I've just installed PC Tools Firewall. I'm running XP, SP2
with all critical updates, SuperAntiSpyware and NOD 32.
In looking at the logs, and I find 10 or 15 entries in
about 1 or two minutes which read as follows:
Rule: TCP/UDP: Any other packet
Zone: Internet Zone
Action: blocked
Type: UDP
Additional: Port Dest: 137 Src 137 (some are to 138)
What are these?
TIA
Louise
Post removed (X-No-Archive: yes)
B. Nice wrote:
> On Fri, 09 Mar 2007 23:33:33 -0500, louise
> wrote:
>
>> I've just installed PC Tools Firewall.
>
> Yes. For what purpose?
>
>> I'm running XP, SP2
>> with all critical updates, SuperAntiSpyware and NOD 32.
>
> So you don't really need this socalled "firewall".
>
>> In looking at the logs, and I find 10 or 15 entries in
>> about 1 or two minutes which read as follows:
>>
>> Rule: TCP/UDP: Any other packet
>> Zone: Internet Zone
>> Action: blocked
>> Type: UDP
>> Additional: Port Dest: 137 Src 137 (some are to 138)
>>
>> What are these?
>
> Log entries.
>
> You should'nt be running software you don't understand. Otherwise
> there is http://www.pctools.com/contact/support/
Being as smart as you seem to think you are, I'm surprised
you're not aware that PC Tools is not providing support for
their free firewall.
So, if you know the answer to my question, I'd really
appreciate the information. People post here to learn and
to help others. In this case, I'm hoping to learn.
Louise
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
<
> Being as smart as you seem to think you are, I'm surprised you're not
> aware that PC Tools is not providing support for their free firewall.
>
> So, if you know the answer to my question, I'd really appreciate the
> information. People post here to learn and to help others. In this case,
> I'm hoping to learn.
>
> Louise
For the record, although PC Tools says they do not offer "support" for the
firewall they do offer bug fixes (they are working on an update at the
moment for a problem with version 2.0.0.9). They also have a public,
moderated forum where you can post questions and have them answered by other
knowledgeable users. The advantage over an NG (which is not moderated) is
that rude and otherwise inappropriate posts are deleted.
Ports 137-139 are your NetBios ports, which, unless you are on a local
area network, probably should be blocked. Most firewalls have NetBios
blocked by default, since for home computers, most of the time, it is
not needed, and the ports are prime targets for hackers. In my own
firewall rules I purposely have ports 137-139 blocked both inbound and
outbound, and have ports 1024-1029 (Service ports) blocked inbound.
Hackers specifically target posts 1024-1029, and my firewall log shows
a lot of hits on ports 1026 and 1028. Unless you can't access the
Internet, I would adivse leaving the default setting alone and keep
blocking ports 137-139. I would also recommend reading the Wikipedia
article on NetBios, which will help explain a few things:
http://en.wikipedia.org/wiki/NetBIOS
louise wrote:
> I've just installed PC Tools Firewall. I'm running XP, SP2
> with all critical updates, SuperAntiSpyware and NOD 32.
>
> In looking at the logs, and I find 10 or 15 entries in
> about 1 or two minutes which read as follows:
>
> Rule: TCP/UDP: Any other packet
> Zone: Internet Zone
> Action: blocked
> Type: UDP
> Additional: Port Dest: 137 Src 137 (some are to 138)
>
> What are these?
>
> TIA
>
> Louise
Bullseye wrote:
> Ports 137-139 are your NetBios ports, which, unless you are on a local
> area network, probably should be blocked. Most firewalls have NetBios
> blocked by default, since for home computers, most of the time, it is
> not needed, and the ports are prime targets for hackers. In my own
> firewall rules I purposely have ports 137-139 blocked both inbound and
> outbound, and have ports 1024-1029 (Service ports) blocked inbound.
> Hackers specifically target posts 1024-1029, and my firewall log shows
> a lot of hits on ports 1026 and 1028. Unless you can't access the
> Internet, I would adivse leaving the default setting alone and keep
> blocking ports 137-139. I would also recommend reading the Wikipedia
> article on NetBios, which will help explain a few things:
>
> http://en.wikipedia.org/wiki/NetBIOS
>
> louise wrote:
>> I've just installed PC Tools Firewall. I'm running XP, SP2
>> with all critical updates, SuperAntiSpyware and NOD 32.
>>
>> In looking at the logs, and I find 10 or 15 entries in
>> about 1 or two minutes which read as follows:
>>
>> Rule: TCP/UDP: Any other packet
>> Zone: Internet Zone
>> Action: blocked
>> Type: UDP
>> Additional: Port Dest: 137 Src 137 (some are to 138)
>>
>> What are these?
>>
>> TIA
>>
>> Louise
>
Thanks for your help - I will read it.
Louise
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
louise
> I've just installed PC Tools Firewall. I'm running XP, SP2
> with all critical updates, SuperAntiSpyware and NOD 32.
>
> In looking at the logs, and I find 10 or 15 entries in
> about 1 or two minutes which read as follows:
>
> Rule: TCP/UDP: Any other packet
> Zone: Internet Zone
> Action: blocked
> Type: UDP
> Additional: Port Dest: 137 Src 137 (some are to 138)
>
> What are these?
Ports 137/udp and 138/udp are most likely NetBIOS traffic. However,
that's a mere guess, because the logs lack significant information
(including at least IP addresses, interface and direction), which makes
them pretty much worthless.
cu
59cobalt
--
"Personal Firewalls are crap. Throw away any personal firewall. Personal
Firewalls are bad[tm]."
--Malte von dem Hagen on security-basics
Bullseye wrote:
> Ports 137-139 are your NetBios ports, which, unless you are on a local
> area network, probably should be blocked. Most firewalls have NetBios
> blocked by default, since for home computers, most of the time, it is
> not needed, and the ports are prime targets for hackers. In my own
> firewall rules I purposely have ports 137-139 blocked both inbound and
> outbound, and have ports 1024-1029 (Service ports) blocked inbound.
> Hackers specifically target posts 1024-1029, and my firewall log shows
> a lot of hits on ports 1026 and 1028. Unless you can't access the
> Internet, I would adivse leaving the default setting alone and keep
> blocking ports 137-139. I would also recommend reading the Wikipedia
> article on NetBios, which will help explain a few things:
>
> http://en.wikipedia.org/wiki/NetBIOS
>
> louise wrote:
>> I've just installed PC Tools Firewall. I'm running XP, SP2
>> with all critical updates, SuperAntiSpyware and NOD 32.
>>
>> In looking at the logs, and I find 10 or 15 entries in
>> about 1 or two minutes which read as follows:
>>
>> Rule: TCP/UDP: Any other packet
>> Zone: Internet Zone
>> Action: blocked
>> Type: UDP
>> Additional: Port Dest: 137 Src 137 (some are to 138)
>>
>> What are these?
>>
>> TIA
>>
>> Louise
>
I ran into problems with PCTools because something they're
doing is provoking AV software (NOD and AVG), even their
newest version. I decided I really didn't want something
that was so buggy because I couldn't trust it. I read the
forums on their site and decided to wait quite a while
before going near it.
So I tried Kerio 2.1.5 which is light and "to the point". I
added the rules you suggested about port blocking and all is
running beautifully and taking minimal resources. I also
found a site that gave tips on setting rules for kerio and,
for whatever they are worth, I'm passing the Shields UP
tests on both my desktop and my portable.
Thanks for your suggestions about port blocking.
Louise
Post removed (X-No-Archive: yes)
louise wrote:
> So I tried Kerio 2.1.5 which is light and "to the point". I added the
> rules you suggested about port blocking and all is running beautifully
> and taking minimal resources.
This seems questionable as to just what are you trying to accomplish.
> I also found a site that gave tips on
> setting rules for kerio and, for whatever they are worth, I'm passing
> the Shields UP tests on both my desktop and my portable.
So, it's to be assumed that the two machines that are connected to your
router, the LAN or Local Area Network, are never to share resources or
network between the two, which are the ports you're blocking below with
the PFW.
Ports 137-139 are your NetBios ports, which, unless you are on a local
area network, probably should be blocked. Most firewalls have NetBios
If the machine is never to network, then simply remove MS File & Print
Sharing and Client for MS Network off of the NIC (Network Interface
Card) and those ports you have blocked including port TCP 445(NT based
O/S such as XP) are not open *period*. You don't need to set any rules
with a PFW for those ports as they are not open.
>
> Thanks for your suggestions about port blocking.
Why are you blocking the Windows Networking Ports while your machines
are setting behind a NAT router and those ports are closed to the
WAN/Wide Area Network - the Internet, by default?
No computer from the Internet can get to your machines on those ports
and network with a machine, because they are behind the router.
That's unless *you* configured the router to open those ports. If you
didn't do that, then it's a moot point of you setting rules with the PFW
running on the computer to block the ports.
It only makes sense to set PFW rules to close those ports if the machine
had a direct connection to the modem and therefore to the Internet. You
don't want the machine in that networking situation -- that's bad.
The other reason would be that your laptop was on a LAN wireless or
wired and it was not your LAN. It would be another reason you would want
to set rules to close 137-139 UDP and 445 TCP with a PFW or remove the
services off of the NIC to close the ports so that the machine couldn't
network.
You seem very confused.
Maximum Dog4 wrote:
> louise wrote:
>
>
>> So I tried Kerio 2.1.5 which is light and "to the point". I added the
>> rules you suggested about port blocking and all is running beautifully
>> and taking minimal resources.
>
> This seems questionable as to just what are you trying to accomplish.
>
>> I also found a site that gave tips on setting rules for kerio and, for
>> whatever they are worth, I'm passing the Shields UP tests on both my
>> desktop and my portable.
>
> So, it's to be assumed that the two machines that are connected to your
> router, the LAN or Local Area Network, are never to share resources or
> network between the two, which are the ports you're blocking below with
> the PFW.
>
>
>
> Ports 137-139 are your NetBios ports, which, unless you are on a local
> area network, probably should be blocked. Most firewalls have NetBios
>
>
>
>
> If the machine is never to network, then simply remove MS File & Print
> Sharing and Client for MS Network off of the NIC (Network Interface
> Card) and those ports you have blocked including port TCP 445(NT based
> O/S such as XP) are not open *period*. You don't need to set any rules
> with a PFW for those ports as they are not open.
>
>
>>
>> Thanks for your suggestions about port blocking.
>
> Why are you blocking the Windows Networking Ports while your machines
> are setting behind a NAT router and those ports are closed to the
> WAN/Wide Area Network - the Internet, by default?
>
> No computer from the Internet can get to your machines on those ports
> and network with a machine, because they are behind the router.
>
> That's unless *you* configured the router to open those ports. If you
> didn't do that, then it's a moot point of you setting rules with the PFW
> running on the computer to block the ports.
>
> It only makes sense to set PFW rules to close those ports if the machine
> had a direct connection to the modem and therefore to the Internet. You
> don't want the machine in that networking situation -- that's bad.
>
> The other reason would be that your laptop was on a LAN wireless or
> wired and it was not your LAN. It would be another reason you would want
> to set rules to close 137-139 UDP and 445 TCP with a PFW or remove the
> services off of the NIC to close the ports so that the machine couldn't
> network.
>
> You seem very confused.
I may be very confused - but I'm not sure where my confusion
is and perhaps someone could explain it.
My laptop and desktop are not networked and do not share
files and/or printers. I don't want to remove this capacity
(by removing files), as I might want to network them at some
point in the future, but right now they are not networked
and I don't want them to be.
I sometimes use my laptop on other wireless connections that
are open and available either in other locations, or even in
my own house if I'm doing a lot of uploading with my
desktop. I also use it at friend's houses - they frequently
haven't secured their networks. In other words, there are
times when I hook into someone else' network - someone who
has left their network unsecured. So, I certainly want my
ports blocked at those times, don't I? My laptop travels
many places and finds signals when possible.
Why is Kerio such a questionable product? My impression was
that it was more reliable than Sygate, clearly doesn't
transmit the virus that PC Tools seems to be transmitting
and does not drain resources the way Sunbelt/Kerio or
Outpost do. I regret being unable to use Comodo but it
conflicted with both WinFaxPro and also with the spam filter
I use with OUtlook.
So, could you please explain what I'm confused about so that
I can learn? I thought I'd done a good job :-)
Louise
Sebastian Gottschalk wrote:
> louise wrote:
>
>> So I tried Kerio 2.1.5 which is light and "to the point".
>
> And has known vulnerabilities. I rest my case.
>
>> I added the rules you suggested about port blocking and all is
>> running beautifully and taking minimal resources.
>
> And messing up your network connectivity.
>
>> I'm passing the Shields UP tests on both my desktop and my portable.
>
> Ehm... and you don't consider this as a *bad* thing?
What doesn't have "known vulnerabilities" - the same applied
to Sygate, as I understood it. And Comodo simply doesn't
play well with some other software on my machine.
Blocking the ports doesn't appear to have messed up my
network connectivity at all - what "mess" are you referring to?
Why is it a "bad" thing to pass the Shield UP test?
Thanks.
Louise
Post removed (X-No-Archive: yes)
louise wrote:
> Maximum Dog4 wrote:
>
>> louise wrote:
>>
>>
>>
>>> So I tried Kerio 2.1.5 which is light and "to the point". I added
>>> the rules you suggested about port blocking and all is running
>>> beautifully and taking minimal resources.
>>
>>
>> This seems questionable as to just what are you trying to accomplish.
>>
>>> I also found a site that gave tips on setting rules for kerio and,
>>> for whatever they are worth, I'm passing the Shields UP tests on both
>>> my desktop and my portable.
>>
>>
>> So, it's to be assumed that the two machines that are connected to
>> your router, the LAN or Local Area Network, are never to share
>> resources or network between the two, which are the ports you're
>> blocking below with the PFW.
>>
>>
>>
>> Ports 137-139 are your NetBios ports, which, unless you are on a local
>> area network, probably should be blocked. Most firewalls have NetBios
>>
>>
>>
>>
>> If the machine is never to network, then simply remove MS File &
>> Print Sharing and Client for MS Network off of the NIC (Network
>> Interface Card) and those ports you have blocked including port TCP
>> 445(NT based O/S such as XP) are not open *period*. You don't need to
>> set any rules with a PFW for those ports as they are not open.
>>
>>
>>>
>>> Thanks for your suggestions about port blocking.
>>
>>
>> Why are you blocking the Windows Networking Ports while your machines
>> are setting behind a NAT router and those ports are closed to the
>> WAN/Wide Area Network - the Internet, by default?
>>
>> No computer from the Internet can get to your machines on those ports
>> and network with a machine, because they are behind the router.
>>
>> That's unless *you* configured the router to open those ports. If you
>> didn't do that, then it's a moot point of you setting rules with the
>> PFW running on the computer to block the ports.
>>
>> It only makes sense to set PFW rules to close those ports if the
>> machine had a direct connection to the modem and therefore to the
>> Internet. You don't want the machine in that networking situation --
>> that's bad.
>>
>> The other reason would be that your laptop was on a LAN wireless or
>> wired and it was not your LAN. It would be another reason you would
>> want to set rules to close 137-139 UDP and 445 TCP with a PFW or
>> remove the services off of the NIC to close the ports so that the
>> machine couldn't network.
>>
>> You seem very confused.
>
> I may be very confused - but I'm not sure where my confusion is and
> perhaps someone could explain it.
>
> My laptop and desktop are not networked and do not share files and/or
> printers. I don't want to remove this capacity (by removing files), as
> I might want to network them at some point in the future, but right now
> they are not networked and I don't want them to be.
>
You're not removing files. All you're doing is removing the services
off of the NIC, unbinding them off of the NIC, so no networking with the
machine is possible. If you do want to network the machine at a later
time, then you simply bind the services/protocols back on the NIC.
> I sometimes use my laptop on other wireless connections that are open
> and available either in other locations, or even in my own house if I'm
> doing a lot of uploading with my desktop. I also use it at friend's
> houses - they frequently haven't secured their networks. In other
> words, there are times when I hook into someone else' network - someone
> who has left their network unsecured. So, I certainly want my ports
> blocked at those times, don't I? My laptop travels many places and
> finds signals when possible.
If you unbind the networking services off of the NIC, the machine cannot
network. The networking ports are not open, period, because the services
that would open the networking ports to allow networking are not on the
NIC and are not active.
>
> Why is Kerio such a questionable product? My impression was that it was
> more reliable than Sygate, clearly doesn't transmit the virus that PC
> Tools seems to be transmitting and does not drain resources the way
> Sunbelt/Kerio or Outpost do. I regret being unable to use Comodo but it
> conflicted with both WinFaxPro and also with the spam filter I use with
> OUtlook.
This has nothing to do with the PFW, but rather, your ability to
understand, control and protect the O/S, which removing the networking
services off of the NIC protects the O/S, since you have no intention of
the a machine ever being in a networking situation -- not even on your LAN.
You remove the services off of the NIC, the machine cannot network no
matter what you connect the machine to in a LAN situation or the
machine is directly connected to a modem and the Internet/no router
between the modem and the computer. It flat-out cannot network when the
services are not there.
>
> So, could you please explain what I'm confused about so that I can
> learn? I thought I'd done a good job :-)
You go to the O/S and configure it/harden it to attack, not the PFW. You
understand and learn how to control and protect the O/S.
http://labmice.techtarget.com/articles/winxpsecuritychecklis t.htm
This link may help you understand. You un-check Client for MS Network
and MS File&Print sharing and the machine *cannot* network *period*.
http://www.practicallynetworked.com/sharing/xp/network_proto cols.htm
louise
> Sebastian Gottschalk wrote:
>> louise wrote:
>>> So I tried Kerio 2.1.5 which is light and "to the point".
>>
>> And has known vulnerabilities. I rest my case.
>>
>>> I added the rules you suggested about port blocking and all is
>>> running beautifully and taking minimal resources.
>>
>> And messing up your network connectivity.
>>
>>> I'm passing the Shields UP tests on both my desktop and my portable.
>>
>> Ehm... and you don't consider this as a *bad* thing?
>
> What doesn't have "known vulnerabilities" -
Known and unfixed vulnerabilities that are not going to be fixed,
because the product is out of support.
> the same applied to Sygate, as I understood it.
Aside from Sygate having a serious design flaw: the same applies to any
software that isn't supported by its vendor anymore.
[...]
> Blocking the ports doesn't appear to have messed up my network
> connectivity at all - what "mess" are you referring to?
My experience with personal firewalls as well as what I hear from users
of personal firewalls is that many of them will sometimes fsck up the
network connection(s) for no apparent reason.
> Why is it a "bad" thing to pass the Shield UP test?
It's not a bad thing per se. However, Steve Gibson doesn't really have a
clue when it comes to network and computer security, so his conclusions
and recommendations usually are misleading, to say the least. "Shields
UP" is okay if you can distinguish between fact and superstition.
However, in that case you'd probably be using something else (like nmap)
anyway.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
"Sebastian Gottschalk"
news:561r4sF274dhsU1@mid.dfncis.de...
> louise wrote:
>
>> Sebastian Gottschalk wrote:
>>> louise wrote:
>>>
>>>> So I tried Kerio 2.1.5 which is light and "to the point".
>>>
>>> And has known vulnerabilities. I rest my case.
>>>
>>>> I added the rules you suggested about port blocking and all is
>>>> running beautifully and taking minimal resources.
>>>
>>> And messing up your network connectivity.
>>>
>>>> I'm passing the Shields UP tests on both my desktop and my portable.
>>>
>>> Ehm... and you don't consider this as a *bad* thing?
>>
>> What doesn't have "known vulnerabilities"
>
> About any serious security software. After all, any reasonable person
> would
> cinsider such a thing unacceptable.
>
>> Blocking the ports doesn't appear to have messed up my
>> network connectivity at all - what "mess" are you referring to?
>
> Non RFC-conformant behaviour, broken PMTUD, broken Load Balancing, ... if
> you actually had a clue what you're doing, this would be obvious.
>
>> Why is it a "bad" thing to pass the Shield UP test?
>
> Because is testifies that your network connectivity is broken and your
> configuration is messed up.
Sebastian,
Most users on this NG are looking for help because they "don't know what
they are doing". The "Experts" typically are happy to help those of us who
are not experts. Your responses to any questions are typically cynical and
ambiguous. Your above response 'Non RFC-conformant behavior (What's that?),
'Broken PMTUD' (What's that?), 'broken Load Balancing' (What's that?) do
nothing to help the OP. Throwing out industry 'Buzz Words' to a layman is
not productive.
I suspect that you probably do have something to contribute. However, over
the time that I have been lurking on this NG, I have only seen 'one liners'
and sarcasms.
>
> Blocking the ports doesn't appear to have messed up my network
> connectivity at all - what "mess" are you referring to?
What network are you referring to? Are you referring to the network
connectivity that the machine can access the Internet, which the
Internet is a giant network. Blocking those ports meant nothing, because
once again, the router is setting there blocking those ports? Your
machines are NOT in a networking situation on ports 137-139 UDP and 445
TCP from another machine over the Internet. That should never happen.
Yes, your machine is connected to the router and therefore it's
connected to the Internet networking. Machines don't need to use 137-139
UDP or 445 TCP to network and communicate with each other there are
65,000 some other ports that machines can use to network on.
However, for the MS O/S in order for the machines to network with each
other to share files and the printer, the printer being on a host
machine, then 137-139 UDP and 445 TCP are the *standard* ports that have
been assigned to do that.
The fact is that you're not networking the machines in the first place
on the LAN, even with the services for networking on the NIC(s).
If you actually were to try to access one machine from the other on your
LAN, like logon to the remote machine and access its directories, etc,
then you're going to have problems, because you have blocked the ports
with the PFW.
The machines on the LAN are not networking, so it's a moot point that
you have blocked those ports. And you're not going to see any problems
with any networking because you blocked them, until you start trying to
network the machines on your LAN.
>
> Why is it a "bad" thing to pass the Shield UP test?
>
It would be one thing if you passed that test with a computer that had a
direct connection to the modem, which is a direct connection to the
Internet, using a PFW.
That test really means nothing, because once again, the machine is
setting behind a router. The router has all ports closed by default.
It's a bogus test that you're doing.
Post removed (X-No-Archive: yes)
Mr. Arnold wrote:
>>
>> Blocking the ports doesn't appear to have messed up my network
>> connectivity at all - what "mess" are you referring to?
>
> What network are you referring to? Are you referring to the network
> connectivity that the machine can access the Internet, which the
> Internet is a giant network. Blocking those ports meant nothing, because
> once again, the router is setting there blocking those ports? Your
> machines are NOT in a networking situation on ports 137-139 UDP and 445
> TCP from another machine over the Internet. That should never happen.
>
> Yes, your machine is connected to the router and therefore it's
> connected to the Internet networking. Machines don't need to use 137-139
> UDP or 445 TCP to network and communicate with each other there are
> 65,000 some other ports that machines can use to network on.
>
> However, for the MS O/S in order for the machines to network with each
> other to share files and the printer, the printer being on a host
> machine, then 137-139 UDP and 445 TCP are the *standard* ports that have
> been assigned to do that.
>
> The fact is that you're not networking the machines in the first place
> on the LAN, even with the services for networking on the NIC(s).
>
> If you actually were to try to access one machine from the other on your
> LAN, like logon to the remote machine and access its directories, etc,
> then you're going to have problems, because you have blocked the ports
> with the PFW.
>
> The machines on the LAN are not networking, so it's a moot point that
> you have blocked those ports. And you're not going to see any problems
> with any networking because you blocked them, until you start trying to
> network the machines on your LAN.
>>
>> Why is it a "bad" thing to pass the Shield UP test?
>>
>
> It would be one thing if you passed that test with a computer that had a
> direct connection to the modem, which is a direct connection to the
> Internet, using a PFW.
>
> That test really means nothing, because once again, the machine is
> setting behind a router. The router has all ports closed by default.
> It's a bogus test that you're doing.
Thanks for explaining. I will know that I blocked
networking, if I ever do want to network the two machines
and I will remove the firewall rule I created.
As soon as I get a chance, I will connect each machine
separately to the modem, thereby removing the router, and
use Shields Up again. I may be back with more questions
when I do, but at least I'll know why I'm asking them :-)
Louise