Re: NPF problem
From: Joseph V. Morris (jvmorris@erols.com) Date: 07/23/02
- Next message: Benjamin M.A. Robson: "Re: Is it possible to access an FTP behind a Linksys befsr41 in passive mode?"
- Previous message: Duane Arnold: "Re: security on iis 5 open port router"
- In reply to: John: "NPF problem"
From: "Joseph V. Morris" <jvmorris@erols.com> Date: Tue, 23 Jul 2002 09:31:35 -0400
John,
"John" <johnsjunk@earthlink.net> wrote in message
news:RJ3%8.14576$_C2.1035391@newsread2.prod.itd.earthlink.net...
| Hi, I have Norton Personal Firewall running on my two PC network. The
| problem is, I can't get the 2nd (newer) computer to play nice with the first
| without turning the firewall protection off. I added a rule for allowing
| any kind of packet from the address of the 1st machine, and I made that rule
| the top dog. Still nothing.
|
| I went to Norton's web site, but they talk about adding to the trusted Zone,
| which doesn't appear in the 2002 edition.
There certainly is in my copy of NIS/NPF 2002! Open the NIS Console,
select Internet Zone Control from the left-hand pane and the interface to
both the Trusted and Restricted Zone should pop up in the right-hand pane.
(It's possible that you may need to scroll down in the left-hand pane to
find "Internet Zone Control", depending on the resolution to which you've
set your monitor.) Select the tab for the Trusted Zone. Click on the
"Add..." command button in the right-hand display and add the other
machine. (NOTE: You have to do this in the firewalls on ALL machines on
the LAN, not just the one that connects to the Internet.)
Frankly, I don't like to use the Trusted and Restricted Zones features.
They only have one advantage: It's about as easy as it can get to
identify IP addresses (or ranges of addresses) that you TRUST and DON'T
TRUST at all. To my mind, they have three serious disadvantages. First,
there are absolutely no logs of any communications that satisfy the stated
conditions; and there's no way to enable such logging. Second, there's
absolutely no granularity possible: you PERMIT ANY and ALL communications
to/from those IP addresses in the TRUSTED Zone, and you DENY ANY and ALL
communications to/from those IP addresses in the RESTRICTED Zone. Third,
you can't document what is (or was) included in your TRUSTED or RESTRICTED
Zones at any given point in time (at least not in NIS/NPF 3.0x/4.0x).
So, I do exactly what you tried to do. I define the good, old traditional
rules in the ruleset to accomplish the exact same thing. That way, I can
log events if I want to and I can introduce some granularity (if I desire)
into exactly WHAT communications are PERMITted or DENied between IP
addresses in the two 'Zones'. Furthermore, documenting what's in the
'Zones' then happens naturally by simply running Albert Janssen's
AtGuard/NIS Rules Viewer (www.capimonitor.nl). The "downside" of this
approach, of course, is that you actually have to write the rules and put
them in the appropriate place in your ruleset.
For example, let's say you're envisioning one day having a small home
peer-to-peer LAN of up to five workstations and that you've decided to use
Microsoft's Internet Connection Sharing (ICS) to allow each of these five
workstations to 'share' a single internet connection. Well, then you'd
want to add something like the following two rules to the top of your
ruleset (i.e., at the BEGINNING of the System-Wide Rules from the Internet
Access Control Pane).
Rule PERMIT LAN TCP/UDP
Category: NIS System Keeping
Rule in use: YES
Logging: NO
Protocol: TCP or UDP
Action: Permit
Direction: Either
Application: Any Application
Local service: Any Service
Local Address: Any Address
Remote service: Any Service
Remote Address: (192.168.0.1:192.168.0.5)
Rule PERMIT LAN ICMP
Category: NIS System Keeping
Rule in use: YES
Logging: NO
Protocol: ICMP
Action: Permit
Direction: Either
ICMP Message Type: Any
Local Address: Any Address
Remote Address: (192.168.0.1:192.168.0.5)
These two rules are effectively identical to what putting IP Addresses
192.168.0.1 through 192.168.0.5 in the Trusted Zone accomplishes.
These two rules would need to be installed on ALL machines on which
NIS/NPF is installed and they need to be at the top of the ruleset in
System-Wide rules. (And, of course, remove any such permissions from the
Trusted Zone.)
I think it's fairly obvious from the above illustrative rules how you
could then enable/disable logging (if you so choose) or how you could
further restrict traffic that you might be willing to PERMIT on the LAN.
--
Regards,
Joseph V. Morris
jvmorris@erols.com
ICQ #29438199
This is a NEWSGROUP message; except for privacy reasons, please respond
therein; an e-mail COPY is always appreciated, of course.
Almost all electrons used in the creation of this message were recycled.
No electrons used in the production of this message were harmed or
mistreated in any manner.
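An added illustration (my own, not Symantec's code and not from Morris's post) of the ordered-ruleset idea above: rules are tried top-down, the first match decides, and only rules with Logging set leave a record. The two rules from the post are modelled as given; the narrower "GRANULAR" ruleset, its port 139 service and the default-Block fallthrough are assumptions made for the example.

```python
# Added illustration (not Symantec's code) of the ordered ruleset in the post:
# rules are tried top-down, first match decides, only Logging=YES rules record.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple

@dataclass
class Rule:
    name: str
    protocols: FrozenSet[str]                   # any of "TCP", "UDP", "ICMP"
    action: str                                 # "Permit" or "Block"
    remote: Optional[Tuple[str, str]] = None    # inclusive IPv4 range; None = any
    remote_ports: FrozenSet[int] = frozenset()  # empty = "Any Service"
    logging: bool = False

@dataclass
class Packet:                                   # constructed sample traffic
    proto: str
    remote_ip: str
    remote_port: Optional[int] = None           # ICMP carries no port

def in_range(ip: str, rng: Tuple[str, str]) -> bool:
    return IPv4Address(rng[0]) <= IPv4Address(ip) <= IPv4Address(rng[1])

def evaluate(rules: List[Rule], pkt: Packet, log: List[str]) -> str:  # first match wins
    for r in rules:
        if pkt.proto not in r.protocols:
            continue
        if r.remote is not None and not in_range(pkt.remote_ip, r.remote):
            continue
        if r.remote_ports and pkt.remote_port not in r.remote_ports:
            continue
        if r.logging:                           # only logged rules leave a trace
            log.append(f"{r.name}: {r.action} {pkt.proto} {pkt.remote_ip}:{pkt.remote_port}")
        return r.action
    return "Block"                              # assumed default when nothing matches

LAN = ("192.168.0.1", "192.168.0.5")
# The two rules from the post: equivalent to putting the LAN in the Trusted Zone.
TRUSTED_EQUIV = [
    Rule("PERMIT LAN TCP/UDP", frozenset({"TCP", "UDP"}), "Permit", LAN),
    Rule("PERMIT LAN ICMP", frozenset({"ICMP"}), "Permit", LAN),
]
# A narrower, logged variant (constructed): permit one TCP service from the LAN,
# log it, and log-and-block anything else the LAN sends.
GRANULAR = [
    Rule("PERMIT LAN SMB", frozenset({"TCP"}), "Permit", LAN, frozenset({139}), True),
    Rule("BLOCK LAN OTHER", frozenset({"TCP", "UDP", "ICMP"}), "Block", LAN, logging=True),
]
```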