loaned_brain
Level 9

HIP 8.0.0 Incorrectly allow through remote traffic under Allow Loopback rule?

Hi Everybody,

I am configuring the firewall for HIP deployment. While testing it, I discovered (HIP window -> Activity Log -> Traffic Logging -> Enable Log All Allowed) that the following traffic occurs:

Allowed Incoming TCP - Source 172.X.X.177: (60153) Destination 10.X.X.213 : ms-ds (445) Allow Loopback

The packets in question are SMB packets. (Verified with Wireshark on both sending and receiving side)

I narrowed it down, that the match is based on the "Local IP Address(es) = Any Local IP Address" option.

Now, this traffic originates from another (physical) computer from a completely different subnet (but same corporate LAN).

Is this a bug? This behavior is constant. If I disable this rule, the local loopback is disabled from the allowed traffic, I tried it. With this option enabled, the local loopbacks are working fine (and also allows through other traffic).

If I messed up something, what do I need to change in order to allow regular loopbacks and filter this odd behavior?

Thanks

--

Loaned Brain

HIP 8.0.0.2151

Security Content 8.0.0.4587

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: HIP 8.0.0 Incorrectly allow through remote traffic under Allow Loopback rule?

I checked the McAfee Default firewall rule Allow Loopback, as well as the same rule in the HIPS 8.0 Catalog, but I only see two network entries in that default rule:  ::1 and 127.0.0.1.  I'm running the latest HIPS 8.0 P2 extension (8.0.0.563) and the latest HIPS Content is checked into the ePO Master Repository (8.0.0.4587) though.

I checked my ePO 4.5 server with the HIPS 8.0 P1 extension (8.0.0.528), in the HIPS 8 Catalog, the Allow Loopback rule only has ::1 and 127.0.0.1 in the localhost Local Network object.

I'm not seeing this information on my ePO server.

loaned_brain wrote:

In ePO Policy Catalog ->HIP 8.0 Firewall -> McAfee Default (Read Only) Firewall Rules (Win) - This is the one that I duplicated -> Allow Loopback

     Local networks, open localhost on the right side and the addresses are

  • ::1
  • 127.0.0.1
  • 169.254.0.0/16
  • 224.0.0.252
  • [local]  -> This is the issue
  • ff02::1:3
0 Kudos
8 Replies
rstevekadish
Level 9

Re: HIP 8.0.0 Incorrectly allow through remote traffic under Allow Loopback rule?

Hi Brain,

Where is this "Local IP address(es) = Any Local IP addresses" option? 

In my rule for allowing loopback, I have the Local Network defined as "localhost = ::1 or 127.0.0.1" which I got from the built-in catalog.

Do you have the latest extensions for HIPS?

HTH,

- Steve

0 Kudos
loaned_brain
Level 9

Re: HIP 8.0.0 Incorrectly allow through remote traffic under Allow Loopback rule?

In ePO Policy Catalog ->HIP 8.0 Firewall -> McAfee Default (Read Only) Firewall Rules (Win) - This is the one that I duplicated -> Allow Loopback

     Local networks, open localhost on the right side and the addresses are

  • ::1
  • 127.0.0.1
  • 169.254.0.0/16
  • 224.0.0.252
  • [local]  -> This is the issue
  • ff02::1:3

In software Manager, no updates are available for anything. (Checked just now, on 10/18/12)

Are there any extensions for HIPS? (We have both the IPS & Firewall version, 8.0.0.4587 Patch 2)

0 Kudos
rstevekadish
Level 9

Re: HIP 8.0.0 Incorrectly allow through remote traffic under Allow Loopback rule?

Hi,

There are extensions for HIPS, under Software -> Extensions.  The latest version is 8.0.0.563.

- Steve

0 Kudos
loaned_brain
Level 9

Re: HIP 8.0.0 Incorrectly allow through remote traffic under Allow Loopback rule?

That is for the server side and it is running.

0 Kudos
rstevekadish
Level 9

Re: HIP 8.0.0 Incorrectly allow through remote traffic under Allow Loopback rule?

Right - the server-side extensions are what I was referring to.  The reason I asked is because I know that McAfee changed some behavior related to the loopback rules in HIPS 8 SP1, and when I was dealing with similar issues to yours McAfee tech support had me check that I had the latest extensions.

0 Kudos
loaned_brain
Level 9

Re: HIP 8.0.0 Incorrectly allow through remote traffic under Allow Loopback rule?

Okay, thank you. I will just assume that something went wrong on our side. We came across other issues with HIPS and decided not to use it.

Message was edited by: loaned_brain on 10/26/12 11:15:52 AM CDT
0 Kudos
McAfee Employee

Re: HIP 8.0.0 Incorrectly allow through remote traffic under Allow Loopback rule?

Does your Allow Loopback firewall rule include Any Local IP Address?  By the name of the rule, I would have assumed that it would include the 127.0.0.0/8 loopback addresses only.

0 Kudos
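
An added example, not part of the thread and not McAfee code: a small audit that compares the two "localhost" entry lists quoted above and shows why a `[local]` entry lets a packet from a remote host satisfy the rule. It assumes a simplified matching model (the rule constrains only the local address and `[local]` means any address assigned to the host); the IP addresses are constructed stand-ins for the masked ones in the log line.

```python
import ipaddress

# "localhost" network object entries as listed by the original poster.
THREAD_ENTRIES = ["::1", "127.0.0.1", "169.254.0.0/16",
                  "224.0.0.252", "[local]", "ff02::1:3"]
# Entries the McAfee employee reports for the default rule.
DEFAULT_ENTRIES = ["::1", "127.0.0.1"]

def non_loopback_entries(entries):
    """Entries that cover anything beyond 127.0.0.0/8 or ::1."""
    flagged = []
    for entry in entries:
        if entry == "[local]":  # assumed to mean "any local IP address"
            flagged.append(entry)
        elif not ipaddress.ip_network(entry, strict=False).is_loopback:
            flagged.append(entry)
    return flagged

def local_side_matches(entries, dst_ip, host_ips):
    """Simplified model (assumption): an inbound packet satisfies the rule's
    local-network condition when its destination is covered by any entry."""
    dst = ipaddress.ip_address(dst_ip)
    for entry in entries:
        if entry == "[local]":
            if dst_ip in host_ips:
                return True
        elif dst in ipaddress.ip_network(entry, strict=False):
            return True
    return False

if __name__ == "__main__":
    # Constructed addresses standing in for the masked ones in the log line.
    host_ips = {"10.1.2.213"}
    src, dst = "172.16.5.177", "10.1.2.213"
    for name, entries in (("thread", THREAD_ENTRIES), ("default", DEFAULT_ENTRIES)):
        print(name, "non-loopback entries:", non_loopback_entries(entries))
        print(name, f"allows {src} -> {dst}:445 on local address alone:",
              local_side_matches(entries, dst, host_ips))
```

Because an inbound packet's destination is always one of the host's own addresses, any entry equivalent to "any local IP" makes the local-side condition true regardless of where the packet came from.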