Murray3

join:2001-03-06
Texas

Tiny Personal Firewall Rules & Proxomitron

'cjsmith' and 'thetraveler7' were asking me about my Tiny Ruleset earlier today. I was going to email them a snapshot of how my firewall rules look... but thought I would take the opportunity to make a thread of it, as maybe it might be of help to others?

Here's a snapshot of my rule-set. (I didn't list the entire set)

I wanted to just show how I have Tiny configured with IE and Proxomitron.

Some points to mention about the IE rules...

Internet Explorer via Proxy
Set to allow IE to connect via TCP, via localhost/port 8080.
(This is the port that Proxo is set for).

Internet Explorer (UDP)
Set to allow IE to connect to localhost, but on any port.
I have noticed that IE wanted to connect on varying UDP ports on localhost, which, with the help of gwion, I found out is IE performing cache lookups. Therefore, by allowing it to access any port on localhost, IE now runs fine.

Internet Explorer (SSL)
This rule allows IE to sneak out via port 443... namely Secure Sockets. Proxomitron can be configured to accept SSL connections, but this is one thing I prefer IE to connect to outside of Proxo.

Internet Explorer (Local Web Server)
Ignore this. I am running a web server locally, for development purposes. I'm running the server on port 4000, which is why the rule has that port listed.
This rule will be of no value to others.

Internet Explorer (Local Web Server 2)
As per the previous rule, but with the private IP address of the machine.
Once again, disregard this rule.

Block Internet Explorer
The rule to block all other connections from IE... both TCP and UDP.

There are then a few more non-IE rules, with various EXEs that I allow to pass through Proxo.

Then comes the Proxomitron rule.


This is by no means necessarily the perfect way to have IE/Proxo/Tiny configured... but it works for me.

Feel free to comment. (I'm always willing to take comments to see how I can improve things further).

Edit: Amended the 'Block Port 8080' rule from Inbound to 'Both Directions'. (Thanks gwion )

[text was edited by author 2002-02-14 06:14:28]


KeysCapt
FAQ Master
join:2001-07-11
Carson City, NV
kudos:1
Thanks for posting, Murray. That's an interesting solution to IE's cache access ... I remember the discussion, but hadn't thought of that alternative to the loopback method.


cjsmith
Premium
join:2000-11-03
Villa Rica, GA
reply to Murray3
Thank you Murray, now all I need to do is figure out my DHCP and DNS rules and I should be on my way...

I will search and see if I can find something when I get home from work.

Cheers!
--
"There's Porky and Bacon! There's Roger and Ham! On Sausage and Truffle. On Cyril and Spam."


Murray3

join:2001-03-06
Texas
said by cjsmith:
Thank you Murray, now all I need to do is figure out my DHCP and DNS rules and I should be on my way...

I will search and see if I can find something when I get home from work.

Cheers!

Sorry, can't help you out with the DHCP rules, as I don't use it... but here's my DNS rules.



gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1

reply to Murray3
Perfect, Murray, perfect! Nice set. This is the definitive SS for the IE setup. It demonstrates almost the whole range of building an if then loop with rule ordering to control proxy and internet access.

The definition of using a proxy server as a security device is being able to make it a chokepoint for certain types of content. In this case, untrusted HTTP content. The problem is you have to be able to completely route around the proxy, for some connections. For example, an intranet. This does it.

Basic logic:
IF X=TCP to localhost
AND remote port=8080
THEN allow
ELSE
IF X=UDP to localhost
THEN allow
ELSE
IF ...

It goes on that way. As soon as X= a type of packet that is denied, the process stops. It's a fantastic "homework exercise" in rule ordering! If it never finds a match, of course, the very last rule is an "implicit" rule (you never see it):

IF X exists
THEN stop X
AND prompt for input...

Thanks, Murray.

PS- Hey, CJ, here's the basic pair for DHCP:

ALLOW
both directions
UDP
application ANY
single local port 68
single remote port 67
single remote address 192.168.1.1*
nolog - noalert
Notes: * For a router in most default configurations; substitute the IP address of your or your ISP's DHCP server, as appropriate.

ALLOW
OUT
UDP
application ANY
single local port 68
single remote port 67
single remote address 255.255.255.255
nolog - noalert

You might need more than one DNS; if so, just make as many as you need. Set the deny to alert, too, in case you legitimately change servers (Verizon's done it twice, on me )...

--
A man who carries a cat by the tail is getting experience that will always be helpful. He isn't likely to grow dim or doubtful. Chances are, he isn't likely to carry the cat that way again, either. But if he wants to, I say, let him.
--Mark Twain

[text was edited by author 2002-02-13 23:08:10]
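As an added illustration (not code from the thread or from Tiny's own engine) of the top-down first-match chain gwion lays out above, and of why Murray's 'Block Port 8080' rule had to change from Inbound to Both Directions: a small Python model of that evaluation loaded with the IE/Proxo rules Murray listed. The executable names, the Rule/Packet objects and the sample remote address are my assumptions; Tiny's real match fields are richer than this.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCALHOST = "127.0.0.1"
PROXO_PORT = 8080  # the port Proxomitron listens on in Murray's setup

@dataclass
class Packet:
    app: str          # executable that owns the connection (assumed names below)
    proto: str        # "TCP" or "UDP"
    direction: str    # "out" = we originate it, "in" = we accept it
    remote_addr: str
    remote_port: int

@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    app: Optional[str] = None          # None matches any application
    proto: Optional[str] = None        # None matches TCP and UDP
    direction: str = "both"            # "out", "in" or "both"
    remote_addr: Optional[str] = None  # None matches any address
    remote_port: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.app in (None, p.app) and self.proto in (None, p.proto)
                and self.direction in ("both", p.direction)
                and self.remote_addr in (None, p.remote_addr)
                and self.remote_port in (None, p.remote_port))

def first_match(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; no match hits the implicit stop-and-prompt rule."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "prompt", "implicit rule"

def murray_ruleset(block_8080_direction: str = "both") -> List[Rule]:
    """Murray's IE/Proxo chain in posted order (local web-server rules omitted)."""
    ie = "iexplore.exe"
    return [
        Rule("Internet Explorer via Proxy", "allow", ie, "TCP", "out", LOCALHOST, PROXO_PORT),
        Rule("Internet Explorer (UDP)", "allow", ie, "UDP", "both", LOCALHOST),  # cache lookups, any port
        Rule("Internet Explorer (SSL)", "allow", ie, "TCP", "out", None, 443),   # port 443 bypasses Proxo
        Rule("Block Internet Explorer", "deny", ie),                              # everything else from IE
        Rule("Proxomitron", "allow", "proxomitron.exe", "TCP", "out"),
        # "in" never matches a program *originating* a connection to 127.0.0.1:8080
        Rule("Block Port 8080", "deny", None, None, block_8080_direction, LOCALHOST, PROXO_PORT),
    ]
```

Run `first_match(murray_ruleset("in"), Packet("unknown.exe", "TCP", "out", "127.0.0.1", 8080))` against the same call with `"both"` to see the difference gwion pointed out: the inbound-only block falls through to the implicit prompt, the both-directions block denies.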


Zhen-Xjell
Prolific Bunny
Premium,ExMod 2001-04
join:2000-10-08
Bordentown, NJ
reply to Murray3
Murray, if you don't mind, I'd like to post something like that on my website referencing this thread.


Murray3

join:2001-03-06
Texas
said by Zhen-Xjell:
Murray, if you don't mind, I'd like to post something like that on my website referencing this thread.
Please feel free to do so!


Zhen-Xjell
Prolific Bunny
Premium,ExMod 2001-04
join:2000-10-08
Bordentown, NJ
My pleasure.


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1
reply to Murray3
Murray, your block 8080... I block both directions. It would seem to me that blocking inbound would still allow you to originate an OUTBOUND connection TO 127.0.0.1:8080, it just wouldn't allow you to ACCEPT an inbound connection FROM localhost:8080... does this make sense???
--
A man who carries a cat by the tail is getting experience that will always be helpful. He isn't likely to grow dim or doubtful. Chances are, he isn't likely to carry the cat that way again, either. But if he wants to, I say, let him. --Mark Twain

Pinback0

join:2001-12-12
UK
reply to Murray3
Aaah, that's better. I had IE TCP and UDP out to the proxy in the same rule, and with it restricted to port 8080 IE was painfully slow. I think it was Gwion (cheers) who pointed out it was a UDP problem, but I had just removed the port restriction rather than create two separate rules. Also, I only let Proxo out on TCP (maybe odd with IE UDP allowed to access Proxo, but it works)... is there a reason Proxo should be allowed out on UDP too?

My Proxo rule is below 'Block Port 8080', and the block rule is for 127.0.0.1 only. May I ask if there's a reason for moving Proxo above the block rule, and whether the block rule itself should be for any address rather than just localhost?

I finally installed Opera recently, sick of the endless parade of IE vulnerabilities (and love it so far). For that I replicated both my IE rules, but tightened the 'Opera to Proxy' to TCP only on port 8080 only, and unlike IE it still works a treat. Is UDP necessary for streaming media type things or something? Is my ignorance shining through?

Checking the TPF log, I see Opera is being blocked to my local router on port 53. Given that it works fine anyway, should I still place a rule to allow Opera access to DNS above 'Opera restriction'?

To think I still used ZA a couple of months back (shudder). Thanks to you all for the great advice on TPF and Proxomitron.


cjsmith
Premium
join:2000-11-03
Villa Rica, GA

reply to Murray3
Thank you Murray for posting this, as I now placed this thread in my favorites. I will be looking at this more closely as time allows. Actually I think that Tiny makes all the difference with my speeds, both page loads, and downloads. I think it is my system giving me the most trouble here as it isn't all that powerful, so I have to keep on top of it daily, cleaned and tweaked regularly.

Believe it or not, I have to run Proxo on my W2K set at high priority under processes within the Task Manager for it to work more efficiently. gwion has disclosed another of his great finds, The Stupid Proxo trick... It works excellently on my system. Proxo's as efficient as ever.

Here is gwion's suggestion for running Proxo set on high priority:
    In your Proxo directory, make a cmd file that contains this simple command line:

    start/high proxomitron.exe

    If you like, put a shortcut in your startup menu. Now, if you start Proxo with the cmd file, it runs at high priority, and gets a better timeslice.
_______________________________________

gwion, my thanks go out to you as well, my friend. I am still learning a great deal, as your wonderful assists, advice, and experience are starting to creep in now... LOL =)

I plan on trying the DHCP rules of which you noted above, although if I am not mistaken I had one rule for DHCP in my earlier ruleset. I will be searching for that as well that I may once again have a tight Proxo/Tiny Ruleset.

You guys rule!!!
--
"There's Porky and Bacon!
There's Roger and Ham!
On Sausage and Truffle.
On Cyril and Spam."

[text was edited by author 2002-02-14 02:58:15]


Murray3

join:2001-03-06
Texas
reply to gwion
said by gwion:
Murray, your block 8080... I block both directions. It would seem to me that blocking inbound would still allow you to originate an OUTBOUND connection TO 127.0.0.1:8080, it just wouldn't allow you to ACCEPT an inbound connection FROM localhost:8080... does this make sense???
It makes a lot of sense... and thanks! I have made the change to the rule and the screenshot now reflects the amendment. Well spotted.


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1
reply to Murray3
Thanks, guys. ... Don't forget Zhen, who spent a lot of time setting up a full range of prebuilt filters to work with... Thanks, Zhen.

Anyway, no, the position of the proxo out rule's not critical. It'll be using standard ephemeral ports (above 1024) just like IE, and won't be blocked, itself, from going outbound by the rules. Either placement will work... mine's below loopback... Murray's is above. Both are acceptable, from what I can tell...
--
A man who carries a cat by the tail is getting experience that will always be helpful. He isn't likely to grow dim or doubtful. Chances are, he isn't likely to carry the cat that way again, either. But if he wants to, I say, let him. --Mark Twain


Zhen-Xjell
Prolific Bunny
Premium,ExMod 2001-04
join:2000-10-08
Bordentown, NJ
I haven't forgotten.. I've been working on two new websites of mine. I expect to go live with them both in the next couple weeks (if I'm lucky, starting this week). The new laudanski.com site will have this information too. Soon as I go live, I'll finish up the 2.50 beta for my Proxo ZXList filterset... it'll go gold.
--
Join a Distributed Computing Team at DSLR Today! Cure AIDS, Cancer, Diabetes, Alzheimer's and more!


cjsmith
Premium
join:2000-11-03
Villa Rica, GA
said by Zhen-Xjell:
I haven't forgotten.. I've been working on two new websites of mine. I expect to go live with them both in the next couple weeks (if I'm lucky, starting this week). The new laudanski.com site will have this information too.
Wow Zhen-Xjell it really appears now to me that you are going through with it... Great news! I am looking forward to your new look, and upcoming adventures. I am fully assured that the site will be "number one with a bullet!".
quote:
Soon as I go live, I'll finish up the 2.50 beta for my Proxo ZXList filterset... it'll go gold.
Gold? How can it shine any brighter?
--
"There's Porky and Bacon! There's Roger and Ham! On Sausage and Truffle. On Cyril and Spam."

Werner PS

join:2002-04-08
Germany
reply to Murray3
said by Murray3:
'cjsmith' and 'thetraveler7' were asking me about my Tiny Ruleset earlier today. I was going to email them a snapshot of how my firewall rules look... but thought I would take the opportunity to make a thread of it, as maybe it might be of help to others?

Here's a snapshot of my rule-set. (I didn't list the entire set)

Hello,
the rule:
OutlookExpress via Proxy
Set to allow OE to connect via TCP, via localhost/port 8080.
(This is the port that Proxo is set for).

will not work. It is not possible for me to filter POP, SMTP or news via Proxomitron.

What is your experience with that?

Werner