Firewall question

on 18.07.2007 15:51:54 by Chuck

I just switched antivirus programs a few weeks ago from NAV to Bit
Defender and in doing so lost the Norton Internet Worm Protection (i.e.
the built-in firewall). So I decided to enable the Windows firewall and
also turned on logging. I also have a FW built in to my Netgear WGR614
router which is supposed to be blocking everything except for 3 or 4 ports
that I have forwarded. When I check the Windows FW log however I see
thousands of entries where the action column is set to "DROP" for ports
that shouldn't even be getting through the hardware firewall. For
example TCP ports 2188 and 2273, and UDP port 8088, none of which are
forwarded. How are they getting as far as the software firewall?

My IP has not changed for several months and none of the IP's below are
my WAN IP.

Here's a couple of examples.

#Fields: date time action protocol src-ip dst-ip src-port dst-port size
tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - -
- - - - - RECEIVE

2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A
4075071033 456793686 27466 - - - RECEIVE

2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP
2133527059 111240437 18356 - - - RECEIVE

TIA

Re: Firewall question

on 18.07.2007 16:19:30 by MR. Arnold

"Chuck" wrote in message
news:_Voni.12961$LH5.10424@trnddc02...
>I just switched antivirus programs a few weeks ago from NAV to Bit
> Defender and in doing so lost the Norton Internet Worm Protection (i.e.
> the builtin firewall). So I decided to enable the windows firewall and
> also turned on logging. I also have a FW built in to my netgear wgr614
> router which is supposed to be blocking everything except for 3 or 4 ports
> that I have forwarded. When I check the Windows FW log however I see
> thousands of entries where the action column is set to "DROP" for ports
> that shouldn't even be getting through the hardware firewall. For
> example TCP ports 2188 and 2273, and UDP port 8088 none of which are
> forwarded. How are they getting as far as the software firewall?
>
> My IP has not changed for several months and none of the IP's below are
> my WAN IP.
>
> Here's a couple of examples.
>
> #Fields: date time action protocol src-ip dst-ip src-port dst-port size
> tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
>
> 2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - -
> - - - - - RECEIVE
>
> 2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A
> 4075071033 456793686 27466 - - - RECEIVE
>
> 2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP
> 2133527059 111240437 18356 - - - RECEIVE
>
> TIA

Close all the ports on the router, don't forward them. And if you don't have
the same thing happening, then that should tell you that you have ports open,
and anything can come down a forwarded open port with unsolicited inbound
traffic, from people who are looking for openings and something listening on the port.

Re: Firewall question

on 18.07.2007 16:43:55 by Chuck

Mr. Arnold wrote:
>
> "Chuck" wrote in message
> news:_Voni.12961$LH5.10424@trnddc02...
>> I just switched antivirus programs a few weeks ago from NAV to Bit
>> Defender and in doing so lost the Norton Internet Worm Protection (i.e.
>> the builtin firewall). So I decided to enable the windows firewall and
>> also turned on logging. I also have a FW built in to my netgear wgr614
>> router which is supposed to be blocking everything except for 3 or 4 ports
>> that I have forwarded. When I check the Windows FW log however I see
>> thousands of entries where the action column is set to "DROP" for ports
>> that shouldn't even be getting through the hardware firewall. For
>> example TCP ports 2188 and 2273, and UDP port 8088 none of which are
>> forwarded. How are they getting as far as the software firewall?
>>
>> My IP has not changed for several months and none of the IP's below are
>> my WAN IP.
>>
>> Here's a couple of examples.
>>
>> #Fields: date time action protocol src-ip dst-ip src-port dst-port size
>> tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
>>
>> 2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - -
>> - - - - - RECEIVE
>>
>> 2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A
>> 4075071033 456793686 27466 - - - RECEIVE
>>
>> 2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP
>> 2133527059 111240437 18356 - - - RECEIVE
>>
>> TIA
>
> Close all the ports on the router, don't forward them. And if you don't
> have the same thing happening, then that should tell you that you have ports
> open, and anything can come down a forwarded open port with
> unsolicited inbound traffic, from people who are looking for openings and something
> listening on the port.

I can't do that. I am not at home and that will cut off my remote access
to the network. I just double-checked the router and the only forwarded
port is for ssh. And even that's secured as much as possible. It's
running on a non-standard port, only allows pubkey authentication, and
has a 5 second login grace time.
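
The three controls Chuck lists (non-default port, pubkey-only, short LoginGraceTime) as a checkable sshd_config audit. This is an added example for this thread, not Chuck's real configuration: both config texts are constructed, the port number 2222 and the 30 second grace-time ceiling are assumptions, and the checker reads a config file directly rather than querying a running sshd. Note that moving the port reduces log noise from scanners, not the attack surface; pubkey-only is what actually removes password guessing, and it requires every non-key method to be switched off, not just PasswordAuthentication.

```python
"""Audit an sshd_config for: non-default port, pubkey-only auth, short grace time.

Added example for this thread, not Chuck's actual configuration. The two
config texts below are constructed; the port number 2222 is an assumption.
"""
import re

WEAK_CONFIG = """\
# typical as-shipped values (constructed)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
LoginGraceTime 2m
"""

HARDENED_CONFIG = """\
# pubkey-only on a non-standard port with a 5 s grace time (constructed)
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
LoginGraceTime 5
"""

MAX_GRACE_SECONDS = 30  # assumption: a policy ceiling, not an sshd default

# Keyword line: "Key value" or "Key=value"; Match blocks are not modelled here.
_LINE_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*)")


def parse_sshd_config(text: str) -> dict:
    """Keyword/value pairs with lower-cased keys; sshd honours the first occurrence."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        conf.setdefault(m.group(1).lower(), m.group(2).strip())
    return conf


def grace_seconds(value: str) -> int:
    """LoginGraceTime accepts plain seconds or an s/m/h suffix."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.lower())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]


def audit(text: str) -> list:
    """Return a list of findings; an empty list means all three controls are in place."""
    conf = parse_sshd_config(text)
    findings = []
    if conf.get("port", "22") == "22":
        findings.append("Port 22: default port, attracts the most probe noise")
    if conf.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is off")
    # Pubkey-only means every other method must be off. OpenSSH defaults both
    # of these to yes; newer releases spell the second KbdInteractiveAuthentication.
    for key in ("passwordauthentication", "challengeresponseauthentication"):
        if conf.get(key, "yes") == "yes":
            findings.append(f"{key} is (or defaults to) yes: not pubkey-only")
    grace = grace_seconds(conf.get("logingracetime", "120"))
    if grace > MAX_GRACE_SECONDS:
        findings.append(f"LoginGraceTime {grace}s exceeds {MAX_GRACE_SECONDS}s")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; for the effective, Match-resolved settings of a live daemon, `sshd -T` is the authoritative source and its output parses with the same function.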

Re: Firewall question

on 18.07.2007 16:46:18 by Chuck

Mr. Arnold wrote:
>
> "Chuck" wrote in message
> news:_Voni.12961$LH5.10424@trnddc02...
>> I just switched antivirus programs a few weeks ago from NAV to Bit
>> Defender and in doing so lost the Norton Internet Worm Protection (i.e.
>> the builtin firewall). So I decided to enable the windows firewall and
>> also turned on logging. I also have a FW built in to my netgear wgr614
>> router which is supposed to be blocking everything except for 3 or 4 ports
>> that I have forwarded. When I check the Windows FW log however I see
>> thousands of entries where the action column is set to "DROP" for ports
>> that shouldn't even be getting through the hardware firewall. For
>> example TCP ports 2188 and 2273, and UDP port 8088 none of which are
>> forwarded. How are they getting as far as the software firewall?
>>
>> My IP has not changed for several months and none of the IP's below are
>> my WAN IP.
>>
>> Here's a couple of examples.
>>
>> #Fields: date time action protocol src-ip dst-ip src-port dst-port size
>> tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
>>
>> 2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - -
>> - - - - - RECEIVE
>>
>> 2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A
>> 4075071033 456793686 27466 - - - RECEIVE
>>
>> 2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP
>> 2133527059 111240437 18356 - - - RECEIVE
>>
>> TIA
>
> Close all the ports on the router, don't forward them. And if you don't
> have the same thing happening, then that should tell you that you have ports
> open, and anything can come down a forwarded open port with
> unsolicited inbound traffic, from people who are looking for openings and something
> listening on the port.

Could these inbound requests be passed through due to SPI? A lot of them
have a source port on the remote machine of 80 or 443. Not all, but
most. I'm thinking they may be something someone launched from a web
browser on my home PC. Like audio streaming for example.

Re: Firewall question

on 18.07.2007 17:21:49 by MR. Arnold

"Chuck" wrote in message
news:LGpni.12967$LH5.4187@trnddc02...
> Mr. Arnold wrote:
>>
>> "Chuck" wrote in message
>> news:_Voni.12961$LH5.10424@trnddc02...
>>> I just switched antivirus programs a few weeks ago from NAV to Bit
>>> Defender and in doing so lost the Norton Internet Worm Protection (i.e.
>>> the builtin firewall). So I decided to enable the windows firewall and
>>> also turned on logging. I also have a FW built in to my netgear wgr614
>>> router which is supposed to be blocking everything except for 3 or 4 ports
>>> that I have forwarded. When I check the Windows FW log however I see
>>> thousands of entries where the action column is set to "DROP" for ports
>>> that shouldn't even be getting through the hardware firewall. For
>>> example TCP ports 2188 and 2273, and UDP port 8088 none of which are
>>> forwarded. How are they getting as far as the software firewall?
>>>
>>> My IP has not changed for several months and none of the IP's below are
>>> my WAN IP.
>>>
>>> Here's a couple of examples.
>>>
>>> #Fields: date time action protocol src-ip dst-ip src-port dst-port size
>>> tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
>>>
>>> 2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - -
>>> - - - - - RECEIVE
>>>
>>> 2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A
>>> 4075071033 456793686 27466 - - - RECEIVE
>>>
>>> 2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP
>>> 2133527059 111240437 18356 - - - RECEIVE
>>>
>>> TIA
>>
>> Close all the ports on the router, don't forward them. And if you don't
>> have the same thing happening, then that should tell you that you have ports
>> open, and anything can come down a forwarded open port with unsolicited
>> inbound traffic, from people who are looking for openings and something listening on
>> the port.
>
> I can't do that. I am not at home and that will cut off my remote access
> to the network. I just double checked the router and the only forwarded
> port is for ssh. And even that's secured as much as possible. It's running
> on a non-standard port, only allows pubkey authentication, and has a 5
> second login grace time.

SSH is only an encryption protocol, and I think that in no way means the
port is not attackable, if open.

Re: Firewall question

on 18.07.2007 17:21:50 by MR. Arnold

>> Close all the ports on the router, don't forward them. And if you don't
>> have the same thing happening, then that should tell you that you have ports
>> open, and anything can come down a forwarded open port with unsolicited
>> inbound traffic, from people who are looking for openings and something listening on
>> the port.
>
> Could these inbound requests be passed through due to SPI? A lot of them
> have a source port on the remote machine of 80 or 443. Not all, but most.
> I'm thinking they may be something someone launched from a web browser on
> my home PC. Like audio streaming for example.

SPI blocks unsolicited traffic based on a stateful connection being made by
a program on a port running on a machine behind the router, in this case
using SPI.

If XP's FW is blocking packets, then I think unsolicited inbound packets are
being blocked, for whatever reason that may be.

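The log lines Chuck posted carry enough to test his guess about browser sessions: the TCP entries come from source port 80 or 443, have only ACK (or ACK+PSH) set, no SYN, and are aimed at ports in the client (ephemeral) range, which is what the tail end of a web connection looks like after the PC has already closed its socket. A stateful router keeps forwarding such packets while its state entry is alive; the host firewall, which has no matching socket, drops them. A fresh probe looks different: SYN only, aimed at a service port. The triage script below is an added example for this thread, not code from either poster: it parses the pfirewall.log format using the `#Fields:` header, labels each DROP with that heuristic, and flags sources sending SYNs to several local ports. The three real lines are Chuck's; the two `198.51.100.7` lines are constructed to show what a scan looks like beside them. The 1025 to 5000 ephemeral range (XP's default MaxUserPort) and the 80/443 service-port set are assumptions, and the labels are an interpretation, not ground truth.

```python
"""Triage DROP entries from a Windows Firewall log (pfirewall.log format).

Added example for this thread, not code from the original posts. The three
data lines from the thread are real; the two 198.51.100.7 lines are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = """\
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - - - - - - - RECEIVE
2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A 4075071033 456793686 27466 - - - RECEIVE
2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP 2133527059 111240437 18356 - - - RECEIVE
2007-07-01 21:05:10 DROP TCP 198.51.100.7 192.168.1.2 3411 135 48 S 9924711 0 65535 - - - RECEIVE
2007-07-01 21:05:11 DROP TCP 198.51.100.7 192.168.1.2 3412 445 48 S 9924712 0 65535 - - - RECEIVE
"""

# Assumptions: XP hands client sockets ports 1025-5000 (default MaxUserPort),
# and 80/443 are the server ports a browser session would have talked to.
EPHEMERAL = range(1025, 5001)
SERVICE_PORTS = {80, 443}


@dataclass
class Entry:
    time: str
    action: str
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int]   # None for ICMP, logged as "-"
    dst_port: Optional[int]
    size: int
    tcpflags: str             # "-" for non-TCP
    path: str


def _port(s: str) -> Optional[int]:
    return None if s == "-" else int(s)


def parse_log(text: str) -> list:
    """Parse using the #Fields header so the column order is never hard-coded."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or wrapped line: skip rather than misparse
        rec = dict(zip(fields, parts))
        entries.append(Entry(
            time=rec["time"], action=rec["action"], protocol=rec["protocol"],
            src_ip=rec["src-ip"], dst_ip=rec["dst-ip"],
            src_port=_port(rec["src-port"]), dst_port=_port(rec["dst-port"]),
            size=int(rec["size"]), tcpflags=rec["tcpflags"], path=rec["path"]))
    return entries


def classify(e: Entry) -> str:
    """Heuristic label for one dropped packet (an interpretation, not ground truth)."""
    if e.protocol == "TCP":
        if "S" in e.tcpflags and "A" not in e.tcpflags:
            return "unsolicited-syn"      # a new connection nobody on the LAN asked for
        if "A" in e.tcpflags and e.src_port in SERVICE_PORTS and e.dst_port in EPHEMERAL:
            # Data/ACK from a web server to a client port: the tail of a
            # conversation the PC already closed, passed by the router's
            # still-live state entry, dropped by the host firewall.
            return "late-return-traffic"
        return "tcp-other"
    if e.protocol == "UDP":
        return "udp-unsolicited"          # no handshake, so nothing to match it to
    return "other"


def summarize(entries) -> Counter:
    return Counter(classify(e) for e in entries)


def scan_sources(entries, min_ports: int = 2) -> set:
    """Sources sending unsolicited SYNs to at least min_ports distinct local ports."""
    ports = defaultdict(set)
    for e in entries:
        if classify(e) == "unsolicited-syn":
            ports[e.src_ip].add(e.dst_port)
    return {ip for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.time} {e.protocol:3} {e.src_ip}:{e.src_port} -> :{e.dst_port} "
              f"flags={e.tcpflags:3} {classify(e)}")
    print(dict(summarize(parsed)), "scanners:", scan_sources(parsed))
```

Pointed at a real `pfirewall.log` (`parse_log(open(path).read())`), the `summarize` counts show at a glance whether the thousands of DROPs are mostly `late-return-traffic` (noise from the PC's own browsing, not a hole in the router) or `unsolicited-syn` (something reaching the host that the router should have stopped), and `scan_sources` picks out the few addresses worth looking at.
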
Re: Firewall question

on 20.07.2007 07:26:15 by cattanack

Chuck wrote:

> It's running on a non-standard port, only allows pubkey authentication, and
> has a 5 second login grace time.

qwerty?

Re: Firewall question

on 20.07.2007 18:05:16 by Chuck

cattanack@yahoo.com wrote:
> Chuck wrote:
>
>> It's running on a non-standard port, only allows pubkey authentication, and
>> has a 5 second login grace time.
>
> qwerty?
>

Are you asking if that's the password? If so, no. Pubkey authentication
is like using an SSL certificate in that it uses a public and private
key pair. Only the holder of the private key (me) can log on.