First thing I did after installing Outpost was try some of the leak tests. AWFT passed all except test 3. But I knew it should pass them all. So I made some changes according to the Outpost security faq. In the end I could get it to get a perfect score in AWFT, and everything else I tested except for thermite. However, I ran into some problems along the way I can't figure out.
My home network has 1 computer (Win XP Pro) connected to a DSL modem and a switch (connected to 3 other computers). That computer is using XP's ICS to share the DSL line. It's running XP's firewall. That computer is called "router" and has IP address 192.168.0.1. However, what I found when I entered "router" as the domain in Outpost rules, Outpost detected 2 IPs: 192.168.0.1 and 192.168.0.200. (Outpost is installed on 192.168.0.4.) I had also gotten warnings about traffic going to 192.168.0.200 before, which I blocked not knowing what it was. (2 of the 4 computers are mine, but the other 2 aren't...) I still don't know why this computer has 2 IP addresses. It can be accessed fully from either IP address, although the name "router" seems to resolve differently for different applications. Pinging it gives 192.168.0.1. But in Outlook it's 192.168.0.200. So the rules I set up in Outlook for getting mail from the mail server on it specified 192.168.0.1 and didn't work.
The only place I could pull 192.168.0.200 out of is that the computer has an incoming VPN connection enabled, and it's set to assign the range of 192.168.0.200 - 192.168.0.201. However, I was under the impression that that would only affect the computer dialing in through the VPN, and not the VPN server. I also didn't think it would be relevant when there is no VPN connection. Are these assumptions all wrong?
Should I be worried about this situation or just accept it and use both IP addresses when defining any rule related to accessing router?
The other issue I had is that though I unchecked the allow local loopback rule in the global rules, I do not get any warning, or blocking, of applications trying to use the local loopback adapter. I then tested trying to ftp or http to my computer from "homer". I don't have any servers on the computer running Outpost, but I would have expected to get a warning or see a log entry about 192.168.0.1 trying to send a packet on port 21 or 80. But I couldn't find any reference to these events in either the allowed or blocked section of the log. So I think I'm not understanding how this works...
There are also a variety of plugin issues, but I'll save that for another thread.
Thanks!
iRic
Welcome to the forums Iric,
You have partially answered your own question - the VPN connection creates a new IP address which then has to be used to access the outside world. This is why Outlook needs to use it (since it is presumably having to contact your ISP's mailserver) while Ping does not (it just needs a reply from that machine).
With regard to incoming traffic, the Attack Detection plugin will detect, report and block such connections so you should check its logs (along with the main Blocked logs) whenever you have an issue with network access.
This depends on what software you are using for your VPN - many create a "virtual network interface" that is always visible. However, the results you are getting for the domain "router" indicate that your DNS/WINS setup (more likely to be WINS) has both VPN and non-VPN addresses in it. I would advise that you disable WINS and any internal DNS (most likely running on the ICS server), since it is just going to complicate things further, and use IP addresses instead of computer names when creating rules.
What your post does not make clear is where Outpost is running. Is it on the ICS machine (in which case having WinXP's firewall running too is a bad idea - multiple software firewalls on one machine can cause conflict and are not supported here) or on a client?
If you have any concerns about any reported traffic, please enclose a copy from the Outpost logs (but first right-click on the log window, select Columns and check all the categories to ensure full details are given).
As for the incoming traffic, try referring to your computer by its IP address rather than its name to ensure that a local DNS/WINS misconfiguration is not sending packets to a different machine (one of the potential "complications" of WINS/DNS).
Outpost is NOT running on the ICS machine (which is running XP's firewall). Outpost is running on a client machine. The client machine's DNS is set to the ICS machine (192.168.0.1, "router"). There's no address set for WINS. I honestly have no idea what WINS is. But nothing for WINS comes up with ipconfig /all. From the client machine, Outpost identifies 192.168.0.1 and 192.168.0.200 for the computer name "router". The VPN server running on the ICS machine is the built-in XP dialup server (new network connection / set up an advanced connection / Accept incoming connections / Allow virtual private connections) which allows 1 VPN client to connect at a time. If I disable that connection, the 192.168.0.200 IP disappears. It comes back the first time a VPN client connects and remains active when the client disconnects. However, using either the IP or "router.mshome.net" fixes the problem.
How would I disable internal DNS and what would I put in the client computer connection settings? The ISP's DNS?
For some reason after a few reboots, Outpost started properly reporting connection attempts to the local machine from the local machine and from other machines. There are a number of programs that seem to want to communicate to the localhost, outlook, ie6 and mozilla firefox among them. What are these programs trying to accomplish?
Thanks,
iRic
OK. Thanks for all your help!
iRic
Hi,
Thanks for the response.
I think I didn't explain it well. The VPN server on my home network's router is to allow me to access my home network securely from other locations (like work) through the VPN, not the other way around. I also connect to work from home using a VPN connection, but that connection isn't related to 192.168.0.200, as it creates an IP local to the network at work.
What I don't understand is why 192.168.0.200 would be a live IP when there are no incoming VPN connections. I also don't understand why this IP should appear on my home network, rather than just being a virtual IP for the VPN client outside the network.
As far as I can tell, there's also no reason any connection from the home network should have to go through 192.168.0.200, even if there was a live VPN connection. I have a mail server set up on the "router" computer, which uses pop to retrieve mail from outside mail servers and sort them according to my rules. My computer then uses "router" as the mail server. None of these connections should be going through a VPN, as far as I know.
When I tracert to, say, www.microsoft.com, the first hop is to 192.168.0.1 (identified as "router.mshome.net").
tracert to "router" also goes to 192.168.0.1
tracert to 192.168.0.200 does not provide a domain name
As far as incoming traffic, there are no events in the Attack Detection log. I set up trust for netbios to the router, but did not give it the full trust permission, so I should think any unexpected attempt to connect to a local port should show up somewhere in the log, but I just can't find it.
Thanks again,
iRic
WINS (Windows Internet Naming Service) performs a similar service to DNS (name to IP-address translation) but works with NetBIOS names. Check Windows 2000 Server Windows Internet Naming Service (WINS) Overview (http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/wins.asp) for more details but it should be unnecessary in your case.
The appearing/disappearing 192.168.0.200 address is normal behaviour - an IP address can only exist if the interface it is mapped to is active.
You can effectively disable internal DNS by altering your client PC settings to use the ISP DNS servers directly - however making changes like this with ICS is best avoided since any mistakes may cause ICS to stop working.
However ICS and VPN do have problems co-existing which may explain some of your problems. Check Knowledge Base Article 234773 - Establishing a VPN Connection with an ICS Host (http://support.microsoft.com/?kbid=234773) for more details.
As for localhost connections, Firefox does this on startup (which can be blocked without ill-effect) and will only need further access if you are using a local proxy ad/webfilter (like Proxomitron (www.proxomitron.info) for example).
Email clients do not normally need localhost access unless you are using certain antivirus software (Norton AV specifically) which runs as a local host in order to scan emails. The best way to find out what is going on is to take a note of the port number and check the Open Ports section of the Outpost window to see which application is using it.
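The advice above (note the port number, then find which application owns it) and the earlier puzzle of mail traffic reaching "router" on both 192.168.0.1 and 192.168.0.200 can both be worked through from `netstat -ano` output. This is an added example, not code from the thread or from Outpost: it parses a constructed netstat sample (PIDs, ports and states are invented), groups loopback connections by PID, and lists which PIDs talk to either of the router's addresses.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output, invented for this example.
# PIDs, ports and states are made up; only the 192.168.0.x address plan
# mirrors the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1780
  TCP    127.0.0.1:1026         127.0.0.1:1025         ESTABLISHED     1780
  TCP    127.0.0.1:1100         0.0.0.0:0              LISTENING       2312
  TCP    192.168.0.4:1044       192.168.0.1:110        ESTABLISHED     2312
  TCP    192.168.0.4:1052       192.168.0.200:110      SYN_SENT        2312
  UDP    127.0.0.1:1900         *:*                                    1120
"""

# One connection line: proto, local, foreign, optional state (UDP has none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'192.168.0.1:110' -> ('192.168.0.1', 110); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        records.append({"proto": proto, "local_ip": lip, "local_port": lport,
                        "remote_ip": fip, "remote_port": fport,
                        "state": state, "pid": int(pid)})
    return records


def loopback_by_pid(records):
    """Map PID -> sorted (local_port, remote_port) pairs touching 127.x on either end."""
    out = defaultdict(set)
    for r in records:
        if r["local_ip"].startswith("127.") or r["remote_ip"].startswith("127."):
            out[r["pid"]].add((r["local_port"], r["remote_port"]))
    key = lambda t: (-1 if t[0] is None else t[0], -1 if t[1] is None else t[1])
    return {pid: sorted(ports, key=key) for pid, ports in out.items()}


def peers_of(records, addresses):
    """Records whose remote end is one of `addresses` (e.g. both 'router' IPs)."""
    return [r for r in records if r["remote_ip"] in addresses]
```

On a real machine the PIDs map to process names via Task Manager or `tasklist`, which is the same lookup the Open Ports view performs.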