How to block IP address

Praetor, that's a good idea... in theory. But what if the child is even remotely smart, and simply renames the process? Such as this?

[Attached screenshots: dxrules.jpg, divxrules.jpg]
 
Quote:
Praetor, that's a good idea... in theory. But what if the child is even remotely smart, and simply renames the process? Such as this?
Good question -- it doesn't matter. Each process is handled independently (welcome to my world of firewall security). What this means, in English, is when you change the filename/process descriptor block, that counts as a new process and the firewall says "OMG do you want to allow this application to run" (this is before the application even bothers trying to connect) ... of course you can even override this and default it to block anything new. And naturally this extends to different versions of the same program... so some real examples:


Suppose we have some programs
[1] C:\UTIl\CPUz\CPUz.exe (version 1.28)
[2] C:\UTIl\CPUz\CPUzRenamed.exe (version 1.28)
[3] C:\UTIL\CPUz\CPUz.exe (version 1.31)
[4] D:\CPUz\CPUz.exe (version 1.28)

Our current rules are as follows:
- program [1] is allowed to run
- program [4] is allowed to run and is allowed outbound access to the internet

This is what happens:
[1] ... we double click and it runs no problem, if there is a need to connect to internet then the firewall says "omg this program is connecting from IP:port to IP:port using PROTOCOL in this DIRECTION, do you want to allow?" (we can default allow/block as well)
[2] ... some kid thought he was clever, the firewall notes this is a different program and says piss off (or we can have it ask us)
[3] ... this is a different program, firewall says piss off
[4] ... this program is allowed and thus can start freely, we've also allowed it outbound access to the net (but no inbound)


So yeah, it's not as easy to circumvent as it might appear without examples

Edit: the process lockdown goes further technically and you can define if you want a given program to be able to launch another program etc (a good way to deal with installers that try and silently install stuff)

@Geoff: did you really think I'd post something with such a big hole in it? :P
 
The default block would certainly work, but there are lots of other instances where he may want a new process to access the internet, but would be able to because of automatic blocking.

*Here's another situation I have. What if you have, say, divxplayer blocked, and anything else new blocked as well. Then what if the child changed the name from divxplayer to... aim (which we're assuming is installed and allowed to run)?


Quote:
@Geoff: did you really think I'd post something with such a big hole in it?
Of course not, you're smarter than that :P
 
Quote:
The default block would certainly work, but there are lots of other instances where he may want a new process to access the internet, but would be able to because of automatic blocking.
I assume you meant "he wants to access but can't cuz of autoblocking"? ... well too bad. Welcome to whitelisting.

Quote:
*Here's another situation I have. What if you have, say, divxplayer blocked, and anything else new blocked as well. Then what if the child changed the name from divxplayer to... aim (which we're assuming is installed and allowed to run)?
Think about it :p Rules are made based on PATH, not exe name. Also, it's hashed to make sure there's no tomfoolery as such.
 
Quote:
The default block would certainly work, but there are lots of other instances where he may want a new process to access the internet, but would be able to because of automatic blocking.
I assume you meant "he wants to access but can't cuz of autoblocking"? ... well too bad. Welcome to whitelisting.

So, anything installed after the protocol block won't be able to access the internet?
If so, that's not a good solution for me. He'll get suspicious and start searching for the problem (especially since the firewall will tell him why this is happening).
The best solution would be if only Skype has no access (so it looks like there is something wrong with Skype).

Quote:
But what if the child is even remotely smart, and simply renames the process?

I was searching for a solution and I found that it'll work (name change).
http://forums.isaserver.org/m_2002000643/mpage_1/tm.htm
but I guess this is different scenario.
 
The program that you're talking about, Praetor, isn't your basic Norton firewall, but rather an advanced type of firewall which most likely costs quite a bit of money (unless they have free ones).

Most firewalls that block a program by process name can be circumvented by changing the exe; with programs that block based on path, you can simply copy the program directory to the desktop and make some pretty easy registry edits; and programs that block by port are even worse, since with most apps the user can change the port.

The point is, if someone wants to find a way around something, they can easily. Even by installing a keylogger or something to get your password when you log into it. But it should help prevent him from using it.
 
Quote:
The program that you're talking about, Praetor, isn't your basic Norton firewall, but rather an advanced type of firewall which most likely costs quite a bit of money (unless they have free ones).
What I have in mind is something like Sygate or Kerio; however, it CAN be implemented with something as basic as ZoneAlarm -- it's just more of a pain cuz ZA isn't designed to work like that. Sygate/Kerio don't cost that much lol.

EDIT: Actually now that i recall, KPF is free for personal use (i.e., releases before they got bought by Sunbelt)

Quote:
Most firewalls that block a program by process name can be circumvented by changing the exe; with programs that block based on path, you can simply copy the program directory to the desktop and make some pretty easy registry edits; and programs that block by port are even worse, since with most apps the user can change the port.
With some work you can make most firewalls lock down using all those parameters concurrently rather than sequentially.

Quote:
The point is, if someone wants to find a way around something, they can easily. Even by installing a keylogger or something to get your password when you log into it. But it should help prevent him from using it.
If you want to lock down against that then BIOS password, case lock and deepfreeze :P (under the reasonable assumption that nobody's gonna hack the case open) :P
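The rule model Praetor describes in this thread (rules keyed on the full path AND a hash of the binary, checked together rather than one after another, with a separate outbound permission) as an added example in Python. This is not code from Sygate, Kerio, ZoneAlarm or any other firewall named above. The "executables" are constructed byte strings standing in for real files, the aim.exe install path is an assumed value, and the scenarios replay programs [1] to [4] from the earlier post plus the divxplayer-renamed-to-aim case.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    path: str            # normalised full path the rule was created for
    sha256: str          # hash of the executable's bytes when the rule was made
    allow_run: bool
    allow_outbound: bool


def norm_path(path: str) -> str:
    # Windows paths are case-insensitive (the thread writes both C:\UTIl and
    # C:\UTIL), so compare a canonical lower-case, backslash form.
    return path.replace("/", "\\").lower()


def file_hash(contents: bytes) -> str:
    return hashlib.sha256(contents).hexdigest()


class Allowlist:
    """Per-process rules keyed on path AND content hash, checked together."""

    def __init__(self, unknown_default: str = "block") -> None:
        # Disposition for a program that matches no rule: "block" or "ask".
        self.unknown_default = unknown_default
        self._rules: dict[str, Rule] = {}

    def add_rule(self, path: str, contents: bytes, *, run: bool, outbound: bool = False) -> None:
        p = norm_path(path)
        self._rules[p] = Rule(p, file_hash(contents), run, outbound)

    def decide(self, path: str, contents: bytes, action: str) -> tuple[str, str]:
        """Return (decision, reason) for action "run" or "outbound"."""
        rule = self._rules.get(norm_path(path))
        if rule is None:
            # Renamed or copied binary: identical bytes, but not a path we
            # wrote a rule for, so it counts as a new program.
            return self.unknown_default, "unknown path"
        if rule.sha256 != file_hash(contents):
            # Same path, different bytes: a new version, or another program
            # dropped in under an allowed file name.
            return self.unknown_default, "hash mismatch at known path"
        if action == "run":
            return ("allow" if rule.allow_run else "block"), "rule match"
        if action == "outbound":
            # No explicit outbound permission: fall back to the per-connection prompt.
            return ("allow" if rule.allow_outbound else "ask"), "rule match"
        raise ValueError(f"unknown action {action!r}")


# Constructed stand-ins for the executables; only their bytes matter here.
CPUZ_128 = b"MZ constructed stand-in for CPUz 1.28"
CPUZ_131 = b"MZ constructed stand-in for CPUz 1.31"
AIM_EXE = b"MZ constructed stand-in for aim.exe"
DIVX_EXE = b"MZ constructed stand-in for divxplayer.exe"
AIM_PATH = r"C:\Program Files\AIM\aim.exe"   # assumed install path, not from the thread


def thread_scenarios() -> dict[str, tuple[str, str]]:
    fw = Allowlist(unknown_default="block")
    fw.add_rule(r"C:\UTIl\CPUz\CPUz.exe", CPUZ_128, run=True)             # rule for [1]
    fw.add_rule(r"D:\CPUz\CPUz.exe", CPUZ_128, run=True, outbound=True)   # rule for [4]
    fw.add_rule(AIM_PATH, AIM_EXE, run=True, outbound=True)              # aim is allowed
    return {
        "1_run": fw.decide(r"C:\UTIl\CPUz\CPUz.exe", CPUZ_128, "run"),
        "1_outbound": fw.decide(r"C:\UTIl\CPUz\CPUz.exe", CPUZ_128, "outbound"),
        "2_renamed_copy": fw.decide(r"C:\UTIl\CPUz\CPUzRenamed.exe", CPUZ_128, "run"),
        "3_new_version": fw.decide(r"C:\UTIL\CPUz\CPUz.exe", CPUZ_131, "run"),
        "4_run": fw.decide(r"D:\CPUz\CPUz.exe", CPUZ_128, "run"),
        "4_outbound": fw.decide(r"D:\CPUz\CPUz.exe", CPUZ_128, "outbound"),
        # divxplayer.exe renamed to aim.exe and placed where aim lives: the
        # path matches, the hash does not, so it is treated as unknown.
        "divx_posing_as_aim": fw.decide(AIM_PATH, DIVX_EXE, "outbound"),
    }


if __name__ == "__main__":
    for name, (decision, why) in thread_scenarios().items():
        print(f"{name:20s} {decision:6s} ({why})")
```

Switching the allowlist to `Allowlist(unknown_default="ask")` gives the "or we can have it ask us" behaviour from the examples post; in either mode a program that is merely allowed to run still hits the per-connection prompt for outbound traffic unless a rule grants it explicitly.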
 