
gwion
wild colonial boy

join:2000-12-28
Pittsburgh, PA

gwion to Zhen-Xjell

Re: Ad Filtering Programs keep Ports open

Zhenn: I observed a few entries in my Tiny logs where I was running the proxy and saw IE denied on a "blocked ports" rule. I never looked deeply into it; I reasoned that it might just be a good idea to leave IE blocked at the firewall, now that Proxomitron is SSL capable (I was not running bypass, which still tunnels through the proxy, anyway, at the time). Here's an excerpt, showing a normal NB block on a local laptop, then showing IE trying to make what looks like its own outgoing connection. It seems to try a socks connection behind the proxy, on other occasions.

1,[2001-Jun-09 23:35:17] Rule 'Block NB WAN': Blocked: In UDP rhiannon [192.168.13.4:137]->localhost:137, Owner: SYSTEM
1,[2001-Jun-09 23:35:17] Rule 'Block NB WAN': Blocked: In UDP rhiannon [192.168.13.4:137]->localhost:137, Owner: SYSTEM
1,[2001-Jun-09 23:35:17] Rule 'Block NB WAN': Blocked: In UDP rhiannon [192.168.13.4:137]->localhost:137, Owner: SYSTEM
*--->1,[2001-Jun-10 00:01:15] Rule 'ANY': Blocked: Out TCP localhost:2179->209.123.109.175:80, Owner: C:\PROGRAM FILES\PLUS!\MICROSOFT INTERNET\IEXPLORE.EXE
*--->1,[2001-Jun-10 00:01:15] Rule 'ANY': Blocked: Out TCP localhost:2180->209.123.109.175:80, Owner: C:\PROGRAM FILES\PLUS!\MICROSOFT INTERNET\IEXPLORE.EXE

What's it mean? Haven't checked it out in any detail, yet. I just take a stab in the dark and suggest that IE seems able to "look for" alternate connections, from time to time. Should I worry? I figure, not as long as I have IE unchecked for access at the firewall ... I leave my browsers unchecked and I only allow Proxomitron, and it seems to catch anything trying to slip around the proxy.

R2, Proxo and Internet Junkbuster, probably others, have a blockfile that works a lot like a hosts file, only, as noted, the proxy just drops the connection, so it never gets to where it would need to be null routed (basically what a hosts file does). If you have a proxy based filter that allows you to make IP block lists, you can do anything hosts can do, usually better, at the proxy. A proxy, by itself, by the way, is not a firewall, although some people try and use one that way. Don't. That's not what proxies are designed for. Good advice is to only run one along with a good packet filter "real" firewall, like ZA or Tiny.

Wildcatboy, you're right, they should be more careful, sometimes, to explain how the things work. Proxy servers are just made for the job of filtering, and usually work great. Set up right, they can be a great addition to security. Set up wrong, they can leave a hole in an otherwise great setup that you could drive a truck through. It's one of the best tools to get the job done, but, like so many very powerful tools that do a very good job set correctly, it has 2 edges if it's not, and cuts both ways.

To respond to yet another comment I may or may not have gotten correct (mind's the first thing that goes), IE should NEVER be "accepting" connections. That is, IE never binds a port to listen during normal operations. Only a server should listen on a port for inbound connections; a browser should only ever generate outbounds. A client should establish connections only as needed. Win uses randomly assigned ports above 1024 to connect out. The server usually listens, on fixed port 80, but port 80 does NOT ever need to be open on a machine that only runs client apps; only an internet server needs that port on the local machine. IE should never be binding and listening to anything, and, if it is (never happened, in my experience) it should be denied at the firewall.

A very good topic for discussion, Judge. Thanks to all. I think these things are largely misunderstood, as far as the under-the-hood tech details, and this thread does more than just answer your questions (I hope) -- it goes a long way to helping educate users in using the things better. Good show!
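The log excerpt in the post above can be checked mechanically. The following is an added example, not part of the original post: it parses lines in the Tiny log format shown there and lists outbound attempts by any program other than the proxy. The executable name `proxomitron.exe` and the function names are assumptions made for illustration.

```python
import re

# Log lines copied from the post above (Tiny Personal Firewall format).
SAMPLE_LOG = r"""
1,[2001-Jun-09 23:35:17] Rule 'Block NB WAN': Blocked: In UDP rhiannon [192.168.13.4:137]->localhost:137, Owner: SYSTEM
*--->1,[2001-Jun-10 00:01:15] Rule 'ANY': Blocked: Out TCP localhost:2179->209.123.109.175:80, Owner: C:\PROGRAM FILES\PLUS!\MICROSOFT INTERNET\IEXPLORE.EXE
*--->1,[2001-Jun-10 00:01:15] Rule 'ANY': Blocked: Out TCP localhost:2180->209.123.109.175:80, Owner: C:\PROGRAM FILES\PLUS!\MICROSOFT INTERNET\IEXPLORE.EXE
"""

LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+Rule '(?P<rule>[^']*)':\s+(?P<action>\w+):\s+"
    r"(?P<dir>In|Out)\s+(?P<proto>\w+)\s+(?P<src>.+?)->(?P<dst>\S+),\s+"
    r"Owner:\s+(?P<owner>.+)$"
)

# Assumption: the proxy is the only program meant to reach the internet.
ALLOWED_OWNERS = {"proxomitron.exe"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line.strip())
    return m.groupdict() if m else None


def split_endpoint(endpoint):
    """'rhiannon [192.168.13.4:137]' or 'localhost:137' -> (host, port)."""
    bracket = re.search(r"\[([^\]]+)\]", endpoint)
    host, _, port = (bracket.group(1) if bracket else endpoint).rpartition(":")
    return host, int(port)


def proxy_bypass_attempts(log_text, allowed=ALLOWED_OWNERS):
    """List (timestamp, exe, host, port) for outbound attempts that skip the proxy."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["dir"] != "Out":
            continue
        # Reduce the owner path to a lower-case executable name.
        exe = rec["owner"].strip().replace("\\", "/").rsplit("/", 1)[-1].lower()
        host, port = split_endpoint(rec["dst"])
        # A browser talking to the local proxy is expected; anything else is not.
        if exe not in allowed and host not in LOOPBACK_HOSTS:
            hits.append((rec["ts"], exe, host, port))
    return hits
```

On the excerpt above this returns the two IEXPLORE.EXE entries and ignores the inbound NetBIOS block.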

R2
R Not
MVM
join:2000-09-18
Long Beach, CA


Does Proxo work like a Hosts???

Again my impression (zero experience or first-hand knowledge) is that it does not. Instead, I THINK it is simply (if "simple" can be used here) a packet modifier that rewrites the packets as they arrive at your computer. This would involve NO redirection (a la Hosts). Instead of RE-directing the computer, the DIRECTIONS themselves are modified.

Again, I have to end with... is this correct?

Zhen-Xjell
Prolific Bunny

join:2000-10-08
Bordentown, NJ


Here is a config file that can be used which works akin to the HOSTS file, without redirection:

Excerpt:

# The URL killer header filter, if enabled, will kill
# any URLs matched in this list. This will completely
# block access to the given site so be cautious.

So Proxo is not only a web page parser/filter, it also can kill URLs on the spot with parsing the page.

My suggestion to anyone who is interested about Proxo is to download a copy and try it. There are many advantages in using Proxo, and those cannot be realized without using the application.
[text was edited by author 2001-06-10 15:59:27]

What's Up
join:2000-06-17
Riverdale, MD

What's Up to gwion

But, if you are behind a firewall (router) and have a software firewall you should be pretty safe. You see, the scan is stopping at your router; it never gets to your PC, and if it did, your software firewall will/should protect you. The sky is not falling.

Wildcatboy
Invisible
Mod
join:2000-10-30
Toronto, ON

That's the misconception that we are trying to address. If you have a firewall and you are running a proxy server that opens a port and listens, your firewall will allow it because you allow the program to work. Therefore you are not safe even though you have a firewall. The only way to be safe is to make sure the listening port will only listen to your localhost or your LAN and not to the outside world.

And to answer Z-X's question, you also need to make sure your browser doesn't act on behalf of your Proxy to accept connections from outside. In other words if IE manages to gain server access, then it will accept connections on behalf of your proxy and it defeats your efforts to close your Proxy port. To make it safer you need to make sure you deny IE to act as a server and make it ask permission for the connections it wants to accept. Now there's still a problem when you let IE ask permission, because once you say yes to it IE will be allowed to accept any connections from that point on, as long as your session is open. By denying it completely to act as a server all those connections will automatically be denied.
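The check described in the post above (a listening port bound only to localhost or the LAN) can be run against a listing of open sockets. The following is an added example, not part of the original post: it classifies each listening TCP socket by the address it is bound to. The sample text is constructed in the style of Windows `netstat -an` output, and ports 8080 to 8082 are placeholders for a proxy's listening port.

```python
import ipaddress

# Constructed sample in the style of `netstat -an` output (IPv4 rows only).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8081         0.0.0.0:0              LISTENING
  TCP    192.168.13.2:8082      0.0.0.0:0              LISTENING
  TCP    192.168.13.2:2179      209.123.109.175:80     ESTABLISHED
"""


def classify_bind(addr):
    """Say who can reach a socket bound to this local address."""
    ip = ipaddress.ip_address(addr)
    # Test the wildcard first: 0.0.0.0 also counts as "private" in ipaddress.
    if ip.is_unspecified:
        return "all-interfaces"   # reachable on every interface, WAN included
    if ip.is_loopback:
        return "localhost-only"   # only programs on this machine can connect
    if ip.is_private:
        return "lan-only"         # bound to a private (LAN) address
    return "public"               # bound directly to a routable address


def audit_listeners(netstat_text):
    """Map each listening TCP port to the scope of its bind address."""
    findings = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue  # skip headers, UDP rows and established connections
        addr, _, port = fields[1].rpartition(":")
        findings[int(port)] = classify_bind(addr)
    return findings


def exposed_ports(netstat_text):
    """Ports that accept connections from outside localhost and the LAN."""
    scopes = audit_listeners(netstat_text)
    return sorted(p for p, s in scopes.items() if s in ("all-interfaces", "public"))
```

A proxy whose port appears in `exposed_ports` is listening to the outside world unless the packet filter blocks inbound traffic to it.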

Zhen-Xjell
Prolific Bunny

join:2000-10-08
Bordentown, NJ


Thank you for clearing this up WCB, now I understand what is being discussed. I didn't read between the lines.

Hutchy
Premium Member
join:2000-10-14
australia430

Hutchy to Wildcatboy

Thanks Wildcatboy. I couldn't explain it the way you did. Why? Because I'm still learning how to. I.e., a firewall configuring dummy. I still have a long way to go.

gwion
wild colonial boy

join:2000-12-28
Pittsburgh, PA

gwion to Wildcatboy

Great explanation. Based strictly on the basics covered in this discussion, here's the "3 point summary":

You expose yourself to three basic risks with a proxy:

1. You inadvertently open the listening port to the internet, allowing others to connect to your proxy and run their connections through your address;

2. You allow the browser to continue to access the internet on its own through the firewall, so it can still send or receive a packet AROUND the proxy server; and,

3. You set up an app other than a browser to connect through the proxy without first deciding whether or not you want granular control over what it sends and receives. The proxy is a tunnel through the firewall. Anything passing through it only gets filtered by the proxy, because the firewall "trusts" the proxy server... the proxy server "wraps" the browser request inside its own packet, which appears to the firewall only to be coming from the proxy, not the app that's connecting through the proxy. When you allow the proxy, you automatically allow "everything" that passes through it.

The solutions are, as Wildcatboy said, the subject of this discussion. There are other risks, of course, but those are the big three we should all be aware of.

Just a little aside... I don't know why IE asks for server access on ZA, but a simple answer is it doesn't need it, and it should be denied. All IE needs is standard client permissions "allow outbound," proxy or no proxy. Nor does the proxy need server permission to the internet; it only needs to act as a server on localhost. Its permission to access the internet is the same as IE, "allow outbound, any port." Its permission relative to localhost, though, is allow inbound and outbound on port [proxy's listening port]. Configuring individual firewalls will differ, but the effect should be the same.