This document explains how to use IPNetSentry, a Macintosh application designed to protect your Macintosh from remote Internet intruders. Please read this document before using IPNetSentry.
****************** IMPORTANT! *******************
We recommend that you uncheck the "Load Only When Needed" option in your TCP/IP control panel before using IPNetSentry.
PPP or Remote Access users note: if you do NOT want your connection to be made automatically upon restarting your machine then open the Remote Access options and UNCHECK the "Connect automatically when starting TCP/IP applications" checkbox in the Connection Tab.
You can select the "Load Only When Needed" option by clicking the "Options..." button in the TCP/IP control panel. IF you do not see the Options button, then:
- Goto the Edit Menu in the TCP/IP control panel.
- Select the "User Mode..." item
- Select Advanced (or Administrator)
- Click OK
Unchecking the "Load Only When Needed" option will keep TCP/IP loaded. This is recommended for most Internet connections.
************************************************
ReadMe Contents
1. System Requirements
2. How to Get Started
3. How to Remove IPNetSentry
4. Custom Configuration
5. Testing IPNetSentry
6. Viewing the IPNetSentry Log
7. Viewing the Aged Filter file
8. Performing Trace Routes with IPNetMonitor
9. Running IPNetSentry with IPNetRouter
10. Registration and Licensing
11. Other Sustworks Software
System Requirements
Ñ A PowerPC Macintosh with an Internet connection (no 68K version available at this time).
Ñ MacOS 7.6.1 or later with Open Transport v1.1.1 or later
Ñ A popular internet browser (either Netscape Navigator/Communicator or Internet Explorer).
How to Get Started
1. Download and install IPNetSentry. The following components are installed:
Ñ IPNetSentry.PPC - extensions folder (a faceless background application)
Ñ OTModl$Proxy - extensions folder (a shared library - refer to the instructions below before removing this!)
Ñ IPNetSentry Config - preferences folder
Ñ IPNetSentry Companion App - IPNetSentry folder
You must restart your machine after installation of IPNetSentry.
2. The IPNetSentry companion application will automatically be launched the first time you restart your machine after having installed IPNetSentry. Through this companion application you can turn IPNetSentry on and off, configure it, test it, and view the log and aged filter files.
The IPNetSentry FBA (faceless background application) will automatically run after this initial restart.
3. Click the "Turn On" button in the IPNetSentry companion application to start IPNetSentry. A default configuration will be used. This configuration is normally sufficient to protect the machine of most Macintosh users.
When an attempted intrusion occurs, the default configuration will notify you of this event. IF you hold down the Shift key on your keyboard while clicking the notification OK button, your open browser will be taken to a page on our site which will provide you with more information about the intruder's domain. (administrative and technical contacts, etc.).
4. You can quit or launch the IPNetSentry companion application at any time. You do not need to run the IPNetSentry companion application in order to protect your Macintosh. Protection (filtering) of your Macintosh is handled through the IPNetSentry FBA.
How to Remove IPNetSentry
To remove IPNetSentry, simply drag the components installed above to the trash except for OTModl$Proxy in your Extensions folder. OTModl$Proxy is a shared library used by IPNetRouter, IPNetMonitor, and IPNetSentry. If you wish to remove this component on systems prior to Mac OS 9, please run the supplied ╥Unlink OTModl$Proxy╙ application to avoid disabling TCP/IP. Once OTModl$Proxy has been unlinked, you can safely move it to the trash.
Alternatively, run the IPNetSentry Installer and press Option to "Uninstall". This will remove OTModl$Proxy safely.
To manually unlink OTModl$Proxy, you can use ResEdit to remove any ╘crpt╒ resources in your TCP/IP Preferences File, or create a new TCP/IP Configuration (Cmd-K).
Custom Configuration
You can customize your IPNetSentry configuration by clicking the Config button in the IPNetSentry Companion application. Clicking this button will take your browser to our configuration page and upload your current IPNetSentry configuration. You can easily modify your IPNetSentry configuration through this page. Please see our IPNetSentry configuration page for more details.
After you have completed your custom configuration, a new IPNetSentry configuration file will automatically be downloaded to your machine and stored in your Preferences folder, overwriting your previous configuration. If the IPNetSentry FBA was running at the time the new configuration was downloaded, the IPNetSentry FBA will be restarted in order to invoke the new settings.
NOTE: IF your machine is located behind a firewall or a Network Address Translation (NAT) router, you will need to map incoming TCP Port 4670 connections to the machine on which you wish to configure IPNetSentry. Contact your Network Administrator for additional details. If this is not possible, you can still manually edit the IPNetSentry Config file (which resides within your Preferences folder).
You can manually edit the IPNetSentry configuration file with any text editor. It is important that you understand the syntax of each command before doing such editing. Please see the "IPNetSentry Command Syntax" document for more information. You must restart the IPNetSentry FBA after making any changes to the IPNetSentry Config document. This is most easily accomplished using the "Turn Off" and "Turn On" buttons in the IPNetSentry Companion application.
Testing IPNetSentry
You can test IPNetSentry by clicking the Test button in the IPNetSentry Companion application. Clicking this button will take your browser to a test page on our web site.
To test IPNetSentry, you need to select a server from which to initiate a test and select a specific service (protocol and port) to test (a trigger).
NOTE: some ISPs are now blocking incoming ICMP packets. If you do not get a reply from an initial Ping test, this does not necessarily mean that your Macintosh is already protected. You should also attempt an intrusion using one of the triggers you have setup.
Viewing the IPNetSentry Log
The IPNetSentry log is a plain text document, which is normally viewed in SimpleText (the default creator). This log file can get quite large after a period of time, and too large to be viewed with SimpleText. For this reason you may wish to set a different editor as the default creator of the log file.
To do this, just save a file named "IPNetSentry.log" in your Preferences folder with your chosen editor. Clicking the "Log" button within the IPNetSentry Companion application will then open this log file through this editor.
Viewing the Aged Filter file
IPNetSentry works by invoking a comprehensive 32 bit filter which completely bans a specific IP address from accessing your machine after a trigger has been hit. These filters age (that is expire after a preset time, unless the age time has been set to "Never"). You can view the Aged Filter file at any time by clicking the "Aged Filters" button in the IPNetSentry Companion application. IPNetSentry can accommodate up to 100 aged filters at any time. Filters are removed by either:
Ñ Automatic aging (expiration).
Ñ Automatic first-in-first-out removal (if the aged filter file becomes too large).
Ñ Manual removal (through the IPNetSentry Companion application).
Clicking the Aged Filters button will display the IP Address, port, protocol and service from which the trigger was initiated, the date and time the trigger was initiated, and the date and time for which the filter will expire.
By clicking any item in this list you can:
Ñ Reset the expiration time
Ñ Get more information about a specific IP address causing a trigger (contact information regarding this domain).
Ñ Delete a specific aged filter. Making any changes to the Aged Filter list when the IPNetSentry FBA is running, and then closing the Aged Filter window, will cause the IPNetSentry FBA to restart (thereby reloading the updated Aged Filter file).
Performing Trace Routes with IPNetMonitor
Intruders will often work from IP Addresses which are not easily resolved (that is, performing a Name Server reverse lookup will not return the network administrator nor any other contact or origin information). Another way to obtain information regarding the intruder's origin is to do a trace route. This will trace every router along the path back to the intruder. In this manner you should be able to determine from what country or region (and backbone network provider) the intruder originates. NOTE: because IPNetSentry automatically installs a filter blocking ALL datagrams from an intruder, a trace route will NOT show return packets from this intruder. The last returned packets will originate from the router nearest the intruder.
IPNetSentry makes it easy to perform a trace route on an intruder. But before you can do this you must:
- setup the "Internet" control panel (Internet Config on older Mac OS systems) so that "traceroute" commands are executed by IPNetMonitor.
To setup the Internet (Internet Config) control panel:
- open the Internet control panel
- select the "Advanced" tab
- click on the "Helper Apps" icon and Add... a new Helper Application
- enter "traceroute" as the type and description
- "Select" IPNetMonitor as the application which should be the target for traceroute commands.
- Click "OK" and save these new settings.
Now, anytime you receive notification of an intrusion, you can automatically run a trace route on this intruder by simply holding down the Control key on your keyboard and closing the notification alert. You can also hold down both the Shift and Control keys to both get more information about the intruder's specific IP address (through your browser) AND run a trace route.
Running IPNetSentry with IPNetRouter
IPNetSentry and IPNetRouter (our Macintosh software router product) can run together on the same machine. Both applications invoke IP filtering through our OTModl$Proxy module.
In most cases, the firewall protection offered by IPNetRouter is sufficient by itself. There are, however, some cases where IPNetSentry can offer additional benefits to the standard firewall protection of IPNetRouter, specifically:
Ñ The single ethernet configuration when sharing a cable/DSL/ADSL modem. Conventional firewall filtering does not work well in this single ethernet NIC configuration because the private LAN is physically attached to the public network. Invoking specific 32 bit filters on a selective basis when a trigger is hit in IPNetSentry is one way of providing protection of both the gateway machine and clients on your LAN.
Ñ Any cable modem connection where your gateway machine's IP address is assigned via DHCP from the cable company (either the single or dual ethernet setup). In this instance you will also want to add a trigger for Boot-P/DHCP (UDP Protocol, Port 67) to the IPNetSentry Config file. This will let IPNetSentry automatically ban any of your local neighbors from even seeing your machine after they renegotiate an IP address with the cable company (they will not even be able to ping your machine).
In all cases, any filters invoked by IPNetSentry can be directly viewed from the IPNetRouter IP Filtering window. You may have to refresh this window in order to display the latest filters (which dynamically change due to aging) .
Please see our IPNetSentry - IPNetRouter document for other details about running these products together.
Registration and Licensing
For information on registering, please see the Registration page on our website at
http://www.sustworks.com/site/reg.html .
Once you have downloaded the application, there are 3 basic ways to register:
1. Register on-line by clicking the "Purchase Registration" button in the IPNetSentry Companion Application. Or double click either the "Register online via Netscape" or "Register online via IE" documents in the Register NOW! folder. You need to have a web browser running (Netscape Navigator or MS Internet Explorer) and a valid credit card. The URL is: https://www.quicomm2.com/cgi-local/net_reg.cgi?m=ssoft. This server will automatically return your registration key within minutes.
2. Use the supplied Register via Kagi application to fill-in a Kagi registration form. Follow the instructions on the form to email, fax, or postal mail your registration to Kagi. Most common forms of payment are acceptable including personal checks. You can also complete a Kagi registration form online at: http://order.kagi.com/cgi-bin/register1.cgi?HQ. This server fills in a Kagi registration form and emails it for you. Kagi usually takes 1-3 days to process registrations. You cannot recieve an educational discount through Kagi.
3. For site license registrations, we can fax your company a proforma invoice. Please contact us at admin@sustworks.com for site licenses.
In each case, a program registration code will be sent to you by email once your payment is received.
To complete your registration, enter your information in the proper fields of the IPNetSentry Companion Application and press the "Save Registration" button. The IPNetSentry Companion application will contact our server and confirm that the registration information was accepted. (Please note: the only information sent to our server is the application name and the registration code. No other information is transmitted). You will receive confirmation that the registration was accepted and the main IPNetSentry Companion Application window will collapse (removing the registration fields).
Other Sustworks Software
We hope you find IPNetSentry useful. We also want to let you know about other software we develop that can enhance your Mac's networking capabilities. Like IPNetSentry, they all include a 21 day free trial.
IPNetMonitor (IPNM) provides a suite of integrated Internet tools which allows you to see how well TCP/IP is working on the fly. Perfect for tuning with IPNetTuner.
IPNetTuner (IPNT) optimizes your Macintosh's Internet connection, providing you with maximum throughput. IPNetTuner can help you get the most out of analog modem connections, cable modem connections, DSL/ADSL connections, broadband wireless connections, and high-speed ethernet connections.
IPNetRouter (IPNR) provides advanced Internet sharing, routing, and IP firewall capabilities for Macs. Using IPNR's NAT features you can share a single Internet connection with one or more other IP capable computers (including Windows boxes) from a single Macintosh.
You can download any of these software packages from our website:
