tiny personal firewall with a LAN

General Network security, firewalls, port filtering/forwarding, wireless security, anti-spyware, as well as spam control and privacy discussions.
neutral
New Member
Posts: 11
Joined: Thu Jun 21, 2001 9:38 am
Location: crofton, maryland

tiny personal firewall with a LAN

Post by neutral »

hello all, long time lurker, first time poster. i just want to say this forum is absolutely amazing...so much great information going on. but, i digress.

first off, my hardware:
server: http://65.14.213.126/
computer: http://65.14.213.126/computer.html

from the above, it should be fairly easy to determine how the LAN is set up in my house. to make a long story short:

cable line goes to CABLE MODEM [surfboard]
NIC #1 [external] on SERVER connects to cable modem [via cat5]
NIC #2 [internal] on SERVER connects to 10/100 hub
NIC #1 on COMPUTER connects to 10/100 hub

issue: my server has been naked for a long time, my fault entirely. i was hacked by chinese hackers not too long ago. [they put some default.asp, default.html, index.asp, index.htm files on my C drive and in all the subdirs of Inetpub, thing is my server was configured to only serve up .html pages] anyways, i swore to put some kind of security measures in place, and through looking, reading, and researching, i decided to go with tiny personal firewall. ironically, in the interim of researching, they just hacked in on 6/16 @ 10:46 EST :( i deleted all files they put in place, although i regret that, now i do not have anything to show to you.

back to TPF...i set it up, put the rules listed here [http://server47.hypermart.net/tinyfirewall/rules.html] in place, that did not already exist by default, and went off to do my tests at grc.com and dslreports.com and etc.

i got fantabulastic ;) scores, according to them. but now, my computer on the LAN cannot connect to the internet. no web, no aim, no ftp, no network drives, no anything.

what would be the optimal way to set the rules so that the internal computer can connect to everything needed, yet still remain secure?

here are some connections trying to occur that i am unclear about:
In UDP cc******-* [0.0.0.0:68]->localhost:67 Owner: C:\WINNT\SYSTEM32\SVCHOST.EXE
[the computer externally is trying to talk to itself internally? name update?]

In UDP 169.254.215.230:138->localhost:138 Owner: SYSTEM
In UDP 169.254.215.230:137->localhost:137 Owner: SYSTEM
[got this when the COMPUTER IP was DHCP and not static. UDP Datagram to the system to let it know it was on the network?]

i am assuming since these are not going through [Blocked by rules] then the COMPUTER cannot report to the SERVER that it is on the network, and vice versa.

this is all speculation on my part of course. i am no idiot when it comes to computers and networking [or maybe i am :p ]. i know that what is holding up COMPUTER is the UDP Datagrams it needs to send to SERVER to inform it of its network status. unfortunately, the rules i have set prevent this from happening, as it interprets this as Incoming [albeit internally], and even when i have the Network Address/Mask, Range, Single Address in Trusted Addresses, the rules still say no.

so, i reiterate, how to set up my firewall, so that it lets the computer do normal network/internet things, web, email, ftp, aim, etc, but yet still remain secure externally?

thanking you all in advance! glad to finally be part of the forums :)

mike d
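The three log lines quoted in the post come down to two well-known UDP services, DHCP on ports 67/68 and NetBIOS on ports 137/138, plus the 169.254 address that Windows assigns itself when it cannot get a DHCP lease. The parser and classifier below is an added example, not code from the thread or from Tiny Personal Firewall; the line grammar is inferred from the three quoted lines, and those lines (masked host name kept as written) are the sample input.

```python
"""Parse and classify Tiny Personal Firewall log lines of the shape quoted in
the post.  Added example, not code from the thread or from the product: the
line grammar is inferred from the three quoted lines, which are also used as
sample input below."""
import ipaddress
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<direction>In|Out)\s+(?P<proto>TCP|UDP)\s+"
    r"(?:(?P<src_host>\S+)\s+)?"                  # optional host name, as in "cc******-* [0.0.0.0:68]"
    r"\[?(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)\]?"
    r"->(?P<dst_host>[^:\s]+):(?P<dst_port>\d+)"
    r"\s+Owner:\s+(?P<owner>.+?)\s*$"
)

# Services behind the UDP ports that appear in the post (IANA well-known ports).
UDP_SERVICES = {
    67: "DHCP server",
    68: "DHCP client",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one log line, or None if it does not fit the grammar."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["src_port"] = int(m["src_port"])
    rec["dst_port"] = int(m["dst_port"])
    return rec


def classify(rec: Dict[str, object]) -> List[str]:
    """Explain what a parsed connection most likely is, from the defender's side."""
    notes: List[str] = []
    src = ipaddress.ip_address(str(rec["src_ip"]))
    if src.is_unspecified:
        notes.append("source 0.0.0.0: the sender has no address yet")
    elif src.is_link_local:
        notes.append("source is APIPA (169.254/16): that host failed to obtain a DHCP lease")
    elif src.is_private:
        notes.append("source is a private LAN address")
    else:
        notes.append("source is a public Internet address")
    if rec["proto"] == "UDP":
        for port in (rec["src_port"], rec["dst_port"]):
            service = UDP_SERVICES.get(int(str(port)))
            if service and service not in notes:
                notes.append(service)
    if {rec["src_port"], rec["dst_port"]} == {67, 68}:
        notes.append("DHCP exchange: blocking it leaves the client without a lease")
    if rec["dst_port"] in (137, 138):
        notes.append("Windows name registration/browsing: normal between LAN peers, "
                     "should not be reachable on the Internet-facing interface")
    return notes


# The three lines quoted in the post, used here as sample input.
SAMPLE_LOG = [
    r"In UDP cc******-* [0.0.0.0:68]->localhost:67 Owner: C:\WINNT\SYSTEM32\SVCHOST.EXE",
    "In UDP 169.254.215.230:138->localhost:138 Owner: SYSTEM",
    "In UDP 169.254.215.230:137->localhost:137 Owner: SYSTEM",
]


def report(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every line and attach its classification; lines that do not parse are skipped."""
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            rec["notes"] = classify(rec)
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in report(SAMPLE_LOG):
        print(f"{rec['src_ip']}:{rec['src_port']} -> {rec['dst_host']}:{rec['dst_port']} ({rec['owner']})")
        for note in rec["notes"]:
            print("   ", note)
```

The first line is the machine's own DHCP client talking to its local DHCP service before it has an address, and the two 169.254 lines are a host that never got a lease trying to register its NetBIOS name; both are the kind of LAN-side traffic a rule set has to let through on the internal interface while still dropping it on the external one.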
Kirby Smith
Member
Posts: 84
Joined: Fri Jun 01, 2001 6:42 pm
Location: Derry, NH

Post by Kirby Smith »

I'll leave it to the Tiny mavens to answer you directly. However, it seems to me that if you used a router, each computer could be individually configured with Tiny. And the router should perform useful blocking functions also. With the Nexland ISB Soho for example (the only one I know anything about) you can filter differently for each attached computer.

kirby
fredra
Advanced Member
Posts: 847
Joined: Mon Mar 20, 2000 12:00 am
Location: Nepean, On, Canada

Post by fredra »

Hi neutral
Let me see if I can help you here....
First, go here to see if that will address your question. That page is rather informative as it was set up by the TINY USERS GROUP.
If that doesn't help, please pm me or come back and one of us, maybe juggernaut or someone else will be able to assist you.
Let me know if this helps...ok
A man with a watch knows what time it is. A man with two watches is never sure.
Juggernaut
Senior Member
Posts: 1645
Joined: Fri Aug 11, 2000 12:00 am
Location: Parts Unknown

Post by Juggernaut »

I might be able to help you later once I get home. I'll let you know
It can't rain all the time...
Juggernaut
Senior Member
Posts: 1645
Joined: Fri Aug 11, 2000 12:00 am
Location: Parts Unknown

I have to retype this now cuz it lost it for some reason

Post by Juggernaut »

I checked out the site that you went to to create u'r rule sets and noticed that they had a lot of extra rules that could be summed up much more quickly by "combining" rules. Instead of creating 4 different rules - 1 to block INCOMING TCP, 1 to block INCOMING UDP, 1 to block OUTGOING TCP and 1 to block OUTGOING UDP - you can create 1 rule that blocks UDP/TCP and INCOMING/OUTGOING for a certain application. By having less rules for each application (if possible mind you) it makes it easier to sort through and see where the problem may be.

The way that Tiny and the rulesets work is that the higher on the list a rule is, it takes priority over the ones below it. This means that you could create a rule for a certain application that blocks ALL INCOMING/OUTGOING TCP/UDP traffic (blocking ALL net access for that program) and then create a rule directly above it that allows the program to access the certain thing that you want it to. This way, when Tiny is looking for a rule for that program, it will see the one that gives it access first but if it doesn't meet the requirement, it will continue down to the next rule that will block all access. This makes it very secure since you can give a program access to one thing, while completely blocking that program from accessing anything else. Understand?

Now you mentioned that the problem you were having was that Tiny was blocking the COMPUTER from sending a UDP Datagram to the SERVER machine, even though you have the computer in the Trusted Address list. I bet you have a single rule that blocks access for that program, but it's set up for Trusted Address so you thought it would work, since you have the IP Address of the COMPUTER in the Trusted Addresses right? The way Tiny reads it is it will BLOCK access to the Trusted Address instead of making it like an exception. So what you should do is create a rule that blocks all access to that program (SYSTEM I believe?) and then create a rule directly above that one that gives the specific access that the COMPUTER needs (allow the Trusted Address to access the certain port it needs to). *Make sure that you only put in the address of the COMPUTER in your Trusted Address to make it more secure* I personally don't even use the Trusted Address.

Doing what I mentioned above would make Tiny first see that the Trusted Address (your COMPUTER's Address) will be able to access what it needs to from SYSTEM, and then the next rule will BLOCK everything else that doesn't meet the requirements.

If you need more help, feel free to ask. I know this can seem kinda tricky when u'r first getting started, but it'll eventually make sense.
It can't rain all the time...
Juggernaut
Senior Member
Posts: 1645
Joined: Fri Aug 11, 2000 12:00 am
Location: Parts Unknown

Post by Juggernaut »

Here is a screenshot from my rulesets for anyone that wants to see how mine is set up. My cable is DHCP and I'm on Win2K which is why the first rule for "Services and Controller App" has a specific address in there...it is my DNS Server so my computer can access the net. Notice that after it, I have BLOCK ALL INCOMING UDP/TCP traffic for that program? And after that I have allowed my Local port 68 to access 255.255.255.255 on port 67 ONLY and ONLY for that one application? My computer needs this to access the net.

I also have it set up to ask me when anything else needs to access the net. If I already have a rule in there for that program, I *may* be able to just edit that rule to give it access or simply create a new rule underneath it to allow it the certain access. I try to keep the rules down so that it doesn't get too cluttered.

Go to http://www.angelfire.com/goth/Nothing/TinyConfig1.jpg to see the screenshot. It's on Angelfire and it doesn't like it when I posted it in here.

*Edited it again cuz it didn't like it embedded either. If it doesn't work, just copy and paste the link directly in your browser window.
It can't rain all the time...
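Juggernaut's two posts above describe first-match evaluation: Tiny walks the list from the top, so a narrow allow rule has to sit directly above the catch-all block for the same program, and a block rule scoped to a Trusted Address blocks that address rather than exempting it. The model below is an added example, not code from the thread or from Tiny Personal Firewall; it reproduces that behaviour on a constructed ruleset that uses the program names from the posts, with 192.168.1.10 as a constructed LAN address for COMPUTER and 203.0.113.9 as a constructed outside address. The `shadowed_rules` check goes a step beyond the posts and flags rules that can never fire because a broader rule sits above them.

```python
"""Ordered first-match firewall rules as Juggernaut describes them for Tiny
Personal Firewall.  Added example, not code from the thread or from the
product; program names come from the posts, all addresses are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MATCH_FIELDS = ("app", "direction", "proto", "local_port", "remote_ip", "remote_port")


@dataclass(frozen=True)
class Packet:
    app: str           # owning process, as the firewall reports it
    direction: str     # "in" or "out"
    proto: str         # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    app: Optional[str] = None          # None means "any" for this and every field below
    direction: Optional[str] = None
    proto: Optional[str] = None
    local_port: Optional[int] = None
    remote_ip: Optional[str] = None    # single address; stands in for the Trusted Address scope
    remote_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field the rule specifies must equal the packet's value."""
        return all(getattr(self, f) is None or getattr(self, f) == getattr(pkt, f)
                   for f in MATCH_FIELDS)

    def covers(self, other: "Rule") -> bool:
        """True if anything `other` could match, this rule also matches."""
        return all(getattr(self, f) is None or getattr(self, f) == getattr(other, f)
                   for f in MATCH_FIELDS)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "ask") -> Tuple[str, Optional[str]]:
    """Walk the list top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, None


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule already covers
    everything they would match: the catch-all-above-the-exception mistake."""
    return [rule.name for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


SVC = "Services and Controller App"
COMPUTER = "192.168.1.10"   # constructed LAN address for neutral's COMPUTER
OUTSIDER = "203.0.113.9"    # constructed Internet address (documentation range)

# Juggernaut's layout: specific allow rules, then a block-all for the same program.
GOOD_RULES = [
    Rule("dhcp renew", "allow", app=SVC, direction="out", proto="udp",
         local_port=68, remote_ip="255.255.255.255", remote_port=67),
    Rule("block rest of svc app", "block", app=SVC),
    Rule("lan netbios name", "allow", app="SYSTEM", direction="in", proto="udp",
         local_port=137, remote_ip=COMPUTER),
    Rule("lan netbios dgram", "allow", app="SYSTEM", direction="in", proto="udp",
         local_port=138, remote_ip=COMPUTER),
    Rule("block rest of SYSTEM", "block", app="SYSTEM"),
]

# The ordering mistake: the catch-all placed above its exceptions shadows them.
REVERSED_RULES = [GOOD_RULES[4]] + GOOD_RULES[2:4]

# What Juggernaut suspects neutral had: one block rule scoped to the trusted
# address, which blocks that address instead of exempting it and says nothing
# about anyone else.
TRUSTED_SCOPED_BLOCK = [Rule("block SYSTEM from trusted", "block", app="SYSTEM", remote_ip=COMPUTER)]

# Constructed traffic modelled on the connections quoted in the first post.
DHCP_DISCOVER = Packet(SVC, "out", "udp", 68, "255.255.255.255", 67)
LAN_NAME_QUERY = Packet("SYSTEM", "in", "udp", 137, COMPUTER, 137)
OUTSIDE_NAME_QUERY = Packet("SYSTEM", "in", "udp", 137, OUTSIDER, 137)

if __name__ == "__main__":
    for pkt in (DHCP_DISCOVER, LAN_NAME_QUERY, OUTSIDE_NAME_QUERY):
        print(pkt.app, pkt.remote_ip, "->", evaluate(GOOD_RULES, pkt))
    print("shadowed in reversed list:", shadowed_rules(REVERSED_RULES))
    print("trusted-scoped block, LAN peer:", evaluate(TRUSTED_SCOPED_BLOCK, LAN_NAME_QUERY))
    print("trusted-scoped block, outsider:", evaluate(TRUSTED_SCOPED_BLOCK, OUTSIDE_NAME_QUERY))
```

Running the model shows the LAN peer's NetBIOS query allowed and the same query from an outside address blocked under GOOD_RULES, both allow rules reported as dead in REVERSED_RULES, and the trusted-scoped block rule doing the opposite of what was intended: it blocks the LAN peer and falls through to the default prompt for everyone else.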
fredra
Advanced Member
Posts: 847
Joined: Mon Mar 20, 2000 12:00 am
Location: Nepean, On, Canada

Post by fredra »

Thanks for helping jug:2cool:
A man with a watch knows what time it is. A man with two watches is never sure.
neutral
New Member
Posts: 11
Joined: Thu Jun 21, 2001 9:38 am
Location: crofton, maryland

finally worked out

Post by neutral »

i just want to thank Juggernaut, for going into such great depth, and detail, and for even posting a screenshot as well.

i finally got the issues sorted out, after deleting all the rules, and then setting them back up again. most rules were put in place thanks to Juggernaut's advice and screenshot, a couple others were custom fit to my needs. but now, any computer assigned on my network, can map to network drives [with access], connect to the internet, and do all the normal things. here are a couple screenshots for whomever is interested:

http://65.14.213.126/images/firewall/tinyrules1.gif
http://65.14.213.126/images/firewall/tinyrules2.gif

i am still in the process of streamlining it, but as far as online port scan tests and the like, aside from the ports i want open [2 other ports i am still not sure about that are open: 389 and 1002 ??], which is only a couple, everything else is filtered or closed/blocked.


thanks again everyone :)
miked
Juggernaut
Senior Member
Posts: 1645
Joined: Fri Aug 11, 2000 12:00 am
Location: Parts Unknown

Post by Juggernaut »

Hey man, no problem...glad it's working for you now...one thing tho, I was looking at u'r screenshots...I'd recommend you move all the rules for the system commands (ie. SYSTEM, Generic Host Processor, Services and Controller App, etc.) up on the list and move the actual "programs" that need to access the net below them (ie. Internet Explorer). Notice on my screenshot that all the rules for all the system commands were first on the list...I didn't bother posting the bottom half of my Rule List because that is all my programs that access the net (ie. Internet Explorer, my FTP program, Games, etc.). This will increase your security greatly (and may fix that problem with those two ports being open).

You can keep the same order if u'd like, just move them up (or move IE and any other non-system program down). If you don't, the Internet Explorer rule will take precedence over all the rules below it..that means it will take priority over all those SYSTEM, Generic Host Process, Services and Controller App, etc.
It can't rain all the time...
neutral
New Member
Posts: 11
Joined: Thu Jun 21, 2001 9:38 am
Location: crofton, maryland

thanks again

Post by neutral »

yeah, i was noticing that too, i will do that later on. only so much i can take care of from work on VNC ;) thanks again.

by the way, 389 is an LDAP port, but i am still clueless about port 1002. it is an unknown as far as i know....hmm
Juggernaut
Senior Member
Posts: 1645
Joined: Fri Aug 11, 2000 12:00 am
Location: Parts Unknown

Post by Juggernaut »

If you need to use LDAP for your network, you could create a rule that allows access to the IP of u'r second computer and then create another rule underneath it to block it from everyone.
It can't rain all the time...