Advanced rules for Proxomitron essential or not ?

With reference to the above post by Toggie, and being a new Comodo PF user, please advise whether it is essential to make advanced rules for Proxomitron. In AppMon. I simply have: Allow TCPorUDP In, Any, Any and Allow TCPorUDP Out, Any, Any. Skip loopback (TCP) in Advanced>Miscellaneous is not ticked. Proxomitron initially asked and was allowed to act as server.
Is this OK or is my protection compromised ?

Regards.

The more I read about ‘loopback’ in conjunction with Proxomitron, the more I get confused.
For instance leaving the ‘Skip loopback’ option unticked (the default, and recommended when using a proxy server), seems to imply that loopback is allowed (not skipped) which I think means that malware could use the local proxy to get out.

According to the user manual:- “The TCP option is not ticked by default because, in the case of someone using a proxy server, there is a higher chance of attacks being launched using a loopback connection” To me this makes sense only with the loopback option ticked.

Please also read my above post - I am totally in the dark (but I also don’t want to ditch my Proxomitron !)

Thanks for any advice !

Hi Ocky.

I’ll try to explain this in an understandable way without getting too technical :slight_smile:

My advice is to remove those two rules from the Proxomitron application in the Application Monitor. These rules allow traffic to flow unchecked, which isn’t what you’re opting for. The Proxomitron application will filter web traffic based upon content and URLs, and works like an HTTP proxy. It will not however protect you from malicious code, spyware/malware or rootkits. It’s a good step towards safe surfing, but it isn’t universal :slight_smile:

The Loopback interface is for debugging and connectivity purposes. One way to exploit this is to spoof the loopback address, thus gaining access to the computer. A Loopback spoof is achieved by masking your source IP address to look like the loopback IP. It is very uncommon to see these exploits, so most are satisfied with ticking the “Skip” option. The logs don’t get hit as often either :slight_smile:

As always when it comes to security, it’s a question of compromises. Do you want more security or better performance? My advice is to tick the “Skip loopback…” option and remove the two Proxomitron application rules.
Should you notice something odd, you can always untick this option later :slight_smile:

Hope this answers your questions.

Thanks for your guidance Triplejolt !

All you say makes sense, but why does the user manual state this :- “The TCP option is not ticked by default because, in the case of someone using a proxy server, there is a higher chance of attacks being launched using a loopback connection”

Oh boy, this is a tough nut to crack for a noob, who has ditched Sygate because of the loopback vulnerability.
Is it safer to remove the Proxomitron rules but to leave the ‘Skip loopback’ option unticked rather than enabling it as you suggest ?
Edit:- Have just tried this, when the ‘Skip loopback’ option is off there will be a prompt asking permission for Proxomitron to connect to localhost. Selecting Allow and Remember will of course put the Proxomitron entries back into AppMon.
All I need to know is what is the safer way of dealing with Proxomitron, bearing in mind what is stated in the user manual.

I’ll throw this in for good measure, ocky, as Triplejolt walks you thru your situation. This is info about proxomitron rules, posted by another user.

https://forums.comodo.com/index.php/topic,4040.0.html

LM

Thanks, I have seen this post, hence my subject title as to whether essential or not. I am now very confused - should I go by what Triplejolt suggests, or make advanced rules as per your referral, and what about the user manual recommendation. Please see also my edit to previous post ( you were faster ) copied below:-

“Oh boy, this is a tough nut to crack for a noob, who has ditched Sygate because of the loopback vulnerability.
Is it safer to remove the Proxomitron rules but to leave the ‘Skip loopback’ option unticked rather than enabling it as you suggest ?
Edit:- Have just tried this, when the ‘Skip loopback’ option is off there will be a prompt asking permission for Proxomitron to connect to localhost. Selecting Allow and Remember will of course put the Proxomitron entries back into AppMon.
All I need to know is what is the safer way of dealing with Proxomitron, bearing in mind what is stated in the user manual.”
BTW am behind a router and mainly use Opera browser.

Regards.

I’m not familiar with the workings of proxomitron, ocky, but I am with CFP; I’ll try to help answer your question.

With the Skip Loopback unchecked, it means that CFP will monitor loopback connections and alert you regarding them; thus you will need to create network monitor (and possibly application monitor) rules to allow the loopback connections.

With the Skip Loopback checked, it means that CFP will not monitor or alert you regarding loopback connections; thus, applications that use those connections will be freely allowed to do so, unless you specifically forbid it with your rules.

As proxomitron is an application that needs to connect to the internet, you will have to create application monitor rule(s) to allow it to connect. Please note: application monitor rules do not supersede relevant network monitor rules; thus, proxomitron is only allowed to communicate by the application monitor (allowed, and any specifics for that application, such as protocol, IP, Port, etc); this communication is carried out in conjunction with the network monitor rules.

One of the default network monitor rules allows TCP/UDP Out Any, Any, Any, Any; this is to allow you to browse, check email, etc. This will also allow proxomitron to connect as it needs. However, if you do not “Skip” the loopback connections, CFP will alert you (the advanced setting does supersede the other rules).

I cannot swear to this, but I believe the Help file comment about the TCP/Loopback/proxy vulnerability refers to an actual physical remote proxy server, rather than a localhost internal webfilter like proxomitron.

LM

Hi guys,
I tried proxomitron just recently, but pcflank leaktest got thru every time I ran it. I don’t know if there is a way to pass that test. Otherwise it is very insecure to use it, so I do not use proxo any more.
Any suggestions please.

Hilmi

Hilmi. Proxomitron is not a firewall, and so testing it against those kinds of tests is pointless.

What Proxomitron does, wonderfully, is protect us from ads, banners, nasty scripts, iframes and all manner of other ■■■■ that web sites would otherwise impose on us.

Best bet is to take yourself over to castlecops.com and READ the threads on proxomitron.

I had a similar problem with Comodo and Proxomitron.
https://forums.comodo.com/index.php/topic,1695.msg12583.html#msg12583

Okay then, based on Egemen’s response to user4 it looks like my thought was incorrect, and it does refer to such things as Proxomitron, and is a security risk.

LM

I think this is a very important issue as a lot of people use local proxies of one sort or another. The question is, how do we counter this issue. I guess we will need to create a comprehensive set of ‘loopback’ rules for the applications that need this feature. This was the same subject I asked about here:

https://forums.comodo.com/index.php/topic,6622.msg48725.html#msg48725

Unfortunately the issue remains unresolved.

Isn’t disabling the skip loopback option for both TCP and UDP enough? That way you can create rules based on the pop ups that will appear.
For example, after disabling UDP Comodo started asking permission for clicking links in the “About menu” of programs. It did not do that with UDP enabled. Doesn’t disabling those options close any “holes” there might be, automatically, similar to this example?

Hello user4

Clearly, if there are security considerations for applications that make use of the ‘loopback’ function, un-checking the ‘Skip Loopback’ options for both TCP and UDP is desirable.

The problem is, that with ‘Skip Loopback’ disabled CPF will produce innumerable prompts for these applications for each loopback request. To prevent this, specific rules must be created for each application that uses loopback.

Toggie.

Yup, it’s difficult to decide. I have about 16 allow entries in AppMon only for IE (eg. launching from Opera and other ‘Parents’). Making separate loopback rules for everything would be a grind.
I think however, that just disabling (unticking) the ‘Skip loopback’ for TCP option is sufficient, albeit not perfect, as the vast majority of outbound problems occur via the TCP protocol (as mentioned in Comodo user manual).
I only get alerts when some components have changed due to updating programs, patches to IE 7 etc.
I still don’t know what to make of PC Flank leaktest. The tap drips but the url does not reflect what I typed ??
Proxomitron is too good/great an application to simply discard.
Not being a firewall expert, (more’s the pity), tell me if I am talking nonsense. :wink:

Toggie, I was not testing Proxomitron for leak test. But when I started using proxo it started getting thru, maybe I did stg wrong. That’s what I was asking about. Sure I would like to use it, but if it is somehow insecure then I’d prefer to leave it out. FYI I had UDP and TCP skip loop-back unchecked all the time.

Hilmi

Toggie, now that your other thread is marked resolved, do you think it would benefit proxomitron users to follow your specialized rules?

Hilmi, I’m not exactly sure what you mean by “But when I started using proxo it started getting thru”? Do you mean you were getting prompts from CPF to allow Proxomitron to connect?

If you had ‘Skip Loopback’ for TCP and UDP unchecked you will receive requests from any application that requires loopback, unless there are loopback rules defined for that application.

Toggie

I can’t take any credit for these rules, as most were found here on the forums. However, I am trying to put together, not just rules for Proxomitron, but for a series of applications. To that end I have started another thread here:

https://forums.comodo.com/index.php/topic,6720.0.html

Once I gather the information I require I’ll gladly write a complete guide that may benefit other users.

Toggie

I can appreciate that creating loopback rules is tiresome, but you may only need a few, dependent upon which applications you use. As I said in my other thread, the rules I have for Proxo are:

Proxomitron.exe 127.0.0.1 8080 TCP In Allow
Proxomitron.exe 127.0.0.1 1024-4999 TCP Out Allow
Proxomitron.exe ANY 80,443 TCP In Allow
Proxomitron.exe (MY ISP DNS1) 53 UDP Out Allow
Proxomitron.exe (MY ISP DNS2) 53 UDP Out Allow

In addition I have two rules in Network Monitor (still testing these though):

Allow TCP In/Out [ANY] 127.0.0.1 1024-4999 1024-4999
Allow UDP In/Out [ANY] 127.0.0.1 1024-4999 1024-4999

Personally I wouldn’t use anything but Proxomitron with Sidki’s filter set, plus a few personal mods. It’s the cleanest way to surf that I have found. Of course Firefox helps too :wink:

Toggie
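
As an added example (not part of the thread and not Comodo tooling), the Python sketch below parses Application Monitor rules in the column layout Toggie posted and reports how much each rule permits, next to the two blanket rules from the opening post. The blanket rules are restated in that layout as constructed input and the finding labels are this example's own; it measures rule breadth only and does not model how CPF evaluates rules.

```python
import re

# Columns in Toggie's post: application, remote address, port(s),
# protocol, direction, action. "(MY ISP DNS1)" is one address field.
RULE = re.compile(
    r"^(\S+)\s+(\(.+?\)|\S+)\s+(\S+)\s+(\S+)\s+(In|Out)\s+(Allow|Block)$")

def port_count(spec):
    """Ports covered by 'ANY', '8080', '80,443' or '1024-4999'."""
    if spec.upper() == "ANY":
        return 65535
    total = 0
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        total += int(hi or lo) - int(lo) + 1
    return total

def audit(lines):
    """Return one dict per rule: port count plus breadth findings."""
    report = []
    for line in lines:
        m = RULE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        _app, addr, ports, _proto, _direction, action = m.groups()
        n, findings = port_count(ports), []
        if action == "Allow" and addr.upper() == "ANY":
            findings.append("every host and port" if n == 65535
                            else "any host, limited ports")
        if action == "Allow" and addr.startswith("127.") and n > 1:
            findings.append(f"loopback range of {n} ports")
        report.append({"rule": line.strip(), "ports": n, "findings": findings})
    return report

# Constructed: the opening post's two blanket rules in Toggie's layout.
BLANKET = ["Proxomitron.exe ANY ANY TCPorUDP In Allow",
           "Proxomitron.exe ANY ANY TCPorUDP Out Allow"]
# Copied from Toggie's post.
NARROW = ["Proxomitron.exe 127.0.0.1 8080 TCP In Allow",
          "Proxomitron.exe 127.0.0.1 1024-4999 TCP Out Allow",
          "Proxomitron.exe ANY 80,443 TCP In Allow",
          "Proxomitron.exe (MY ISP DNS1) 53 UDP Out Allow",
          "Proxomitron.exe (MY ISP DNS2) 53 UDP Out Allow"]

if __name__ == "__main__":
    for r in audit(BLANKET + NARROW):
        print(f"{r['ports']:>5} port(s)  {r['rule']}"
              f"  -> {'; '.join(r['findings']) or 'no finding'}")
```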