any "localhost" for rule

How can I get a rule for all localhost connections?
127.0.0.1 → 127.0.0.1
any other local IP → any other local IP

ext. IP → ext. IP

Some apps use 127, some the ext. IP, some a virtual one (from Wi-Fi or VMware),
and some IPs can change.
It is very annoying to specify all the network adapters!

I don't want any loopback traffic, but for some apps I want to create a rule for all local connections.

For example, Kerio has “Firewall Host” for all interfaces,
and I can use “Firewall Host” → “Firewall Host” without knowing all my IPs and how they change.

PS
I tried “localhost” as the host name, but this does not work.

Local loopback refers to the host itself. There’s no reason to block it. Depending on the design of an app, it may access system resources via RPC, i.e., remote procedure call, via loopback.

I’ve created a zone called [local_0] and [local_127] for IP addr 0.0.0.0 and 127.0.0.1 respectively.

I allow TCP out from in [local_0] to in [local_127] (or vice versa) as is necessary by app. The specific ports are usually arbitrary. But in some circumstances they’re particular, e.g., for BOINC screen-saver, BOINCMNGR, destination port is specifically 31416 (source port ANY).

IExplorer wants TCP out from in [local_0] to [local_127] source port ANY dest port in [Adobe RTMP] (source port ANY)
and TCP out from in [local_0] to in [local_127] source port ANY dest port [HTTP ports]

Adobe RTMP ports: 843 / 1935
HTTP ports: 80, 81, 443, 8080

CFP.exe, i.e., CIS FW, wants TCP out from in [local_0] to in [local_127] source port ANY to dest port 80 (of all CIS components it's the only one requiring a rule for that particular IP connection).

0.0.0.0 refers to this network, compared to 127.0.0.1 referring to this host. I have a network zone defined [NIC] that refers to the host IP, i.e., 192.168.0.64, and [gateway] is 192.168.0.1. It's so much easier to implement rules using network zones, rather than typing IP addr in manually each and every stinkin’ time.

I shouldn’t need rules for traffic 192.168.0.65 to 192.168.66. If SYSTEM was intercepting that a global rule to block IP from ANY to not in [NIC] src port ANY to dest port ANY. My system shouldn’t be bothered by my children’s PC interacting.

To allow traffic in from any node on the LAN, create a [network] zone and add all the host IP addr on the LAN into it. Then create a rule: allow IP from in [network] to in [NIC] src port ANY to dest port ANY. That allows traffic into the host IP, i.e., NIC.

To allow all nodes on LAN access to local host, then allow IP in [network] to in [local_127] src port ANY dest port ANY should work.

The above assumes static IP within the DHCP specified domain range. IF you’re using DHCP on the LAN, [network] can be defined as IP address w/mask: 192.168.x.0 / 255.255.0.0, where x = network address. In that case nodes on the network can have different host IP addresses.

When DHCP fails, APIPA allocates IP addresses in the private range 169.254.0.1 to 169.254.255.254. To cover that rule, I’d create a zone called [APIPA] using IP mask: 169.254.0.0 / 255.255.0.0

If you have devices having an IP in the cloud, e.g., a smartphone w/ ISP assigned IP address (public facing IP) trying to get into your local network, that’s a major security risk.

There's no reason to block it.
proxy
I have a network zone defined [NIC] that refers to the host IP
create a [network] zone and add all the host IP addr on the LAN into it.
I don't want to edit the zone every time something changes settings.
IF you're using DHCP on the LAN, [network] can be defined as IP address w/mask: 192.168.x.0 / 255.255.0.0, where x = network address. In that case nodes on the network can have different host IP address.
security risk.

DHCP is a good example that I can't assign just a localhost address in a rule without numbers!

Yes, I will admit Kerio was a nice, easy-to-set firewall and I do miss it :slight_smile:

Block TCP Out from 0.0.0.0 to IP 127.0.0.1 Where the source port is any and Destination port is 4444

This rule works in CIS 5.12 and should work in CIS V6

Place this rule in the application you want to block, at the top of that application's rule list. The "Out from" is not important, you can leave it blank, and change the destination port to the one your proxy is using, maybe 8080.

You can log this rule to check if it is working at first.

Dennis

to IP 127.0.0.1
Some apps use other IPs for local connections; in one day I found two such: one for 192.168.*** and one for the Internet IP, and 127 doesn't work for them.

Sorry, you have to adapt your rule to suit these; maybe use an IP/MAC range instead if the last two change.

Is there no way in settings that you can force the proxy to use a certain IP/MAC and port?

Dennis

I don't want to create rules for the proxy, but for some untrusted app to have access only for local connections (except the proxy port).

Maybe the developers can do a “firewall host” implementation for source / dest in the future ;D

Yes, I know this would be a lot easier :slight_smile:

But I am afraid the chance is small of a wish like this.

For the moment your only choice is to create block and allow rules for applications; you could create a group for these applications, then create one set of rules in Firewall Application Rules.

Some easy solution for me (but you still need to know your computer configuration):
use Host Name and PC network name.
This works with any local connection.

And it is very strange that the developers have thrown out the common name localhost.

What does the proxy have to do with it? The proxy is external to the LAN and handles NAT on the LAN. localhost is 127.0.0 for any node on any arbitrary subnet of any arbitrary network ID. Each host sees itself as 127.0.0.1 regardless of host IP address. And it sees the network it's on as 0.0.0.0.

CIS defined network zone for [NIC], or [network], as 192.168.1.0 / 255.255.255.0 will allow DHCP host IP address assignment for all possible nodes on the network subnet 192.168.1.0 (network address 0 and broadcast address 255 exclusive). Each node on the subnet uses 127.0.0.1 as its loopback address.

If more than 252 nodes are needed on a network, then a supernet mask needs to be employed so as to establish an extended network prefix. But that’s irrelevant; a subnet mask of 255.255.192.0 gives 2 subnets with 16382 hosts per subnet. EACH HOST’s localhost address is 127.0.0.1. And each host’s localhost loopback w/ respect to the network the host is on is 0.0.0.0 (regardless of the subnet it's on).

localhost is 127.0.0 for any node on any arbitrary subnet of any arbitrary network ID. Each host sees itself as 127.0.0.1 regardless of host IP address.
No, I see it in the requests of COMODO; I have a rule for 127->127 and it doesn't work for other local IPs.

What’s not working from other local IPs on the LAN?

You shouldn’t be seeing any reference to 127.0.0.1 except for the host IP. If the host IP is 192.168.0.64, then host IP 192.168.0.128 localhost IS 127.0.0.1 and has got nothing to do with 127.0.0.1 for host IP 192.168.0.64. 127.0.0.1 is non-routable. IT IS the localhost loopback for each host IP’s own host IP address. 127.0.0.1 is another form of ‘me’, or ‘this host’.

I have a T-shirt that says:

There’s no place like 127.0.0.1

Any IP protocols out (or in) 127.0.0.1 originate and terminate on the host IP address. It's nonsensical for IP protocol ANY out from 192.168.0.64 to 127.0.0.1 (or vice versa). It's either IP protocol ANY from 0.0.0.0, i.e., this network, to 127.0.0.1 (this host), or vice versa.

I don’t even think IP any in from 192.168.0.128 to 127.0.0.1 (if host IP is 192.168.0.64), or vice versa, is legit. If 192.168.0.128 wants to access a resource on 192.168.0.64, then CIS will intercept that specific IP protocol traffic between those host IP addresses. That may necessitate IP protocol traffic from 0.0.0.0 having some source port to 127.0.0.1 having some destination port that matches the incoming / outgoing host IP address source and destination ports.

I did not say anything about the other computers on the network; I’m interested only in the local connections setup.

It's nonsensical for IP protocol ANY out from 192.168.0.64 to 127.0.0.1 (or vice versa).
We are talking about different things. I have 3-4 NICs on the PC (some virtual from VMware, virtual from Wi-Fi, etc.). Virtual NIC IPs change very easily (I can reconfigure VMware).

I can't understand it, but some apps try to connect locally from the VMware NIC,
some from the Internet IP.

And I must have a local zone (or rule set) in CIS with all NICs' IPs for problem-free local connections, for example:
127.0.0.1 to 127.0.0.1
192.168.0.64 to 192.168.0.64 vmware1
192.168.2.64 to 192.168.2.64 virtualbox
192.168.54.64 to 192.168.54.64 wifi

Ext IP to Ext IP

I have to remember to update them in case of any changes in the system. It is very annoying.

In Kerio there is only one rule forever, “Firewall Host to Firewall Host”,
and you can forget about it!
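As an added illustration (not from this thread, and not CIS's or Kerio's own code), here is a small Python model of what the thread is arguing about: zones defined as single hosts, CIDRs or address/mask pairs (like the [local_127], [network] and [APIPA] zones earlier in the thread), a first-match per-application rule list with the proxy-port block placed on top, and a "Firewall Host" style zone built from the list of addresses the host currently holds, so one self-to-self rule covers loopback, VMware, VirtualBox, Wi-Fi and external addresses without naming each adapter. All addresses, the port 4444 (taken from Dennis's example) and the rule ordering are constructed assumptions; the real CIS matching engine is not modelled, and a real tool would enumerate the interfaces instead of using a fixed list.

```python
"""Zone-based local firewall rule matcher (illustrative model, not CIS's engine)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address list standing in for the addresses this host holds on all
# its adapters: loopback, VMware, VirtualBox, Wi-Fi and an external address.
HOST_ADDRESSES = ["127.0.0.1", "192.168.0.64", "192.168.2.64",
                  "192.168.54.64", "203.0.113.7"]


def make_zone(*specs):
    """Build a zone from hosts ('127.0.0.1'), CIDRs ('169.254.0.0/16') or
    address/mask pairs ('192.168.0.0/255.255.255.0'), as CIS zones allow."""
    return [ipaddress.ip_network(s, strict=False) for s in specs]


def firewall_host_zone(addresses):
    """The 'Firewall Host' zone the thread asks for: every address the host
    holds, so a self-to-self rule covers any adapter without listing them."""
    return make_zone(*addresses)


ZONES = {
    "firewall_host": firewall_host_zone(HOST_ADDRESSES),
    "local_127": make_zone("127.0.0.1"),
    "network": make_zone("192.168.0.0/255.255.255.0"),   # DHCP-style LAN zone
    "APIPA": make_zone("169.254.0.0/255.255.0.0"),       # link-local fallback
}


def in_zone(ip: str, zone: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ZONES[zone])


@dataclass
class Rule:
    action: str                      # "allow" or "block"
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    src_zone: str
    dst_zone: str
    dst_port: Optional[int] = None   # None means ANY
    src_port: Optional[int] = None


def rule_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if rule.src_port is not None and rule.src_port != src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != dst_port:
        return False
    return in_zone(src_ip, rule.src_zone) and in_zone(dst_ip, rule.dst_zone)


# Ordered rule list for one untrusted application. First match wins, mirroring
# "place the block rule at the top of that application's rule list".
PROXY_PORT = 4444  # placeholder from the thread; set to the proxy's real port
APP_RULES = [
    Rule("block", "tcp", "firewall_host", "firewall_host", dst_port=PROXY_PORT),
    Rule("allow", "tcp", "firewall_host", "firewall_host"),
]


def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port, default="block"):
    """Return (action, rule_index); rule_index is None when the default applies.
    Anything not self-to-self (e.g. another LAN host) falls through to default."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
            return rule.action, i
    return default, None


def usable_hosts(spec: str) -> int:
    """Hosts available under a mask, network and broadcast addresses excluded."""
    return ipaddress.ip_network(spec, strict=False).num_addresses - 2


if __name__ == "__main__":
    # Constructed sample connections such as a firewall log would show them.
    samples = [
        ("tcp", "127.0.0.1", 51000, "127.0.0.1", 31416),      # loopback, BOINC
        ("tcp", "192.168.2.64", 51001, "192.168.2.64", 8080),  # VirtualBox NIC
        ("tcp", "127.0.0.1", 51002, "127.0.0.1", PROXY_PORT),  # proxy port
        ("tcp", "192.168.0.64", 51003, "192.168.0.128", 445),  # other LAN host
    ]
    for conn in samples:
        print(conn, "->", evaluate(APP_RULES, *conn))
    print("/24 usable hosts:", usable_hosts("192.168.1.0/255.255.255.0"))
```

Feeding logged connections through `evaluate` is a cheap way to check a rule set before trusting it, which is what the "log this rule to check if it is working" advice above amounts to; the self-to-self zone also makes the OP's point concrete, because a connection from any of the host's own addresses to another LAN host never matches and lands on the default.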