Author Topic: Advanced rules for Proxomitron essential or not ?  (Read 4151 times)
hilmi
Comodo Family Member
***
Offline Offline

Posts: 98


« Reply #15 on: February 25, 2007, 09:00:12 AM »

Toggie, I was not testing Proxomitron for leak test. But when I started using proxo it started getting thru, maybe I did stg wrong. That's what I was asking about. Sure I would like to use it, but if it is somehow insecure then I'd prefer to leave it out. FYI I had UDP and TCP skip loop-back unchecked all the time.

Hilmi
Logged

XP Pro SP2, cable modem, Nod32, SpyWall, COMODO
Mr. Bean
Legendary
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 7709



« Reply #16 on: February 25, 2007, 09:16:12 AM »

Toggie, now that your other thread is marked resolved, do you think it would benefit proxomitron users to follow your specialized rules?
Logged
Quill
Volunteer
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2731


Follow the White Rabbit...


« Reply #17 on: February 25, 2007, 12:55:00 PM »

Toggie, I was not testing Proxomitron for leak test. But when I started using proxo it started getting thru, maybe I did stg wrong. That's what I was asking about. Sure I would like to use it, but if it is somehow insecure then I'd prefer to leave it out. FYI I had UDP and TCP skip loop-back unchecked all the time.

Hilmi


Hilmi, I'm not exactly sure what you mean by "But when I started using proxo it started getting thru"? Do you mean you were getting prompts from CPF to allow Proxomitron to connect?

If you had 'Skip Loopback' for TCP and UDP unchecked you will receive requests from any application that requires loopback, unless there are loopback rules defined for that application.

Toggie
Logged

"Well, I've wrestled with reality for 35 years, Doctor, and I'm happy to state I finally won out over it."

Forum Policy
Quill
Volunteer
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2731


Follow the White Rabbit...


« Reply #18 on: February 25, 2007, 01:01:01 PM »

Toggie, now that your other thread is marked resolved, do you think it would benefit proxomitron users to follow your specialized rules?

I can't take any credit for these rules, as most were found here on the forums. However, I am trying to put together, not just rules for Proxomitron, but for a series of applications. To that end I have started another thread here:

http://forums.comodo.com/index.php/topic,6720.0.html

Once I gather the information I require I'll gladly write a complete guide that may benefit other users.

Toggie
Logged

"Well, I've wrestled with reality for 35 years, Doctor, and I'm happy to state I finally won out over it."

Forum Policy
Quill
Volunteer
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2731


Follow the White Rabbit...


« Reply #19 on: February 25, 2007, 01:20:34 PM »

Yup, it's difficult to decide. I have about 16 allow entries in AppMon only for IE (eg. launching from Opera and other 'Parents'). Making separate loopback rules for everything would be a grind.
I think however, that just disabling (unticking) the 'Skip loopback' for TCP option is sufficient, albeit not perfect, as the vast majority of outbound problems occur via the TCP protocol (as mentioned in Comodo user manual).
I only get alerts when some components have changed due to updating programs, patches to IE 7 etc.
I still don't know what to make of PC Flank leaktest. The tap drips but the url does not reflect what I typed ??
Proxomitron is too good/great an application to simply discard.
Not being a firewall expert, (more's the pity), tell me if I am talking nonsense.    Wink


I can appreciate that creating loopback rules is tiresome, but you may only need a few, dependent upon which applications you use. As I said in my other thread, the rules I have for Proxo are:

Proxomitron.exe 127.0.0.1 8080 TCP In Allow
Proxomitron.exe 127.0.0.1 1024-4999 TCP Out Allow
Proxomitron.exe ANY 80,443 TCP In Allow
Proxomitron.exe (MY ISP DNS1) 53 UDP Out Allow
Proxomitron.exe (MY ISP DNS2) 53 UDP Out Allow

In addition I have two rules in Network Monitor (still testing these though):

Allow TCP In/Out [ANY] 127.0.0.1 1024-4999 1024-4999
Allow UDP In/Out [ANY] 127.0.0.1 1024-4999 1024-4999

Personally I wouldn't use anything but Proxomitron with Sidki's filter set, plus a few personal mods. It's the cleanest way to surf that I have found.  Of course Firefox helps too  Wink


Toggie
Logged

"Well, I've wrestled with reality for 35 years, Doctor, and I'm happy to state I finally won out over it."

Forum Policy
ocky
Guest
« Reply #20 on: February 25, 2007, 01:59:08 PM »

If you had 'Skip Loopback' for TCP and UDP unchecked you will receive requests from any application that requires loopback, unless there are loopback rules defined for that application.
Toggie

Yes, exactly. This is what I am confused about. In view of the above why then bother with the advanced loopback rules - unless one doesn't want to be bothered with alerts. In my case the occasional alert for a freshly installed or updated application wanting connectivity is no problem.
I guess I am looking for the lazy man's way of setting up Comodo PF.    Grin

Thanks for your detailed contributions Toggie !

« Last Edit: February 26, 2007, 05:38:05 AM by ocky » Logged
Quill
Volunteer
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2731


Follow the White Rabbit...


« Reply #21 on: February 25, 2007, 02:15:26 PM »

Yes, exactly. This is what I am confused about. In view of the above why then bother with the advanced loopback rules - unless one doesn't want to be bothered with alerts. In my case the occasional alert for a freshly installed or updated application wanting connectivity is no problem.
I guess I am looking for the lazy man's way of setting up Comodo PF.    Grin

There is nothing wrong with doing it your way. I guess I'm just a little bit of a control freak  Cool I also like to keep things nice and neat.

Having been testing and analysing over the last few days, I now have 72 individual rules for Avast!!!
That really bugs me  Roll Eyes

Quote
Thanks for your detailed contributions Toggie !

You're welcome, I hope some of it helps.
Logged

"Well, I've wrestled with reality for 35 years, Doctor, and I'm happy to state I finally won out over it."

Forum Policy
hilmi
Comodo Family Member
***
Offline Offline

Posts: 98


« Reply #22 on: February 25, 2007, 06:45:29 PM »

Toggie,

First instance I did the pcflank test I did get alerts. When I denied the first one I could not access the internet site for pcflank to see the test results. And then I tried again but I got confused with the alerts and allowed the alert which was asking for a connection 127.0.0.1:8080. After that every time I ran pcflank test, there were no alerts and pcflank test just kept running thru.
Reading thru here, I understand you run proxomitron and you don't fail the pcflank test. So I will install and try again and let you know.

Thanks

Hilmi

Logged

XP Pro SP2, cable modem, Nod32, SpyWall, COMODO
Quill
Volunteer
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2731


Follow the White Rabbit...


« Reply #23 on: February 25, 2007, 08:52:24 PM »

Toggie,

First instance I did the pcflank test I did get alerts. When I denied the first one I could not access the internet site for pcflank to see the test results. And then I tried again but I got confused with the alerts and allowed the alert which was asking for a connection 127.0.0.1:8080. After that every time I ran pcflank test, there were no alerts and pcflank test just kept running thru.
Reading thru here, I understand you run proxomitron and you don't fail the pcflank test. So I will install and try again and let you know.

Thanks

Hilmi

When you received the prompt for 127.0.0.1:8080 (that by the way is the default config for Proxomitron. It 'listens' on 8080 for connections from your browser.) I assume you told CPF to allow and remember. That being so, you will not receive any further prompts unless something changes.

Remember, Proxomitron is nothing more than a way to block unwanted web nastiness, such as banners, ads, rogue scripts etc. It also allows one to change the way pages are viewed by inserting CSS into a page.

I have tried the PCFlank (and other) tests and from the results all seems well on my system whilst running CPF, Firefox and Proxomitron.

Toggie 
Logged

"Well, I've wrestled with reality for 35 years, Doctor, and I'm happy to state I finally won out over it."

Forum Policy
ocky
Guest
« Reply #24 on: February 26, 2007, 03:11:13 AM »

Toggie,

First instance I did the pcflank test I did get alerts. When I denied the first one I could not access the internet site for pcflank to see the test results.
 Hilmi

Exactly the same here. Does this not indicate that all is well? After all, CPF prevented the text being sent due to denying the connection. Are we missing something obvious? I did the following after downloading the executable:-
1.  Start IE as you normally would.
2.  Enter some text. Click Next.
3.  Deny the alert 'iexplore.exe wants to connect to 127.0.0.1 Port 8080 TCP' (Proxomitron localhost)
4.  Dripping tap - Failed.
5.  Paste supplied url into browser address bar for checking results.
6.  Browser cannot display web page.

The leaktest is geared to be used with IE.

Anybody prepared to stick their neck out and assure us that despite the dripping tap, we are safe ??    Tongue
« Last Edit: February 26, 2007, 05:34:44 AM by ocky » Logged
Little Mac
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 6257



« Reply #25 on: February 26, 2007, 10:18:46 AM »

Any time you do a leaktest, your firewall should prompt you to allow or deny the connection.  Given that you are doing a leaktest, you must deny the connection, or else you will fail the test...

When you thus deny the connection, you will of course not be able to access the website to see the results.  Before running another leaktest, you need to reboot your computer.

When you are doing a leaktest like this, you're not testing proxomitron, or your browser; you're testing your firewall against unauthorized outbound connections.  Depending on the specific test, it will try to exploit something, whether that's your browser, email client, etc in order to connect.  If you allow the connection in order to see the results, you will of course have failed the test.  If you allow with remember, you will create a rule allowing the connection on a regular basis, and will need to manually remove that rule in order to restore your level of security.

LM
Logged

You read my sig block.  That's enough personal interaction for one day. Kewl
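
Added example, not part of the thread or of Comodo's own code: a simplified Python model of the behaviour described in the posts above, showing why answering "allow and remember" to the iexplore.exe -> 127.0.0.1:8080 alert (or ticking 'Skip loopback') lets later attempts pass through the local proxy without a prompt, together with a check that lists such remembered rules. The `Rule` fields, the matching logic and the 203.0.113.10 address are assumptions made for illustration; rule direction is not modelled.

```python
# Simplified model (an assumption, not Comodo's actual engine) of how a
# per-application firewall decides on a connection when a local proxy
# listens on 127.0.0.1:8080, as Proxomitron does by default.
from dataclasses import dataclass

PROXY_APP, PROXY_PORT = "Proxomitron.exe", 8080

@dataclass(frozen=True)
class Rule:
    app: str
    dest: str      # "ANY" or an exact IP
    ports: tuple   # inclusive (low, high) ranges
    proto: str
    action: str    # "allow" or "block"

def decide(rules, skip_loopback, app, dest, port, proto="TCP"):
    """Return 'allow', 'block' or 'prompt' for one connection attempt."""
    if dest.startswith("127.") and skip_loopback:
        return "allow"                      # loopback traffic is not inspected
    for r in rules:
        if (r.app == app and r.proto == proto and r.dest in ("ANY", dest)
                and any(lo <= port <= hi for lo, hi in r.ports)):
            return r.action
    return "prompt"                         # no matching rule: ask the user

def reaches_internet(rules, skip_loopback, app, remote_port=80):
    """True if `app` can reach a remote host via the proxy with no prompt."""
    hop1 = decide(rules, skip_loopback, app, "127.0.0.1", PROXY_PORT)
    hop2 = decide(rules, skip_loopback, PROXY_APP, "203.0.113.10", remote_port)
    return hop1 == "allow" and hop2 == "allow"

def risky_loopback_rules(rules):
    """Remembered rules that let a non-proxy app talk to the proxy port."""
    return [r for r in rules if r.action == "allow" and r.app != PROXY_APP
            and r.dest in ("ANY", "127.0.0.1")
            and any(lo <= PROXY_PORT <= hi for lo, hi in r.ports)]

# Constructed rule sets: the proxy's own web rule, then the rule created by
# answering "allow + remember" to the iexplore.exe -> 127.0.0.1:8080 alert.
BASE = [Rule(PROXY_APP, "ANY", ((80, 80), (443, 443)), "TCP", "allow")]
REMEMBERED = BASE + [Rule("iexplore.exe", "127.0.0.1", ((8080, 8080),), "TCP", "allow")]

if __name__ == "__main__":
    print("before remember:", decide(BASE, False, "iexplore.exe", "127.0.0.1", 8080))
    print("after remember: ", reaches_internet(REMEMBERED, False, "iexplore.exe"))
    print("rules to review:", risky_loopback_rules(REMEMBERED))
```

Removing the rule returned by `risky_loopback_rules` puts the model back in the state where the loopback hop prompts again, which is the manual clean-up described in the post above.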
ocky
Guest
« Reply #26 on: February 26, 2007, 11:27:39 AM »

Any time you do a leaktest, your firewall should prompt you to allow or deny the connection.  Given that you are doing a leaktest, you must deny the connection, or else you will fail the test...

When you thus deny the connection, you will of course not be able to access the website to see the results.  LM
Thanks, LM, for setting minds at ease. I denied the connection (a no-brainer even for me  Grin), and as stated in my previous post could not access the website, hence I surmised everything OK. Of course the leaktest should be rewritten to not show the dripping tap in this case, as it tends to confuse.
Regards.
Logged
Triplejolt
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 426


If you are going through hell, keep going!


« Reply #27 on: February 26, 2007, 11:45:28 AM »

Just a friendly tip Smiley
Don't forget to sweep through your computer with your antivirus program and rootkit prevention program after using these test-tools. Some _may_ leave a nasty surprise for you, even though most tools are what they appear to be Smiley
Logged

Cheers
Triplejolt

"Human salvation lies in the hands of the creatively maladjusted."
ocky
Guest
« Reply #28 on: February 26, 2007, 12:41:23 PM »

Just a friendly tip Smiley
Don't forget to sweep through your computer with your antivirus program and rootkit prevention program after using these test-tools. Some _may_ leave a nasty surprise for you, even though most tools are what they appear to be Smiley
Now you've given me a helluva jolt, Triplejolt  Grin
A peaceful evening's testing of all available leaktests has been ruined.  Sad
From now on let the other forum members scramble to do the leaktests.
Seriously, have you ever had a problem, and if so doing which test and how
did the "surprise" manifest itself ? Should be of interest to us.

Go well, and thanks for your concern.
Logged
Triplejolt
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 426


If you are going through hell, keep going!


« Reply #29 on: February 27, 2007, 03:40:50 AM »

It was a while back, I gotta admit that. I think I was using ZApro at the time and thought I'd give it a real challenge. This Firewall test utility had no problem penetrating it, and left me a Subseven to play with afterwards. Didn't really know what it was so I left it there to see what happened. Didn't take very long before my drive spun up and the NIC utilization bar peaked. I immediately unplugged the computer and started removing the infernal thing. The tool came from Astalavista.net, so I should've seen it coming Wink
Logged

Cheers
Triplejolt

"Human salvation lies in the hands of the creatively maladjusted."