Hamachi vpn and outpost firewall (Info for all firewalls)

Here is what I finally did to get Hamachi under control of my firewall. I use Outpost Free on some, and Outpost Pro on others, but the rules remain the same. In fact, the rules should apply to any firewall.

First, there are a number of IP addresses that need to have rules. The ones I found are:

63.208.197.* — Level 3 Communications (Hamachi?)
239.255.255.250 — IANA
82.165.226.212 — RIPE
82.165.243.45 — RIPE

Those are public IPs, needing rules for both UDP and TCP. Here is how my rules go:

Hamachi Home TCP Rule:
Protocol: TCP
Direction: Outbound
RemoteHost: 63.208.197.*
AllowIt

Hamachi Home UDP Rule:
Protocol: UDP
RemoteHost: 63.208.197.*
AllowIt

Hamachi IANA/RIPE UDP Rule:
Protocol: UDP
RemoteHost: 239.255.255.250,82.165.226.212,82.165.243.45
AllowIt

These rules are for Hamachi.exe. I found I also needed a rule for Svchost.exe. Since I have other rules for Svchost.exe, I found that I had to include this specifically for Hamachi.

Svchost Hamachi Rule: (svchost.exe)
Protocol: UDP
RemoteHost: 5.0.0.1
RemotePort: 67
LocalPort: 68
AllowIt

That should wrap up the rules needed for any application threads (.exe's). Next, I turn to System settings. In Outpost, I do not allow outgoing DHCP. My WAN is a static IP in front of a NAT router.
I use static IPs in my local network. I had to either allow outgoing DHCP (free version) or make a global rule (Pro version). The custom rule is this:

Allow Hamachi DHCP:
Protocol: UDP
RemotePort: 67,68,546,547
AllowIt
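The same rule set, written for the built-in Windows Firewall with the NetSecurity cmdlets, as an added example that is not part of the original post. It assumes Windows 8 / Server 2012 or later, an elevated PowerShell session, and a placeholder install path for hamachi.exe; the Outpost wildcard 63.208.197.* is expressed as the CIDR block 63.208.197.0/24.

```powershell
# Added example: the Outpost rules above as Windows Firewall (NetSecurity) rules.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
$hamachi = 'C:\Program Files\Hamachi\hamachi.exe'   # placeholder path, adjust to your install
$svchost = "$env:SystemRoot\System32\svchost.exe"

# Hamachi Home TCP Rule. Windows Firewall has no 63.208.197.* wildcard; use the /24 block.
New-NetFirewallRule -DisplayName 'Hamachi Home TCP' -Program $hamachi `
    -Direction Outbound -Protocol TCP -RemoteAddress '63.208.197.0/24' -Action Allow

# Hamachi Home UDP Rule. The post lists no direction; Outbound is assumed here,
# since Hamachi initiates the session and replies are allowed statefully.
New-NetFirewallRule -DisplayName 'Hamachi Home UDP' -Program $hamachi `
    -Direction Outbound -Protocol UDP -RemoteAddress '63.208.197.0/24' -Action Allow

# Hamachi IANA/RIPE UDP Rule.
New-NetFirewallRule -DisplayName 'Hamachi IANA/RIPE UDP' -Program $hamachi `
    -Direction Outbound -Protocol UDP `
    -RemoteAddress '239.255.255.250','82.165.226.212','82.165.243.45' -Action Allow

# Svchost Hamachi Rule. Scoped to the DHCP exchange with 5.0.0.1 only
# (client port 68 -> server port 67), so it does not widen what svchost.exe may do elsewhere.
New-NetFirewallRule -DisplayName 'Svchost Hamachi DHCP' -Program $svchost `
    -Direction Outbound -Protocol UDP -RemoteAddress '5.0.0.1' `
    -RemotePort 67 -LocalPort 68 -Action Allow

# Allow Hamachi DHCP. Global rule, not bound to a program, like the Outpost Pro global rule.
New-NetFirewallRule -DisplayName 'Allow Hamachi DHCP' `
    -Direction Outbound -Protocol UDP -RemotePort 67,68,546,547 -Action Allow

# Review the address scope of what was created before relying on it.
Get-NetFirewallRule -DisplayName '*Hamachi*' |
    Get-NetFirewallAddressFilter | Format-Table -AutoSize
```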

That takes care of getting connected. Next, there is the local side of things to consider.

First and foremost, with XP SP2 I am constantly annoyed by the “Acquiring network address” symptom. Hamachi was driving me nuts with the limited connectivity of that. One solution was to start Hamachi offline, disable my NIC, then enable it. Bye Bye acquisition. However, I now fix it by starting Hamachi and going online. Then I navigate regedit to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\YOUR # HERE], and find the device that has the value “DhcpIPAddress” that matches my Hamachi address. Then I edit the IPAddress from 0.0.0.0 to the Hamachi address, and edit SubnetMask from 0.0.0.0 to 255.0.0.0. That fixes that. Note that these are NOT the Dhcp values, but the ones normally used for static IPs. I tried to make the Hamachi adapter static, but it fails to finish connecting. No worries though, as this method gets rid of that “Acquiring network address” annoyance.

Hamachi appears to use a 5.x.x.x scheme for its IP addressing, so for network connectivity amongst other peers, you must make some more exceptions. In Outpost, there are 2 ways. One is to enable NetBIOS, and enter your peers' Hamachi addresses into the allowed list. I prefer the Outpost Pro method, which is to make a global trusted zone and put those Hamachi IPs in that. Either way, if you are blocking NetBIOS you will not be able to file share and the like.

Hamachi also requests to open a connection to 169.254.132.178, which is an IANA net block address, from 169.254.0.0 to 169.254.255.255. I put a rule in effect to allow NetBIOS communication with this IP range, but found it works without it, so I dumped it. Time will tell what use it serves.

That about covers what I had to do to make Hamachi compliant with Outpost firewall.

Credit to the original poster Mr.woo at this site

http://forums.hamachi.cc/viewtopic.php?t=283&postdays=0&postorder=asc&highlight=outpost&start=15&sid=d40d51faa3b3b87cd170733dfb262b7e

A Guide to Producing a Secure Configuration Using Outpost Firewall: http://www.outpostfirewall.com/forum/showthread.php?s=&threadid=9858
