on the fiddle.

[text was edited by author 2001-06-10 16:35:51]

[text was edited by author 2001-06-10 16:45:29]



Hutch
Premium
join:2000-10-14
australia

reply to Doctor Four
Thanks, I found this out before I read yours. Thanks for the advice.


over 12.5 years online © 1999-2012 dslreports.com.