local loopback and hosts file



bigT
10-19-2004, 06:47
Ok help me to understand if you will. I created a hosts file that I use to block sites and route it back to my local loopback 127.0.0.1. In any event, when reading the secure connection recommendations for Outpost it states to turn off local loopback and do it at the application level, which is what I have done. Here is my question: how can I get the host sites to resolve to the local loopback if it's globally blocked? Do I add it to Firefox? Cause if so it is not appearing to work. Thanks for the help
bigT

Paranoid2000
10-19-2004, 08:51
Disabling the Loopback rule in Outpost will not affect the hosts file at all - it simply prevents programs from communicating with each other via Windows' network subsystem without a specific rule to permit them (which prevents any malware on your system from exploiting local proxy software to gain Internet access).

bigT
10-19-2004, 10:29
Maybe I'm missing something or I asked it wrong. Here is more specifically what I'm asking how to resolve. If I disable the local (global loopback) it shows up in the blocks as system local loopback as it should, that's all fine. But the problem is this:
I have the hosts file mapped to 127.0.0.1
so if I go to www.ihatespam.com it goes to the loopback of 127.0.0.1
well since the loopback is blocked then Firefox pops up saying hey bud I can't connect to that site. Where if I allow the loopback then I get no popups at all. That's what I'm trying to fix. thanks

Paranoid2000
10-19-2004, 12:51
You can create a rule in Firefox allowing it to access 127.0.0.1, but its normal ruleset should already cover this. Have you created a global rule blocking access to 127.0.0.1 and made it a priority rule? If so, I would suggest removing it - it should not be necessary.

bigT
10-19-2004, 15:22
That has been done, same problem.
The only way I can solve the problem is to put a check in allow loopback under global rules. Cause I have loopback enabled in Firefox, but what's strange is Firefox allows it but then I look at the blocklist and it says like ad.doubleclick.net or whatever and it says system tcp inbound localhost block all activity

The only reason I'm even concerned about it blocking is because if it blocks the loopback I get annoying popups in Firefox when it blocks a site off the ad list,
where if loopback is enabled it resolves instantly and I get no timeout errors.

Paranoid2000
10-19-2004, 15:27
Some people need to create a rule for incoming traffic from 127.0.0.1 for Firefox. See Outpost 2.5 - what to expect (http://outpostfirewall.com/forum/showthread.php?t=11836) - Known Issues.

bigT
10-20-2004, 13:55
Okay, I just added the Global loopback back until this issue is sorted. Thanks for the help. I have done everything you have recommended and I really enjoyed your guide and recommendations. Firefox isn't blocking LocalLoopback which is good cause I did as you said, however websites that go thru the hosts file that I'm using appear to use system and system does have it blocked. Anyway, thanks and I'll check back if I find something that fixes this problem. Once again thanks.

bigT
10-20-2004, 17:08
Okay this has been bugging me so I will ask; sorry for the repeat, just wanna make sure I'm clear on this.

Are you saying that if I use a hosts file with Firefox and disable the global allow local loopback rule that I will get the annoying cannot connect popups constantly? EVEN IF I add the incoming and outgoing local loopbacks to Firefox? Sorry to be a pest, just trying to understand cause I constantly get the alerts saying it couldn't connect to ads.clicknet.org or whatever, which is in my hosts file as 127.0.0.1
and I look in the block list and I get the following.

12:17:24 AM SYSTEM IN REFUSED TCP localhost 2129 Block All Activity

minoka
10-21-2004, 00:50
Hi bigT,

I use fx 0.10.1 and have a hosts file.
1) System Global Rules: Allow loopback is UNCHECKED, Allow LocalHost UDP Connection is CHECKED
2) Application Firefox rules: normal browser rules. I do not have an allow inbound localhost rule (for some reason my fx works that way, but do have one for outbound localhost, no remote port specified). I'd like to mention that, in my case, whether outbound localhost (in fx rules) is allowed or blocked seems to make no difference. You may need both the inbound and outbound localhost rules to be allowed.

Have you tried uninstalling fx (saving your profile just in case), then re-installing it?

P.S. I do not believe the guide says to turn off loopback at the application level, only in the System Global rules.

bigT
10-21-2004, 07:24
No I don't have it turned off at the application level, I have only the applications that need local loopback granted. I have step one exactly like you have it. Step two I have like you have, but I have one for inbound as well. I show NO INDICATION OF FIREFOX blocking anything in relation to loopback, only System. But when the system loopback is blocked Firefox gives me this annoying popup saying it can't connect because it's pulling the DNS of the site I'm trying to go to from the hosts file, which resolves as the local loopback.

minoka
10-21-2004, 07:56
I do not have the problem you describe and I do NOT have a global loopback rule at all. I just deleted it from the list, I could have left it unchecked. Have you modified this rule from allow to block? I am asking because of the word 'blocked' you used. The guide says to either disable it (by clearing the checkmark next to the name of the rule in the list) or delete it.

bigT
10-21-2004, 16:05
Well I am going on the assumption that when you take the check out of allow, the opposite of allow is to block. That is why I use block. So when you use the HOSTS FILE you get no connection alerts from Firefox? Very interesting. I don't think it's Firefox, I think it's how the hosts file works. The hosts file (not sure on this but just a theory of mine) works as global system, so if it resolves to the local loopback and the check mark is taken out of the global rule of allow loopback then it gets blocked. Once it gets blocked then Firefox sees it as an invalid address and prompts the alert.

minoka
10-22-2004, 00:31
From what I have been reading, for example here (www.mvps.org/winhelp2002/hosts.htm), the HOSTS file is checked before any DNS resolution is made, so it should not have anything to do with a firewall.
I know my hosts file is blocking stuff because I use eDexter (www.pyrenean.com/edexter.php) in conjunction with it and it keeps a log of what is being 'blocked'.
I guess we need more info (by Agnitum) on how this whole loopback thing works.
Meanwhile, could your hosts file be bad? Have you tried re-installing fx?
With or without eDexter, I get no alerts from Firefox (unless, of course, I type a blocked site's url directly in the address bar) and none from OP.

I will try and get a clarification on the global Allow Loopback rule (or any rule) because I do not think that unchecking the rule means it is blocked.

minoka
10-22-2004, 03:51
About the allow loopback system rule:

If you are in Rules Wizard mode and you uncheck the global rule for allowing loopback, it does not mean Deny. You will simply be asked on a "per application" basis to create a rule for loopback. (Thanks go to David for this clarification.)

bigT
10-22-2004, 05:11
Ok and you just basically answered my question in your previous post where you stated "unless of course I type a blocked site's url directly in the address bar". Well I'm not typing it directly in the address bar but still get the annoying popup. Like for instance if I go to suprnova.org I get cjc1.java.net or whatever it's called popup saying it can't connect to that. But if I allow loopback on the global scale it works fine (and yes Firefox has both inbound and outbound loopback enabled) and I have no rule in global to block.

minoka
10-22-2004, 06:24
I understand exactly what you are describing and that has to be very annoying indeed. I am wondering if this problem has something to do with Firefox, some extensions or configuration. Have you tried a new profile? Or re-installing fx? What version of fx are you using?
I'll try and search the mozillazine forums...

EDIT: forgot to ask:
what happens if you exit and shutdown OP temporarily? Are you sure your hosts file is ok?
Running out of ideas, but have you checked for malware ?

Paranoid2000
10-22-2004, 07:18
BigT,

Please check your Outpost Blocked logs - if Firefox has any traffic to loopback blocked, these should give the reason why. Also check that this address is not showing as being blocked by the Attack Detection plugin.

minoka
10-23-2004, 00:15
Hi bigT,
Have you tried another browser? If so, do you still get the prompts for sites 'blocked' by your Hosts file?

bigT
10-23-2004, 12:36
Sorry for the delay in response, was hunting since it's opening weekend :) In any event:

Please check your Outpost Blocked logs - if Firefox has any traffic to loopback blocked, these should give the reason why. Also check that this address is not showing as being blocked by the Attack Detection plugin.
I looked in the log and I see no mention of Firefox traffic being blocked by Outpost; localhost is only listed as being blocked with System.
The Attack Detection plugin checks clear. I have the settings set to low and nothing checked in there.

Minoka, in regard to using another browser, I tested it with IE and instead of getting the annoying popup I do still get the block on the system level:
8:27:43 PM SYSTEM IN REFUSED TCP localhost 2353 Block All Activity

Thanks again

minoka
10-24-2004, 02:48
Hi bigT,

When you created your hosts file, did you make sure the first line is
127.0.0.1 localhost
I assume you did, but it does not cost anything to double-check!
I am truly out of ideas (and assume you tried some or all of my suggestions), let's hope someone comes to the rescue...
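As an added illustration (not code from the thread or from any of the posters) of minoka's point that the HOSTS file is consulted before any DNS lookup, and of the "127.0.0.1 localhost" first-line check: a small parser for the hosts file format, a resolver that tries the file before a DNS stub, and a list of the names the file sends to loopback. The sample hosts file and the DNS callback are constructed for this example.

```python
import ipaddress
LOOPBACK = "127.0.0.1"

# Constructed sample: comment line, tab/space separation, inline comment, one bad line.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1\tad.doubleclick.net
127.0.0.1   ads.clicknet.org   # typical ad-blocking entry
# www.example.net is deliberately absent, so it falls through to DNS
not-an-address  broken.example
"""

def _fields(raw):
    """Strip a '#' comment and split the remainder on any whitespace."""
    return raw.split("#", 1)[0].split()

def parse_hosts(text):
    """Return (mapping, problems): lowercase hostname -> address, plus findings."""
    mapping, problems = {}, []
    lines = text.splitlines()
    # minoka's check: the first real entry should be '127.0.0.1 localhost'.
    first = next((_fields(ln) for ln in lines if _fields(ln)), [])
    if first[:2] != [LOOPBACK, "localhost"]:
        problems.append("first entry is not '127.0.0.1 localhost'")
    for lineno, raw in enumerate(lines, 1):
        fields = _fields(raw)
        if len(fields) < 2:          # blank, comment-only, or address with no name
            if fields:
                problems.append(f"line {lineno}: no hostname after {fields[0]!r}")
            continue
        addr, *names = fields
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"line {lineno}: bad address {addr!r}")
            continue
        for name in names:
            mapping.setdefault(name.lower(), addr)  # first entry for a name wins (assumed)
    return mapping, problems

def resolve(name, hosts, dns_lookup):
    """HOSTS is consulted first; a listed name never generates a DNS query."""
    addr = hosts.get(name.lower())
    if addr is not None:
        return addr, "hosts"
    return dns_lookup(name), "dns"

def blocked_names(hosts):
    """Names the file sends to loopback, i.e. what the browser then fails to reach."""
    return sorted(n for n, a in hosts.items() if a == LOOPBACK and n != "localhost")
```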

Paranoid2000
10-24-2004, 02:57
BigT,

Are you using any local proxy software (like Proxomitron, WebWasher or AdSubtract) with Firefox? If so, then all the comments about creating a rule to allow outgoing access to the loopback address apply to the application rules for these also.

As for your log entry, for incoming connections it is the local port that is important - please right-click on the main log window, select Columns... and check the Local Port entry to display this. Then check Outpost's Open Ports section to see which application has that port and was therefore the intended destination.

bigT
10-24-2004, 05:48
Paranoid, I have tried 2 times to do exactly what you stated. Here are the results. The funny thing is I see no open port for HTTP. I checked open ports several times to make sure I wasn't overlooking it.


1:42:56 PM SYSTEM IN REFUSED TCP localhost 3858 HTTP Block All Activity
1:42:54 PM SYSTEM IN REFUSED TCP localhost 3855 HTTP Block All Activity
1:42:35 PM SYSTEM IN REFUSED TCP localhost 3852 HTTP Block All Activity
1:42:33 PM SYSTEM IN REFUSED TCP localhost 3845 HTTP Block All Activity
Open ports show nothing for http 80-83

Also thanks for your help guys i appreciate it.
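Paranoid2000's advice above is that, for an incoming entry, the local port names the intended destination and should be looked up in Open Ports. As an added example (not from the thread, nor Agnitum's code), here is a parser for the Blocked-log layout bigT posted, handling both the form without and the form with the Local Port column, plus a lookup that pairs each loopback entry with the application owning each end. The log lines and the Open Ports table are constructed for this example; in bigT's case nothing listened on HTTP, which the lookup reports as a missing destination.

```python
import re
# Outpost shows well-known ports by service name; map the ones used here back.
SERVICE_PORTS = {"HTTP": 80, "HTTPS": 443, "DNS": 53, "FTP": 21, "SMTP": 25}
LOG_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<app>\S+) (?P<dir>IN|OUT) "
    r"(?P<action>\S+) (?P<proto>TCP|UDP) (?P<remote>\S+) (?P<rport>\d+) (?P<rest>.+)$"
)

def _port_number(token):
    """Numeric port or a known service name; None for anything else."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token.upper())

def parse_entry(line):
    """Parse one Blocked-log line into a dict, or return None if it does not match.
    The Local Port column is optional (it only appears once enabled in the log
    view), so the token after the remote port counts as a local port only when
    it is numeric or a known service name; otherwise the remainder is the rule."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["rport"] = int(entry["rport"])
    first, _, tail = entry.pop("rest").partition(" ")
    lport = _port_number(first)
    if lport is not None and tail:
        entry["lport"], entry["rule"] = lport, tail
    else:
        entry["lport"], entry["rule"] = None, (first + " " + tail).strip()
    return entry

def loopback_endpoints(entry, open_ports):
    """For an IN entry from localhost, name the app owning the remote (source)
    port and the app listening on the local (destination) port; None = no match,
    and a None destination means nothing on this machine was waiting for it."""
    if entry["dir"] != "IN" or entry["remote"] != "localhost":
        return None
    def owner(port):
        return next((a for a, p, n in open_ports if p == entry["proto"] and n == port), None)
    return owner(entry["rport"]), owner(entry["lport"])

# Constructed sample data: both log layouts, and a stand-in Open Ports table.
SAMPLE_LOG = [
    "12:17:24 AM SYSTEM IN REFUSED TCP localhost 2129 Block All Activity",
    "1:42:56 PM SYSTEM IN REFUSED TCP localhost 3858 HTTP Block All Activity",
    "1:43:10 PM SYSTEM IN REFUSED TCP localhost 3860 8118 Block All Activity",
]
OPEN_PORTS = [("firefox.exe", "TCP", 3858), ("proxy.exe", "TCP", 8118)]
```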

Paranoid2000
10-24-2004, 12:35
Well something in your Firefox setup is expecting you to be running a web server or proxy. Did you have any of the programs I mentioned previously installed? Have you altered Firefox's proxy settings at all? What extensions are you running? (one of them could be responsible).

bigT
10-24-2004, 12:59
Proxy programs: negative.
Extensions: I use Adblock but it's turned off now that I use Outpost and hosts files.
Proxy altered in Firefox: Yes, I did change it to manual and had it use 127.0.0.1 for all ports, however I have it set on Direct connect to Internet. I took and cleared all the 127.0.0.1 information under manual and ensured the radio button was on Direct connect to internet and tried the test again with the same results. Thanks again!

bigT
10-26-2004, 13:02
Paranoid: any idea? I have run out of options but you seem to always bring something out of that magic hat of yours :)

Paranoid2000
10-28-2004, 12:43
I can only conjecture that there is something amiss with your setup that is causing Outpost to misidentify Firefox traffic as System traffic or that other software is somehow involved. Try accessing a 127.0.0.1 domain in Firefox again and in the Blocked logs, check to see if the local ports (the ones with varying numbers) are also reported in the Open Ports section as belonging to Firefox. Also try accessing the 127.0.0.1 directly in Firefox (just to ensure that there is no issue with DNS lookup configuration messing things up).

If the local ports do belong to Firefox, then try updating Windows's MDAC drivers (MDAC 2.8 is downloadable from here (http://www.microsoft.com/downloads/details.aspx?FamilyID=6c050fe3-c795-4b7d-b037-185d0506396c&DisplayLang=en)) - see Making Outpost Smooth (http://outpostfirewall.com/forum/showthread.php?t=9600) for the symptoms and cause of possible MDAC problems. If they belong to another program then check its rules - and consider disabling it if it is "interfering" with Firefox.

Another possibility is other software interfering with Outpost - if you have anything that provides low-level networking functions (this includes other firewalls, packet sniffers, port monitors, network diagnostics and VPN software) then try disabling them.

bigT
10-29-2004, 16:19
Paranoid, in the open ports I see no listing at all for any varying numbers; all I see is System blocked HTTP. I look in the open ports and I see no HTTP listing at all. When I type 127.0.0.1 in the address bar it cannot access. Any other suggestions? I have thought of just adding a rule to the system to allow local loopback where HTTP is the port to solve this problem, just don't know how secure that would be.

Paranoid2000
10-29-2004, 19:31
You won't see an HTTP entry in Open Ports unless you're running a webserver. What I meant was looking for the other ports listed since these should have a corresponding entry in Open Ports which should provide the name of the application.

Adding a rule of the form Protocol TCP, Incoming, Local Port HTTP, Remote Address 127.0.0.1, Allow shouldn't pose too much of a security risk as long as you access the Internet via a router with its own firewall. If you rely on Outpost only, then there is a possibility that this rule may allow spoofed packets (with a faked sender address of 127.0.0.1) to slip in.