
Firewall settings

Discussion in 'Virus & Other Malware Removal' started by r01axb, Jan 30, 2003.

  1. r01axb

    r01axb Thread Starter

    Joined:
    Feb 23, 2002
    Messages:
    227
    When I set my Firewall to block all incoming traffic, browsing slows down a great deal, why is that? I read where a regular home user does not need to allow any incoming traffic.

    Thank you.
     
  2. Luthorcrow

    Luthorcrow

    Joined:
    Jun 1, 2002
    Messages:
    335
    What FW are you using? Which build? What OS? CPU+Memory config?

    I personally don't notice a slowdown with my firewall (Sygate Pro 5 1170), but I have read of others (including those using Sygate) experiencing slowdowns. Keep in mind you now have a middle man inspecting all of the packets that enter and exit your system. It is bound to have a resource hit. Depending on your set-up, that might be greater or smaller.

    If it is really bad, you could look around for a FW that has a smaller footprint, like Kerio/Tiny/Look 'n' Stop, or, if you haven't yet spent cash on your FW, you could get a FW/Router and take the packet inspection off your desktop and possibly speed things up a bit, if that is actually what is slowing down your PC.
    Free
    http://www.kerio.com/us/kpf_home.html
    Cost
    http://www.looknstop.com/En/index2.htm
    http://www.tinysoftware.com/home/tiny2?la=EN
    FW/Router
    http://www.linksys.com/
    http://www.netgear.com/
    Those are just a few thoughts.
     
  3. r01axb

    r01axb Thread Starter

    Joined:
    Feb 23, 2002
    Messages:
    227
    I'm using Sygate 5 1170, with Windows 98se 192mb ram,
    I'm now allowing incoming traffic on a few ports: 80,443
    with this surfing is normal, I guess if you allow outgoing traffic on 80,443 you also have to allow incoming.
     
  4. Luthorcrow

    Luthorcrow

    Joined:
    Jun 1, 2002
    Messages:
    335
    Wait a second, chief! What you just stated, if you have actually set it to allow incoming traffic, is not correct. In fact, that setting would partially defeat the whole purpose of the firewall. Before I go on, let me point you in the right direction for help:

    Go to the support forum for Sygate Pro at this link
    http://forums.sygatetech.com/

    A good overview of features and use
    http://personal.atl.bellsouth.net/i/k/ikpe/

    If you go to the Sygate forum you can get pretty much any question answered. But let's probe your post a little. When you say you are allowing incoming traffic, you mean one of these two things, right?

    1. When you go to Applications, click on your browser, and select Advanced, the box for Act As Server is check marked?

    2. You have created an Advanced Rule that allows either incoming traffic on 80/443 for your browser or have a rule that allows for both in the same rule?

    If so you have exposed yourself to anyone with a port scanner. Unless your PC actually is a server then you would never want to either select Act As Server for any app or allow incoming traffic on any application. There are some rare exceptions to this rule that involve your ISP/internal network.

    Here is why. When your firewall is set up to allow outgoing traffic only, here is what it does. It sends out a packet to a given remote source A. It will only allow a correct response from A to your packet. If A attempts to send a packet that was not initiated by you, it gets blocked. If anyone other than a source you are sending packets to attempts to send a packet to you on that same port, it will be blocked because it was not expected. This is the basics of how any packet filter works, whether a software or hardware firewall.

    Even P2P file sharing programs like Kazaa do not need to allow for incoming packets.

    Anyway, although your solution seems to be working for you, it defeats the purpose of the firewall. Check out the Sygate Forums and I am sure someone can get to a better, more secure solution. Also, you didn't mention what CPU you are running? Are you running an older CPU such as a PII?
     
  5. r01axb

    r01axb Thread Starter

    Joined:
    Feb 23, 2002
    Messages:
    227
    By default Sygate has allow as server checked. I didn't know until I clicked on the applications and then advanced; I unchecked all of them.
    When I say I allowed incoming traffic, I mean I set up an advanced rule for IE not to allow traffic on TCP ports 0-79,81-109,111-442,444-8079,8081-65535.
    So you're saying that no incoming traffic should be allowed, not even with file sharing programs like Kazaa and WinMX?
    And another thing: when I close an application like Outlook it still appears in the Sygate running applications window. Does this happen to you?
     
  6. Luthorcrow

    Luthorcrow

    Joined:
    Jun 1, 2002
    Messages:
    335
    Yes, that is true, and the excuse used by Sygate is that it is the default setting of Windows, but in my opinion that is a poor excuse and is contrary to good security. So yes, on install or upgrade you have to go through and manually uncheck Act As Server for all of the applications that are listed in the Applications settings, and as new applications are opened that attempt to access the internet. It is the one thing about the program that I hate.


    Ok, it would probably be useful if you posted the rule you created so we could review it. There are two basic approaches to FW rules: Allow-all (allows all packets that are not specifically listed in a rule to be denied) and Deny-all (allows no packets except those that are allowed by a rule). Sygate by default is a Deny-all FW. This means it will only allow traffic for which you have either created a specific allow rule or which is allowed by your Application settings. Keep in mind the Application settings are really just general rule sets. Also, when creating your rules, remember that Sygate, like most rules-based firewalls, works in order: the first rule is applied before the 2nd and 3rd, etc. That is why you have the arrow keys on the advanced rules, for moving rules that you create to change the order.

    Now, before I go on, let me say Pak or Spacecowboy at the Sygate forum are by far more advanced rule makers than I, but looking at your rule above, it seems to me you are taking the Allow-All approach, in that you are specifying what should not be allowed rather than what should be. That said, there is an easier way to achieve what it looks like you are attempting.

    1. Create a rule or rules for what you want to be permitted
    2. Make the last rule for any application a Block All rule
    3. Once you are sure your rule set is good, go to the Application settings and uncheck all boxes. This will ensure that only your Advanced rules are applied. Otherwise Sygate will go to the Application settings after going through your rule sets.

    Now for your specific rule: what you have described so far doesn't specify anything about the direction of traffic being allowed or denied, so I can't tell how it would affect incoming/outgoing traffic. But these are the conditions that would allow incoming traffic (keep in mind this doesn't mean all incoming traffic, just unsolicited incoming traffic).

    1. Act As Server is selected in Application Settings for that particular application (make sure to check all of the Windows services as well)

    2. Your advanced rule has "Action: Allow This Traffic" selected, "Traffic Direction" is selected as either incoming or both.

    So yes, it is not necessary to specifically create rules for which ports should not receive incoming traffic. You should create rules for what outgoing traffic is allowed and then end it with a separate block all rule. This block all rule is probably not necessary, but it creates a bit of extra insurance to ensure that only those conditions you have set are actually happening.

    Here is an example of one of my rule sets for Kazaalite:
    Rule 1
    Rule Summary:
    This rule will allow outgoing traffic to all hosts on TCP remote port(s) 1024-4999,80 and TCP local port(s) 1024-4999,80. This rule will be applied to all network interface cards. This traffic will be recorded in the 'Packet Log'. The following applications will be affected in this rule: Kazaa Lite.

    Rule 2
    Rule Summary:
    This rule will block both incoming and outgoing traffic from/to all hosts on all ports and protocols. This rule will be applied to all network interface cards. The following applications will be affected in this rule: Kazaa Lite.

    Now I could tighten that rule by restricting the remote ports to only 1214 and 80 (default for Kazaa). The trick to creating rules is reviewing your logs. Your Traffic and Packet logs are key for this. It not only gives you the basic road map for how to create the rule to start with, but also how to fix it if it is too tight. Also, for applications such as an auto update function of a particular app, you can use the logs to see what the IP addresses are that the app is dialing back to and use this to restrict the rule down to only those specific IPs. Again, it is a matter of trial and error and reviewing your logs.

    Also, you could get a jump start by going to PC Flank. They have rule sets for most common applications. Just keep in mind that their rule sets are a bit liberal. Also, again, the Sygate forum should be good for getting other examples.

    http://www.pcflank.com/index.htm

    Also, make sure to select "Record this traffic in the Packet Log" on the front of all of your rules. Otherwise the application of that rule will not be recorded. I hope that helps.
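
Added example, not part of the original thread and not Sygate's own engine: a small Python model of the two ideas discussed in posts 4 and 6, namely that replies to connections you opened are accepted without any incoming allow rule, and that rules are evaluated in order with a block-all rule last. The `Rule` and `Firewall` classes are hypothetical, the model matches on remote port only (the posted rule also lists local ports), and the IP addresses are constructed documentation addresses.

```python
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "block"
    direction: str            # "out", "in" or "both"
    remote_ports: tuple = ()  # inclusive (low, high) ranges; () means any port

    def matches(self, direction, remote_port):
        return self.direction in ("both", direction) and (
            not self.remote_ports
            or any(lo <= remote_port <= hi for lo, hi in self.remote_ports))

@dataclass
class Firewall:
    rules: list                              # evaluated top to bottom
    state: set = field(default_factory=set)  # flows this PC initiated

    def _first_match(self, direction, remote_port):
        for rule in self.rules:
            if rule.matches(direction, remote_port):
                return rule.action           # first matching rule decides
        return "block"                       # deny-all when nothing matches

    def outbound(self, local_port, remote_ip, remote_port):
        verdict = self._first_match("out", remote_port)
        if verdict == "allow":
            self.state.add((local_port, remote_ip, remote_port))
        return verdict

    def inbound(self, local_port, remote_ip, remote_port):
        # A reply on a flow we opened needs no "incoming" allow rule.
        if (local_port, remote_ip, remote_port) in self.state:
            return "allow"
        return self._first_match("in", remote_port)

# Constructed rules modelled on the two Kazaa Lite rule summaries in the thread.
KAZAA_RULES = [Rule("allow", "out", ((1024, 4999), (80, 80))),
               Rule("block", "both")]

def demo():
    fw = Firewall(list(KAZAA_RULES))
    return [
        fw.outbound(3456, "198.51.100.7", 1214),   # matches rule 1
        fw.inbound(3456, "198.51.100.7", 1214),    # reply from the same host
        fw.inbound(3456, "203.0.113.9", 1214),     # other host, same port
        fw.inbound(80, "203.0.113.9", 40000),      # unsolicited probe
        fw.outbound(3457, "198.51.100.7", 25),     # port outside rule 1
        Firewall(KAZAA_RULES[::-1]).outbound(3456, "198.51.100.7", 1214),
    ]
```

The last entry uses the same two rules with the block-all rule moved to the top, which is why rule order matters in a first-match firewall.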
     