Difference between revisions of "Firewalling"

From twofo wiki
 
(41 intermediate revisions by 2 users not shown)
Line 5: Line 5:




Firewalling off campus out is intended as an extra layer of security, and does cannot guarantee you safety from ITS. We do believe that is is by far the best thing you can do though and recommend it to everybody.
Firewalling off campus out is intended as an extra layer of security, and doesn't guarantee your safety from ITS. We do believe that is is by far the best thing you can do though and recommend it to everybody.




Guides for blocking blocking external connections to DC++ in various firewalls and operating systems are below.  If you are looking for a quick and easy firewall to block connections, then we recommend one of Comodo, Sygate or Kerio as these are light on system resources and are unlikely to interfere with your computer as a whole.
Guides for blocking blocking external connections to DC++ in various firewalls and operating systems are below.  If you are looking for a quick and easy firewall to block connections, then we recommend one of Comodo, Sygate or Kerio as these are light on system resources and are unlikely to interfere with your computer as a whole.


=Windows=


NB.  Firewalls listed under Windows Vista will work for Windows XP as well with the exception of the Vista firewall itself.
==[[Vista_7_Firewall | Windows Firewall]]==
 
= Windows 7 =
 
As far as is known so far, all the firewalls and scripts that work for Windows Vista ought to work on Windows 7 in much the same manner.  If anybody tries this and finds it not to be the case could you leave a message on the hub and (if feeling particularly inquisitive) any solutions you may have found.
 
= Windows Vista = 
Unless otherwise stated, the following firewalls will work on Windows Vista/XP/2000
 
==[[Vista32 | Windows (Vista) Firewall 32bit]]==
[[Vista32 | (32 bit guide produced by Rampage)]]
 
This only applies to the '''Vista''' firewall, and '''DOES NOT''' work on XP.


First you will most likely need to disable any DC++ rules in the firewall, then you can either run the commands above, or get the install.bat file below which will run them all at once.  So all you need to do is download the scripts right click on the appropriate one and 'run as Administrator'.
First you will most likely need to disable any DC++ rules in the firewall, then you can either run the commands above, or get the install.bat file below which will run them all at once.  So all you need to do is download the scripts right click on the appropriate one and 'run as Administrator'.


Also ensure that the DC++ executable file is located at '''"C:\Program Files\DC++\DCPlusPlus.exe"'''. If this is not the case the commands/scripts have to be modified accordingly.  If you are using the preconfigured client from this wiki then you will either need to extract it to Program Files or change the rules to reflect the new location of teh DCPlusPlus.exe file.
Also ensure that the DC++ executable file is located at '''"C:\Users\YourName\DC++\DCPlusPlus.exe"'''. If this is not the case the commands/scripts have to be modified accordingly.  If you are using the preconfigured client from this wiki then you will either need to extract it to Program Files or change the rules to reflect the new location of the DCPlusPlus.exe file.  If you go to '''C:\Users\YourName\DC++''' you should see the list of files for DC itself (DCPlusPlus.exe, favourites.xml etc etc) and '''NOT''' the DC++ and stunnel folders.


[http://www.twofo.co.uk/resources/vista_install.bat 32 bit Install Firewall Rules]
<span style="color:red;font-weight: bold"><span style="font-size:large">READ THIS: </span>Really, you cannot just run these scripts and expect it to work, you have to read the above and make the necessary changes!</span>


[http://www.twofo.co.uk/resources/vista_uninstall.bat 32 bit Uninstall Firewall Rules]
[http://www.twofo.co.uk/resources/vista_7_install.bat Install Firewall Rules]


Please ask one of the Operators to test that the firewall is working.
[http://www.twofo.co.uk/resources/vista_7_uninstall.bat Uninstall Firewall Rules]


==[[Vista64 | Windows (Vista) Firewall 64bit]]==
You can test whether this is working in DC++ itself by going to Help -> About DC++.  At the bottom of the window that shows up is a section saying latest version.  If this shows some form of error then the external blocking is correctly set up.  If it shows a DC++ version number then it is not.
[[Vista64 | (64 bit guide produced by Slinky)]]


Identical procedure to the 32 bit version, however slightly different rules to account for the different installation directory for the 64 bit version of Vista, specifically '''"C:\Program Files (x86)\DC++\DCPlusPlus.exe"'''If you have installed DC++ to a directory other than this you will need to input the rules manually from the guide, obviously changing the path where appropriate.  This will be the case if you used the pre-configured DC++ client off twofo.  If you need help just ask on the hub and somebody ought to be relatively nearby to lend a hand.
These have been recently modified to allow for changes to the Warwick networkFeedback would be appreciated as to whether they work or not, just ask on the hub if they don't and we'll try to figure it out.


[http://www.twofo.co.uk/resources/vista_install-64.bat 64 bit Install Firewall Rules]
==[[Comodo3 | Comodo Personal Firewall 3]]==
 
[[Comodo3 | (guide produced by Rampage)]]
[http://www.twofo.co.uk/resources/vista_uninstall-64.bat 64 bit Uninstall Firewall Rules]
 
==[http://www.twofo.co.uk/resources/Comodo3.pdf Comodo Personal Firewall 3]==
[http://www.twofo.co.uk/resources/Comodo3.pdf (guide produced by Rampage)]


'''Free firewall'''<br>
'''Free firewall'''<br>
Version 3 is Windows Vista compatible
Version 3 is Windows Vista compatible


There is also a guide available for Comodo Personal Firewall Version 2.4 [http://www.twofo.co.uk/resources/Comodo.pdf here].<br>
There is also a guide available for Comodo Personal Firewall Version 2.4 [[Comodo | here]].<br>
You can download Comodo Personal firewall from http://personalfirewall.comodo.com.
You can download Comodo Personal firewall from http://personalfirewall.comodo.com.


==[http://www.twofo.co.uk/resources/ESS.pdf Eset Smart Security (NOD32)]==
==[[ESET | Eset Smart Security (NOD32)]]==
[http://www.twofo.co.uk/resources/ESS.pdf (guide produced by Rampage)]
[[ESET | (guide produced by Rampage)]]


Windows Vista compatible, please ask on the hub for someone to test it for you. Guide Needs testing, if you find it is up to scratch please contact astropoint or Rampage and this will be finalised. If something needs editing please contact Rampage.
Windows Vista compatible, please ask on the hub for someone to test it for you. Guide Needs testing, if you find it is up to scratch please contact astropoint or Rampage and this will be finalised. If something needs editing please contact Rampage.


==[http://www.twofo.co.uk/resources/Kaspersky.pdf Kaspersky v7]==
==[[Kaspersky7 | Kaspersky v7]]==
[http://www.twofo.co.uk/resources/Kaspersky.pdf (guide produced by astropoint)]
[[Kaspersky7 | (guide produced by astropoint)]]


Kaspersky v8 (2009) seem to have removed alot of the functionality of v7 in regards to specific blocking of applications to certain IP ranges as is required on campus.  If anybody can work out how to do it on the newer versions please tell an op and we can try to knock together a guide.
Kaspersky v8 (2009) seem to have removed alot of the functionality of v7 in regards to specific blocking of applications to certain IP ranges as is required on campus.  If anybody can work out how to do it on the newer versions please tell an op and we can try to knock together a guide.


==[http://www.twofo.co.uk/resources/CAPF.pdf CA Personal Firewall]==
<!--
[http://www.twofo.co.uk/resources/CAPF.pdf (guide produced by Rampage)]
==[[CA | CA Personal Firewall]]==
[[CA | (guide produced by Rampage)]]


Some people seem to have trouble running this firewall on vista even though it is technically compatible.  Try Comodo if you experience issues
Some people seem to have trouble running this firewall on vista even though it is technically compatible.  Try Comodo if you experience issues
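
Review bot: In the executable-path paragraph, the new revision changes the expected location to "C:\Users\YourName\DC++\DCPlusPlus.exe", but the following sentence still tells users of the preconfigured client to "extract it to Program Files", so the two sentences now disagree about where the rules expect the executable. Suggest rewording that sentence to name the same directory the rules use. The same edit fixes "does cannot" in the introduction but leaves "that is is" in that sentence and "blocking blocking" in the next paragraph.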
Line 72: Line 57:


Expert firewall
Expert firewall
-->


==[http://www.twofo.co.uk/resources/Norton.pdf Norton Personal Firewall]==
==[[Norton | Norton Personal Firewall]]==
[http://www.twofo.co.uk/resources/Norton.pdf (guide produced by astropoint)]
[[Norton | (guide produced by astropoint)]]


Guide was produced for Norton 2005, but the basic structure of the rules etc hasn't changed so should be applicable to more recent versions.
Guide was produced for Norton 2005, but the basic structure of the rules etc hasn't changed so should be applicable to more recent versions.  However if somebody is willing to help update it somewhat it would be appreciated; contact astropoint.


==[http://www.twofo.co.uk/resources/Mcafee.pdf McAfee]==
==[[McAfee | McAfee]]==
[http://www.twofo.co.uk/resources/Mcafee.pdf (guide produced by 2448-1111)]
[[McAfee | (guide produced by 2448-1111)]]


''Warning:'' This puts the whole of the Resnet into the firewall's "Trusted Zone" which is a really bad idea on the whole.  So if somebody comes up with a way of allowing IPs JUST to DC++, pm astro/astropoint and I'll try to update the guide.
''Warning:'' This puts the whole of the Resnet into the firewall's "Trusted Zone" which is a really bad idea on the whole.  So if somebody comes up with a way of allowing IPs JUST to DC++, pm astro/astropoint and I'll try to update the guide.


=Windows XP=   
=Windows XP=   
Due to the coming discontinuation of support for Windows XP, firewall options for this are no longer listed.  If you are really desperate then ask and somebody will help you through setting it up (and advise you to upgrade to something else ASAP).
<!--
Unless otherwise stated, the following firewalls will work on Windows XP/2000.  Note that almost all Vista compatible firewalls also work on XP so check above in case your firewall is listed there
Unless otherwise stated, the following firewalls will work on Windows XP/2000.  Note that almost all Vista compatible firewalls also work on XP so check above in case your firewall is listed there


Line 107: Line 95:
Now download the preconfigured TDIFW from the http://www.twofo.co.uk/resources/tdifw.zip , unzip the contents onto your '''C:''' drive, run the file ''''install'''' and restart your computer. That is all you need! Please check with an Operator to confirm whether the firewall is working. (When Off Campus you can just uninstall the firewall from the unzipped folder in C drive or disable the service.)
Now download the preconfigured TDIFW from the http://www.twofo.co.uk/resources/tdifw.zip , unzip the contents onto your '''C:''' drive, run the file ''''install'''' and restart your computer. That is all you need! Please check with an Operator to confirm whether the firewall is working. (When Off Campus you can just uninstall the firewall from the unzipped folder in C drive or disable the service.)


==[http://www.twofo.co.uk/resources/Kerio2.pdf Sunbelt (Kerio)]==
==[[Kerio | Sunbelt (Kerio)]]==
[http://www.twofo.co.uk/resources/Kerio2.pdf (guide produced by astropoint)]
[[Kerio | (guide produced by astropoint)]]


'''Free (ish) Firewall''' Is shareware, but the required components continue to work after the trial license expires.
'''Free (ish) Firewall''' Is shareware, but the required components continue to work after the trial license expires.
Line 116: Line 104:
Download from http://www.vnunet.com/vnunet/downloads/2128767/kerio-personal-firewall
Download from http://www.vnunet.com/vnunet/downloads/2128767/kerio-personal-firewall


==[http://www.twofo.co.uk/resources/ZoneAlarm2.pdf ZoneAlarm]==
==[[ZoneAlarm | ZoneAlarm]]==
[http://www.twofo.co.uk/resources/ZoneAlarm2.pdf (guide produced by Huck)]
[[ZoneAlarm | (guide produced by Huck)]]


This is '''NOT''' the free version of the firewall.  As far as we know the free version of the firewall cannot block external connections properly.  However this is as yet untested on the vista compatible version (7.1)
This is '''NOT''' the free version of the firewall.  As far as we know the free version of the firewall cannot block external connections properly.  However this is as yet untested on the vista compatible version (7.1)


==[http://www.twofo.co.uk/resources/Tiny.pdf Tiny]==
==[[Tiny | Tiny]]==
[http://www.twofo.co.uk/resources/Tiny.pdf (guide produced by Rampage)]
[[Tiny | (guide produced by Rampage)]]


==XP Firewall==
==XP Firewall==


It is not possible to use the Windows XP firewall to properly block external connections to DC++ as far as we know.  Please choose one of the above firewalls instead.
It is not possible to use the Windows XP firewall to properly block external connections to DC++ as far as we know.  Please choose one of the above firewalls instead.
 
-->


=Linux=
=Linux=
Line 136: Line 124:


A guide for setting up the Linux firewall, iptables, to block external connections.  (produced by xyzzy originally. Resurrected by mooo)
A guide for setting up the Linux firewall, iptables, to block external connections.  (produced by xyzzy originally. Resurrected by mooo)
==[[EiskaltDCpp | EiskaltDC++ ipfilter]]==
(Courtesy of Rampage)<br>
EiskaltDC++ is a cross platform client which has an 'ipfilter' module built into the client. This module can be used to block off campus connections or vice versa. This has not been extensively checked so please do report back your findings.


=Mac=
=Mac=
Line 147: Line 139:
[[IPFW| (guide produced by Rampage)]]
[[IPFW| (guide produced by Rampage)]]


A guide for setting up the Mac OS Firewall, ipfw, to block external connections. (Needs 'better' testing)
A simple and fast guide for setting up the Mac OS Firewall, ipfw, to block external connections.


Confirm with an Operator to check that it is working.
==[[EiskaltDCpp | EiskaltDC++ ipfilter]]==
(Courtesy of Rampage)<br>
EiskaltDC++ is a cross platform client which has an 'ipfilter' module built into the client. This module can be used to block off campus connections or vice versa. This has not been extensively checked so please do report back your findings.
 
Confirm with an Operator to check that the firewall rules are working.


=Starting from scratch=
=Starting from scratch=


If you want to do this from scratch, you need to find how to get your firewall to only allow Resnet IPs (137.205.0.0 - 137.205.254.254 or 137.205.0.0/16 or 137.205.0.0/255.255.0.0) and the loopback address for stunnel (127.0.0.1) and blocking all other IPs from connection.  Conversely you could allow all IPs then block 0.0.0.0 - 126.254.254.254, 127.0.0.2 - 137.204.254.254 and 137.206.0.0 - 254.254.254.254 specifically.
If you want to do this from scratch, you need to find how to get your firewall to only allow Resnet IPs (137.205.0.0 - 137.205.254.254 (137.205.0.0/16 or 137.205.0.0/255.255.0.0) and 172.16.0.0 - 172.31.255.255 (172.16.0.0/12 or 172.16.0.0/255.240.0.0)) and the loopback address for stunnel (127.0.0.1) and blocking all other IPs from connection.   
 
Conversely you could allow all IPs then block 0.0.0.0 - 126.254.254.254, 127.0.0.2 - 137.204.254.254, 137.206.0.0 - 172.15.255.255 and 172.32.0.0 - 255.255.255.255 specifically.


Also, if you do this on a firewall not listed here then please contact an op with at least a basic set of instructions to be uploaded here.
Also, if you do this on a firewall not listed here then please contact an op with at least a basic set of instructions to be uploaded here.
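
Review bot: The block ranges in the "Conversely" sentence do not cover everything outside the allow-list. 0.0.0.0 - 126.254.254.254 stops short of 127.0.0.0 and 127.0.0.2 - 137.204.254.254 stops short of 137.204.255.255, so 126.254.254.255 - 127.0.0.0 and 137.204.254.255 - 137.204.255.255 are neither allowed nor blocked. The same .254.254 upper bound is used in the allow range 137.205.0.0 - 137.205.254.254, which does not match the /16 written beside it. Suggest ending the first range at 127.0.0.0 and the others on .255.255, as the newly added 172.x ranges already do.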

Latest revision as of 15:52, 30 September 2013

Firewalling out Off Campus Connections

Due to the restrictions and threats of disconnections by ITS on campus, it is worth thinking about blocking all external connections to DC++ on campus. This does NOT guarantee safety from ITS on campus, but it will stop you using any external bandwidth and hopefully keep you a bit more under the radar. Almost all the time, connections between on campus and off campus people are impossible due to the traffic shaper, so even without any kind of firewall rules in place you should not be transferring to or from somebody off campus. However, the connection attempts will be detected, logged and subsequently blocked by the traffic shaper even if you do not see any transfers in DC++ (although sometimes connections slip through the traffic shaper causing even more problems for you).


Firewalling off campus out is intended as an extra layer of security, and doesn't guarantee your safety from ITS. We do believe that it is by far the best thing you can do though and recommend it to everybody.


Guides for blocking external connections to DC++ in various firewalls and operating systems are below. If you are looking for a quick and easy firewall to block connections, then we recommend one of Comodo, Sygate or Kerio as these are light on system resources and are unlikely to interfere with your computer as a whole.

Windows

Windows Firewall

First you will most likely need to disable any DC++ rules in the firewall, then you can either run the commands above, or get the install.bat file below which will run them all at once. So all you need to do is download the scripts, right-click on the appropriate one and choose 'Run as Administrator'.

Also ensure that the DC++ executable file is located at "C:\Users\YourName\DC++\DCPlusPlus.exe". If this is not the case, the commands/scripts have to be modified accordingly. If you are using the preconfigured client from this wiki then you will either need to extract it to Program Files or change the rules to reflect the new location of the DCPlusPlus.exe file. If you go to C:\Users\YourName\DC++ you should see the list of files for DC itself (DCPlusPlus.exe, favourites.xml etc.) and NOT the DC++ and stunnel folders.

READ THIS: Really, you cannot just run these scripts and expect it to work, you have to read the above and make the necessary changes!

Install Firewall Rules

Uninstall Firewall Rules

You can test whether this is working in DC++ itself by going to Help -> About DC++. At the bottom of the window that shows up is a section saying latest version. If this shows some form of error then the external blocking is correctly set up. If it shows a DC++ version number then it is not.

These have been recently modified to allow for changes to the Warwick network. Feedback would be appreciated as to whether they work or not; just ask on the hub if they don't and we'll try to figure it out.

Comodo Personal Firewall 3

(guide produced by Rampage)

Free firewall
Version 3 is Windows Vista compatible

There is also a guide available for Comodo Personal Firewall Version 2.4 here.
You can download Comodo Personal firewall from http://personalfirewall.comodo.com.

Eset Smart Security (NOD32)

(guide produced by Rampage)

Windows Vista compatible; please ask on the hub for someone to test it for you. The guide needs testing; if you find it is up to scratch, please contact astropoint or Rampage and this will be finalised. If something needs editing, please contact Rampage.

Kaspersky v7

(guide produced by astropoint)

Kaspersky v8 (2009) seems to have removed a lot of the functionality of v7 in regards to specific blocking of applications to certain IP ranges as is required on campus. If anybody can work out how to do it on the newer versions, please tell an op and we can try to knock together a guide.


Norton Personal Firewall

(guide produced by astropoint)

The guide was produced for Norton 2005, but the basic structure of the rules etc. hasn't changed, so it should be applicable to more recent versions. However, if somebody is willing to help update it somewhat it would be appreciated; contact astropoint.

McAfee

(guide produced by 2448-1111)

Warning: This puts the whole of the Resnet into the firewall's "Trusted Zone" which is a really bad idea on the whole. So if somebody comes up with a way of allowing IPs JUST to DC++, pm astro/astropoint and I'll try to update the guide.

Windows XP

Due to the coming discontinuation of support for Windows XP, firewall options for this are no longer listed. If you are really desperate then ask and somebody will help you through setting it up (and advise you to upgrade to something else ASAP).

Linux

IPTables

New guide (courtesy of mooo, improved by Rampage)
Original guide (courtesy of xyzzy) This is the original version of the guide. Might be worth reading if the newer one isn't working, or you need some extra help configuring Fedora specific settings.

A guide for setting up the Linux firewall, iptables, to block external connections. (produced by xyzzy originally. Resurrected by mooo)

EiskaltDC++ ipfilter

(Courtesy of Rampage)
EiskaltDC++ is a cross platform client which has an 'ipfilter' module built into the client. This module can be used to block off campus connections or vice versa. This has not been extensively checked so please do report back your findings.

Mac

Little Snitch

(guide produced by nish81)

A GUI firewall for Macs that can be used to block external connections. Confirmation that this works on other Macs would be useful if somebody wishes to try it.

IPFW

(guide produced by Rampage)

A simple and fast guide for setting up the Mac OS Firewall, ipfw, to block external connections.

EiskaltDC++ ipfilter

(Courtesy of Rampage)
EiskaltDC++ is a cross platform client which has an 'ipfilter' module built into the client. This module can be used to block off campus connections or vice versa. This has not been extensively checked so please do report back your findings.

Confirm with an Operator to check that the firewall rules are working.

Starting from scratch

If you want to do this from scratch, you need to find out how to get your firewall to allow only the Resnet IPs and the loopback address for stunnel (127.0.0.1), and to block all other IPs from connecting. The Resnet ranges are 137.205.0.0 - 137.205.254.254 (137.205.0.0/16 or 137.205.0.0/255.255.0.0) and 172.16.0.0 - 172.31.255.255 (172.16.0.0/12 or 172.16.0.0/255.240.0.0).

Conversely you could allow all IPs then block 0.0.0.0 - 126.254.254.254, 127.0.0.2 - 137.204.254.254, 137.206.0.0 - 172.15.255.255 and 172.32.0.0 - 255.255.255.255 specifically.
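
As an added example (not part of the original guide), the following Python sketch checks a hand-written block list against the allow-list described above: it derives the exact complement of the allowed networks and reports any addresses that are neither allowed nor blocked. The function names are hypothetical; the CIDR networks and block ranges are copied from the two paragraphs above.

```python
import ipaddress

# Allow-list from the guide: Resnet networks plus the stunnel loopback address.
ALLOWED = [
    ipaddress.ip_network("137.205.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("127.0.0.1/32"),
]

# Block ranges exactly as written in the "Conversely" paragraph (inclusive).
PAGE_BLOCK_RANGES = [
    ("0.0.0.0", "126.254.254.254"),
    ("127.0.0.2", "137.204.254.254"),
    ("137.206.0.0", "172.15.255.255"),
    ("172.32.0.0", "255.255.255.255"),
]

MAX_V4 = 0xFFFFFFFF


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def is_allowed(addr):
    """True if addr falls inside one of the allowed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED)


def complement_ranges(allowed):
    """Inclusive (start, end) ranges covering every IPv4 address not in allowed."""
    ranges, cursor = [], 0
    for net in sorted(ipaddress.collapse_addresses(allowed)):
        first, last = int(net.network_address), int(net.broadcast_address)
        if first > cursor:
            ranges.append((_to_str(cursor), _to_str(first - 1)))
        cursor = last + 1
    if cursor <= MAX_V4:
        ranges.append((_to_str(cursor), _to_str(MAX_V4)))
    return ranges


def gaps_in_block_list(block_ranges, allowed):
    """Ranges that are neither allowed nor covered by block_ranges."""
    blocks = sorted((_to_int(a), _to_int(b)) for a, b in block_ranges)
    gaps = []
    for start, end in complement_ranges(allowed):
        cursor, end = _to_int(start), _to_int(end)
        for b_start, b_end in blocks:
            if b_end < cursor or b_start > end:
                continue  # this block does not touch the remaining span
            if b_start > cursor:
                gaps.append((_to_str(cursor), _to_str(b_start - 1)))
            cursor = max(cursor, b_end + 1)
        if cursor <= end:
            gaps.append((_to_str(cursor), _to_str(end)))
    return gaps


if __name__ == "__main__":
    print("Exact ranges to block:", complement_ranges(ALLOWED))
    print("Left open by the hand-written list:",
          gaps_in_block_list(PAGE_BLOCK_RANGES, ALLOWED))
```

Running the same check against the block ranges of any firewall you configure by hand shows whether an allow-all-then-block rule set actually matches the allow-list.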

Also, if you do this on a firewall not listed here then please contact an op with at least a basic set of instructions to be uploaded here.

If there are any other problems with any of the guides themselves, please contact astropoint/astro on the hub or on the forums and I shall try to correct them. Or, if you feel you can produce a guide for any other firewall, please do so and pass it on to me and I shall upload it here.