Host Name option in AM rules?

Ok! pulling hair out time here ???

It’s like this. I have thunderbird set-up to use specific rules for each mail server I connect to. As an example, GMail:

thunderbird.exe - pop.gmail.com - 995 - TCP Out.

As you can see, I am using the host name option to define the destination, however I cannot get this option to remain stable. Let me explain.

I set Alert frequency to Very High and connect to gmail. It picks up the IP Address and the port. I then edit the rule, replacing the IP with the host name. So far so good. Next time I connect, the IP changes, so I get another prompt. I edit the rule to the host name and the two rules are merged.

This happens a lot because gmail and their ilk use a large number of addresses for their front end servers.

Ok, so I think to myself, what if I lower the Alert Frequency down a notch. BZZZZ! Rule gets changed to ANY 995. The host name gets wiped, and if I put it back, it gets wiped again next time, assuming I hit remember.

Maybe it’s me, but I can’t seem to find a way to set the Alert Frequency to allow just a host name and a port and be done with it.

Any ideas are warmly welcomed :slight_smile:

Toggie

Oh well, this is a big range, so you need to restrict it using your log as reference.

OrgName: Google Inc.
NetRange: 66.249.64.0 - 66.249.95.255
CIDR: 66.249.64.0/19

Your problem is interesting…
Would you mind doing a little research for me?

That issue is caused by DNS round robin.

If you stick with the host name rule, does the problem remain?
When you choose a host name the rule saves the host name and the ip.

For this problem it is useful to know if the host name is resolved once, on every connection, or once between reboots…

Maybe resolving is handled differently in application monitor than in network monitor.
Perhaps application monitor resolves the name one time until the application is unloaded, while network monitor resolves the name one time until logoff.

Feel free to post your results in this thread.

Oh well, this is a big range, so you need to restrict it using your log as reference.

OrgName: Google Inc.
NetRange: 66.249.64.0 - 66.249.95.255
CIDR: 66.249.64.0/19

That’s precisely the problem. I choose to go with the ‘host name’ because the range of possible addresses used by the various email vendors is so large. The problem is even worse with hotmail.

When you choose a host name the rule saves the host name and the ip.

Yes. Essentially, every time a new IP is identified, a new rule is created, specifically for that address. If I modify the new rule to include the host name, the rule is then merged with any existing rules.

For this problem it is useful to know if the host name is resolved once, on every connection, or once between reboots...

I would imagine it depends on what’s cached and how frequently the cache is cleared/updated.

Maybe resolving is handled differently in application monitor than in network monitor. Perhaps application monitor resolves the name one time until the application is unloaded, while network monitor resolves the name one time until logoff.

I can’t see there being a difference in the way two different components of the same package will handle host name resolution.

Personally I’d rather not use host name resolution due to the overhead imposed, but as I mentioned at the beginning, unless it’s possible to specifically identify the address range used by the email vendors I can see no other option.

Toggie

I feel like I’m having deja vu all over again, Toggie.

Now, we know that High doesn’t include IP address, but in my mind IP and Hostname should equate to the same thing… I guess in CFP’s mind it doesn’t. (:AGY) I don’t see why it would keep prompting on Very High.

Makes it look like the only workaround is the IP range. Will your ISP/webmail provider give that out? Surely they would…

LM

I feel like I'm having deja vu all over again, Toggie.

You too :wink:

but in my mind IP and Host name should equate to the same thing

The more I think about this, the less certain I am about that. In some ways, CFP is doing exactly what it should. When the Alert Frequency is set to Very High, it’s prompting for a new rule when the IP address changes, even though the host name remains the same.

With Alert Frequency set to High, the IP address check is bypassed, but what you’re left with is an ANY entry in the Destination field. If I then edit the rule to include the host name, CFP will simply create a new ANY rule next time out.

Maybe I’m missing something…

I don't see why it would keep prompting on Very High.

I guess it’s because the IP changes frequently, due to DNS load balancing.

Makes it look like the only workaround is the IP range. Will your ISP/webmail provider give that out? Surely they would...

That’s how it seems to me, but as I said, the problem is with services like GMail and particularly Hotmail.

I’ll keep playing with it…

On a technical level, that may be. From a user level, it would seem to me that it should equate to the same thing…

But try this - find one for which you know the IP range. Set that in the AM rule, instead of using a hostname (may have to be for something other than gmail, but where the IP still changes). For testing purposes, you may even use a very broad range that may encompass more than you need… the point is, when you access it on Very High, will it still trigger on the IP address (provided it’s still in that range).

This is the key obstacle, I think. Can’t tone down the AF, or the rules are overwritten with the more general entry; can’t get around that.

Try setting the broad IP range (just for testing) and see if you still get an alert.

LM

I can't see there being a difference in the way two different components of the same package will handle host name resolution.

Never mind, it was only a speculation. But all this is related to performance…
When I use host:www.google.com, a range is actually specified in application monitor or network monitor… The point is whether the firewall uses the range or not. If it uses the range when the host field is specified, it is important to know how this range is updated.

Back on topic…
I tested a way to solve your issue but I’m not sure if it works for you.

The rough way to solve your issue is to log connections to pop.gmail.com using a topmost allow & log rule in network monitor with host pop.gmail.com or the Google IP range.

Then analyze the data of 30 or more connections to guess the IP range or the IP list.
They could have assigned a range of IPs to that service or semi-random IPs in their huge network range… I would use this way to track the IP.

I thought of a “smart” way too (humour intended) and tested it on pool.ntp.org (this address is mapped to 973 servers). I got some encouraging results, but it is not a perfect method…

nslookup pool.ntp.org. (the final dot is important) gives a list of about 10 different IPs.
The IPs are the same during this test session (I did try ipconfig /dnsflush but I had no different results).

So you could try nslookup pop.gmail.com. but using this I got 1 IP only…

nslookup www.google.com. gives 3 IPs to me.

This could be caused by my Geo Location+ Dns roundrobin so you need to test this…

BTW: I switched to Very High and used a host rule (host:www.google.com) but I got no alert; maybe I need to reboot to have the behaviour you described. Would you mind trying Host:www.google.com to see if it is mapped as a range?
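An added example (not from this thread or from Comodo) of the log-analysis step gibran describes: take the destination addresses seen over many logged connections, find the narrowest CIDR block that covers them, and check which of them fall inside a published netblock such as the 66.249.64.0/19 whois range quoted earlier in the thread. The log line format and the addresses below are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample log (the line format is assumed, not CFP's real format):
# one line per outbound connection from thunderbird.exe to port 995.
SAMPLE_LOG = """\
thunderbird.exe TCP Out 66.249.93.109:995 Allow
thunderbird.exe TCP Out 66.249.93.211:995 Allow
thunderbird.exe TCP Out 66.249.91.16:995 Allow
thunderbird.exe TCP Out 66.249.93.109:995 Allow
thunderbird.exe TCP Out 64.233.169.109:995 Allow
"""

IP_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def observed_ips(log_text, port=995):
    """Distinct destination addresses seen on the given port, sorted."""
    ips = set()
    for line in log_text.splitlines():
        m = IP_PORT.search(line)
        if m and int(m.group(2)) == port:
            ips.add(ipaddress.ip_address(m.group(1)))
    return sorted(ips)


def covering_cidr(ips):
    """Smallest single CIDR block containing every observed address.
    Widen from the lowest address one bit at a time until the highest fits."""
    lo, hi = min(ips), max(ips)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return net


def group_by_block(ips, known_blocks):
    """Bucket addresses by the published netblock (e.g. from whois) that
    contains them; addresses matching no block go under None, which shows
    that a rule built only from that whois range would miss them."""
    blocks = [ipaddress.ip_network(b) for b in known_blocks]
    groups = {str(b): [] for b in blocks}
    groups[None] = []
    for ip in ips:
        home = next((b for b in blocks if ip in b), None)
        groups[str(home) if home is not None else None].append(ip)
    return groups


if __name__ == "__main__":
    ips = observed_ips(SAMPLE_LOG)
    print("block covering everything:", covering_cidr(ips))  # 64.0.0.0/6, far too broad
    for block, members in group_by_block(ips, ["66.249.64.0/19"]).items():
        print(block, [str(i) for i in members], covering_cidr(members) if members else "-")
```

One stray address outside the whois block is enough to blow the covering block up to a /6, which is why grouping by published netblock first gives a usable per-block range (here 66.249.88.0/21) instead of one enormous rule.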

LM wrote:

On a technical level, that may be. From a user level, it would seem to me that it should equate to the same thing...

I agree.

...will it still trigger on the IP address (provided it's still in that range).

I seem to remember, when I tried this before, it didn’t trigger an event. I will, however, test this again.

This is the key obstacle, I think. Can't tone down the AF, or the rules are overwritten with the more general entry; can't get around that.

I guess this is what I keep coming back to. The rule creation mechanism needs to be more granular, so that a host name entry will work, without triggering an event for each different IP.

gibran wrote:

Never mind, it was only a speculation. But all this is related to performance... When I use host:www.google.com, a range is actually specified in application monitor or network monitor... The point is whether the firewall uses the range or not. If it uses the range when the host field is specified, it is important to know how this range is updated.

I haven’t tried the generic host name in testing, but I would imagine the results will be the same, as something like google.com is going to resolve to many different addresses.

The rough way to solve your issue is to log connections to pop.gmail.com using a topmost allow & log rule in network monitor with host pop.gmail.com or the Google IP range.

Then analyze the data of 30 or more connections to guess the IP range or the IP list.
They could have assigned a range of IPs to that service or semi-random IPs in their huge network range… I would use this way to track the IP.

I started to do something like that, but the address range is just too vast. The problem may also be compounded by geographical considerations.

(I did try ipconfig /dnsflush but I had no different results).

I don’t use the Windows DNS cache, I have the DNS Client Service disabled. I assume CFP does its own caching?

So you could try nslookup pop.gmail.com. but using this I got 1 IP only...

I would assume that is a cache entry, as I always get the IP address of the last server I connected to.

BTW: I switched to Very High and used a host rule (host:www.google.com) but I got no alert; maybe I need to reboot to have the behaviour you described. Would you mind trying Host:www.google.com to see if it is mapped as a range?

I’ll try this and see what happens, I’m curious…

One final thing. I said in an earlier post:

Yes. Essentially, every time a new IP is identified, a new rule is created, specifically for that address. If I modify the new rule to include the host name, the rule is then merged with any existing rules.

After further testing, this appears to be false! As an example I have a rule for pop.google.

tb.exe - pop.google.com [66.249.93.109 - 66.249.93.211] - 995 - TCP - Out - Allow

After checking my mail this afternoon I received a new prompt for 66.249.91.16. I modified the rule to include the host name but CFP, after doing what I can only assume was a host name lookup, removed the rule, and it was not merged into the existing rule. Curious…

Toggie

Maybe in this case DNS-roundrobin is not involved and load balancing is done some other way…

nslookup www.google.com. gives 3 different IPs to me.
nslookup pool.ntp.org. gives a list of about 10 different IPs.

Considering that pool.ntp.org is composed of 973 servers, that was 1% encouraging because the query resulted in 10 different IPs.

Just a small update on this :slight_smile:

I’ve found that using an abbreviated host name for the likes of gmail and yahoo mail works, i.e.

pop.gmail.com resolves to a single address and thus will prompt every time a different address is found.

google.com resolves to the entire scope used by google! Far too large, but no more prompts.

The same is true for yahoo:

mail.yahoo.com - single address
yahoo.com - entire scope

Hotmail.com is weird! For some strange reason, when I edit the automatically created rule to include the host name, the rule is removed! Pooof gone!

I also used the IP address range option (gleaned from the trials above) and that too prevented any further prompts.

So it seems the way host name resolution is performed is different, based on which portion of the name is used.

Toggie

Sounds kinda like how NoScript uses the different levels of domain names, for how much/how deep you want the approval (or disapproval) to go.

LM