Tuts 4 You

How to block in & out traffic?


LCF-AT


Hi guys,

I have a new little question about networking. This time I would like to know how to block connections I/O. Maybe you would say I just have to edit the hosts file itself, but is this enough? Does it block all host addresses I enter, and also all IP addresses I want to block? Does it block everything 100%, or are there some backdoors to connect to any IP / host XY even if it is marked as blocked in the hosts file?

On the internet I just found some examples about blocking Facebook, like...

127.0.0.1       www.facebook.com
127.0.0.1       facebook.com
or
0.0.0.0       www.facebook.com
0.0.0.0       facebook.com

....does it also work with IP addresses instead? What about IP ranges?

Otherwise, are there any small tools I could use to manage this and to allow / disallow I/O addresses etc.? I can't do this with my FW. Some hints would be welcome.

greetz


Teddy Rogers

Alternative options would be to block access to these sites at router level or, if you have the capability to control and monitor your DNS queries, at your DNS server (local or cloud). Doing it this way works across all devices on the network (and/or mobile devices if cloud based)...

Ted.


Windows HOSTS file blocks only a specific domain. No domain wildcards. No higher-level domains. Not an IP address. Not an IP range. No specific ports.
There are very few reasons to use it - and judging from your questions you don't have one of those.


Windows has had a built-in firewall since f*ing forever. You will need to switch to "advanced rules" mode; the GUI will suck, but it does everything you mentioned and more.

Tutorial for Windows 7: https://www.petri.com/windows-7-firewall
Tutorial for Windows 10: https://www.faqforge.com/windows/windows-10/how-to-create-advanced-firewall-rules-in-windows-10-firewall/
And there are even "small tools" that are slightly more user-friendly: https://github.com/wokhansoft/WFN or https://www.binisoft.org/wfc.php

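An added example in PowerShell (not code from any post in this thread) that makes the limits of the hosts file concrete: it parses hosts-file text and looks up a few names, showing that an entry matches one exact name only, that a subdomain is not covered by its parent, and that a program connecting to an IP address directly never consults the hosts file at all. The hosts content and the address 203.0.113.5 are constructed for the demo.

```powershell
# Added example, not from the thread. Parses hosts-file text and shows that an entry
# matches one exact name only: no subdomains, no wildcards, and nothing at all when a
# program connects to an IP address directly. Sample content below is constructed.

function ConvertFrom-HostsFile {
    param([string]$Content)
    $map = @{}
    foreach ($raw in $Content -split "`r?`n") {
        $line = ($raw -split '#', 2)[0].Trim()          # drop comments and whitespace
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }           # address with no names: ignore
        $address = $fields[0]
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            $key = $name.ToLowerInvariant()
            if (-not $map.ContainsKey($key)) { $map[$key] = $address }  # first entry wins in this demo
        }
    }
    return $map
}

function Test-HostsEntry {
    param([hashtable]$Map, [string]$Target)
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$ip)) {
        # A connect() to a literal address performs no name lookup, so the hosts
        # file is never consulted; only a firewall rule can stop this traffic.
        return [pscustomobject]@{ Target = $Target; Covered = $false; Address = $null; Why = 'IP literal, hosts not consulted' }
    }
    $key = $Target.ToLowerInvariant()
    if ($Map.ContainsKey($key)) {
        return [pscustomobject]@{ Target = $Target; Covered = $true; Address = $Map[$key]; Why = 'exact name match' }
    }
    # Point out the parent-domain entry the user probably expected to apply.
    $parent = $Map.Keys | Where-Object { $key.EndsWith(".$_") } | Select-Object -First 1
    $why = if ($parent) { "no match; '$parent' does not cover subdomains" } else { 'no match' }
    return [pscustomobject]@{ Target = $Target; Covered = $false; Address = $null; Why = $why }
}

$sampleHosts = @"
# constructed sample hosts content
127.0.0.1   localhost
0.0.0.0     www.facebook.com
0.0.0.0     facebook.com        # comment after entry
"@

$map = ConvertFrom-HostsFile $sampleHosts
'www.facebook.com', 'FACEBOOK.COM', 'm.facebook.com', '203.0.113.5' |
    ForEach-Object { Test-HostsEntry $map $_ } | Format-Table -AutoSize
```

The first two names are covered (hosts lookups are case-insensitive), m.facebook.com is not covered although facebook.com is listed, and the IP literal is never checked against the file. Anything that needs ranges, wildcards or per-IP blocking therefore belongs in a firewall rule, as the post above says.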

Hi guys,

thanks for the info so far. As I said, I am already using a FW (GW) at the moment, but this FW is limited and I can't block IPs etc. I can only allow or not allow any single app(s), and that's the problem. So what is my goal, you may ask. I would like to get more control and overview of my system, to know what's really going on: what apps running on my system communicate with WHO and WHEN and WHAT, of course, you know.

Example: Let's say I install some app I found on some source that I would like to try. Now after installing, the new app first tries to connect to the internet (mostly to check for any update & else +/-) and I get the message from my current FW to allow or deny internet access for this app. In this case it's just a TRUE or FALSE option for this single app without any other options, and that's the bullshit. Of course I want to allow the app to have internet access to check for new versions / update it etc. when I want to keep this app up to date. But on the other hand I want to allow only that and disallow other / hidden home calling using other internet addresses / IPs etc., you know. But I can't set this up in the FW, and if I just allow access to the internet = allow everything.

My goal. Maybe I don't want to control everything that happens on the computer & internet, but I would like to control some apps I install myself.

1.) First I need to find out which addresses the app communicates with, which can be only one or tons of them. The count of different addresses is unknown at this point, so this means I need something to monitor, or a firewall that tells me directly when something happens, to allow or deny access for a specific channel.

2.) I need to block specific IP addresses for I/O, or domains used by specific apps, or block them for all.

3.) How to manage this?

So I had a look into Windows Firewall and the rules for in- & outgoing. When I check some allow / block rules in this list, I also can't see how to allow / deny specific addresses IF I have set a rule to allow or block. You know? In this rule tab I can see on the first one below the option to allow, or allow if secure, or block. Let's say I set the rule to allow, for example, ok. Now I click on the Area tab where I can enter some local IPs & remote IPs. Are they to block or allow etc.? Not sure about that. Or can I also just allow & block all in this rule without mixing allow & block? So I hope you know what I mean and what I am looking for. I just want to know what I could do before I uninstall my current FW.

greetz

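An added PowerShell example (not code from any post in this thread) that does with the NetSecurity cmdlets what the rule's Area/Scope tab does in the GUI, for the three goals listed above: the addresses entered on that tab narrow which traffic the rule's own Action applies to, so a Block rule with remote addresses blocks only those addresses, and an allow-list for one app is built from a Block default plus Allow rules. The program path, rule names, group name and addresses are assumptions for illustration; it must run in an elevated PowerShell, and the default-outbound change affects every program on the machine.

```powershell
# Added example (not from the thread): outbound control for a single program with
# Windows Defender Firewall via the NetSecurity cmdlets. Run from an elevated PowerShell.
# Paths, rule names and addresses are assumptions for illustration.

$App   = 'C:\Tools\someapp.exe'          # assumed program path
$Group = 'Manual per-app rules'          # assumed rule group, makes cleanup a one-liner

# 1) "Block these addresses for this app". The Scope/Area tab narrows which traffic the
#    rule's Action applies to: a Block rule with RemoteAddress set blocks only traffic to
#    those addresses and leaves everything else alone. RemoteAddress takes single IPs,
#    CIDR prefixes (v4 and v6) and start-end ranges.
New-NetFirewallRule -DisplayName 'someapp: block telemetry hosts' -Group $Group `
    -Direction Outbound -Action Block -Program $App `
    -RemoteAddress '203.0.113.10', '198.51.100.0/24', '2001:db8::/32', '192.0.2.1-192.0.2.20' `
    -Protocol Any -Profile Any -Enabled True | Out-Null

# 2) "Allow only the update server". There is no 'allow X, block the rest' in one rule,
#    and Block rules win over Allow rules, so the allow-list approach is: default outbound
#    action = Block for all profiles, then one Allow rule per app and destination.
#    Every other program loses outbound access until it gets its own Allow rule.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

New-NetFirewallRule -DisplayName 'someapp: allow update check' -Group $Group `
    -Direction Outbound -Action Allow -Program $App `
    -RemoteAddress '203.0.113.50' -Protocol TCP -RemotePort 443 -Profile Any | Out-Null

# Keep name resolution working after the default switch (otherwise nothing resolves).
New-NetFirewallRule -DisplayName 'system: allow DNS' -Group $Group `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 -Profile Any | Out-Null

# 3) Verify what was actually stored. The action lives on the rule, the addresses on the
#    rule's address filter, the program on its application filter.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    $prog = ($_ | Get-NetFirewallApplicationFilter).Program
    '{0,-32} {1,-8} {2,-5} {3} -> {4}' -f $_.DisplayName, $_.Direction, $_.Action, $prog, $addr
}

# 4) Discover what the app tries to reach (goal 1): log dropped packets; entries land in
#    %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log with the remote address and port.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True

# Cleanup of everything created above:
# Get-NetFirewallRule -Group $Group | Remove-NetFirewallRule
```

Two things worth knowing before relying on this: the dropped-packet log records addresses and ports but not which process sent the packet, so correlate it with the app's run time; and the allow rule above matches only the literal address 203.0.113.50, so a server behind a changing CDN address set needs its rule updated, which is the reason name-based blocking has to happen at DNS level rather than in the firewall rule.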

Hey Ted,

thanks for this info about NetLimiter. I have watched some tuts on YT about that tool, how it works and how to use it. It seems to work similar to a FW already. I will check this tool out and hope that I can use it next to my FW (GW) etc. We'll see.

I'm already using GlassWire, but this FW doesn't have the custom blocker rules I can set. I will send feedback later about the NL tool.

greetz


Unplugging the LAN cable, disabling or removing WiFi adapters and airplane mode have the highest success rate here.

In a pinch, it will block all connection I/O for sure. And if you have a random-named process epidemic in your system it's probably the best option. Or if a clandestine operation is compromised.

If you cannot touch the hardware, fluorescent lights or a generator/dynamic magnetic field or any other strong electromagnetic interference near the LAN cable should render it incommunicado.  Same goes for signal jammers for WiFi in the most likely 2.4GHz range.

Hardware firewalls are always better than software ones though most average routers people have contain only some primitive settings in this area, not like you get with a commercial firewall/router.

Software firewalls, from the Windows built-in one to all the commercial ones, are also an option.

Since we are into reversing though, you could also hook WinSock in a target process to make the connect call always return a cannot-connect failure for a given IP. Higher-level connection methods are still built on top of it. Might require global/system-wide hooking techniques. I'm not sure if there is a Windows socket service running these days which could be hooked or stopped, but AFAIK the services only do things like DNS lookup or file and print sharing and other protocol-level offerings.


TailsOS looks highly anonymous. Maximal plausible deniability.

Is there really no way to block a LAN cable by placing something next to it? Theoretically, and anecdotally from bad installations, what I mention should work.


11 hours ago, Progman said:

If you cannot touch the hardware, fluorescent lights or a generator/dynamic magnetic field or any other strong electromagnetic interference near the LAN cable should render it incommunicado. 

This is sort of the biggest joke I'd ever heard. Care to explain how it works? Or give us any valid references?


8 hours ago, Gorina said:

This is sort of the biggest joke I'd ever heard. Care to explain how it works? Or give us any valid references?

If the cable is not shielded, this will cause high interference and will jeopardize the connection.

I would suggest torching the house will be a better option.

Edited by Conquest

Hi guys,

so I checked that NetLimiter tool now. It looks good at first view and in tests, but I also see some issues using filters & rules, which don't seem to work 100% with IPs I want to block. When I create a filter & rule to block IPs for the whole internet then it works so far when I just deny or allow it. The ask operation doesn't always work when calling IPs from the browser or an outside running app. That's a little strange. In some cases it doesn't work and the ask message from NL comes too late and the browser has already loaded the IP page!=? Somehow stupid. :) Otherwise it also lags a little. Some processes which are already dead stay alive in NL forever.

Question: So I can add IPv4 and IPv6 addresses and also ranges in custom filters of NL, but I don't find any way to add names (www.blockthissite.com). Why? Let's say I want to block the Google site, and now in NL I have to enter all IPv4 and IPv6 ranges Google uses instead of just entering the web name once. How to manage this with NL? Or is it not doable to block web site names / domain names etc.?

PS: Hey guys, just calm down a little and keep cool, there is nothing to fight about, alright.

Just have a look at my favorite smiley :slap:mmmhhhhh.I just love it. :)

greetz


Okay, I admit this is more theoretical than a practical attack. There is a point that this sounds far-fetched, so let's write the question as:

How can one disable a LAN cable without damaging or unplugging it?

https://networkencyclopedia.com/electromagnetic-interference-emi/

Quote

What is EMI (Electromagnetic Interference)?

EMI is the electrical noise induced in cabling by the presence of nearby electrical equipment such as motors, air conditioners, fluorescent lights, and power lines. Electromagnetic interference (EMI) can interfere with the transmission of signals.

EMI is only a problem with copper cabling. It’s caused when the changing electromagnetic fields generated by one cable induce extraneous currents or interference in adjacent or nearby cables.

The real question here (and I practically guarantee that spy agencies and militaries already have this in their playbooks as common knowledge) is: can a practical hand-held size device do the job? Obviously a 1 meter fluorescent bulb or a large motor is not going to be of any practical use, though probably some minor experimentation would find that with heavy-duty equipment you can block the signal in the cable.

Honestly it's not particularly important; I have probably just watched too many Mission Impossible movies, so it sparked my curiosity. But there is probably a way to do this, though I suspect you would have to build something that is both quiet and compact, that would have no other purpose or functionality except to disable cables: a rather pointless task unless you are involved in serious stuff, in which case this equipment would just be given to you.

I am going to give only evidence and facts, like a lawyer in court, and not respond to anything but the scientific aspects. The problem is, when it comes to certain topics like medical stuff, where medicine is grey enough for political and other reasons to be practically a philosophical or religious discussion, it could take an endless amount of back-and-forth posts for both sides to do justice to an argument. So we should refrain from getting so involved in the contentious that we are making the discussion largely mundane to most people who read the board. As for any sort of attacks or dubious argumentation, I will do my best to never start it and stay away from it where it occurs. I am merely looking at my own shortcomings. I should be psychologically hardened enough by now to know not to react. After all, perhaps I should be looking at and fixing my own weaknesses first and otherwise remaining silent. There is an old saying indeed that "Silence is the best medicine."


11 hours ago, LCF-AT said:

Question: So I can add IPv4 and IPv6 addresses and also ranges in custom filters of NL, but I don't find any way to add names (www.blockthissite.com). Why? [...] How to manage this with NL? Or is it not doable to block web site names / domain names etc.?

I don't know much about NetLimiter, but when it comes to flexible rules, I found Comodo Firewall a decent option.


https://help.comodo.com/topic-72-1-766-9175-.html

https://help.comodo.com/topic-72-1-766-9173-Application-Rules.html#Creating_and_Modifying_Network_Policie


  • 2 years later...

Hi guys,

just have a new question about firewall & rules. I've been using GlassWire for a while and I see that it doesn't seem to work correctly. In some cases I run a new app and GW asks me whether to connect, and I press YES / OK to allow the connection for that app; in the normal case it's working, but in some cases it does not work after allowing it. So today I got the problem again and disabled GW for a moment and ran the XY app again, and then it was working, which means that GW makes some trouble. Now I was trying to find the XY app rules in the Windows Defender FW rules list (in/outgoing rules) but I did NOT find any rule with the XY app name!?! Which means that GW did NOT create any rule(s) for this app......why?! What could be the reason not to create a rule for an app?

EDIT: I think I found the problem. :) After some looking into how GlassWire creates rules (group) compared with other rules created by other groups etc., the problem is the used path names / symbols. In my case I was trying to run a "portable app" which creates folders with % signs like this...

.....\%Program Files (x86)%\someapp.exe

... So the question now is how to make it work so that GW also creates rules with those special path parts? Otherwise I must create a manual in/out rule for those apps, which could be bad. Has anyone an idea how to handle this problem?

greetz


Hi again,

ok, so it seems the problem is not a GW issue, since I also can not add a new firewall rule in Windows Defender Firewall with the path above...

%Program Files (x86)%

....and just get an error called "Error: Wrong Parameter - The app name could not be resolved." I also get problems with other of those environment folders %_THIS_% which are not valid. That's pretty bad now. I have a working portable, but the app needs to connect to the internet to work and I can't make any custom rule to allow it. :(

It's just working when using valid environment folder names like "%ProgramFiles(x86)%", but the portable app creates the other folder name with spaces and I can not mod the portable app. That's also interesting to know for all who are creating portable apps.

Example: In the file above the app was taken from the "Program Files (x86)" folder = the app was installed into it. Now when you create a portable app with any tool then it will also create that folder with percent signs %% (in this case) inside the portable folder when you start the portable app = all working so far, but NOT when your app needs to access the internet etc. while also using a firewall, because of that invalid folder conflict. Hhmmm. So that means when you create any portable apps then do not use percent signs %% for folders, but most portable apps seem to do that. Below an image I made...

[image: Portable_2022-09-29_175900.png]

...where you can see which env folders work to create valid firewall rules and which do not. The app I wanted to use creates that invalid folder. :( It would be better if those portable-creating apps just used @_FolderName_@ signs instead of %%.

greetz


Hi,

the spaces are not the problem. In the image above you can see that "@Program Files (x86)@", which uses spaces, is working. The problem is the double percent signs %% in folder names, which declare a Windows variable. So when I use any double percent %% with or without a name between, Windows Firewall (path reading) checks whether it is valid or not, and if not it will not be accepted = failed. So you can just try to create any folder called "%%" (just 2 percent signs), then put any executable file into it and try to add this to any Windows Firewall rule (in / out) as the path, and you get the error message I posted before already. Look...

[image: Portable_B1_2022-09-29_175900.png]

...above you can see I have created a folder "C:\%%\" and put a bones.exe into it, which I chose in the firewall rule, and it changes the C:\ path into the %SystemDrive% variable, which is a valid one on Windows, and for %% it found nothing = keeps %%. Now when you try to press OK for this rule, I get the error above about wrong parameter because %% could not be resolved (no variable found called like this). It just happens in firewall rules. Otherwise I can execute both paths in the Windows Explorer path bar to run the exe files....

%SystemDrive%\@@\Bones.exe
%SystemDrive%\%%\Bones.exe

....both are working in WExplorer, but in firewall rules only the @@ folder is accepted....

[image: Portable_B2_2022-09-29_175900.png]

...and that's the problem the Windows Firewall rules have issues with (also with GlassWire, which tells me that a rule is created and working but it's NOT). :) All in all, the problem now just happens when trying to use portable apps (found on the internet, made by any portable-app maker tools) which create folder names with %% signs, which then only work when they are also valid on your system, and otherwise they will not work WHEN the app files stored in those folders need to access the internet and you use a firewall which blocks all by default. You as a normal user do not create any own folders with %% signs. :) Anyway, just an interesting find which could also be interesting for all portable app makers, who should avoid using %% signs in their folder names when the portable executable creates the portable data etc.

greetz

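An added PowerShell example (not code from any post in this thread) for the two things being debugged here: the earlier question of whether GlassWire stored any rule at all for an app, and the experiment above with %% and @@ folder names. The first function lists every stored rule whose program path contains a given substring; the second probes whether Windows Defender Firewall accepts a program path by creating a disabled rule with it and removing it again, reporting the error text when it refuses. The app name is an assumption, the folder paths are the ones from the experiment, and it must run in an elevated PowerShell.

```powershell
# Added example, not from the thread. Two checks for the situation above, run from an
# elevated PowerShell: which rules a third-party firewall actually stored for an
# executable, and whether Windows Defender Firewall accepts a given program path at all
# (probed by creating a disabled rule and removing it again). Names are assumptions.

function Get-FirewallRulesForProgram {
    param([string]$NamePattern)          # substring of the exe name or path, e.g. 'someapp'
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and $_.Program -like "*$NamePattern*" } |
        ForEach-Object {
            $rule = $_ | Get-NetFirewallRule
            [pscustomobject]@{
                Name    = $rule.DisplayName
                Group   = $rule.Group
                Dir     = $rule.Direction
                Action  = $rule.Action
                Enabled = $rule.Enabled
                Program = $_.Program      # shown as stored; %VAR% tokens are not expanded here
            }
        }
}

function Test-FirewallProgramPath {
    param([string]$Path)
    $probe = 'probe-' + [guid]::NewGuid().ToString()
    try {
        New-NetFirewallRule -DisplayName $probe -Direction Outbound -Action Block `
            -Program $Path -Enabled False -ErrorAction Stop | Out-Null
        $stored = (Get-NetFirewallRule -DisplayName $probe | Get-NetFirewallApplicationFilter).Program
        Remove-NetFirewallRule -DisplayName $probe -ErrorAction SilentlyContinue
        [pscustomobject]@{ Path = $Path; Accepted = $true;  StoredAs = $stored; Error = $null }
    } catch {
        [pscustomobject]@{ Path = $Path; Accepted = $false; StoredAs = $null;   Error = $_.Exception.Message }
    }
}

# 1) Did GlassWire (or anything else) create a rule for the app? Empty output = no rule.
Get-FirewallRulesForProgram -NamePattern 'someapp' | Format-Table -AutoSize

# 2) Which path spellings does the firewall accept? These are the folders from the
#    experiment in this thread; the probe does not need the files to exist.
'C:\@@\Bones.exe',
'C:\%%\Bones.exe',
'%ProgramFiles(x86)%\Bones.exe',
'%Program Files (x86)%\Bones.exe',
'%TestVar%\Bones.exe' |
    ForEach-Object { Test-FirewallProgramPath $_ } | Format-Table -AutoSize
```

The StoredAs column shows the path exactly as the firewall keeps it, which is how to tell an accepted-but-wrong rule (path stored with an unexpanded token that matches nothing at runtime) from a rejected one; a third-party front end that reports "rule created" can be checked against this list rather than trusted.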

Hi again,

so I tried to create my own user / system environment variable called "Program Files (x86)", which works to enter the variable with %% and opens the "C:\Program Files (x86)" folder in Explorer. Good so far. Now I got both variables working the same...

%ProgramFiles(x86)%	<-- original
%Program Files (x86)%	<-- my added + path below

Both open same folder path
C:\Program Files (x86)

....and now I thought it would work to create a firewall rule, but it's still not working. The question is why? I would like to ask where the variables are stored which are not present in the environment variables tab, like this "ProgramFiles(x86)" variable and others.

Goal: I just need to find a way to bring Windows Defender Firewall to accept custom environment variables, but how is the question, when it's not working with the normal environment variable tab to add / change variables for user & system? I found this info about environment variables...

https://phoenixnap.com/kb/windows-set-environment-variable

...I also tried to add it via CMD, but WDFirewall also doesn't accept it at the end = error message on OK press. Maybe anyone of you could find out why WDF does not accept custom added variable names with valid paths which are working in WExplorer. Look... below you can see the differences....

[image: Portable_B6_2022-09-29_175900.png]

....my newly added env variable called "%Program Files (x86)%" is not getting accepted in WDFirewall rules, but the other variable called "%ProgramFiles(x86)%" is getting accepted, which makes me think. How to make my variable work in WDFirewall rules? Has anyone a clue how to manage this?

One more thing about the portable app I'm trying to make work....so I found out the app was made with the Cameyo tool and I can load the file and edit it...

[image: Portable_B7_2022-09-29_175900.png]

...but changing the startup folder brings nothing = failed to run.

greetz


whoknows

yeah, as you discovered, the Windows firewall can use the environment variables.

now the problem in your case is that the folder name is equal to an environment variable.

be badass and rename the folder!!



Hi wk,

I can not change the folder name to any other name in the portable app; if I do this and save it then the changed portable app throws an error 2. Otherwise the problem is also not the same name...

Quote

folder name is equal with an environment variable

....so the variable I made, "%Program Files (x86)%", is working in Windows Explorer and you can see it also in my CMD window. The problem is the Windows Firewall, which does not accept "any" self-created variables. You can also try to create any new variables and it will not accept them!=? That's the problem. I can also change the variable name from...

Program Files (x86)
to
TestVar

....and then try to use this variable name %TestVar% in WFirewall rules, but it also doesn't work and I get an error, which means I can not use any self-created variables. Just try it out quickly and check whether you get the same problem.

Another example: I created a user & system variable called TestVar which holds the path "C:\Program Files (x86)". Now I could normally use this variable %TestVar% anywhere in WExplorer etc. to open that path. Now I show you something.....

[image: Portable_B8_2022-09-29_175900.png]

...on the left side I'm trying to use my variable in the Open / Path / filename window of the firewall rules and it fails, and on the right side I do the same with Windows Notepad and there it's accepted. Why? What's the difference? Does the firewall rules section have any kind of extra security settings or something like that which does not allow using own variables or so?

greetz



whoknows

Hi LCF,

solution is @

on your firewall use the rule

BLOCK ALL

and maintain the whitelist by hand.


Best regards,

whoknows
