3. Stopping ICMP pings using 3.22 (an addition by Peter Pan)
I have made an interesting discovery. Look, for a long time I had been noticing
that when I entered some sites through a proxy the Atguard rule named
Anti-Hack IRC (Destination Unreachable) was matched; the remote address was that
of the server, so the proxy wasn't working at all. An example:
http://www.socks.nec.com/cgi-bin/download.pl . At first I thought this
was an unknown method to override the proxy. But in the end I found the
explanation: every time one attempts to enter a site, an ICMP Echo Request
(exactly a Ping) is automatically sent. I don't know why some servers answer
with this Destination Unreachable, but this is not important.
This is the scenario: the server receives a Ping from our real IP and,
within a few seconds, a URL request from a proxy. In a busy server, handling
hundreds of simultaneous requests, the relation is very difficult to establish,
but in a quiet server it would be evident (in case these ICMP packets are
logged; really I'm not sure, but it wouldn't be strange). As you can see, this
is a serious security flaw and I have never seen anything about this anywhere.
The solution I found is blocking all ICMP packets except the ones sent to/from
my own ISP. More precisely, these are the rules I have set (they must be set
in this order):
(The addresses of your ISP can be found by going to My Computer/Dial-Up Networking,
right-clicking the name of your connection and selecting Properties. In the
second tab, Server Type, click TCP/IP Configuration. The IPs set in the fields
Main DNS and Secondary DNS are those of your ISP.)
a) Rule permitting either inbound/outbound from/to the main address of my ISP.
Name: ICMP ISP main. Action: Permit. Direction: Either. Protocol: ICMP. Type:
Any Type. Address: Host address (main ISP address)
b) Rule permitting either inbound/outbound from/to the secondary address of my
ISP. Name: ICMP ISP secondary. Action: Permit. Direction: Either. Protocol:
ICMP. Type: Any Type. Address: Host address (secondary ISP address)
c) Rule blocking ICMP Echo Reply Inbound (all Log options on, to see in the
Dashboard when it is matched). If someone is pinging me, I want to know; it could
be the start of an attack, before port scanning. Name: Ping warning. Action:
Block. Direction: Inbound. Protocol: ICMP. Type: Single Type - Echo Reply.
Address: Any address in both. Logging: Both options checked.
e) At last, a rule blocking all ICMP packets. Name: Rest ICMP. Action:
Block. Direction: Either. Protocol: ICMP. Type: Any Type. Address: Any
address in both.
Here's an example of adding a rule in Atguard.
In this case the Backdoor trojan.
--
..go to 'Settings'
..take the Firewall tab
..click 'Add'
..fill in: name: Backdoor 98 - action: block - direction: either - TCP/UDP
..application: any
..service: remote: any - local: 'single', then fill in 'Backdoor-g-1'
..address: any / any
..logging: enable 'write..' to have it reported in your log file;
enable 'show notif..' if you want the red flag coming up on the right
of the dashboard when this rule is matched.
(you can wipe the red flag for the next one by right-clicking on the dashboard, then 'reset event ..')
Do OK. You will see that this rule is added at the bottom of the list.
--
Now comes another important part: the place of that rule in the list.
If you select the new line, you can move it up and down with the arrows.
This list is read by the prog from top to bottom.
If a packet matches the conditions in a line, the rules below that line
are skipped. So the order is very important for correct functioning.
Example: you have two conditions:
1 - let your browser do its job
2 - but you don't want to have contact with 'www.micro$oft.com'
If you have these two rule-lines in your list just as you see them now, it won't work.
The correct order would be: 2-1. Consider that.
Roughly speaking there are 3 parts in the list:
a - at the top, all the hostile ports, e.g. trojans, ICQ, Netbios and bootp.
b - the 'permit' group with browser, mail, DNS, etc.
c - the rest of the things you want to block, to be sure
So normally you would shift this new backdoor rule up above the 'permit' group.
Do OK.
Have fun.
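As an added example (not part of the FAQ and not AtGuard's own code), here is a small Python model of the top-to-bottom, first-match rule list described above. It replays the browser/'www.micro$oft.com' ordering example and Peter Pan's ICMP rules a) to e) from earlier on the page; the ISP addresses and the remote address 203.0.113.9 are constructed placeholders.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass
class Rule:
    name: str
    action: str           # "permit" or "block"
    protocol: str         # "tcp", "udp", "icmp" or ANY
    direction: str        # "inbound", "outbound" or "either"
    remote: str = ANY     # remote host name or address, or ANY
    icmp_type: str = ANY  # e.g. "echo-reply", or ANY
    log: bool = False     # the 'write to log' option

def matches(rule, proto, direction, remote, icmp_type=ANY):
    return (rule.protocol in (ANY, proto)
            and rule.direction in ("either", direction)
            and rule.remote in (ANY, remote)
            and rule.icmp_type in (ANY, icmp_type))

def evaluate(rules, proto, direction, remote, icmp_type=ANY):
    """Read the list top to bottom; the first matching rule decides and the
    rules below it are skipped. Returns (action, rule name, logged).
    With no match the Rule Assistant would ask; modelled here as "ask"."""
    for rule in rules:
        if matches(rule, proto, direction, remote, icmp_type):
            return (rule.action, rule.name, rule.log)
    return ("ask", None, False)

# The FAQ's two conditions: 1 - let the browser do its job,
# 2 - no contact with 'www.micro$oft.com'.
permit_browser = Rule("browser", "permit", "tcp", "outbound")
block_msft = Rule("no micro$oft", "block", "tcp", "outbound",
                  remote="www.micro$oft.com")

def browser_verdict(order):
    """Verdict for the browser reaching www.micro$oft.com under a given order."""
    return evaluate(order, "tcp", "outbound", "www.micro$oft.com")[0]

# Peter Pan's ICMP rules a), b), c), e) in his order. The ISP addresses are
# constructed placeholders from the documentation range, not real ISP addresses.
ISP_MAIN, ISP_SECONDARY = "192.0.2.1", "192.0.2.2"
icmp_rules = [
    Rule("ICMP ISP main", "permit", "icmp", "either", remote=ISP_MAIN),
    Rule("ICMP ISP secondary", "permit", "icmp", "either", remote=ISP_SECONDARY),
    Rule("Ping warning", "block", "icmp", "inbound", icmp_type="echo-reply", log=True),
    Rule("Rest ICMP", "block", "icmp", "either"),
]

if __name__ == "__main__":
    print("1-2 order:", browser_verdict([permit_browser, block_msft]))  # permit
    print("2-1 order:", browser_verdict([block_msft, permit_browser]))  # block
    print(evaluate(icmp_rules, "icmp", "inbound", ISP_MAIN, "echo-reply"))
    print(evaluate(icmp_rules, "icmp", "inbound", "203.0.113.9", "echo-reply"))
```

With the browser rule on top the block rule is never reached, which is exactly why the FAQ says the order must be 2-1.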
ATGUARD FIREWALL SETTINGS
1st Part
I've made a summary of the explanations I normally give in chat.
Take a little time to read this FAQ, and you will see how easy all this is.
PROGRAM INSTALLATION
The program is easy to install: just execute the setup program and
reboot the PC. If you want to install the upgrade, which is available free
for registered users, you have 2 possibilities:
If you have the earlier version installed, download Atguard 3.22
and install over it, but the new features will only work OK if no rules
have been created before. So you may delete the rules created by
the earlier version and install over it, or uninstall it, reboot, and
install 3.22 afterwards, so it installs as a clean new one
(recommended). The registration stays, no prob.
FAST SETTINGS SETUP - Easy to understand
After installing, disable Atguard at the systray (left-click on the
barrier - Settings / Enable Atguard (not checked mode)).
Click on barrier / Settings (opens the Settings window).
There are 3 main tabs: WEB / FIREWALL / OPTIONS
1) WEB
Check the "Enable filters" box.
Below is a blank table (only with "default" written in it) where all
the learned URL/Java rules will be listed. At any time you can delete or
remove any site.
Click on the FILTERS button.
All 5 boxes should be checked: Ad Blocking, Privacy, Active
Content, Cookie Assistant, Java/ActiveX Assistant.
Click on "OK"; this brings you back to WEB.
On the right side of the WEB tab, you have 3 sub-tabs:
a) Ad Blocking (leave it as it is)
b) Privacy (leave it as it is)
c) Active Content (uncheck Miscellaneous - Make animated images
non-repeating)
ALL 5 boxes should be unchecked here, because they are already filtered in
FILTERS before. If you check the boxes here you will not be able to create
permit rules when needed. Otherwise you could not see any
animated GIFs: e.g. you could not see my little kitty in the corner of the site.
And that would be a pity! ;-))
Without doing anything else, click on the second MAIN tab:
2) FIREWALL
Check both boxes on top: Enable Firewall, Enable Rule Assistant.
Below you will see a table with already permitted and blocked
options.
There are 10 default options in 3.1 and 12 in 3.2.
Any rule the proggie "learns" will be added to this list. At any time
you may remove, add or modify manually any rule's Action, Direction and Protocol.
We leave this as it is, and we go to:
3) OPTIONS
The first two boxes should be checked: Show taskbar icon, and
dashboard icon.
Security box not checked, for common use.
Enable Atguard not checked..... (we check that later on the systray)
Startup options.
Well, here you may check what you want:
Run it manually
Run at system startup = enables when you start Windows,
Run at Network startup = enables when connected to the net
Differences: Normally I have it on Network startup, because you
surely would say: why have it on in Windows without being connected to the net?
You are right. But there is a reason to have it sometimes on
Windows startup.
I will explain: the startup of Atguard takes a little time to go
from the disabled state to the enabled state.
If you connect to the net, your connection to the net is made
before Atguard is enabled, because, as I said, it takes time to load. If, in
the meantime that Atguard is loading (less than 30 sec), some proggie tries to
make contact with a URL or someone tries to contact you, the firewall will not
alert you, because it is still not loaded.
But, as I said before.... try one, try the other, use whichever suits
you better ;-)
After doing this, click on "Apply" or "Accept" or "OK" (depends on the
Windows language) at the bottom of the main Settings window to enable all the
settings you have made.
You don't need to reboot the PC for the new settings.
What will you see now? The dashboard on top.
On the dashboard check all the boxes EXCEPT the first one on the
left (the barrier): Ads, Cookies, and Firewall.
It also shows you the blocked "Refers" (referers). Every time you click
on an active link which sends you to another URL, the ORIGIN site URL goes
with it. The target will ALWAYS know where you are coming from if the referers
are not blocked. Atguard blocks them.
The only way for the target not to know where you come from (if you don't
use Atguard) is copying the link URL and pasting it in the browser's address bar.
OK... now you are ready to enable Atguard:
On the systray, click on the barrier / Enable Atguard.
But before this, you have to learn how to "teach" the proggie the
rules.
Very easy indeed!! Listen:
Every time you access a URL, you will be asked to permit or block
the access to: URL network connection, cookies, Java, etc.
I will explain that now in more detail:
There are 4 main rules:
Block always
Permit always
Block once
Permit once
The first two create rules, the second two do not.
The first two are used for common use, if you go many times to a specific
URL, like a chat or BBS, or any particular site you like. You permit always
the network connection, else you cannot visit the URL, and you may decide
whether to permit or block always cookies or Java.
They could be mixed with permit once or block once too.
These rules will be added to the WEB list window and the Firewall window, as
we have seen before.
Remember, once you have created a rule, you may delete or modify it any
time you want.
The second two let you permit or block anything for "this time only",
like when you visit a URL only once: you may permit the network connection so
you can go there, but block or permit the cookies and any Java script, but only
"this time". These options do not create a rule.
Now that we have defined the meanings of the options, we will see what
happens once Atguard is enabled.
These four options will be shown as a pop-up window every time.
There are sub-options too when creating rules, and you must remember the
following:
The rules that you create have to be as specific as possible.
The more restricted, the better.
I will explain:
The following example applies to every block-always or permit-always
network communication rule creation:
If you have a proxy installed, the first pop-up window will ask you
about the proxy's connection: create the rule.
For example, your proxy: let's say www.proxy.com, IP: 123.456.789.12,
port: 8080.
It will pop up the Atguard rule-create window, and:
You may "Permit always" the proxy, else you have to allow it every
time.
You will now see the:
SUB OPTIONS
The first window that will pop up (after you have clicked on
Block always or Permit always) is the application to create the rule for
(in this case the proxy).
Click NEXT.
The second one is the program that asks for it:
a) Explorer (you use it with Explorer...... check this one)
b) Any (of course not Any, because you would allow all applications)
Click NEXT.
The third one is the needed service:
a) only this service: port 8080 (example) (of course only this port: check)
b) Any (of course not Any, because you would allow all ports)
Click NEXT.
The fourth one is the DNS:
a) IP www.proxy.com (check this one.. you will use this proxy IP)
b) Any (of course not Any, because you would allow all IPs to access)
Click NEXT.
The fifth one is: if you want to keep a log:
In this proxy rule I would suggest that no log is necessary,
else you would have a log bigger than your HD :-)))
In any other case of specific URLs you have the option to check it
to keep a log.
You need to do this only once, because the proxy maintains the IP as a
constant.
The same applies to any website you visit, because they also have the
IP as a constant.
SPECIAL case: ICQ (under construction)
Here the checks are a bit different; it is an exception to
the above rules.
Why? Because the IPs used by ICQ are dynamic, not constant.
To be continued...
The Dashboard: A mystery?
Surely you are asking now: what does all that stuff mean there?
Well, this is one of the most important parts, because through the
dashboard you can control all the activities. I will describe each one now
in detail.
Atguard enable/disable (barrier)
Network Activities: (click on the #) Described in detail below.
Web Network Activities: (click on the #) Described in detail below.
Ads Blocked: Number of blocked banners and images.
Privacy Protection: Number of outbound blocked cookies.
Firewall Activity: The sum of all permitted and blocked inbound
and outbound TCP and UDP activities.
Now more in detail:
Web Network Activities: (WNA) Here you will see all the open HTTP
activities (browser connections). The gauge to the left of this number shows
open web HTTP activity from those connections. 3 windows open does not
necessarily mean 3 HTTP connections, because some time after loading the page
the connection is finished. Others are not. Others could have different
connections to links to other sites, so 1 window can have more than 1 HTTP
connection too.
But these WNA are part of the NA detailed below. That means: if WNA
increases, NA increases by the same amount.
Network Activities: (NA) This is the most important statistic on the
firewall. Here you can see all the network activities at a given moment. The
gauge to the left of this number shows network activity from those connections.
If you click on the number you will find:
Protocol: TCP or UDP
Executable: The application that is using the network connection
State: The application is typically Listening or Connected/Out.
Other states of very short duration may be displayed.
Remote: The address or host name of the remote site and the
service or port number. This information is available for TCP connections only.
Local: The local address or machine name and the service or
port number being used by the application.
Sent: Number of bytes sent since the connection started.
Received: Number of bytes received since the connection started.
Time: The amount of time that the connection has been active.
What connections shall I see here when I connect to the net? What is
normal and what is not?
In most cases the normal connections are these: 3 UDP, 1 TCP
(the exes can be different, because of browsers, AOL, etc.). For IE4:
UDP RNAAPP.exe Local: your-IP, nbname :port
UDP RNAAPP.exe Local: your-IP, nbdatagram :port
UDP Explorer.exe Remote: *Here-is-your-proxy* :port
TCP RNAAPP.exe Local: your-IP, nbsession :port
If you use ICQ, add:
UDP ICQ.exe
TCP ICQ.exe
All in Listening state.
Let's have an example of a hacker or NetBus or Back Orifice connection.
You can see it here!!! How?
Under Executable you will find the NetBus-type executable name, then
NETBUS behind it. If it is in Listening state, nothing is happening: it is
awaiting the hacker's call. If it is NOT in Listening state, it means that
the hacker is on line with you at that moment and you will have the IP
shown there!!!! (Remote)
Wonderful, isn't it? You have him!! You only need NetInfo or whois and
you can trace or look up his IP.
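Added example (not from the FAQ or from AtGuard): a small Python check that applies the advice above to a Network Activities listing. It compares the rows against the FAQ's IE4 baseline (RNAAPP.exe on nbname/nbdatagram/nbsession and Explorer.exe to the proxy, all Listening) and flags any listener the baseline does not explain, plus anything that is not Listening and therefore has a remote peer. The listing text, the executable name unknown.exe and all addresses are constructed to mimic the dashboard columns.

```python
# Baseline from the FAQ's IE4 list: (protocol, executable) pairs that are
# normal, plus the ICQ pairs the FAQ says to add if you run ICQ.
NORMAL = {("UDP", "RNAAPP.exe"), ("TCP", "RNAAPP.exe"), ("UDP", "Explorer.exe")}
NORMAL_WITH_ICQ = NORMAL | {("UDP", "ICQ.exe"), ("TCP", "ICQ.exe")}

def parse_listing(text):
    """Parse rows of 'Protocol Executable State Remote Local' (whitespace
    separated, '-' when Remote is empty) into dicts; the header row is skipped."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        proto, exe, state, remote, local = line.split()
        rows.append({"protocol": proto, "executable": exe,
                     "state": state, "remote": remote, "local": local})
    return rows

def suspicious(rows, baseline=NORMAL):
    """Return (executable, reason, remote) for every row worth a second look:
    anything not in Listening state (a remote peer is talking to it right now),
    and any listener the baseline does not account for."""
    findings = []
    for r in rows:
        if r["state"] != "Listening":
            findings.append((r["executable"], "not listening: remote peer present", r["remote"]))
        elif (r["protocol"], r["executable"]) not in baseline:
            findings.append((r["executable"], "unexpected listener", r["remote"]))
    return findings

# Constructed listing in the dashboard's column order. The last two rows are
# the case the FAQ describes: an unknown executable listening, then connected.
LISTING = """\
Protocol Executable State Remote Local
UDP RNAAPP.exe Listening - 10.0.0.5:nbname
UDP RNAAPP.exe Listening - 10.0.0.5:nbdatagram
UDP Explorer.exe Listening proxy.example:8080 10.0.0.5:1100
TCP RNAAPP.exe Listening - 10.0.0.5:nbsession
TCP unknown.exe Listening - 10.0.0.5:5555
TCP unknown.exe Connected/Out 203.0.113.7:1045 10.0.0.5:5555
"""

if __name__ == "__main__":
    for exe, reason, remote in suspicious(parse_listing(LISTING)):
        print(f"{exe}: {reason} ({remote})")
```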
What's the Difference Between TCP Connection Attempts and UDP Packets?
A connection attempt is just a TCP packet that is asking to establish
a connection to or from your computer. The connection may last anywhere
from milliseconds to hours. A UDP packet, on the other hand, is a single
packet used to transmit information without the promise of any additional
information being transmitted. Your computer can send or receive a single
UDP packet to exchange information without any connection being established.
Both kinds of packets are being used when you use a web browser to download
a web page. If you go to http://www.atguard.com, for example, your computer
first sends a UDP packet out into the world to try to find out what the
4-byte Internet Protocol address is for the computer called "www.atguard.com".
The protocol used to do that is called DNS, or Domain Name Service, and the
queries and replies take place without any persistent TCP connections being
made. Having a rule to permit this is important, or your computer wouldn't
be able to talk to other machines at all. UDP, or connectionless
communication, works well for DNS because the queries and replies are very
small and can be completed in single packets. Once the web client gets the
4-byte IP address for www.atguard.com, however, it needs to establish a
persistent connection with the site in order to fetch the web page and
images, because there's more data to be moved than will fit in a single
packet. That's where TCP connections come into play: a TCP "SYN"
(synchronize a connection) packet is sent to the web server, and the server
replies with a TCP "ACK" (acknowledgment). This creates a connection between
the two computers, and the data starts to flow.
By default, when the AtGuard firewall is enabled, inbound and outbound
UDP packets are permitted. This can always be changed by editing one of the
AtGuard firewall rules.
To be continued...
That's all. If you are using anonymous proxies but aren't running a
firewall such as Atguard, you should consider using one.