common router firewall outbound settings?

[nudone]

(this is more of a hardware question, but as i'm trying to avoid 'software' firewalls i've posted it in this section.)

i've spent today removing and installing several firewalls. they are the free versions recommended everywhere. none work perfectly on my system it seems. so, i wish to abandon them completely and stop wasting time hoping they'll work correctly.

right. i have an adsl router. it has a firewall built in. brilliant. well, it would be if i had the slightest idea of what to put into the outbound rules - at the moment it's set to let everything out. kind of pointless isn't it. i've seen plenty of complaints about the windows inbuilt firewall letting everything out, but i get the impression that's exactly what all the adsl router firewalls are doing around the world too.

so, is there a list of common settings to allow through such a router firewall - settings that will cover the usual programs that are run on an xp machine?

it looks like i'm going to have to specify exact ports or port ranges (and tcp and udp). how on earth am i supposed to know that - just what is the point of having a firewall built into a router when there's no way of knowing what to put into it.

okay, i'm sure there will be information for certain apps i can find, but what about all those mysterious 'svchost' things and all that rubbish. suddenly i've just realised how absolutely pathetic internet security is.

anyway, if there is a list of common settings to use then i'll be very grateful if you let me know. thanks.

[tinjaw]

It is the thing that should be covered in a longer article and not a reply posting, but I'll summarize now and can maybe do a follow up piece later.

Firewalls no longer serve the purpose they once did. The used to be useful because:
 1) They blocked sockets connecting from the outside in to your computer. - This used to be a problem because software developers didn't plan for computers being exposed to hostile network traffic. Now days, they have mostly taken this into consideration and no longer open they door unless they are expecting somebody. So firewalls no longer need to stop them from reaching the door.
 2) They blocked malicious software from getting from the inside out. - Malicious software developers assumed that you would let anybody leave that wanted to. So they would freely connect to other computers and do bad things. (see 1 above) So firewalls started blocking things from getting out unless you let them. But then these malicious software developers countered by searching you computers to find out how you get out to surf the net and download your email, and they now pretend to be those types of software and so firewalls let them out.

So firewalls don't really do much these days except allow you to easily illuminate some of the malicious traffic.

If you want to make this easier to handle, set up a SOCKS 5 proxy, put everything you do through it and only let the proxy speak directly to the Net. Then all you need to do is configure the firewall to let only traffic from the proxy out, and only let in the traffic that they proxy has requested.

And that is about it for firewalls. However, these days, firewalls are only a small part of the picture. You need to have a strong HIPS running on each host. And that is the subject best left for another post.

[f0dder]

I stopped using personal firewalls a while ago - they were too much bother compared to the security they give, and there's ways to penetrate their outbound filtering as well.

Don't get me wrong, it's nice to catch apps that phone home, it's nice to have cryptographic hashing to check that an executable that you've allowed outbound access haven't changed, etc... but that just wasn't worth it for me.

Instead, I rely on my router. Not even on firewalling in there, but simply NAT and port forwarding (which can be seen as a form of firewall, I guess). I think the only static rule I have is forwarding of the IDENT port, and uPNP for things like µTorrent, MSN, etc.

While I wouldn't enable uPNP at a company, it'ss quite fine for home use, and makes things a lot less painful. Really. On a home network, if malware gets a chance to run, you're pretty much dead and the ability of malware to do some port mapping is without consequence. Which leads me to...

Outbound filtering on a home network is also pretty useless, as nothing stops a piece of malware from using port 80 (ie, HTTP) for it's malicious deeds. If you want effective outbound filtering, you need protocol filtering as well, ports by itself doesn't help much.

I do have Windows Firewall turned on, though - to avoid the scenario where a friend visits me with an infected laptop.

So, to summarize my setup: by default, all outgoing ports are allowed, and all incoming ports are silently dropped. A few ports have static mappings, and uPNP is turned on to allow dynamic mappings. No firewalling except the most basic windows firewall. Good antivirus to keep malware from running (I like KAV, since it also does some behavioral blocking beyond the traditional antivirus heuristics).

[nudone]

thanks, tinjaw and f0dder.

i've just woken up this morning and the first thought that popped into my head was how will my router firewall know which programs are good or bad if all it does it use port numbers in the rules. well, obviously, like you've said - it won't.

my current setup is almost identical to what you've have running, f0dder. the firewall has a few rules for specific incoming ports (utorrent, emule) and absolutely everything is allowed out. also, the xp firewall is running and i've gone for that aol (kaspersky) free firewall to look after the virus side of things.

i'm not sure if i'm happy with this or not. it was reassuring to see the popups from zone alarm for out going requests but i guess most of (if not all of it) was from harmless apps just wanting to call home.

i shall try and learn to accept this current situation rather than keep installing firewalls in the hope that they are stable enough for my system.

tinjaw, when you have time, it will be nice to hear what you were going to say about HIPS. i did install comodo firewall as this is something it is renowned for - but it always seems to crash after a few hours use (i've tried twice on two separate installs of xp so i've given up with it).

i thought there would be a simple piece of software out there that does this HIPS thing and little else. i'm not really interested in defining port numbers and tcp/udp. i just want to be able to say yes/no to "can this program access the outside world". that seems like a simple thing to expect to me and i'd have thought it a simple thing to implement, i.e. monitor util watches open programs for attempts to connect and lets them through or blocks them completely. how hard is that.

i obviously don't understand the complexity of what's involved (can't autohotkey do this kind of thing  ).

[f0dder]

i've just woken up this morning and the first thought that popped into my head was how will my router firewall know which programs are good or bad if all it does it use port numbers in the rules. well, obviously, like you've said - it won't.

-nudone

Unless you spend a decent amount of cash and get something that filters by content rather than just ports... but that costs, and isn't really necessary for a home network IMHO.

Btw, uTorrent supports UPNP, so you don't need a static mapping for that - but okay, some people feel UPNP is über-insecure and evil, etc...

it was reassuring to see the popups from zone alarm for out going requests but i guess most of (if not all of it) was from harmless apps just wanting to call home.

-nudone

And that's basically all you were going to see - at least last time I looked, the PFW leak tests weren't very uplifting. Okay, while PFW wouldn't stop intentional data smuggling they still make it harder to use your box to directly infect other boxes on the net (since that requires specific ports), but IMHO it's more important focusing on not getting malware on your computer than trying to stop it from spreading

I do miss the "hey, this app is trying to phone home!" false sense of security, but I don't miss PFW popping up while starting a game, which turns out to be badly coded and unable to handle being switched out of

I also don't miss how some PFWs seem unable to handle a massive amount of connections (ie., torrents or other p2p traffic). Nvidia's NAM for their NForce chipset is renowned for BSODs and memory leaks.

[nudone]

like you say, if it's a false sense of security, then why bother.

i'm going to see how long i can run this current setup before something really bad happens like a major infection or my credit card details are stolen - i use roboform for all that kind of thing so i'm assuming it's safe enough.

[f0dder]

Just keep in mind that RoboForm, unless it does something really unique, is still vulnerable to keylogging etc., so you do want to have some decent antivirus and check for spyware every now and then.

I currently run without any AV software... might be a bit stupid even though I don't really visit any "shady" sites; all it takes is one firefox exploit placed somewhere that gets through AdBlock, and *b00m*.

[mouser]

A firewall is really not going to stop any outbound traffic.  If you are curious in what programs try to connect out or catching them when they do, software is the only way.

A hardware router firewall can be useful as people said above, to protect you from a "Denial of Service" type flooding attack perhaps (but no individuals get that), and can protect you from some incoming stuff - but it's just not the stuff that an individual is normally at risk from.  The built in firewalls in routers really seem to be for functions that are almost entirely different from a software firewall.

[nudone]

i understand that when typing the information into roboform when setting it up could obviously be monitored by a keylogger, but i'm hoping that when it pastes the information into a page for you that a keylogger won't catch that. i don't know how these kinds of things work. wishful thinking on my part i guess.

[f0dder]

i understand that when typing the information into roboform when setting it up could obviously be monitored by a keylogger, but i'm hoping that when it pastes the information into a page for you that a keylogger won't catch that. i don't know how these kinds of things work. wishful thinking on my part i guess.

-nudone (January 22, 2007, 04:59 AM)

Probably does a SetWindowText/sends a WM_SETTEXT message - I dunno how it would do it otherwise. Would be pretty trivial to do a hook that intercepts those... a bit less trivial to filter only the interesting messages out and avoid getting flooded (there's a LOT of WM_SETTEXT going on ), but still pretty doable.

So if you're trojanized, you're screwed. But that's really goes without saying, imho.

[nudone]

oh dear. not very good then.

[nudone]

any thoughts on 'currports' http://www.nirsoft.net/utils/cports.html

i.e. run it, see what's in the list. then you'd know what's accessing the net and hopefully spot something nasty. i see that there is a problem in identifying something 'nasty'.

edit:
oh, i've just run it. there are loads of unknowns. not very helpful then.

[tinjaw]

I know absolutely nothing about System Safety Monitor, but for today only it is free on Giveaway of the Day. It might be worth looking into.

System Safety Monitor (SSM) is a Host Based Intrusion Prevention System which will protect your system from all known and unknown malware, rootkits and “zero-day” attacks.

SSM proactively keeps track of all running programs’ behavior and blocks malicious or suspicious actions.

Learning mode will help you to easily configure the required security rules.

New user friendly GUI design.

Compatible with most of well known security software.

[nudone]

that's great. well, i'll download it and wait and see what the opinion is from everyone else. if it's just another program that gives you a false sense of security i'll not carry on with it.