Some info on how to set rules with AtGuard.
by | C | Z | unlimited co.
November 11/00

First, please consider this.

I give you this info "AS IS"; this is what I know about the program.
I am not responsible if the producer decides to change anything after this moment.
If anyone has any info about errors or modified characteristics, please let me know.



General info about AtGuard
Basics on firewall
What is a rule
Create and modify a rule
Learning mode
Other features: Ad Blocking
Other features: Privacy
The "Options" tab
The "Filters" button (web filters)
Practical examples
Required settings - permanently under development, depending on your requests ;)
Logs and safety (important)


General info about AtGuard

First of all, this document assumes that you are using M$ W95/98 and AtGuard version 3.20/3.22, which is the last revision WRQ released before ceasing distribution of the program and selling AtGuard to Symantec.

About this, I don't treat Symantec's version of AtGuard, because I judge it WORSE than the old WRQ version; of course, this is my personal opinion, and anyone may have a different one ;)

AtGuard is a firewall program, originally produced by WRQ.

A firewall is a program that, running in the background, monitors all inbound or outbound net connections and protects your PC from unauthorized intrusions, hacking and disallowed communications from and to your PC (e.g. Trojans and background remote consoles, programs that "secretly" call their homepage, backdoors like the Micro$oft Backdoor-g-1 service hidden in W98, and so on) (see Basics on firewall and What is a rule).

With this program, you may use the default rules built by WRQ, modify them, or add your personal rules for particular needs, as specified later (see Create and modify a rule).

Another interesting feature of the firewall is the "learning mode", which automatically asks you for the desired action on an event for which you have no rule activated (see Learning mode).

About this, keep in mind that AtGuard works mainly for security, which means that for every event without a rule the program asks you each time what you want to do, and will not ignore the event just because there is no rule for it.

If you want an event to always be ignored, you have to add a rule that tells AtGuard "ignore this".

This regards security, but a firewall is not limited to this; you may also block or fake some of your private data, block ads, block or fake cookies, block JavaScript, stop GIF loop animations (this speeds up loading of pages on slow systems and frees up internal cache space), and some other useful things (see Other features: Ad Blocking and Other features: Privacy).

Back to index


Basics on firewall

Well, first of all, you must open the firewall 'Settings' window from your "Start" menu (Start - Programs - AtGuard - Settings), or from the firewall dashboard or the control bar (right-click and select "Settings") if you prefer. In this window click the "Firewall" tab and check that the "EnableFirewall" and "EnableRuleAssistant" checkboxes are checked; if not, check both.

Here you may see some default rules, which are normally set to the "Permit" action, except for the "NetBus" and "Back-Orifice" services, which are obviously set to "Block".

I personally (OK, OK, I'm a bit paranoid) have set all rules to block all services and programs I don't need, and then added rules that permit only the services that I want; I describe some of these here, but you may do this or not, depending on your needs.

I've set to "Block" all of these default rules: "Default Bootp" (sometimes used to nuke a PC), "Default NetBios" (nbname and nbdatagram services), adding a rule to block the nbsession service (hacking and nukers), "Default ICMP" (unneeded, I don't use ICMP, ICQ and similar), "Default Inbound TCP" and "UDP" protocols (hacking), leaving in "Permit" mode only the "DNS" protocols (if you block these, you block all internet access).

About the "Default Loopback" service, I've also blocked this, but if you use Proxomitron you need to have this service permitted, because Proxomitron uses it.

After that, I add a rule to "Permit" Explorer communications (this is the browser; you may have Nutscape instead of IE, simply change the name of the program in the "Application" field), two for FTP (in and out use 2 different ports, normally 20 and 21, and the name of the application is obviously the name of your FTP program), some for Outlook (email uses 1 port for any POP/SMTP account), and some other rules that may interest some of you; see what I explain in the "Practical examples" chapter.

Also, you have to add some ports in the filter window, but this is also in another chapter (see The "Filters" button (web filters)).

Back to index


What is a rule

A "rule" is a set of instructions that tells the firewall how to manage net communications to or from a service, an address, a range of addresses, or a program.

This means that you may decide, for example, to block any communication between your browser and the Micro$oft.com domain, leaving all others intact, or block only the "Backdoor-g-1" service from your PC to any site and address, leaving all other services working, or block any communications and/or services from any address between 201.191.0.0 and 201.191.255.255 (THIS range is only an example!), in case you decide to block all of the addresses of an ISP or proxy server, or similar, and leave all other addresses reachable, and so on, depending only on your needs.

With AtGuard you don't need to specify these rules with strings of commands in an ".ini" file like the first firewall programs. A simple and useful GUI helps you with this.

Back to index


Create and modify a rule

First of all, keep this in mind: the firewall has some ability to correct your errors, but only in some fields and in limited ways; this means that if you set a rule and in the services field write "backdor-g-1" instead of "Backdoor-g-1", the program tells you that this is an error because there is no service with this name. But if you write a wrong port number or address, the program may not know that this is an error, and your rule won't work correctly.

All of this relates to the "Firewall" tab.

To modify a pre-existing rule, simply highlight it (one click) and click the Modify button at the bottom.

In the new window (Modify firewall rules) opened by this button, you have a lot of options, so you have to know overall what you want from this rule (it's simple to set these fields, but if you don't know exactly what a field does, it's better not to modify it).

Well, a little explanation of the fields and tabs here.

The "Name" field is only a personal reminder and you may write what you want here (normally what the rule does).

The "Action" field is what the rule does, and you may choose from "Permit" to permit communications or actions from the program or service to the net through the firewall without interference, "Block" to block these communications or actions, and "Ignore", which forces a log without affecting operation. This is a bit more complex and requires an example: imagine that you have set a rule that "Permit"s free communications between program-x and the net, but you want to monitor every time this program calls its homepage-x without blocking these calls; all you have to do is add an "Ignore" rule on program-x and homepage-x before the "Permit" rule on program-x. This allows program-x to work with any address (including homepage-x), but if it calls homepage-x then this is noted in a log file (this option is useful for sysadmins, but makes little sense for private users).

The "Direction" field is the direction of the communications affected by the "Action" field; you may choose from "Inbound" (input data), "Outbound" (output data) and "Either" (both directions).

The "Protocol" field specifies what protocol, or type of data, is affected by the "Action" field (blocked or permitted), and may be TCP, UDP, TCP and UDP, or ICMP.

The "Application" tab allows you to apply the rule specifically to a single program (you must specify the program complete with path in this case, e.g. C:\windows\explorer.exe), or to any program. Note that in these tabs the fields for entering data appear only if you choose the related option, so if you choose "any..." you will see no fields, but if you choose "single..." you see one field, and so on.

The "Service" tab allows you to apply the rule to a single service or port, a range of sequential services or ports, a list of different services or ports (also non-sequential) or any service and port (normally there's an equivalence between services and ports, e.g. nbsession is port 139, used by all the nuker programs).

The "Address" tab allows you to apply the rule to a single address, a range of addresses or any address (e.g. if you want to block Micro$oft.com, this is a single remote address; if you want to block a NetBus server, this must be applied to any address).

The "Time Active" tab lets you choose at what time and on what days the rule is active, but this is useful only for sysadmins; private users must leave this on "All" every day.

The "Logging" tab has two checkboxes. If the first is checked, the rule writes an event log every time an action matches the rule specifications, and if the second is also checked, a little "red book" icon is displayed on the dashboard near the trashcan every time this happens.

A word about this trashcan icon: it's not the same as the trashcan of W95/98, as this one is related to the "Ad Blocking" feature and is used to automatically add an "ad banner" to the blocked ads list. E.g. if you often have to load the same pages and these pages contain ads, and you don't want to see these ads and lose time waiting for the system to load them, simply click on the ad banner with the left button, HOLD DOWN the button and drag the mouse over the trashcan icon (you will see the cover of the trashcan open), and release the button there; a window asks if you really want to add the link and the banner to the blocked ads list, and if you say "yes" then this banner and the related link will never again be loaded from this site ;) .

Creating a new rule (clicking on the "Add" button) is basically the same process as modifying a pre-existing one, and the Add Firewall Rule window has the same fields and tabs; the only difference is that this time you add a new rule to manage a situation that is not already covered.

IMPORTANT: the principal thing that you have to keep in mind when you manage these rules is that they are position-sensitive in the list; this means, e.g., that if you have a rule that permits inbound TCP from Norton LiveUpdate and another rule that blocks all inbound TCP, the 'permit' rule MUST be placed BEFORE the 'block' rule in the list, because otherwise the 'block' rule excludes the other; the same goes for the two rules for the FTP program, which use the TCP protocol, and so on.

A good idea is to put all the safety rules (blocks for NetBus, NetBus-Pro, Back-Orifice, BO 2000, backdoors and hidden connections) in the first positions, then put the permit rules for the programs, services and addresses you want to permit, and finally place the rules that generically block unneeded TCP, UDP and ICMP protocols.

Back to index


Learning mode

Only a few words about this.

Learning mode is simply a useful "way of working" of the firewall; for example, it lets you see if a site tries to use JavaScript when you connect, and in this case the firewall asks you what you want; it also advises you about unexpected communications and/or actions from sites and/or programs and helps you with on-the-fly creation of specific rules for these, and so on.

Learning mode is also useful in some situations, e.g. when you want to know if a program like GetRight, Go!Zilla, Teleport, WWHack or any other program that connects to the net does only what you want or also some other things, like calling home to transmit a report of your connections, or calling voting sites for spam clicks, or any other hidden thing.

To do this, simply open "Settings", and in the "Firewall" tab uncheck the checkboxes next to the rules you want to temporarily disable (DO NOT uncheck "EnableFirewall" and "EnableRuleAssistant", this disables the firewall!), then click the "Apply" button and OK.

The characteristic of this firewall is that it works principally for security, so any operation without a related rule is intercepted, and the program tells you what this operation is, from what program it came and to what address it tries to connect, and asks you what you want to do.

Now you have four choices: permit or block the communication a single time, or create a rule that permits or blocks this operation every time (you may need this in case you have a useful program, like Teleport Pro, and want to continue to use it, but without the program calling tenmax.com to transmit a log of your site downloading each time you use the program).

You may find some other of these "little hidden things" in the Practical examples section.

Oh, and don't forget to re-enable the rules after this ;) ;) ;) .

Back to index


Other features: Ad Blocking

This is in the "Web" tab, and is simply the section that blocks all those boring ads (be sure that the "Enable web filters" checkbox is checked).

On the "Ad Blocking" subtab, a pre-built list of ads to block is already present, the best known I think (you see this when you highlight "Default" in the left tree), and also when you add a banner to the trashcan (see above, in the "Create and modify a rule" chapter, the "A word about this trashcan icon" section), the related link is added here.

In the left tree an address is also added every time the firewall intercepts a JavaScript from a site you visit and asks you what you want to do, and you reply with yes or no, but this is related to the Privacy features.

Back to index


Other Features: Privacy

This is also in the "Web" tab.

The Privacy subtab lets you manage some of the data that your browser sends to a site on request, when you don't use a proxy (and also the same data sent to the proxy, if you use one), and lets you manage cookies.

You may, either in the default field (applied to all addresses not specified in the tree) or independently for each of the sites listed in the left tree, at your choice, set the firewall to permit cookies, to block them, or to reply with a self-managed (faked) cookie containing no real data (to do this, you must have a copy of a cookie sent to you by the site that you want to fool, and also the ability to modify this cookie in the right way).

You may also set in the same way the referer (HTTP referer), the browser (user-agent) and the mail (from) fields: block them (no reply), permit them (free reply) or reply to them with the data you want, e.g. from "babylon5.space.net" with user agent "Skylark rev. 2.11" and referer "from the hell", or whatever you want ;) .

The other subtab, "Active content", is not the most important if you have already set your browser to disable JavaScript, ActiveX controls and animations; otherwise you may do this here, in the same way, for all sites or independently for each site or domain listed in the left tree.
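To show how the default-plus-per-site layout of the Privacy subtab works in practice, here is an added example written for this page; it is not code from the guide's author or from AtGuard. It keeps a default policy, per-site overrides like the entries in the left tree, and for each field one of "permit" (send as is), "block" (drop it) or "fake" (send a replacement), then rewrites a request's headers accordingly. The header names used for the guide's referer/user-agent/from/cookie fields, the policy layout, the suffix-based inheritance of site entries and the sample request are all assumptions of this example.

```python
"""Default-plus-per-site privacy policy for outgoing request headers.

Added example modelled on the guide's description of the Privacy subtab;
not code from the guide or from AtGuard. Policy layout, header names,
suffix inheritance and the sample request are assumptions.
"""

# Default policy: applies to every host that has no entry of its own.
# Replacement values are the guide's joke values for its "fake" example.
DEFAULT_POLICY = {
    "Referer": ("fake", "from the hell"),
    "User-Agent": ("fake", "Skylark rev. 2.11"),
    "From": ("fake", "babylon5.space.net"),
    "Cookie": ("block", None),
}

# Per-site entries list only the fields they change (constructed hosts).
SITE_POLICIES = {
    "shop.example": {"Cookie": ("permit", None), "Referer": ("permit", None)},
    "tracker.example": {"Cookie": ("fake", "id=0000000000")},
}


def policy_for(host, default=DEFAULT_POLICY, sites=SITE_POLICIES):
    """Merge the default with every site entry that covers `host`.

    Assumption: an entry for 'shop.example' also covers 'www.shop.example',
    and a more specific entry wins over a less specific one.
    """
    merged = dict(default)
    labels = host.lower().split(".")
    for start in range(len(labels) - 1, -1, -1):   # least to most specific
        candidate = ".".join(labels[start:])
        if candidate in sites:
            merged.update(sites[candidate])
    return merged


def apply_privacy(host, headers):
    """Return (headers to send, log lines) for one request to `host`.

    Headers the policy does not name (Host, Accept, ...) pass through.
    """
    policy = policy_for(host)
    sent, log = {}, []
    for name, value in headers.items():
        mode, replacement = policy.get(name, ("permit", None))
        if mode == "permit":
            sent[name] = value
        elif mode == "block":
            log.append(f"{host}: blocked {name}")
        elif mode == "fake":
            sent[name] = replacement
            log.append(f"{host}: faked {name}")
        else:
            raise ValueError(f"unknown mode {mode!r} for {name}")
    return sent, log


def request_for(host):
    """A constructed browser request, as a header dict (sample data)."""
    return {
        "Host": host,
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
        "Referer": "http://search.example/?q=shoes",
        "Cookie": "session=abc123",
        "From": "me@example.invalid",
    }


if __name__ == "__main__":
    for host in ("www.shop.example", "tracker.example", "other.example"):
        sent, log = apply_privacy(host, request_for(host))
        print(host, sent, log)
```

The site entries change only the fields they list, so "www.shop.example" keeps its real cookie and referer but still gets the faked user-agent from the default; a host with no entry gets the default alone, which here drops the cookie entirely.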

See also The "Filters" button (web filters).

Back to index


The "Options" tab

Not much to say on this tab, only working options.

I normally leave "Show taskbar icon", "Show dashboard window" and obviously "Enable AtGuard" checked, the startup option set to "Run at system startup" and "Enable password protection" unchecked, otherwise it asks for the password every time you connect, but anyone may do what they prefer here.

Back to index


The "Filters" button (web filters)

This opens a new window, and here you may enable or disable the filter section (the best thing is to check all the checkboxes) and specify port numbers to be primarily watched.

Some port numbers are already here, but it is better to add all the dangerous (hackable) ports here.

You may do this with the "Add" button in this window (one at a time).

The most dangerous ports to have open are: 20, 21, 25, 67, 68, 80, 81, 82, 83, 125, 130, 131, 132, 133, 134, 135, 139, 194, 280, 389, 433, 458, 488, 529, 545, 554, 591, 593, 709, 800, 994, 1080, 1433, 1434, 1477, 1478, 1755, 4000, 5190, 5191, 5192, 5193, 5631, 5632, 6000, 6665, 6666, 6667, 6668, 6669, 7007, 8000, 8008, 8080, 8088, 11523, 12345, 12346, 13789, 13790, 31337, 54320, 54321, 60000.

Back to index


Practical examples

Some little hidden things that I've found in my system with the firewall, and some rule setting examples about them.

First of all, some proxies (not all) try to collect info from your system when you use them, normally via a service called "auth" (authorization data); you may stop this by adding a rule with: name=what you want - action=block - direction=either - protocol=TCP or UDP - application=any - remote service=any - local service=single, in the field write "auth" (no quotes, obviously) - remote address=the address of your proxy without the "http://" part - local address=any - time active=leave all days - logging=check if you want, no matter.

Another is a backdoor service hidden in W98, probably in explorer.exe and called Backdoor-g-1, discovered by some hacker and added to some remote consoles; the settings are: name=what you want - action=block - direction=either - protocol=TCP or UDP - application=any - remote service=any - local service=single, in the field write "Backdoor-g-1" (no quotes, obviously) - remote address=any - local address=any - time active=leave all days - logging=check if you want, no matter.

TeleportPro from Tennyson Maxwell Corporation sends a log with all the sites you load to www.tenmax.com (home site) each time you launch the program, but it also works if this connection isn't made, so...: name=what you want - action=block - direction=outbound - protocol=TCP or UDP - application=any - remote service=any - local service=any - remote address=www.tenmax.com - local address=any - time active=leave all days - logging=check if you want, no matter.

Some FTP and file transfer programs (not all) send a log of your connections to an address (maybe for statistics, but better to avoid this too), and sometimes if you block the first address the program tries again other times with other subdomains of the same domain, e.g. idn1.domain.com, idn4.domain.com, idn7.domain.com, and so on: in these cases you have to use learning mode and block (this time the block function) all communications; this writes in the log all the addresses you have blocked, and after this you may add rules (one for each logged address) like this: name=what you want - action=block - direction=outbound - protocol=TCP or UDP - application=name of the FTP program (with path) - remote service=any - local service=any - remote address=single, in the field write the logged address without the "http://" part - local address=any - time active=leave all days - logging=check if you want, no matter.

Or also, you may create these rules directly in learning mode; this means, when the firewall asks you what action you want for the connection, you choose "block every time"; this opens a "Rule wizard" window, which asks you what you want about this for all the other times and automatically adds the corresponding rule to the list; after that you only have to check that the rule does what you want (with the "Modify" button) and, if needed, move the rule up in the list.

These are only some examples; you may find others yourself in the same way.

Back to index


Required settings (permanently under development)

In this section I try to give settings for some particular cases that someone has requested or suggested to me.

This may require a bit of time, because for all the cases I've not already tested, I have to install the related program, set a series of rules and try to find the best before writing it here (I normally prefer to try a program before writing explanations about it, because this is the only way to know what I have to say in the clearest way, but this takes time).

If someone has suggestions about rules, protocols, and particular cases (I mean, if someone already uses these particular settings or rules and thinks that other people may also use them) please email me and I'll add here all the working suggestions.

Remember that a firewall is a control program, and this influences ALL communication programs, and I think NO ONE may install and set up and try ALL types of existing programs working alone (well, maybe not in one life only...).

In these examples I give generic names for the "Name" field, but remember that this is only a reminder and here you may write whatever you want; also, the names I give for the fields must be written WITHOUT quotes.

Also, for the "Time active" tab and for the "Logging" tab, assume that for all examples they are "time active=leave all" and "logging=leave unchecked"; I specify these only if different.

About the order of the rules in the rule list (Firewall tab).

The rules for any data packet analyzed are processed in descending order as written in the rule list, and when a rule matches the related condition on a data packet, this packet is managed (permitted, blocked, logged, deleted, depending on the rule) and the process is stopped and restarted for the next data packet from the top of the list, ignoring the rest of the list.

This means that if you put a rule that, for example, blocks any TCP packet BEFORE a rule that, for example, permits TCP communications on ports 20 - 21 for an FTP program, the TCP packets are intercepted and deleted BEFORE they may reach the "Permit" rule for the FTP, so this never works, and the same is valid for all the other programs you have that use these protocols.

The example structure I give you is a generic working structure that works well for most cases, but you may modify it in whatever way you want, always keeping in mind the importance of the positions.

This is a practical example of a list (the "Default" word is omitted, because each of you may call the rules as you choose; the only thing you must consider is what the rules DO, not the names they have; also, if I give more than one direction for a rule this means that you may use one or the other as you prefer).
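To make the position rule concrete, here is an added example written for this page; it is not code from the guide's author or from AtGuard. It reads rules in a simplified form of the "field=value - field=value" notation used in the "Practical examples" chapter and walks an ordered list the way the text describes: the first matching Permit or Block rule decides, an Ignore rule only logs and lets the walk continue (as in the program-x/homepage-x example of the "Action" field), and a packet that no rule matches goes to the rule assistant ("ask"). The packet fields, the program paths, the service-name table and all sample values are constructed for this example.

```python
"""Ordered, first-match firewall rules, modelled on the AtGuard guide.

Added example for this page; not code from the guide or from AtGuard.
Rule notation is a simplified form of the guide's; packet layout, paths
and sample values are assumptions.
"""
from dataclasses import dataclass

# Service names the guide uses, mapped to port numbers
# (nbsession and domain appear in the guide; auth is the IANA ident port).
SERVICES = {"nbsession": 139, "domain": 53, "auth": 113}


@dataclass(frozen=True)
class Packet:
    """A constructed packet as the firewall would see it (field names assumed)."""
    direction: str      # "inbound" or "outbound"
    protocol: str       # "TCP", "UDP" or "ICMP"
    local_port: int
    remote_port: int
    remote_addr: str
    application: str    # full path of the program that owns the socket


def parse_rule(spec: str) -> dict:
    """Parse 'name=X - action=block - direction=either - ...' into a dict.

    Fields left out default to "any" / "either", as the guide's examples do.
    A service field is 'any', a port number, a service name or 'first-last'.
    """
    rule = {"direction": "either", "protocol": "TCP or UDP", "application": "any",
            "local service": "any", "remote service": "any", "remote address": "any"}
    for part in spec.split(" - "):
        key, _, value = part.partition("=")
        rule[key.strip().lower()] = value.strip()
    return rule


def _service_matches(field: str, port: int) -> bool:
    field = field.lower()
    if field == "any":
        return True
    if "-" in field:                                  # range, e.g. 20-21
        first, last = (int(x) for x in field.split("-"))
        return first <= port <= last
    if field.isdigit():
        return int(field) == port
    return SERVICES.get(field) == port                # service name


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Every field of the rule must match the packet."""
    if rule["direction"].lower() not in ("either", pkt.direction):
        return False
    protocols = [p.strip().upper() for p in rule["protocol"].split(" or ")]
    if pkt.protocol.upper() not in protocols:
        return False
    app = rule["application"]
    if app != "any" and app.lower() != pkt.application.lower():
        return False
    if not _service_matches(rule["local service"], pkt.local_port):
        return False
    if not _service_matches(rule["remote service"], pkt.remote_port):
        return False
    addr = rule["remote address"].lower()
    return addr == "any" or addr == pkt.remote_addr.lower()


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Walk the list top to bottom; return (decision, names of Ignore rules hit)."""
    logged = []
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        action = rule["action"].lower()
        if action == "ignore":          # log only, keep looking for a decision
            logged.append(rule["name"])
            continue
        return action, logged           # first Permit or Block decides
    return "ask", logged                # no rule: the rule assistant asks


# Constructed rules in the guide's notation.
BLOCK_TCP = parse_rule("name=Block TCP - action=block - direction=inbound - protocol=TCP")
PERMIT_FTP = parse_rule("name=Permit FTP - action=permit - direction=inbound - protocol=TCP"
                        " - application=C:\\ftp\\ftp.exe - local service=20-21")
IGNORE_HOME = parse_rule("name=Log homepage-x - action=ignore - direction=outbound"
                         " - protocol=TCP - application=C:\\program-x\\x.exe"
                         " - remote address=homepage-x.example")
PERMIT_X = parse_rule("name=Permit program-x - action=permit - direction=outbound"
                      " - protocol=TCP - application=C:\\program-x\\x.exe")

# Constructed packets.
FTP_PKT = Packet("inbound", "TCP", 21, 40000, "203.0.113.7", "C:\\ftp\\ftp.exe")
HOME_PKT = Packet("outbound", "TCP", 40001, 80, "homepage-x.example", "C:\\program-x\\x.exe")
UDP_PKT = Packet("inbound", "UDP", 1900, 1900, "203.0.113.9", "")

WRONG_ORDER = [BLOCK_TCP, PERMIT_FTP]   # generic block first: FTP never reaches its Permit
RIGHT_ORDER = [PERMIT_FTP, BLOCK_TCP]   # specific permit first, generic block last

if __name__ == "__main__":
    print("wrong order:", evaluate(WRONG_ORDER, FTP_PKT))                 # ('block', [])
    print("right order:", evaluate(RIGHT_ORDER, FTP_PKT))                 # ('permit', [])
    print("ignore then permit:", evaluate([IGNORE_HOME, PERMIT_X], HOME_PKT))
    print("no rule:", evaluate(RIGHT_ORDER, UDP_PKT))                     # ('ask', [])
```

The same two rules give opposite results depending only on their order, which is exactly why the guide puts the specific Permit rules above the generic Block rules; the Ignore rule models the "log but don't decide" behaviour the guide describes for program-x, and the UDP packet shows what happens when nothing in the list matches.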

Block Inbound/Either NetBus, NetBus-Pro
Block Inbound/Either Back-Orifice
Block Inbound/Either Back-Orifice-Pro
Block Either Backdoor-g-1
Block Inbound port 139 (nbsession)
Block Inbound Bootp (bootpc)
Block Outbound Bootp (bootp)
Block Inbound/Either Authorization Echos (auth service)
Block Outbound tenmax.com TCP or UDP
(I've added this to block TeleportPro's attempts to send a log file to tenmax.com each time I use the program; if you don't use Teleport, discard this)
Block netshow service
(I don't want this working on my system)
Block Elegy console port 13789-13790
(maybe you have this with another name; more than one group of hackers uses these ports with different names, I've simply used the name of the first group that used them)
Block BlackIce console port 60000
(the same as for the previous one regarding the name)
Block unknown console port 13223
(I don't know where this came from, but one time I blocked 60 attempts from 60 different remote ports to my port 13223 in less than 15 minutes, probably another multithreaded remote console with a robot scanner)
Some rules to block hostile address ranges
(these depend on you; if you see some company that plays dirty, you may block all the addresses used by that company if you don't need to use them); only as an example, I've blocked the range from 203.179.64.0 to 203.179.79.255, assigned to SETO-PRINT CORPORATION, because some time ago I blocked more than 400 attempts to enter my machine in less than 2 hours from approx. 50 different addresses in this range (probably a company robot), and I don't like these things and want to have nothing to do with this type of company

These rules come first, for what I want to block unconditionally; from here on, the rules that permit communications for your programs, for example:

Permit Outbound/Either Explorer.exe TCP
(this is the browser for IE4)
Permit Either Netscape.exe TCP
(This is the Netscape browser, but for this you have to find the name of YOUR copy of the executable file in the Netscape folders, because many ISPs distribute it with their internet packages, and some of them modify the names of the programs)
Permit Outbound/Either Outlook TCP
(mail server; find the name of the application your system uses, normally Micro$oft uses C:\program files\outlook express\msimn.exe but not in all versions)
Permit Outbound TCP for FTP
(normally ftp, port 20)
Permit Inbound TCP for FTP
(normally ftp-data, port 21)
Permit Inbound DNS
(domain, this is a default rule)
Permit Outbound DNS
(domain, this is a default rule)
And Permit rules for any other programs you want;
if you have some particular questions, mail me and I'll try to answer you, here or via mail, as you prefer.

From here on, generic block rules, to intercept and delete everything that is not managed by the previous rules

Block Inbound TCP protocol
Block Inbound UDP protocol
Block Either Loopback
(localhost service; for Proxomitron users see above)
Block Either ICMP protocol
(this also prevents automatic Router Solicitation from your system to the net every time you go online)

Remember, this is only an example; you're not constrained to follow exactly this, because you may have different needs

Generic Block Inbound TCP: name=Block TCP - action=block - direction=inbound - protocol=TCP - application=any - local and remote service=any - local and remote address=any.

Generic Block Inbound UDP: name=Block UDP - action=block - direction=inbound - protocol=UDP - application=any - local and remote service=any - local and remote address=any.

Generic Block ICMP: name=Block ICMP - action=block - direction=either - protocol=ICMP - type=any - local and remote address=any.

Port 139 (nbsession). name=Block port 139 - action=block - direction=inbound - protocol=TCP or UDP - application=any - remote service=any - local service=single, in the field write 139 (or nbsession, it's the same) - local and remote address=any.

Back Orifice Professional (BO 2000). name=Block BO 2000 - action=block - direction=either - protocol=TCP or UDP - application=any - remote and local service=range, in the fields write: first port=54320, last port=54321 (both services) - local and remote address=any.

Elegy console (31789,31790). name=Block ports 31789-31790 - action=block - direction=either - protocol=TCP or UDP - application=any - remote service=single, in the field write 31789 - local service=single, in the field write 31790 - local and remote address=any.

BlackIce console (60000). name=Block port 60000 - action=block - direction=either - protocol=TCP or UDP - application=any - remote service=single, in the field write 60000 - local service=any - local and remote address=any.

Unknown console (13223). name=Block port 13223 - action=block - direction=either - protocol=TCP or UDP - application=any - remote service=any - local service=single, in the field write 13223 - local and remote address=any.

Proxomitron. As already said, if you use Proxomitron you have to leave the loopback protocol permitted, or (better) set a rule that permits this for the program, in this way: name=Permit Proxomitron loopback - action=permit - direction=either - protocol=TCP or UDP - application=single, in the field write the name of the program with full path (better to browse for it here, if you don't remember the exact name and path) - local and remote service=any - local and remote address=host address, in the fields write "localhost".

ICQ settings. The ICQ settings may be a bit more complex than a single rule ;) .

If you use ICQ programs, you must create a rule for each ICQ server you use, because the address tab doesn't allow a list of non-consecutive addresses: name=Permit (nameserver) ICQ - action=permit - direction=either - protocol=TCP or UDP - application=single, in the field browse for the ICQ program you use, complete with path - remote and local service=single, in the field write "icq" (depending on the program you're using, maybe you have to set local service to any, but for the programs I've checked this is not necessary, so try this way first and set it to any only if your program doesn't support this) - remote address=single, in the field write the address (IP or URL) of your ICQ server - local address=any (if you use a dynamic IP or a proxy, you cannot specify a single local address).

About ICQ, if you're using an ICQ program that uses the FULL ICMP protocol, you may try to set an ICMP rule instead of a standard rule, but you have to try with your program whether this works; for this type of rule you have different choices than for the standard rules.

I give you only an example, but you may choose any combination you want; first: name=ICMP for (nameserver) ICQ - action=permit - direction=either - protocol=ICMP - type=any - remote address=single, in the field write the address (IP or URL) of your ICQ server - local address=any (also in this case, one rule for each server is needed if you have more than one server).

In addition, you may set a "safety rule" (this must be placed BEFORE all the rules of the first example in the list) to try to block undesired outgoing data through ICMP, in this way: name=Block ICMP info - action=block - direction=outbound - protocol=ICMP - type=list of types, in the field use the "Add" button for each type you add and from the pull-down menu choose "Timestamp Reply", "Information Reply" and "Address-Mask Reply".

Another important thing to remember is that ALL the rules about ICQ MUST BE PLACED BEFORE the rules that block the nb services (nbname, nbdatagram, nbsession) if you have set rules to block these services, because the ICQ protocol uses these nb services (and this is one of the reasons why it is not safe...).

Remember that if you use ICQ, you have a hole in your system, because until now NONE of the ICQ programs around have good safety functions or sufficient protection, and if you're using an ICQ program someone may hack your system and the firewall can do nothing in these conditions.

Back to index


Logs and safety (important)

An important word about the firewall logs (yes, firewalls have logs).

In the "Connections" tab of the "Event log" window are reported ALL the IPs of the sessions you made; if you use a proxy, normally here you see only the proxy IP, if not you see the remote IPs; in the "Ad Blocking", "Firewall" and "Privacy" tabs you see all the blocked events logged, and these normally also report references to the sites visited, and in the "Web History" tab you have listed ALL the URLs you connected to, with date, time and full address (!), so if you don't want some of your "friends" to see all this, you had better clear all these tabs each time.

To do this, simply go to the "Log" menu and choose "clear all tabs", and answer Yes in the confirmation window.

Obviously, if you're interested in some data here, e.g. the IPs of those who have tried to hack you, reported in the "Firewall" tab, you must copy these before clearing the tabs, otherwise you lose them all.

Back to index


end of page - corrections are welcome ;) - | C | Z | unlimited co.




All rights reserved. No part of this document may be reproduced by any means without
the written permission of StillListener.



