Will keeping it blocked on Windows Firewall eliminate any potential risk (so far as I can tell it still functions as intended when blocked)?

56 minutes ago, GoddersUK wrote

*snip*

I'm slightly concerned that this could also be open and internet facing

*snip*

By "this" do you mean 127.0.0.1 (port 8777) or the proxy's internet facing side?

The loopback range 127.0.0.0/8 is supposed to be dropped if any of those packets should get on the network.  Those packets are not supposed to be on the network.

The proxy's internet facing side ... if the proxy were keeping listening ports open you could check it out by doing a netstat -ano and seeing what ports are listening, cull out the known ones, and investigate the unknown ones.

If it's listening on all addresses but you use WF to block communication from outside, without it breaking, then again you're safe (although the software probably shouldn't have done that in the first place) and I'd carry on using it in that config.

For example, in C# you can get either behaviour:

// This form is loopback only and not visible from outside of your machine:

listener = new TcpListener(new IPEndPoint(IPAddress.Loopback, port));

// this form exposes the port:

listener = new TcpListener(new IPEndPoint(IPAddress.Any, port));

Assuming you're running Windows Firewall, you'll get a prompt with the latter to ask you if you want to add an exception to punch a hole through the firewall. If your program gave you a Windows Firewall prompt, then you might want to make a feature request to the product team to allow you disable it.

If you didn't see a prompt, you're probably safe.

I have no idea what the software is actually listening too (ie. if it's listening for all attempted connections or only those arising from this computer.

@evildictaitor: I did get a Windows Firewall prompt. So this implies it's listening for incoming connections? (There's no reason that I can see for it to need incoming external connections and it appears to function perfectly when incoming connections are blocked on Windows Firewall).

I need to post on their support forums for an unrelated issue so I'll raise this with them then too.

19 hours ago, DaveWill2 wrote

*snip*

By "this" do you mean 127.0.0.1 (port 8777) or the proxy's internet facing side?

I mean I'm concerned the proxy that the software has installed on my machine could be accessible from other machines.

@evildictaitor: ATM I'm connected to a large university hall of residence network so it's always a good idea to be suspicious. You can't trust who or what you're connecting to - a while back they had a problem with malware on connected computers pretending to be the DHCP server and infecting unpatched machines. Similarly when I connect to the main university network (since I'm not normally in halls).

Anyway I think I'm safe atm. Thanks guys!

You can't trust who or what you're connecting to - a while back they had a problem with malware on connected computers pretending to be the DHCP server and infecting unpatched machines.

If you're on a university campus you'll have a big external firewall because the university will be sitting behind a big NAT, so you're probably good.

If you're in the csci department at your university, you might want to check (via Wireshark) that all of the machines are link-local isolated. Unfortunately there are design bugs in the TCP/IP stack that mean that computers who are situated next to you can do nasty things to your machine (e.g. ARP poisoning and DHCP poisoning (which can lead to DNS poisoning as well as network boot), as well as sending your network card network-on/network-off packets if they're enabled).

The canonical solution for this is to have all of the machines on the network living in their own subnet, preventing different machines on the network to DHCP or ARPing each other. If you do that, you only have to trust the routers aren't compromised, you don't have to care about the machines that are connected.

14 hours ago, evildictait​or wrote

*snip*

If you're on a university campus you'll have a big external firewall because the university will be sitting behind a big NAT, so you're probably good.

A lot of University networks won't actually be behind a NAT at all, because they were the ones who got the initial set of Class B networks, so often they're actually handing out publically addressable IP ranges internally (they really should and probably are firewalled these days, however).

That said, it's probably unlikely in most cases that there is much in the way of internal segregation between student residences, so it's definitely worth making sure your machine is treating the university network more like a public network than a private one.