new to firewalls
on 17.10.2007 03:57:46 by Bri
I just installed Comodo Pro Firewall.
I have never really used a firewall before
and I have a question. I keep getting
inbound policy violation entries in the log
every few minutes, all from the same IP
address. Can someone explain this?
Date/Time: 2007-10-16 20:47:23
Severity: Medium
Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.65:nbname(137)
Destination: 192.168.1.255:nbname(137)
Reason: Network Control Rule ID = 5
Date/Time: 2007-10-16 20:47:18
Severity: Medium
Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.65:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5
thanks
tom
Re: new to firewalls
on 17.10.2007 05:14:29 by Mr. Arnold
"Tom W." wrote in message
news:cvmah3tqi44bm3ltj1fcen519e1km3jf13@4ax.com...
>
> I just installed comodo pro firewall.
> I have never really used a firewall before
> and I have a question. I keep getting
> inbound policy violation entries in the log
> every few minutes all from the same ip
> address. Can someone explain this?
>
Something like Comodo is not FW technology. Comodo is a personal packet
filter or machine level packet filter, and it's not FW technology.
You can start with the links.
http://www.vicomsoft.com/knowledge/reference/firewalls1.html
http://www.more.net/technical/netserv/tcpip/firewalls/
> Date/Time: 2007-10-16 20:47:23
> Severity: Medium
> Reporter: Network Monitor
> Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbname(137))
> Protocol: UDP Incoming
> Source: 192.168.1.65:nbname(137)
> Destination: 192.168.1.255:nbname(137)
> Reason: Network Control Rule ID = 5
>
>
>
> Date/Time: 2007-10-16 20:47:18
> Severity: Medium
> Reporter: Network Monitor
> Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbdgram(138))
> Protocol: UDP Incoming
> Source: 192.168.1.65:nbdgram(138)
> Destination: 192.168.1.255:nbdgram(138)
> Reason: Network Control Rule ID = 5
>
It was denied; the personal packet filter is doing its job of stopping
unsolicited inbound traffic. What you need to worry about is the inbound
traffic that is coming through the packet filter and is not being denied.
A connection is made due to some program running on the computer behind the
FW or packet filter that has made a solicitation for traffic to a
remote/Internet IP, because the program sent outbound traffic to the site,
and inbound traffic is coming back -- the solicitation.
There are two types of traffic a FW or a packet filter is going to deal with,
and this is kind of a default. 1) Solicited inbound traffic. Traffic is coming
inbound because a program running behind the FW or packet filter has sent
outbound traffic, or the contact was initiated by the program behind the FW
or packet filter. The FW or packet filter is going to let that type of
inbound traffic pass. The traffic may or may not be legit. It could be a
legit program or a malware program that is doing the solicitation.
2) Unsolicited inbound traffic is just the opposite. No program running
behind the FW or packet filter has made a solicitation for inbound traffic.
That type of inbound traffic is blocked or denied.
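The solicited/unsolicited rule Mr. Arnold describes is what a stateful packet filter does: it remembers outbound flows and lets inbound packets in only when they answer one. The following is an added example, not code from the thread or from Comodo, that implements that rule as a toy filter and runs constructed packets through it. The two NetBIOS broadcasts mirror Tom's log entries; the DNS exchange, the 198.51.100.7 remote host and the timestamps are assumptions made for the demonstration.

```python
"""Added example, not code from the thread or from Comodo: a toy stateful
packet filter implementing Mr. Arnold's two categories. Inbound traffic is
allowed only when a host behind the filter already sent matching outbound
traffic (solicited); all other inbound traffic is denied (unsolicited).
All packets below are constructed; the two NetBIOS broadcasts mirror Tom's
log entries and 198.51.100.7 is an assumed remote host."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (from the protected host) or "in"
    proto: str       # "UDP", "TCP", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: float        # seconds, constructed timestamps


# proto, local ip, local port, remote ip, remote port
FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Remembers outbound flows and admits inbound packets only for those."""

    def __init__(self, idle_timeout: float = 60.0) -> None:
        self.idle_timeout = idle_timeout
        self.flows: Dict[FlowKey, float] = {}   # flow -> last time seen

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.flows.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def decide(self, pkt: Packet) -> str:
        self._expire(pkt.ts)
        if pkt.direction == "out":
            # The outbound packet is the solicitation; remember the flow.
            key: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.flows[key] = pkt.ts
            return "allow"
        # Inbound: look for the reverse of a remembered outbound flow.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            self.flows[key] = pkt.ts
            return "allow (solicited)"
        return "deny (unsolicited)"


def run_demo() -> List[str]:
    """Feed a constructed packet sequence through the filter."""
    fw = StatefulFilter(idle_timeout=60.0)
    traffic = [
        # A DNS lookup from the protected host and its reply (assumed resolver).
        Packet("out", "UDP", "192.168.1.64", 52001, "192.168.1.1", 53, 0.0),
        Packet("in",  "UDP", "192.168.1.1", 53, "192.168.1.64", 52001, 0.1),
        # The two NetBIOS broadcasts from Tom's log: nobody asked for them.
        Packet("in",  "UDP", "192.168.1.65", 137, "192.168.1.255", 137, 1.0),
        Packet("in",  "UDP", "192.168.1.65", 138, "192.168.1.255", 138, 1.5),
        # Arnold's caveat: a program (legit or malware) calling out is also
        # a solicitation, so the answer sails through. Remote host assumed.
        Packet("out", "TCP", "192.168.1.64", 49152, "198.51.100.7", 443, 2.0),
        Packet("in",  "TCP", "198.51.100.7", 443, "192.168.1.64", 49152, 2.2),
        # A reply that arrives after the idle timeout is unsolicited again.
        Packet("in",  "UDP", "192.168.1.1", 53, "192.168.1.64", 52001, 120.0),
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The point of the fifth and sixth packets is Arnold's caveat: the filter cannot tell a browser from a trojan calling home, because both produce an outbound packet first. That is why he says the denied entries are not the ones to worry about.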
Re: new to firewalls
on 17.10.2007 05:27:59 by Bri
On Tue, 16 Oct 2007 23:14:29 -0400, "Mr. Arnold"
<Arnold@Arnold.com> wrote:
>
>"Tom W." wrote in message
>news:cvmah3tqi44bm3ltj1fcen519e1km3jf13@4ax.com...
>>
>> I just installed comodo pro firewall.
>> I have never really used a firewall before
>> and I have a question. I keep getting
>> inbound policy violation entries in the log
>> every few minutes all from the same ip
>> address. Can someone explain this?
>>
>
>Something like Comodo is not FW technology. Comodo is a personal packet
>filter or machine level packet filter, and it's not FW technology.
>
>You can start with the links.
>
>http://www.vicomsoft.com/knowledge/reference/firewalls1.html
>http://www.more.net/technical/netserv/tcpip/firewalls/
>
>> Date/Time: 2007-10-16 20:47:23
>> Severity: Medium
>> Reporter: Network Monitor
>> Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbname(137))
>> Protocol: UDP Incoming
>> Source: 192.168.1.65:nbname(137)
>> Destination: 192.168.1.255:nbname(137)
>> Reason: Network Control Rule ID = 5
>>
>>
>>
>> Date/Time: 2007-10-16 20:47:18
>> Severity: Medium
>> Reporter: Network Monitor
>> Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbdgram(138))
>> Protocol: UDP Incoming
>> Source: 192.168.1.65:nbdgram(138)
>> Destination: 192.168.1.255:nbdgram(138)
>> Reason: Network Control Rule ID = 5
>>
>
>It was denied; the personal packet filter is doing its job of stopping
>unsolicited inbound traffic. What you need to worry about is the inbound
>traffic that is coming through the packet filter and is not being denied.
>A connection is made due to some program running on the computer behind the
>FW or packet filter that has made a solicitation for traffic to a
>remote/Internet IP, because the program sent outbound traffic to the site,
>and inbound traffic is coming back -- the solicitation.
>
>There are two types of traffic a FW or a packet filter is going to deal with,
>and this is kind of a default. 1) Solicited inbound traffic. Traffic is coming
>inbound because a program running behind the FW or packet filter has sent
>outbound traffic, or the contact was initiated by the program behind the FW
>or packet filter. The FW or packet filter is going to let that type of
>inbound traffic pass. The traffic may or may not be legit. It could be a
>legit program or a malware program that is doing the solicitation.
>
>2) Unsolicited inbound traffic is just the opposite. No program running
>behind the FW or packet filter has made a solicitation for inbound traffic.
>That type of inbound traffic is blocked or denied.
>
>
>
>
Rebooting the computer seems to have cleared it up.
Thanks for the response.
Tom
Re: new to firewalls
on 17.10.2007 05:50:31 by Mr. Arnold
"Tom W." wrote in message
news:l20bh3l7pog4370vep6vkvrmn76trks1va@4ax.com...
> On Tue, 16 Oct 2007 23:14:29 -0400, "Mr. Arnold"
> <Arnold@Arnold.com> wrote:
>
>>
>>"Tom W." wrote in message
>>news:cvmah3tqi44bm3ltj1fcen519e1km3jf13@4ax.com...
>>>
>>> I just installed comodo pro firewall.
>>> I have never really used a firewall before
>>> and I have a question. I keep getting
>>> inbound policy violation entries in the log
>>> every few minutes all from the same ip
>>> address. Can someone explain this?
>>>
>>
>>Something like Comodo is not FW technology. Comodo is a personal packet
>>filter or machine level packet filter, and it's not FW technology.
>>
>>You can start with the links.
>>
>>http://www.vicomsoft.com/knowledge/reference/firewalls1.html
>>http://www.more.net/technical/netserv/tcpip/firewalls/
>>
>>> Date/Time: 2007-10-16 20:47:23
>>> Severity: Medium
>>> Reporter: Network Monitor
>>> Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbname(137))
>>> Protocol: UDP Incoming
>>> Source: 192.168.1.65:nbname(137)
>>> Destination: 192.168.1.255:nbname(137)
>>> Reason: Network Control Rule ID = 5
>>>
>>>
>>>
>>> Date/Time: 2007-10-16 20:47:18
>>> Severity: Medium
>>> Reporter: Network Monitor
>>> Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbdgram(138))
>>> Protocol: UDP Incoming
>>> Source: 192.168.1.65:nbdgram(138)
>>> Destination: 192.168.1.255:nbdgram(138)
>>> Reason: Network Control Rule ID = 5
>>>
>>
>>It was denied; the personal packet filter is doing its job of stopping
>>unsolicited inbound traffic. What you need to worry about is the inbound
>>traffic that is coming through the packet filter and is not being denied.
>>A connection is made due to some program running on the computer behind the
>>FW or packet filter that has made a solicitation for traffic to a
>>remote/Internet IP, because the program sent outbound traffic to the site,
>>and inbound traffic is coming back -- the solicitation.
>>
>>There are two types of traffic a FW or a packet filter is going to deal with,
>>and this is kind of a default. 1) Solicited inbound traffic. Traffic is coming
>>inbound because a program running behind the FW or packet filter has sent
>>outbound traffic, or the contact was initiated by the program behind the FW
>>or packet filter. The FW or packet filter is going to let that type of
>>inbound traffic pass. The traffic may or may not be legit. It could be a
>>legit program or a malware program that is doing the solicitation.
>>
>>2) Unsolicited inbound traffic is just the opposite. No program running
>>behind the FW or packet filter has made a solicitation for inbound traffic.
>>That type of inbound traffic is blocked or denied.
>>
>>
>>
>>
>
> Rebooting the computer seems to have cleared it up.
> Thanks for the response.
>
I suspect that's not the case. Unsolicited inbound traffic which was what
the packet filter was blocking is just everyday noise or traffic on the
Internet. The booting of the computer is not going to clear it up, unless
Comodo was doing false reporting, which can happen with any PFW/personal
packet filter. But most likely, the unsolicited was stopped from whatever on
the other end, because it couldn't get through, and it moved on.
Re: new to firewalls
on 17.10.2007 15:57:46 by Bri
On Tue, 16 Oct 2007 23:50:31 -0400, "Mr. Arnold"
<Arnold@Arnold.com> wrote:
>snipped for space.
>>>
>>>
>>>
>>>
>>
>> Rebooting the computer seems to have cleared it up.
>> Thanks for the response.
>>
>
>I suspect that's not the case. Unsolicited inbound traffic which was what
>the packet filter was blocking is just everyday noise or traffic on the
>Internet. The booting of the computer is not going to clear it up, unless
>Comodo was doing false reporting, which can happen with any PFW/personal
>packet filter. But most likely, the unsolicited was stopped from whatever on
>the other end, because it couldn't get through, and it moved on.
I just turned on the computer this morning and got this:
Date/Time: 2007-10-17 09:39:48
Severity: Medium
Reporter: Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol: IGMP Outgoing
Source: 192.168.1.64
Destination: 224.0.0.22
Reason: Network Control Rule ID = 5
Windows Media Player goes out on 192.168.1.64. I don't know what
it is.
tom
Re: new to firewalls
on 17.10.2007 16:04:12 by Sebastian Gottschalk
Tom W. wrote:
> I just turned on the computer this morning and got this:
>
>
> Date/Time: 2007-10-17 09:39:48
> Severity: Medium
> Reporter: Network Monitor
> Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
> Protocol: IGMP Outgoing
> Source: 192.168.1.64
> Destination: 224.0.0.22
> Reason: Network Control Rule ID = 5
>
> Windows Media Player goes out on 192.168.1.64. I don't know what
> it is.
If you don't have sufficient knowledge about networks and protocols, why do
you even run a host-based packet filter and even further believe that you
could actually achieve any level of security through it?
The above is a simple multicast subscription initiated upon your very own
request.
Re: new to firewalls
on 17.10.2007 17:25:55 by Bri
On Wed, 17 Oct 2007 16:04:12 +0200, "Sebastian G."
wrote:
>Tom W. wrote:
>
>
>> I just turned on the computer this morning and got this:
>>
>>
>> Date/Time: 2007-10-17 09:39:48
>> Severity: Medium
>> Reporter: Network Monitor
>> Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
>> Protocol: IGMP Outgoing
>> Source: 192.168.1.64
>> Destination: 224.0.0.22
>> Reason: Network Control Rule ID = 5
>>
>> Windows Media Player goes out on 192.168.1.64. I don't know what
>> it is.
>
>
>If you don't have sufficient knowledge about networks and protocols, why do
>you even run a host-based packet filter and even further believe that you
>could actually achieve any level of security through it?
>
>The above is a simple multicast subscription initiated upon your very own
>request.
I had picked up a few trojans and decided to install a firewall.
Comodo was supposed to be good so I installed it. It
was blocking repeated connections from somewhere and
I wondered why. It was recommended so I installed it.
Tom
Re: new to firewalls
on 17.10.2007 18:53:24 by goarilla
Tom W. wrote:
> On Tue, 16 Oct 2007 23:50:31 -0400, "Mr. Arnold"
> <Arnold@Arnold.com> wrote:
>
>> snipped for space.
>>>>
>>>>
>>>>
>>> Rebooting the computer seems to have cleared it up.
>>> Thanks for the response.
>>>
>> I suspect that's not the case. Unsolicited inbound traffic which was what
>> the packet filter was blocking is just everyday noise or traffic on the
>> Internet. The booting of the computer is not going to clear it up, unless
>> Comodo was doing false reporting, which can happen with any PFW/personal
>> packet filter. But most likely, the unsolicited was stopped from whatever on
>> the other end, because it couldn't get through, and it moved on.
>
> I just turned on the computer this morning and got this:
>
>
> Date/Time: 2007-10-17 09:39:48
> Severity: Medium
> Reporter: Network Monitor
> Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
> Protocol: IGMP Outgoing
> Source: 192.168.1.64
> Destination: 224.0.0.22
> Reason: Network Control Rule ID = 5
>
> Windows Media Player goes out on 192.168.1.64. I don't know what
> it is.
>
> tom
>
IIRC 224.x.x.x is a multicast address.
It seems to me WMP is trying to become part of the multicast group,
which could be normal behaviour; IIRC WMP could try this to accept
multicast packets for information like MSN Today. WMP loads things from the
internet like advertisements, new BBC clips, ...
I myself wouldn't allow this, but I myself will never use WMP.
Re: new to firewalls
on 17.10.2007 19:30:06 by Bri
On Wed, 17 Oct 2007 18:53:24 +0200, goarilla <"kevin DOT paulus AT
skynet DOT be"> wrote:
>Tom W. wrote:
>> On Tue, 16 Oct 2007 23:50:31 -0400, "Mr. Arnold"
>> <Arnold@Arnold.com> wrote:
>>
>>> snipped for space.
>>>>>
>>>>>
>>>>>
>>>> Rebooting the computer seems to have cleared it up.
>>>> Thanks for the response.
>>>>
>>> I suspect that's not the case. Unsolicited inbound traffic which was what
>>> the packet filter was blocking is just everyday noise or traffic on the
>>> Internet. The booting of the computer is not going to clear it up, unless
>>> Comodo was doing false reporting, which can happen with any PFW/personal
>>> packet filter. But most likely, the unsolicited was stopped from whatever on
>>> the other end, because it couldn't get through, and it moved on.
>>
>> I just turned on the computer this morning and got this:
>>
>>
>> Date/Time: 2007-10-17 09:39:48
>> Severity: Medium
>> Reporter: Network Monitor
>> Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
>> Protocol: IGMP Outgoing
>> Source: 192.168.1.64
>> Destination: 224.0.0.22
>> Reason: Network Control Rule ID = 5
>>
>> Windows Media Player goes out on 192.168.1.64. I don't know what
>> it is.
>>
>> tom
>>
>IIRC 224.x.x.x is a multicast address.
>It seems to me WMP is trying to become part of the multicast group,
>which could be normal behaviour; IIRC WMP could try this to accept
>multicast packets for information like MSN Today. WMP loads things from the
>internet like advertisements, new BBC clips, ...
>
>I myself wouldn't allow this, but I myself will never use WMP.
Ok... Thanks. I didn't have problems until I let ActiveX and
scripting through on Internet Explorer. Almost every page
wants to use ActiveX and I gave in and let the browser use it.
When I did I started to get loaded with adware and viruses.
Tom
Re: new to firewalls
on 17.10.2007 22:54:04 by Sebastian Gottschalk
Tom W. wrote:
>> If you don't have sufficient knowledge about networks and protocols, why do
>> you even run a host-based packet filter and even further believe that you
>> could actually achieve any level of security through it?
>>
>> The above is a simple multicast subscription initiated upon your very own
>> request.
>
> I had picked up a few trojans and decided to install a firewall.
Firewalls can't protect against trojan horses, and in fact nothing but
education can. Even further, if you picked up some trojan horses, then you
installed them intentionally and it's solely your very own fault - how
should dumb software prevent you from doing what you want, and why would you
not enforce your own stupid ideas against such software?
> Comodo was supposed to be good so I installed it.
If you had informed yourself properly, then you'd understand that Comodo is
anything but good. It hooks into various kernel functions for no good, or
better said: no serious reason, and thus adds a huge amount of complexity -
and complexity is exactly the contrary of security.
> It was blocking repeated connections from somewhere and
> I wondered why.
Don't worry, we also wonder why it does what it does. Since it has no actual
goal, it seems like it acts particularly random / non-deterministic.
Re: new to firewalls
on 17.10.2007 23:01:52 by Sebastian Gottschalk
Tom W. wrote:
> Ok... Thanks. I didn't have problems until I let ActiveX and
> scripting through on Internet Explorer.
You don't need ActiveX or even the scripting stuff to get malware when
visiting websites with MSIE.
> Almost every page wants to use ActiveX and I gave in and
> let the browser use it.
Now the real question is: Why are you abusing MSIE as a web browser, and why
do you even wonder that this would lead to security problems?
And, as I see it now: As you're most likely not Michael Grossman, why are
you abusing his domain here.com for your mail address?
Re: new to firewalls
on 17.10.2007 23:02:03 by Leythos
In article <5nnb4qFj51tgU1@mid.dfncis.de>, seppi@seppig.de says...
> Firewalls can't protect against trojan horses, and in fact nothing but
> education can.
Trojans and other malware are the result of downloading some file that
installs the malware.
With HTTP, SMTP and FTP proxy services in firewalls, you can block
attachments of types that commonly infect systems.
As an example, we don't allow non-admin users to download any file that
could be "Run" or Zip files, as well as about 30 other types....
So, a firewall can protect against them, but it does it by keeping you
from getting at them.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
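Leythos's proxy rule denies by file type, which raises the question of how a proxy decides what type a download is. The block below is an added example, not the thread's or any product's code, of a small download gate that denies by extension (an assumed subset of the "about 30 other types" he mentions) and, because a name is trivial to change, also by the leading bytes of the content. The extension list, the admin exemption and the sample byte strings are all assumptions made for the demonstration.

```python
"""Added example, not from the thread or any product: a download gate in the
spirit of Leythos's proxy rule. It denies by extension (an assumed subset of
the "about 30 other types" he mentions) and, since a name is trivial to
change, also by the leading bytes of the content. All inputs are constructed
byte strings, not real files."""
from typing import Tuple

# Assumed policy list; a real deployment would carry the full set.
BLOCKED_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi",
    ".zip", ".rar", ".cab", ".jar",
}
# Container and executable formats recognised by signature.
RISKY_KINDS = {"pe", "zip", "rar", "cab", "ole"}


def extension_of(name: str) -> str:
    """Lower-cased extension of the last path component, or "" if none."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def sniff(data: bytes) -> str:
    """Identify a few risky formats by magic bytes rather than by name."""
    if data[:2] == b"MZ":
        return "pe"    # DOS/PE executable: .exe, .dll, .scr, ...
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"):
        return "zip"   # also .jar and Office Open XML (.docx etc.)
    if data[:7] == b"Rar!\x1a\x07\x00" or data[:8] == b"Rar!\x1a\x07\x01\x00":
        return "rar"
    if data[:4] == b"MSCF":
        return "cab"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"   # legacy Office compound file, may carry macros
    return "other"


def decide(filename: str, data: bytes, is_admin: bool = False) -> Tuple[str, str]:
    """Return (verdict, reason). Admin users bypass the rule, as in the post."""
    if is_admin:
        return "allow", "admin exempt"
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "deny", f"blocked extension {ext}"
    kind = sniff(data)
    if kind in RISKY_KINDS:
        return "deny", f"content is {kind} despite name {filename!r}"
    return "allow", "no blocked type detected"


if __name__ == "__main__":
    samples = [
        ("setup.exe", b"MZ\x90\x00\x03\x00"),       # blocked by name
        ("readme.txt", b"MZ\x90\x00\x03\x00"),      # renamed PE, blocked by content
        ("report.pdf", b"%PDF-1.4\n"),              # allowed
        ("invoice.docx", b"PK\x03\x04\x14\x00"),    # zip container, blocked
    ]
    for name, blob in samples:
        print(name, decide(name, blob))
```

The second sample is the reason for sniffing at all: an `.exe` renamed to `.txt` passes the extension check and is only caught by its `MZ` header. The last sample shows the cost of the same strictness: Office Open XML documents are zip containers, so this gate refuses them too, and a real proxy policy has to decide whether to allowlist those names or inspect inside the archive before letting them through.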
Re: new to firewalls
on 18.10.2007 00:22:12 by Sharky
Tom W. wrote:
>Can someone explain this?
>
>Date/Time: 2007-10-16 20:47:23
>Severity: Medium
>Reporter: Network Monitor
>Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbname(137))
>Protocol: UDP Incoming
>Source: 192.168.1.65:nbname(137)
>Destination: 192.168.1.255:nbname(137)
>Reason: Network Control Rule ID = 5
Normal Micro$oft NetBIOS over TCP/IP traffic from a private network.
If you connect to a network with other computers (like a private
wireless network) you will normally see this traffic because M$ turns
on NetBIOS over TCP/IP by default on all network interfaces. I
recommend that people turn off this setting unless they have a need to
reference computers on their network by NetBIOS name.
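Sharky's reading of the UDP 137/138 entries (NetBIOS over TCP/IP chatter from a LAN peer) and the earlier explanation by Sebastian and goarilla of the IGMP entry to 224.0.0.22 (a multicast group membership report) can be turned into a small triage script. The following is an added example, not code from the thread or from Comodo: it parses the Network Monitor lines quoted in the thread and labels each one. The field layout is inferred from the three entries Tom posted, the LAN is assumed to be 192.168.1.0/24 from the addresses in them, and `SAMPLE_LINES` holds constructed copies of those entries plus one made-up probe from 203.0.113.9 to show the other branch.

```python
"""Added example, not from the thread or from Comodo: parse the Network
Monitor log lines Tom posted and classify each one. The field layout is
inferred from the three entries in the thread, the LAN is assumed to be
192.168.1.0/24 from the addresses in them, and SAMPLE_LINES are constructed
copies of those entries plus one made-up probe from 203.0.113.9."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed from the log addresses
NETBIOS_PORTS = {137, 138, 139}                # nbname, nbdgram, nbsession

# Layout as it appears in the thread (fields run together after extraction).
_EVENT_RE = re.compile(
    r"(?P<dir>Inbound|Outbound) Policy Violation.*?"
    r"Protocol:\s*(?P<proto>[A-Za-z]+)\s+(?:Incoming|Outgoing)\s*"
    r"Source:\s*(?P<src>\S+)\s+Destination:\s*(?P<dst>\S+)"
    r".*?Rule ID\s*=\s*(?P<rule>\d+)"
)
# "192.168.1.65:nbname(137)", "203.0.113.9:1234" or a bare "192.168.1.64".
_ENDPOINT_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?:[A-Za-z-]+\()?(?P<port>\d+)\)?)?$"
)


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Return the interesting fields of one log line, or None if unparsable."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    src = _ENDPOINT_RE.match(m.group("src"))
    dst = _ENDPOINT_RE.match(m.group("dst"))
    if not src or not dst:
        return None
    return {
        "direction": m.group("dir").lower(),
        "proto": m.group("proto").upper(),
        "src_ip": src.group("ip"),
        "src_port": int(src.group("port")) if src.group("port") else None,
        "dst_ip": dst.group("ip"),
        "dst_port": int(dst.group("port")) if dst.group("port") else None,
        "rule": int(m.group("rule")),
    }


def classify(ev: Dict[str, object], lan: ipaddress.IPv4Network = LAN) -> str:
    src = ipaddress.ip_address(str(ev["src_ip"]))
    dst = ipaddress.ip_address(str(ev["dst_ip"]))
    if ev["direction"] == "inbound":
        on_lan = src in lan
        # Sharky's case: a LAN peer announcing itself to the subnet broadcast.
        if (on_lan and ev["proto"] == "UDP" and ev["dst_port"] in NETBIOS_PORTS
                and dst == lan.broadcast_address):
            return "lan-netbios-broadcast"
        return "lan-unsolicited" if on_lan else "external-unsolicited"
    # Outbound. 224.0.0.0/4 is multicast; IGMP to it is a group membership
    # report, the "multicast subscription" Sebastian and goarilla describe.
    if ev["proto"] == "IGMP" and dst.is_multicast:
        return "igmp-membership-report"
    if dst.is_multicast:
        return "multicast-outbound"
    return "outbound-blocked"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count events per class; unparsable lines are reported, not dropped."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_event(line)
        counts[classify(ev) if ev else "unparsed"] += 1
    return dict(counts)


SAMPLE_LINES = [
    "Date/Time :2007-10-16 20:47:23Severity :MediumReporter :Network MonitorDescription: "
    "Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbname(137))"
    "Protocol: UDP IncomingSource: 192.168.1.65:nbname(137) Destination: "
    "192.168.1.255:nbname(137) Reason: Network Control Rule ID = 5",
    "Date/Time :2007-10-16 20:47:18Severity :MediumReporter :Network MonitorDescription: "
    "Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbdgram(138))"
    "Protocol: UDP IncomingSource: 192.168.1.65:nbdgram(138) Destination: "
    "192.168.1.255:nbdgram(138) Reason: Network Control Rule ID = 5",
    "Date/Time :2007-10-17 09:39:48Severity :MediumReporter :Network MonitorDescription: "
    "Outbound Policy Violation (Access Denied, Protocol = IGMP)Protocol:IGMP "
    "OutgoingSource: 192.168.1.64 Destination: 224.0.0.22 Reason: Network Control Rule ID = 5",
    # Constructed: an unsolicited probe from outside the LAN, same layout.
    "Date/Time :2007-10-17 09:41:02Severity :MediumReporter :Network MonitorDescription: "
    "Inbound Policy Violation (Access Denied, IP = 203.0.113.9, Port = microsoft-ds(445))"
    "Protocol: TCP IncomingSource: 203.0.113.9:1234 Destination: "
    "192.168.1.64:microsoft-ds(445) Reason: Network Control Rule ID = 5",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_event(line)
        print(classify(ev) if ev else "unparsed")
    print(summarize(SAMPLE_LINES))
```

Two of Tom's entries land in `lan-netbios-broadcast`, which is the everyday noise Sharky describes, and the IGMP one in `igmp-membership-report`. The constructed probe lands in `external-unsolicited`, the bucket that deserves attention when it recurs; the script keys off the assumed LAN prefix rather than the address class, because Comodo's log does not say which interface the packet arrived on.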
Re: new to firewalls
on 18.10.2007 02:41:39 by Mr. Arnold
"Tom W." wrote in message
news:urdch319p41isa5oip0bmcn0hpq10g18fj@4ax.com...
> On Wed, 17 Oct 2007 18:53:24 +0200, goarilla <"kevin DOT paulus AT
> skynet DOT be"> wrote:
>
>>Tom W. wrote:
>>> On Tue, 16 Oct 2007 23:50:31 -0400, "Mr. Arnold"
>>> <Arnold@Arnold.com> wrote:
>>>
>>>> snipped for space.
>>>>>>
>>>>>>
>>>>>>
>>>>> Rebooting the computer seems to have cleared it up.
>>>>> Thanks for the response.
>>>>>
>>>> I suspect that's not the case. Unsolicited inbound traffic which was
>>>> what
>>>> the packet filter was blocking is just everyday noise or traffic on the
>>>> Internet. The booting of the computer is not going to clear it up,
>>>> unless
>>>> Comodo was doing false reporting, which can happen with any
>>>> PFW/personal
>>>> packet filter. But most likely, the unsolicited was stopped from
>>>> whatever on
>>>> the other end, because it couldn't get through, and it moved on.
>>>
>>> I just turned on the computer this morning and got this:
>>>
>>>
>>> Date/Time: 2007-10-17 09:39:48
>>> Severity: Medium
>>> Reporter: Network Monitor
>>> Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
>>> Protocol: IGMP Outgoing
>>> Source: 192.168.1.64
>>> Destination: 224.0.0.22
>>> Reason: Network Control Rule ID = 5
>>>
>>> Windows Media Player goes out on 192.168.1.64. I don't know what
>>> it is.
>>>
>>> tom
>>>
>>IIRC 224.x.x.x is a multicast address.
>>It seems to me WMP is trying to become part of the multicast group,
>>which could be normal behaviour; IIRC WMP could try this to accept
>>multicast packets for information like MSN Today. WMP loads things from the
>>internet like advertisements, new BBC clips, ...
>>
>>I myself wouldn't allow this, but I myself will never use WMP.
>
> Ok... Thanks. I didn't have problems until I let ActiveX and
> scripting through on Internet Explorer. Almost every page
> wants to use ActiveX and I gave in and let the browser use it.
> When I did I started to get loaded with adware and viruses.
>
I read your other post about picking up some Trojans. The machine has been
compromised. You should consider what is in the link.
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
It's up to you to practice safe hex, like not using IE if it's a problem
for you. Only use IE when a site calls for the use of IE, and instead of using
OE or Outlook, find alternatives to these solutions that are less susceptible to
attack, in your case.
http://www.claymania.com/safe-hex.html
Firefox for the browser and Thunderbird for the email client are free. FF
has the touch and feel of IE but doesn't use ActiveX controls and is a
little tighter in its vulnerabilities.
But you should know this. None of this stuff, and I mean *NONE* of this stuff,
is bulletproof. I don't care what O/S, like MS, Linux, Apple, whatever, or
what applications are running on the platforms, as all of it is vulnerable to
attack.
On the MS platform such as XP or other NT-classed MS O/S(s), you have to go
look from time to time for yourself with other tools. You cannot think that
any one solution is providing stop-all protection and notification. They
cannot do it.
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
You should harden or tighten the O/S to attack as much as possible, like if
Client for MS Networks and MS File & Print Sharing are enabled on the
Network Interface Card or dial-up connection and it's a computer that is
connected to the modem, which is a direct connection to the Internet, then
those services or features should be removed. The computer has no business
or should have no possibility of being in any networking situation while
connected to the Internet in this manner - none.
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
The buck starts with you, the buck stops with you, and what you are or are
not doing to protect your situation, with the knowledge you have to do it.
I say it's based upon who is sitting behind the wheel and is doing the driving.