Re: ZoneAlarm VS. Tiny Firewall

From: Keyhole (Need2KnowBasic@Need2KnowBasic.gov)
Date: 02/03/02



Mark, I use TPF because it doesn't HOG up the computer's resources like ZA, plus why pay for ZA Pro for extra features when you can get them free with TPF (password-protected user settings) to keep others from messing with the firewall settings. Other things I like about TPF are creating rules to block out the ad banners (doubleclick.net) and, when using Outlook Express, creating a rule to deny access to the internet when viewing HTML emails. Here are the detailed rules to set up TPF:

TPF FAQ Answers to this section
GENERAL RULE SETS

1. What are some basic set of rules for TPF?
(Notify) means => Display alert box (checkbox).
(Logged) means => Log when this rule matches (checkbox).

Notes:
Rule 1 is the default rule of Tiny Firewall for loopback.

Rule 2 - 3 are your NetBIOS blocks. Enter them as displayed. Even if you have removed NetBIOS from your Network applet, these will serve to "Notify" you of any attempts. (Of course, this assumes you are NOT legitimately using NetBIOS on your system.)

Rule 4 - 5 allow any application to connect to your Domain Name Servers. If your ISP uses 4 different servers, you may add and use more or fewer.

Rule 6 - 10 are the balance of the ICMP rules. Enter them as displayed.

Rule 11 blocks and logs every request issued to your computer on common ports: FTP, HTTP, POP3, SMTP, Telnet, NetBIOS, etc.

Rule 12 - 15 are more (AtGuard Default) rules, but you can use them for Tiny Firewall now. Once the Trojan Port Blocking rules are activated, these can be deactivated or deleted as they provide duplicate coverage.

Rule 16 - 17 are the Low and High Trojan Port Blocking rules. Make sure they are set to Log all occurrences. Later you can examine your logs for any programs that are legitimately trying to use these ports. High/Low Trojan Port Blocking rules are not required, but they do "enhance" security, at the cost of increased nuisance.

Rule 18 - 21 are the "application specific" rules. In general, you'll write one or two rules for each application that you want to access the internet.

Rule 22 blocks and logs every unwanted UDP/TCP request issued from your PC (could be a trojan, a worm...); this rule disables the learning option (unknown outgoing request).

Rule 23 is the "Block Everything" rule. Enter it as shown but don't enable it until all of the "kinks" are out of your ruleset. Let the Rule Assistant (ask for action when no rule is found) work for you to show you where problems are occurring.

= = = = = = = = = = = = = = = =
RULE 1:

Description: Loopback
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: 127.0.0.1
Port type: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 2:

Description: Block Inbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 3:

Description: Block Outbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Port/Range
First Port: 137
Last Port: 139
Action DENY

= = = = = = = = = = = = = = = =
RULE 4:

Description: ISP Domain Name Server Any App UDP
Protocol: UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: (Your ISP DNS) IP number
Port type: Single
Port number: 53
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 5:

Description: Other DNS
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Single
Port number: 53
Action DENY

= = = = = = = = = = = = = = = =
RULE 6:

Description: Out Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo
Remote Endpoint: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 7:

Description: In Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
Remote Endpoint: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 8:

Description: In Block Ping and TraceRoute ICMP (Notify)
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo
Remote Endpoint: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 9:

Description: Out Block Ping and TraceRoute ICMP (Notify)
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo Reply, Destination Unreachable, Time Exceeded
Remote Endpoint: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 10:

Description: Block ICMP (Logged)
Protocol: ICMP
Direction: Both
ICMP Type: Echo Reply, Destination Unreachable, Source Quench, Redirect, Echo, Time Exceeded, Parameter Prob, Time Stamp, Time Stamp Reply, Info Request, Info Reply, Address, Address Reply, Router Advertisement, Router Solicitation (ALL)
Remote Endpoint: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 11:

Description: Block Common Ports (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports:
113,79,21,80,443,8080,143,110,25,23,22,42,53,98
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 12:

Description: Back Orifice Block (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 54320,54321,31337
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 13:

Description: Netbus Block (Logged)
Protocol: TCP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 12456,12345,12346,20034
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 14:

Description: Bootpc (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: Single port
Local App.: Any
Port number: 68
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 15:

Description: RPCSS (Logged)
Protocol: UDP
Direction: Incoming
Port type: Single port
Local App.: Any
Port number: 135
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 16:

Description: Block Low Trojan Ports TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Both
Port type: Port/range
Local App.: Any
First port number: 1
Last port number: 79
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 17:

Description: Block High Trojan Ports TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Both
Port type: Port/range
Local App.: Any
First port number: 5000
Last port number: 65535
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 18:

Description: Internet Explorer-Web browsing
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => iexplore.exe
Remote Address Type: Any
Port type: List of ports
List of ports: 80,8080,3128,443,20,21
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 19:

Description: Outlook Express
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => msimn.exe
Remote Address Type: Any
Port type: List of ports
List of ports: 25,110,119,143
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 20:

Description: ICQ Web Access Block
Protocol: TCP and UDP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => icq.exe
Remote Address Type: Any
Port type: Single port
List of ports: 80
Action DENY

= = = = = = = = = = = = = = = =
RULE 21:

Description: ICQ Application
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => icq.exe
Remote Address Type: Any
Port type: Single port
List of ports: 5190
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 22:

Description: Block Outbound Unauthorized Apps TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Outgoing
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

= = = = = = = = = = = = = = = =
RULE 23:

Description: Block Inbound Unknown Apps TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Incoming
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

If you are on a LAN you might need to allow NetBIOS to and from computers on your LAN. You should insert two rules before rule 2 and 3:

RULE 2a:

Description: Trusted Inbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Any
Action PERMIT

= = = = = = = = = = = = = = = =
RULE 3b:

Description: Trusted Outbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Port/Range
First Port: 137
Last Port: 139
Action PERMIT

= = = = = = = = = = = = = = = =

And you should enter your local IP addresses in the Trusted Address Group list.

2. ICMP router solicitation to 224.0.0.2?
The ICMP router discovery messages are called "Router Advertisements" and "Router Solicitations". Each router periodically multicasts a Router Advertisement from each of its multicast interfaces, announcing the IP address(es) of that interface. Hosts discover the addresses of their neighboring routers simply by listening for advertisements. When a host attached to a multicast link starts up, it may multicast a Router Solicitation to ask for immediate advertisements, rather than waiting for the next periodic ones to arrive; if (and only if) no advertisements are forthcoming, the host may retransmit the solicitation a small number of times, but then must desist from sending any more solicitations. Any routers that subsequently start up, or that were not discovered because of packet loss or temporary link partitioning, are eventually discovered by reception of their periodic (unsolicited) advertisements. So don't worry about permitting this. source: Tomas Soukup

3. How do I backup the rules?
persfw.conf - contains rules
stat.conf - status window settings
persfw.key is not needed (will be renewed if it's missing)
If you also want to back up the log, you will need the filter.log.idx and filter.log files (both!). source: Tomas Soukup

4. Do I need the loopback rule in my rule set?
The default installation of TPF includes a few predefined filter rules for a more convenient administration. Although you are allowed to remove these rules, you must not remove the Loopback rule because it allows TPF to communicate with your operating system. By removing this rule you will no longer be able to access the administration. source: tinysoftware

5. How do I get the time intervals to work?
Open Administration.
Click Advanced.
Select a rule and click Edit.

There HAS to be a list box titled "Rule valid" which is set to "Always"
initially. It's near the bottom of this dialog box, over the "Action" group
box and the Log/Alert checkboxes you already described.

Just change it from "Always" to "In this interval only."

source: baley

6. Does the placement of a rule ahead of another rule gives it priority over the second?
Yes, Tiny tests each request for connection against the rules from the top down until it finds one that matches. No further rules are checked.

7. What are the Hotmail servers?
64.4.52.7 64.4.53.7 64.4.54.7 64.4.43.7 64.4.44.7 64.4.45.7

8. How do I move rules up and down?
You can move rules by using the arrows at the right side of the rules screen. You can also "insert" rules above the selected one by selecting the "insert" button.

9. What does the "network mask" do?
The network mask is basically a way for you to allow or deny multiple IPs without having to specify each of them.

The way it works (to my knowledge) is like this:

Say you wanted a rule that would allow any IP that started with 111.222.111.xxx

What you would do would be to create a rule allowing 111.222.111.0 and a netmask of 255.255.255.0

Now when you get an IP you want to test to see if it matches your rule, you take this IP and do a binary AND of it against the netmask. You then compare this value to the IP in the rule (111.222.111.0). If it's a match then the rule matches.

An example:
a) The Rule's IP: 111.222.111.0
b) The Rule's Netmask: 255.255.255.0
c) The IP to be tested: 111.222.111.5

First c) is ANDed with b):
111.222.111.5 AND 255.255.255.0

which means: (111 AND 255).(222 AND 255).(111 AND 255).(5 AND 0) (AND is a bitwise and operation. Look up boolean algebra if you're not familiar with it)

The result is: 111.222.111.0

which is compared with a) and so it matches.

If you're not familiar with binary/boolean algebra then this might sound like double dutch I understand ;)

source: Rukh
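The netmask matching Rukh describes, as an added example (not from the FAQ or from Tiny Software): the bitwise AND with the FAQ's 111.222.111.0 / 255.255.255.0 values, a check that the rule's address has no host bits set (a Network/Mask rule with host bits set can never match, because the AND always clears them), and conversion between TPF's Network/Mask and Network/Range address types using the ranges quoted elsewhere on this page.

```python
"""Netmask matching as TPF's Network/Mask address type does it (added example)."""
from ipaddress import IPv4Address
from typing import Optional, Tuple


def to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(IPv4Address(value))


def and_octets(test_ip: str, netmask: str) -> str:
    """The per-octet AND from the FAQ: (111 AND 255).(222 AND 255).(111 AND 255).(5 AND 0)."""
    return to_dotted(to_int(test_ip) & to_int(netmask))


def mask_matches(rule_ip: str, netmask: str, test_ip: str) -> bool:
    """True when test_ip AND netmask equals the rule's address, i.e. the rule applies."""
    return and_octets(test_ip, netmask) == rule_ip


def rule_is_consistent(rule_ip: str, netmask: str) -> bool:
    """A rule address with host bits set (e.g. 111.222.111.5 with 255.255.255.0) can never
    match anything, since the ANDed value always has those bits cleared."""
    return and_octets(rule_ip, netmask) == rule_ip


def mask_to_range(rule_ip: str, netmask: str) -> Tuple[str, str]:
    """The equivalent Network/Range (First address, Last address) for a Network/Mask rule."""
    mask = to_int(netmask)
    network = to_int(rule_ip) & mask
    return to_dotted(network), to_dotted(network | (~mask & 0xFFFFFFFF))


def range_to_mask(first: str, last: str) -> Optional[str]:
    """The netmask for a Network/Range rule, or None when the range is not mask-aligned
    (size not a power of two, or first address not a multiple of the size)."""
    lo, hi = to_int(first), to_int(last)
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size:
        return None
    return to_dotted((0xFFFFFFFF << (size.bit_length() - 1)) & 0xFFFFFFFF)
```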


10. How do I modify the loopback rule to deal with apps using a local proxy?

Allow "persfw.exe" to accept inbound connections from 127.0.0.1 (any port) to local port 44334.

Allow "pfwadmin.exe" to make outbound connections to 127.0.0.1 port 44334 from any local port.

Now you can disable the loopback rule and TPF will still work, but it will ask you any time an app tries to connect to a local port.

Alternately, just delete the loopback rule and wait for persfw.exe and pfwadmin.exe to ask for permission.


11. Rules for DHCP

All you need is two or three rules depending on you; since I have a hardware router some of these rules might sound odd to you. First find out your DHCP server. In Windows 9x/ME, Start-->Run-->type in "winipcfg /all" (without quotations). In Windows 2000, Start-->Programs-->Accessories-->Command Prompt-->type in "ipconfig /all" (without quotations).

Rule #1:
Description: DHCP In/Out
Protocol: UDP
Direction: Both
Local End Port:68
Application: ANY (or your DHCP program)
Remote End Port: 67
Remote Address: DHCP Server IP
Rule Valid: Always
Action: Permit
Logging: None

Rule #2:
Description: DHCP
Protocol: UDP
Direction: Outgoing
Local End Port:68
Application: ANY (or your DHCP program)
Remote End Port: 67
Remote Address: 255.255.255.255
Rule Valid: Always
Action: Permit
Logging: None

After this try to release and renew your IP with Rule Learning thing on just to make sure the rules work.

source: zyklon

Note: on some servers it won't let you insert the DHCP server IP address.

"It was not possible to insert my DHCP server's IP address for a destination. My workstation does a broadcast to 255.255.255.255:67 so a rule for a specific address was being caught by one of the trojan rules. :)
The rule should be any address, port 67."

source: Scott Tyson


12. How to block x10 popup windows?

Place this rule physically before any rule that allows your browser to access any unlisted website. I list all of my block rules well ahead of my permit rules. This way Tiny Personal Firewall will only pass the sites that are not previously blocked.
   Protocol: TCP
   Direction: Both
   Local Port: Any Port
   Application: (your browser's location and filename)
   Remote Endpoint:
      Address Type: Network/Range
      First Address: 64.85.92.0
      Last Address: 64.85.92.63
      Port Type: Single
      Port Number: 80
   Rule Valid: Always
   Action: DENY
   Logging: Check both boxes if you want to see how many ads this is going to block. Check the "Log when this rule is matched" box to only read about the blocked ads in your firewall log. After a while you will probably want to uncheck the box to popup an alert, cause they will drive you nuttier than the ads they are blocking!

Lastly, you might consider creating this rule as the last rule in your ruleset:
Permit all TCP and UDP, in both directions, on all endpoint ports, for your browser(s), with logging checked (but not the popup alert).
This will create a running log of ALL IPs that are called from your browser as it loads various websites. Clear the log every day after you read it, making notes of the IPs of known ad servers. That is how I found the IPs for X10, along with the help of a Whois.

source: Bob "Wiz" Feinberg


13. How to set up EnterNet 300 with W98 SE, TPF 2.0.15.b2

Description: EnterNet 300
Protocol: UDP
Direction: Both
Port type: Single
Port number: 68
Local App.: enternet.exe
Remote Address Type: Single
Host address: 1.1.1.1
Port type: Single
Port number: 67
Action PERMIT

Description: EnterNet 300
Protocol: UDP
Direction: Outgoing
Port type: Port/Range
First Port: 1024
Last Port: 4999
Local App.: enternet.exe
Remote Address Type: Single
Host address: 10.0.0.1
Port type: Single
Port number: 7
Action PERMIT

Description: EnterNet 300
Protocol: UDP
Direction: Outgoing
Port type: Single
Port number: 68
Local App.: enternet.exe
Remote Address Type: Single
Host address: 255.255.255.255
Port type: Single
Port number: 67
Action PERMIT

source: Bill


14. Is there a way to filter out specific IP addresses WITHOUT denying the entire program (netmeeting, for example) to be allowed to run?

TPF uses a rule list which is examined from the top down to the bottom. By creating a rule "deny" above your existing "allow all" rule, you can do any or all of the following:
* Block a single address (or range of addresses) from connecting to a named program
* Block a single address (or range of addresses) from connecting to a numbered port
* Block a single address (or range of addresses) from connecting at all

This sounds complex, but really isn't.
If you go to your rule list by
1. double-clicking the system tray icon (in the bottom left of the screen)
2. clicking the "advanced" button

you can modify your existing "allow all" rule into a "deny only what I want to deny" rule. This is the easiest method, as TPF will prompt you to create another rule for that program when you next use it.

So - locate the rule for that package (netmeeting in this case) and double click it.

From the top:

"Description" is a short text description of the rule - it defaults to the name of the program, but you can edit it to make more sense for your new rule. Try changing the text to "Netmeeting - deny those I wish to block out".

"Protocol" is the protocol for the rule. This is probably currently "TCP". Change this to "TCP and UDP" with the pulldown arrow.

"Direction" determines if this applies to the program calling out, other machines calling in, or both. Change it to "both directions".

"Local endpoint" - this is the port number that the program will use on your machine. Set it to "Any Port".

"Application" - this should already be completed to point to Netmeeting - leave it alone for now. If you wanted to block the users totally from your machine (instead of just from Netmeeting) you would change this to "any".

Remote Endpoint:
This comes in two flavours - Address and Port.

"Remote Endpoint (Address)" - you should change this to either "single address" (if you are blocking a single IP address) or Network Range (if you want to block an entire section of IP addresses). A box will appear below this selector to either type the IP address (do *not* type any leading zeros on the numbers - so an IP address of 122.054.231.045 should be typed as 122.54.231.45 - there is a good reason for this but nothing you really should care about) or two boxes for start/stop IP addresses (if you go for range).

"Remote Endpoint (port)" - leave set to "any".

"Rule Valid" lets you set times for the rule to be in action. Just leave at "always" for now.

"Action" - set to Deny - this changes the rule from "allow this to happen" to "block this from happening".

Checkboxes - Logging will write a line to a special file whenever this rule is triggered. Alert will pop a box to the screen when the rule is triggered. Check the box opposite the description if you want either (or both) of these things to happen, otherwise leave them blank.

OK, now hit "ok". You should now have a rule that blocks an IP or block of IPs from connecting to or being connected to by the program Netmeeting.

Remember, the highest rule on the list that CAN apply will be used to allow or deny the connection - you can move the rules up and down so they are in the order you want them, but you must, when planning your rules, think from the top of the list down - if you Deny something that is already permitted by an earlier rule, your deny will never be used.

source: David Howe
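An added example (not part of the FAQ or of TPF itself) of the top-down, first-match evaluation described in questions 6 and 14, run over a subset of the general rule set above: it reproduces Scott Tyson's observation from question 11 that a DHCP broadcast to 255.255.255.255:67 misses a server-specific rule and is caught by the Low Trojan Ports deny, and shows that a Deny placed under a Permit covering the same traffic never fires. The DHCP server address 192.0.2.1, the application names and the packets are constructed placeholders.

```python
"""First-match evaluation of Tiny Personal Firewall style rules (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple, Union

# Port spec mirrors the dialog: None = Any, (first, last) = Single or Port/Range,
# frozenset = List of Ports. Address spec: None = Any, (first, last) = Single/Range.
PortSpec = Union[None, Tuple[int, int], frozenset]
AddrSpec = Optional[Tuple[str, str]]

TCP, UDP, TCP_UDP = frozenset({"TCP"}), frozenset({"UDP"}), frozenset({"TCP", "UDP"})
IN, OUT, BOTH = frozenset({"in"}), frozenset({"out"}), frozenset({"in", "out"})


@dataclass
class Rule:
    desc: str
    proto: frozenset
    direction: frozenset
    action: str                   # "PERMIT" or "DENY"
    app: Optional[str] = None     # None = Any application
    local_ports: PortSpec = None
    remote_ports: PortSpec = None
    remote_addrs: AddrSpec = None


@dataclass
class Packet:
    proto: str
    direction: str
    app: str
    local_port: int
    remote_addr: str
    remote_port: int


def port_ok(port: int, spec: PortSpec) -> bool:
    if spec is None:
        return True
    if isinstance(spec, frozenset):
        return port in spec
    return spec[0] <= port <= spec[1]


def addr_ok(addr: str, spec: AddrSpec) -> bool:
    if spec is None:
        return True
    return IPv4Address(spec[0]) <= IPv4Address(addr) <= IPv4Address(spec[1])


def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.proto in rule.proto
            and pkt.direction in rule.direction
            and (rule.app is None or rule.app == pkt.app)
            and port_ok(pkt.local_port, rule.local_ports)
            and port_ok(pkt.remote_port, rule.remote_ports)
            and addr_ok(pkt.remote_addr, rule.remote_addrs))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Top down, first match wins (FAQ 6); no match at all -> "ASK" (Rule Assistant)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.desc
    return "ASK", None


# Subset of the FAQ's general rule set, transcribed from the rules above.
LOOPBACK = Rule("Loopback", TCP_UDP, BOTH, "PERMIT", remote_addrs=("127.0.0.1", "127.0.0.1"))
NETBIOS_IN = Rule("Block Inbound NetBIOS", TCP_UDP, IN, "DENY", local_ports=(137, 139))
LOW_TROJAN = Rule("Block Low Trojan Ports", TCP_UDP, BOTH, "DENY", local_ports=(1, 79))
IE_WEB = Rule("Internet Explorer-Web browsing", TCP, OUT, "PERMIT", app="iexplore.exe",
              remote_ports=frozenset({80, 8080, 3128, 443, 20, 21}))
BLOCK_OUT = Rule("Block Outbound Unauthorized Apps", TCP_UDP, OUT, "DENY")
# DHCP rule as first given in FAQ 11 (remote address = your DHCP server; 192.0.2.1 is
# a constructed placeholder) and Scott Tyson's variant: any address, remote port 67.
DHCP_SERVER_ONLY = Rule("DHCP In/Out", UDP, BOTH, "PERMIT", local_ports=(68, 68),
                        remote_ports=(67, 67), remote_addrs=("192.0.2.1", "192.0.2.1"))
DHCP_ANY_SERVER = Rule("DHCP In/Out (any address)", UDP, BOTH, "PERMIT",
                       local_ports=(68, 68), remote_ports=(67, 67))
# Constructed packet: the DHCP client broadcasting from port 68 to 255.255.255.255:67.
DHCP_BROADCAST = Packet("UDP", "out", "dhcp client", 68, "255.255.255.255", 67)


def dhcp_with_server_rule() -> Tuple[str, Optional[str]]:
    """The broadcast misses the server-specific rule and falls to the trojan-port deny."""
    return evaluate([LOOPBACK, NETBIOS_IN, DHCP_SERVER_ONLY, LOW_TROJAN, BLOCK_OUT],
                    DHCP_BROADCAST)


def dhcp_with_any_rule() -> Tuple[str, Optional[str]]:
    """With the any-address rule placed above the trojan deny, the broadcast is permitted."""
    return evaluate([LOOPBACK, NETBIOS_IN, DHCP_ANY_SERVER, LOW_TROJAN, BLOCK_OUT],
                    DHCP_BROADCAST)


def deny_order_matters() -> Tuple[Optional[str], Optional[str]]:
    """FAQ 14: which rule fires for the same Deny placed below, then above, the Permit."""
    block_ads = Rule("Block ad server", TCP, BOTH, "DENY", app="iexplore.exe",
                     remote_addrs=("64.85.92.0", "64.85.92.63"), remote_ports=(80, 80))
    pkt = Packet("TCP", "out", "iexplore.exe", 1234, "64.85.92.10", 80)
    return evaluate([IE_WEB, block_ads], pkt)[1], evaluate([block_ads, IE_WEB], pkt)[1]
```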


15. What do the different terms mean (Description, Protocol, Remote Endpoint, Rule Valid and so on) in the popup window when creating a rule for Tiny Firewall?

"Description" is a short text description of the rule - it defaults to the name of the program, but you can edit it to make more sense for your new rule.

"Protocol" is the protocol for the rule. Change this to "TCP and UDP" with the pulldown arrow.

"Direction" determines if this applies to the program calling out, other machines calling in, or both.

"Local endpoint" - this is the port number that the program will use on your machine.

"Application" - this should already be completed to point to "the name of application" - leave it alone for now. If you wanted to block the users totally from your machine (instead of just from "name of application") you would change this to "any".

Remote Endpoint:
This comes in two flavours - Address and Port.

"Remote Endpoint (Address)" - you should change this to either "single address" (if you are blocking a single IP address) or Network Range (if you want to block an entire section of IP addresses). A box will appear below this selector to either type the IP address (do *not* type any leading zeros on the numbers - so an IP address of 122.054.231.045 should be typed as 122.54.231.45 - there is a good reason for this but nothing you really should care about) or two boxes for start/stop IP addresses (if you go for range).

"Remote Endpoint (port)" - leave set to "any".

"Rule Valid" lets you set times for the rule to be in action. Just leave at "always" for now.

"Action" - set to Deny - this changes the rule from "allow this to happen" to "block this from happening".

Checkboxes - Logging will write a line to a special file whenever this rule is triggered. Alert will pop a box to the screen when the rule is triggered. Check the box opposite the description if you want either (or both) of these things to happen, otherwise leave them blank.

Remember, the highest rule on the list that CAN apply will be used to allow or deny the connection - you can move the rules up and down so they are in the order you want them, but you must, when planning your rules, think from the top of the list down - if you Deny something that is already permitted by an earlier rule, your deny will never be used.

source: David Howe


16. Are there any rules that will lock my computer at night if I leave my connection on all the time?

Here's a simple tip that will lock down your computer at night if you leave your connection on all the time.

Description: Block All 12am to 7am
Protocol UDP and TCP
Direction: Both
Local Port: Any
Remote Address: Any
Remote Port: Any
Application: Any application
Rule valid: In this interval only
   00:00-06:59 (Mon,Tue,Wed,Thu,Fri,Sat,Sun)
Action: DENY

Put this rule at the very top of the list and set it to log. I told you it was simple. :) BTW: If you set the time to 07:00, it won't unblock until 07:01.

source: diskydo


17. Is there a way to print out my ruleset?

Unfortunately, it can't be done directly through TPF. You'll likely need to do screen captures, or use the Ctrl key and the Print Screen key to "print" out the current window.


18. Is there a way to export my rules to a file and then import them on another computer?

Yep just copy persfw.conf and you've got the rules backed up.
Note: Make sure you close TPF before copying persfw.conf back into your TPF directory otherwise Tiny will overwrite the file with what ever rules it currently has loaded into memory.


Any questions? tpf support group <http://groups.yahoo.com/group/tinyfirewall>

TPF FAQ Answers to this section


RULE CREATION FOR APPLICATIONS


1. How do I set up MSN Messenger with TPF?

UDP (In and Out), Remote port 6901. Address: Any. Local port and address: Any. TCP (Out), Any Port, Any Address (Normally, the remote port has a range (i.e. 1863, and many others, but sometimes too long a list, so I just set to any port and only for trustful address, but you need to monitor what will be the trustful address, for each country you talk to, that will have different address and you might set a rule for trustful at the end of the day). SOURCE: fookong_yap


2. How do I get webwasher or Proxomitron or any other web proxy to work with TPF?

Description: web proxies permit
Protocol: TCP and UDP
Direction: out
Local Port: Any
Local App.: location of ww or prox.
Remote Address Type:
Host address: any
Port type: Any
Action PERMIT

Description: web proxies block
Protocol: TCP and UDP
Direction: in
Local Port: Any
Local App.: location of ww or prox.
Remote Address Type: any
Host address: any
Port type: Any
Action block


3. What are the rules for windows media player and Proxomitron to work together?

Rule 1 (Allow WMP to Proxomitron)
Protocol : TCP (Out)
Local Port : Any
Remote address/Port : 127.0.0.1/8080
Application : WMP

Rule 2
Protocol : TCP (Out)
Local Port : Any
Remote address/port : Any / 1755
Application : WMP

Rule 3
Protocol : UDP (Both direction)
Local Port : 7000, 7001
Remote Address/ Port : Any /Any

I assume that you know how to set the rule to block all applications from accessing Proxomitron after rule 1 and the loopback rules.

You may add in more remote ports at rule 2, if needed. You may also restrict rule 3 by adding the remote port numbers that your WMP usually connects to.

The above are the 3 basic rules that allow your WMP to work properly, without bypassing your TPF and Proxomitron.

source: fookong_yap


4. Whats a good set of rules for mIRC?

Well you will want one rule for allowing TCP out from mIRC to any server. If you only ever connect to one server IP then obviously you can limit the destination address.

You will also probably want to allow identd access. To do this, make sure that mIRC has its identd server running (or you have some other identd server running). Then for each irc server you connect to add a rule like this:

Allow TCP Incoming from to your local port 113

You can be a little more paranoid if you want and modify that rule to only allow access (TCP, out) to ports 6667-6669. This range appears to work well in my limited IRC usage. The downside is that all outgoing direct connections (chat, file transfer) will require explicit permission.

Make sure you deny any other identd requests (TCP incoming to port 113). Your catchall deny rule at the end will pick it up if nothing else.

source: yahooid and Rukh


5. Whats a good set of rules for ICQ that don't open all ports?

Description: ICQ

Protocol: UDP

Direction: Both directions

Local endpoint

Port type: Port/Range

First port number: 1024

Last port number: 5000

Application: (to wherever your icq.exe is located)

Remote endpoint

Address type: Network/Range

First address: 205.188.153.0

Last address: 205.188.153.255

Port type: Single port

Port number: 4000

Rule valid: Always

Action: Permit

---------------------Rule End----------------------------

The above rule is to connect to ICQ. The range of 1024-5000 for

local port range can be applied to most rules actually, not just this

one. You can be more strict on the address range, but this will do

for the time being, besides it's not allowing a large address range.

---------------------Rule Start--------------------------

Description: ICQ 2

Protocol: TCP

Direction: Outgoing

Local endpoint

Port type: Port/Range

First port number: 1024

Last port number: 5000

Application: (to wherever your icq.exe is located)

Remote endpoint

Address type: Any address

Port type: Any port

Rule valid: Always

Action: Permit

---------------------Rule End----------------------------

This rule is for file transfers, chat rooms, maybe other things but I

know of at least those two. I looked at limiting the remote port

range but it didn't seem to stay in any kind of predictable range.

For file transfers I had the port number's jump from in the 2000

range to the 20 000 range. Remote address is to whoever you're doing

a file transfer with so limiting it can not really be done.

If you want to try file transfers, chats and whatever else on your

own computer then look here

http://lvgeek.net/features/01/04/28/033232.shtml this will tell you

how you can make it so you can open multiple instances of ICQ. Then

just create yourself a new identity on ICQ and open up two instances

of ICQ and you can test things for yourself.

source: ygfjhg

slightly different ruleset for ICQ2000b v4.65. Amongst other

things it seems to include a different connection port during startup. I

don't know what the latest version is... I don't rely on this software

and so don't update too frequently :)

Here are the rules I'm using, differences highlighted:

---------------------Rule Start--------------------------

Description: ICQ

Protocol: TCP <---

Direction: Outgoing <---

Local endpoint

Port type: Port/Range

First port number: 1024

Last port number: 5000

Application: (to wherever your icq.exe is located)

Remote endpoint

Address type: Network/Mask <---

Network Address: 205.188.0.0 <---

Network Mask: 255.255.0.0 <---

Port type: Single port

Port number: 5190 <---

Rule valid: Always

Action: Permit

---------------------Rule End----------------------------

The netmask was required because I found ICQ connecting outside the narrower range suggested by jcarm. That entire B block is owned by AOL. There's also a second version of this rule with network address 62.12.0.0 and netmask 255.255.0.0. Again, this entire block is owned by AOL and ICQ tries to connect there.

It's possible that these address ranges are too broad, so I'd appreciate any enlightenment.

Finally, I've got a block rule (above both of these) that seems to be the one that grabs updated ads and graphics during logon:

---------------------Rule Start--------------------------

Description: ICQ

Protocol: TCP

Direction: Outgoing

Local endpoint

Port type: Port/Range

First port number: 1024

Last port number: 5000

Application: (to wherever your icq.exe is located)

Remote endpoint

Address type: Single address

Host Address: 205.188.250.25

Port type: Single port

Port number: 80

Rule valid: Always

Action: Deny

---------------------Rule End----------------------------

I don't have any specific rules for normal use of ICQ: I'm happy for it to pop up connect requests when something unusual happens.

source: HTH


6. rules for netmeeting?

Rule 1 (permit)

Protocol : TCP

Direction : Both

Application : Windows Netmeeting (browse the location)

Local End Port : 1024 - 4998 (range)

Remote address/ Port : Any

Rule 2 (permit)

Protocol : UDP

Direction : Both

Application : Windows Netmeeting

Local End Port : Any

Remote Address /Port : Any address/ 1024, 65534 (list)

Please note that there is no way you can set up a specific remote address for NetMeeting, because you would not know what the IP address of the other party will be if the other party is using a dynamic IP.

You can still put in the remote address if there are only a few people in your contact list and they have fixed IP addresses. To simplify it, just add the addresses to a custom address group and set the remote address to that custom address group.

You may add more remote port numbers if needed.

source: fookong_yap


7. ruleset for realplayer?

REAL PLAYER

Skip down to the rules if you don't want to know all of this info.

For Real Player, there are 3 different connections possible with the client.

The Control "Channel" initiates the streaming feed, and is also used by the transport controls (stop, pause, etc.). This is an outgoing TCP connection.

The media is piped into a Data "Channel." The preferred protocol is UDP, but you can specify otherwise in Real's Network options. This is an incoming connection.

There is also a separate streaming specification for Multicast. It is also incoming UDP (by default). I have not been able to test this one yet, so no guarantee as to whether it works.

==================The Rules=======================

The safest way to start is to tell Real Player which ports to stream on. Open up Real Player and go to the Network options. In there, you can specify a range of ports for Real to use. Choose a range of 2 or 3 ports that aren't common (for legitimate or illegitimate services). You'll then use these ports in your rules. In my setup, I am allowing UDP, since I'm limiting it to a small range of "unused" ports. Okay, here are the rules.

REAL PLAYER CONTROL

Protocol: TCP

Direction: Outgoing

Local Port (list): 80, 554, 7070*

App: Only Real Player

Remote Address: any

Remote Port (list): 80, 554, 7070*

PERMIT

*these ports are just what I've seen from a variety of RealServers.

REAL PLAYER DATA

Protocol: UDP

Direction: Incoming

Local Port (range): xxxx - zzzz**

App: Only Real Player

Remote Address: any

Remote Port: any

PERMIT

**use the ports you specified in Real Player configuration.

REAL PLAYER MULTICAST

Protocol: UDP

Direction: Incoming

Local Port (list): 554, 7070, xxxx, yyyy, zzzz**

App: Only Real Player

Remote Address: any

Remote Port: 554, 7070

PERMIT

This one, again, is untested.

For more information on how it all works, check out the Real Networks website. The Real Server documentation has most of the info for protocols and ports.

Hope this helps, and that it's not too long-winded.

source: Wayne

-----

Or another ruleset to use for RealPlayer, provided by Kelemen. This one is simpler to use than the one above.

Name: Real Player Rule

Protocol: TCP

Direction: Outgoing

Local end: any port, Certain app/Realplayer

Remote end: any addr, list of port: 80,554,1090,7070

Always, Permit, Don't display, Don't log

In Real: View/Prefs/Proxy, just tick "use my browser's settings".


8. rule set for windows media player

WINDOWS MEDIA PLAYER

Much simpler than Real Player:

Protocol: UDP/TCP

Direction: Outgoing

Local Port: any port

App: Only Media Player

Remote Address: any

Remote Port (list): 80, 1755, 8080

PERMIT

-- 

source: Wayne


9. rule set for audiogalaxy

Description: Audiogalaxy File Sharing Client
Protocol: TCP
Direction: Outgoing
Local Port Range: 1024-5000
App: Audiogalaxy
Remote Address: 127.0.0.1
Remote Port: 5000
Permit

---------------------------------------------------------

Description: Audiogalaxy File Sharing Client
Protocol: TCP
Direction: Outgoing
Local Port Range: 1024-5000
App: Audiogalaxy
Remote Address Range: 64.245.58.0 - 64.245.59.255
Remote Port List: 21, 41178
Permit & Log

---------------------------------------------------------

Description: Audiogalaxy File Sharing Client
Protocol: TCP
Direction: Incoming
Local Port List: 21, 41178
App: Audiogalaxy
Remote Address Range: 64.254.58.0 - 64.254.59.255
Remote Port: Any
Permit & Log

---------------------------------------------------------

Description: Audiogalaxy File Sharing Client
Protocol: TCP
Direction: Outgoing
Local Port Range: 1024-5000
App: Audiogalaxy
Remote Address: Any
Remote Port Range: 41000-41999
Permit & Log

---------------------------------------------------------

Description: Audiogalaxy File Sharing Client
Protocol: TCP
Direction: Incoming
Local Port Range: 41000-41999
App: Audiogalaxy
Remote Address: Any
Remote Port Range: 1024-5000
Permit & Log

---------------------------------------------------------

Source: "ygfjhg"


10. Windows xp internet time rule

Protocol: UDP
Direction: Both
Local: Any port / Only this app: C:\WINNT\SYSTEM32\SVCHOST.EXE
Remote: Single address: 192.43.244.18 / Single port: 123

192.43.244.18 applies to time.nist.gov (Internet Time at 'Date and Time Properties').


11. Windows 2K internet time rule

Protocol: UDP
Direction: Both
Local: Any port / Only this app: C:\WINNT\SYSTEM32\SERVICES.EXE
Remote: Single address: 192.43.244.18 / Single port: 123

192.43.244.18 applies to time.nist.gov (Internet Time at 'Date and Time Properties').


12. musiccity's morpheus ruleset

Morpheus HTTP Rule
Protocol: TCP (Out)
Local: any port
Remote: any address; port list 80, 81, 82, 83, 443, 1080, 8080, 8088, 11523

Morpheus File Transfer
Protocol: TCP (Out)
Local: any port
Remote: any address; port 1214


13. paltalk ruleset

Incoming or 'listening' ports:

TCP 2090 file transfer
UDP 2090 voice stream
TCP 2091 video listening port
UDP 2091 control stream
TCP 2095 file transfer (older versions)

Outbound ports:

TCP 5001-5020 text messaging
TCP 8100-8700 firewall / network mode group voice
UDP 8100-8700 group voice
UDP 1024-2500 voice stream (user configurable)
UDP 1024-2500 control stream (user configurable)

... so, as a first cut at the rules, I would try:

Allow; TCP and UDP; Both Dir; 2090, 2091; "PalTalk.exe" (or whatever the process is called)
Allow; TCP; Outgoing; 5001-5020; "PalTalk.exe"
Allow; TCP; Outgoing; 8100-8700; "PalTalk.exe"
Allow; UDP; Both Dir; 8100-8700; "PalTalk.exe"
Allow; UDP; Both Dir; 1024-2500 (or the actual ports you have configured in PalTalk); "PalTalk.exe"

The reason I suggest separate rules for TCP and UDP on ports 8100-8700 is to keep from unnecessarily opening that range to incoming TCP connects, since they are not used by PalTalk.

--
source: Ray
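As an added example, not code from this FAQ or from Tiny Personal Firewall, here is a small Python model of how a first-match ruleset like HTH's ICQ rules (section 5) or Ray's PalTalk rules above is evaluated. It assumes what the posters describe: rules are checked top to bottom, the first match decides, and an unmatched connection triggers the popup (shown here as "ASK"). The process names icq.exe and PalTalk.exe, the sample connection attempts, and the choice of which endpoint Ray's 8100-8700 ranges key on (remote port for the outgoing TCP rule, local port for the "Both" UDP rule) are my assumptions. It lets you check two things the posts state in prose: that HTH's /32 deny on port 80 coexists with the /16 permit on 5190 because the remote port differs, so 205.188.250.25:5190 is still permitted; and that Ray's split into a TCP-out rule and a UDP-both rule leaves an incoming TCP connect on 8100-8700 unmatched, while a single combined TCP+UDP "Both" rule would permit it.

```python
"""First-match evaluation of TPF-style application rules.
Added example, not code from the FAQ or from Tiny Personal Firewall. It models
the fields the posted rules use and ASSUMES first-match-wins with an "ASK"
popup when nothing matches, as the posters describe TPF behaving."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


def ports(*spec) -> FrozenSet[int]:
    """Build a port set from single ports and inclusive (low, high) ranges."""
    out = set()
    for s in spec:
        if isinstance(s, tuple):
            out.update(range(s[0], s[1] + 1))
        else:
            out.add(s)
    return frozenset(out)


@dataclass(frozen=True)
class Rule:
    name: str
    proto: FrozenSet[str]                           # {"TCP"}, {"UDP"} or both
    direction: str                                  # "in", "out" or "both"
    app: str                                        # executable bound to the rule
    action: str                                     # "permit" or "deny"
    local_ports: Optional[FrozenSet[int]] = None    # None = any port
    remote_net: Optional[object] = None             # ip_network; None = any address
    remote_ports: Optional[FrozenSet[int]] = None   # None = any port


@dataclass(frozen=True)
class Conn:
    proto: str
    direction: str
    app: str
    local_port: int
    remote_ip: str
    remote_port: int


def matches(rule: Rule, c: Conn) -> bool:
    """Every field of the rule must accept the connection."""
    if c.proto not in rule.proto:
        return False
    if rule.direction != "both" and rule.direction != c.direction:
        return False
    if rule.app != c.app:
        return False
    if rule.local_ports is not None and c.local_port not in rule.local_ports:
        return False
    if rule.remote_net is not None and ip_address(c.remote_ip) not in rule.remote_net:
        return False
    if rule.remote_ports is not None and c.remote_port not in rule.remote_ports:
        return False
    return True


def evaluate(rules, c: Conn) -> Tuple[str, Optional[str]]:
    """Walk the list top to bottom; the first matching rule decides."""
    for r in rules:
        if matches(r, c):
            return r.action.upper(), r.name
    return "ASK", None                  # no rule matched: TPF would prompt


TCP, UDP, TCPUDP = frozenset({"TCP"}), frozenset({"UDP"}), frozenset({"TCP", "UDP"})
ICQ_LOCAL = ports((1024, 5000))

# HTH's ICQ rules in the order posted. The Network/Mask pairs are written the
# way TPF shows them; ipaddress accepts a dotted netmask after the slash.
ICQ_RULES = [
    Rule("ICQ ad server", TCP, "out", "icq.exe", "deny", local_ports=ICQ_LOCAL,
         remote_net=ip_network("205.188.250.25/32"), remote_ports=ports(80)),
    Rule("ICQ (AOL 205.188/16)", TCP, "out", "icq.exe", "permit", local_ports=ICQ_LOCAL,
         remote_net=ip_network("205.188.0.0/255.255.0.0"), remote_ports=ports(5190)),
    Rule("ICQ (AOL 62.12/16)", TCP, "out", "icq.exe", "permit", local_ports=ICQ_LOCAL,
         remote_net=ip_network("62.12.0.0/255.255.0.0"), remote_ports=ports(5190)),
]

# Ray's 8100-8700 group-voice range two ways. ASSUMPTION: the outgoing TCP rule
# keys on the remote port, the "Both" UDP rule on the local (listening) port.
# The single combined rule is the shortcut Ray advises against.
PALTALK_COMBINED = [
    Rule("PalTalk 8100-8700 TCP+UDP both", TCPUDP, "both", "PalTalk.exe", "permit",
         local_ports=ports((8100, 8700))),
]
PALTALK_SPLIT = [
    Rule("PalTalk 8100-8700 TCP out", TCP, "out", "PalTalk.exe", "permit",
         remote_ports=ports((8100, 8700))),
    Rule("PalTalk 8100-8700 UDP both", UDP, "both", "PalTalk.exe", "permit",
         local_ports=ports((8100, 8700))),
]

# Constructed connection attempts, not captured traffic.
ICQ_AD = Conn("TCP", "out", "icq.exe", 1050, "205.188.250.25", 80)
ICQ_LOGIN = Conn("TCP", "out", "icq.exe", 1050, "205.188.250.25", 5190)
ICQ_OUTSIDE = Conn("TCP", "out", "icq.exe", 1050, "205.189.0.1", 5190)
PT_TCP_IN = Conn("TCP", "in", "PalTalk.exe", 8100, "198.51.100.7", 40000)
PT_UDP_IN = Conn("UDP", "in", "PalTalk.exe", 8100, "198.51.100.7", 40000)

if __name__ == "__main__":
    for rules, c in [(ICQ_RULES, ICQ_AD), (ICQ_RULES, ICQ_LOGIN), (ICQ_RULES, ICQ_OUTSIDE),
                     (PALTALK_COMBINED, PT_TCP_IN), (PALTALK_SPLIT, PT_TCP_IN), (PALTALK_SPLIT, PT_UDP_IN)]:
        print(c.proto, c.direction, c.app, c.remote_ip, c.remote_port, "->", evaluate(rules, c))
```

Before changing a live ruleset, the useful habit is to write down the handful of connections you expect to be permitted, denied, or prompted for, and run them through the evaluator against the old and new rule lists; a rule that permits something you expected to be prompted for (like the combined PalTalk rule with an incoming TCP connect) shows up as a changed result rather than as a surprise in the log later.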


Any questions? Email here <mailto:b_kass@yahoo.com>

tpf support group <http://groups.yahoo.com/group/tinyfirewall>


