A Windows 98 & ME forum. Win98banter



firewalls - what to block and why - your security at risk



 
 
  #1  
Old July 28th 07, 05:29 PM posted to microsoft.public.win98.gen_discussion
MEB[_2_]
firewalls - what to block and why - your security at risk

PCR and Gram Pappy [among others] have been discussing firewall settings and
what they can or should be used for.

In the spirit of those discussions, I thought I would post some blocked
activity from a SINGLE session/contact through my ISP and ONLY to this news
server and my email accounts [via OE6]. This is from the firewall log
[several of my normal settings/restrictions were specifically reset for this
presentation].
No other Internet activity occurred [e.g., no external IE or browser usage
or other activity]. All *allowed activity* has been removed, so that the
addresses and activities blocked might be addressed for perhaps a greater
understanding of the function of firewalls, what they can and are used for,
and other aspects related thereto.
For those who do not understand firewalls, these activities would or may
have been allowed as they followed either programs IN USE [allowed
activity], or through addressing [broadcast or otherwise] had a firewall not
been used.
NOTE: this is contact through a dial-up connection[phone]/ISP [which is
indicated via some of these addresses], ALWAYS ON connections are even more
of a security risk.

Hopefully, this discussion will be useful to those interested and provide
theory and answers to various issues.
Rule sets or other settings for various firewalls would naturally be of
interest.

1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port received': Blocked: In UDP, 189.153.168.143:32737-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107-localhost:1434, Owner: no owner
1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:7212, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:8000, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner
1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port received': Blocked: In UDP, 90.20.19.204:46983-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received': Blocked: In UDP, 87.235.125.80:8052-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port received': Blocked: In UDP, 69.126.6.107:32338-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened port received': Blocked: In UDP, 189.128.113.251:16491-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1026, Owner: no owner
1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1027, Owner: no owner
1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened port received': Blocked: In UDP, 200.117.180.230:22925-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': Blocked: In UDP, 74.120.200.92:45097-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': Blocked: In UDP, 88.22.213.173:19033-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port received': Blocked: In UDP, 74.107.240.241:48641-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.95:53699-localhost:1026, Owner: no owner
1,[28/Jul/2007 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, 67.81.156.51:20406-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, 200.89.49.207:23085-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.90:33490-localhost:1026, Owner: no owner
1,[28/Jul/2007 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, 142.161.209.54:15611-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, 190.60.89.179:47922-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1185, Owner: no owner
1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port received': Blocked: In UDP, 190.31.24.235:50988-localhost:29081, Owner: no owner


--
MEB
http://peoplescounsel.orgfree.com
________




  #2  
Old July 28th 07, 10:19 PM posted to microsoft.public.win98.gen_discussion
PCR
firewalls - what to block and why - your security at risk

MEB wrote:
| PCR and Gram Pappy [among others] have been discussing firewall
| settings and what they can or should be used for.

That's right. I installed...
http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW

...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
later began a 17 year study of what to do with it. But I should have
spoken up sooner!

| In the spirit of those discussions, I thought I would post some
| blocked activity from a SINGLE session/contact through my ISP and
| ONLY to this news server and my email accounts [via OE6]. This is
| from the firewall log [several of my normal settings/restrictions
| were specifically reset for this presentation].

Thanks for jumping in. So, you wanted to see what would happen just by
connecting to the NET & using OE for mail & NG activity.

| No other Internet activity occurred [e.g., no external IE or browser
| usage or other activity]. All *allowed activity* has been removed, so
| that the addresses and activities blocked might be addressed for
| perhaps a greater understanding of the function of firewalls, what
| they can and are used for, and other aspects related thereto.

Really, it's important to see what was allowed too. Where I thought my
Primary DNS Server rule would be used only by NetZero (they are NetZero
addresses in there)... really a whole bunch of apps were using it! But
that's in the other thread!

| For those who do not understand firewalls, these activities would or
| may have been allowed as they followed either programs IN USE [allowed
| activity], or through addressing [broadcast or otherwise] had a
| firewall not been used.

That is right. Without a firewall with a good set of denial rules, all
activity is allowed. Hopefully, if a virus or a trojan or a spy can
sneak in that way, a good virus detector will prevent it from executing.
Also, there may have been an MS fix or two to prevent some forms of
abuse along these lines (I don't know).

| NOTE: this is contact through a dial-up connection[phone]/ISP [which
| is indicated via some of these addresses], ALWAYS ON connections are
| even more of a security risk.

Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.

| Hopefully, this discussion will be useful to those interested and
| provide theory and answers to various issues.
| Rule sets or other settings for various firewalls would naturally be
| of interest.
|
| 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
| Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner

I find I have to guess as to the meaning of that. Looks like someone at
67.170.2.174, who is Comcast...

http://www.networksolutions.com/whoi...p=67.170.2.174
......Quote...........
67.170.2.174
Record Type: IP Address

Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
67.160.0.0 - 67.191.255.255
Comcast Cable Communications, IP Services WASHINGTON-6
(NET-67-170-0-0-1)
67.170.0.0 - 67.170.127.255
......EOQ.............

...sent a UDP datagram to port 29081 on your machine. But I don't
know...

(1) did the port exist without an owner, & would it have received
the datagram (except the rule blocked it)?
(The name of that rule suggests the answer is no.)

(2) did the port once exist & at that time have an owner,
but somehow was closed before the datagram arrived?
Therefore, it couldn't get it, anyhow, even if not blocked?

(3) did the port 29081 never exist?

Do any earlier log entries mention that port? You'd have to log all
activity of each "permit" rule to know for sure. But, if there is no
rule permitting the activity, then you would have received a Kerio
requestor mentioning the port.

Here is a Kerio help page to study...

.......Quote............
Filter.log file

The filter.log file is used for logging Kerio Personal Firewall actions
on a local computer. It is created in a directory where Personal
Firewall is installed (typically C:\Program Files\Kerio\Personal
Firewall). It is created upon the first record.

Filter.log is a text file where each record is placed on a new line. It
has the following format:

1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked:
In TCP, richard.kerio.cz [192.168.2.38:3772]-localhost:25, Owner:
G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE

How to read this line:

1 — rule type (1 = denying, 2 = permitting)

[08/Jun/2001 16:52:09] — date and time that the packet was detected (we
recommend checking the correct setting of the system time on your
computer)

Rule 'Internet Information Services' — name of a rule that was applied
(from the Description field)

Blocked: / Permitted: — indicates whether the packet was blocked or
permitted (corresponds with the number at the beginning of the line)

In / Out — indicates an incoming or outgoing packet

IP / TCP / UDP / ICMP, etc. — communication protocol (for which the rule
was defined)

richard.kerio.com [192.168.2.38:3772] — DNS name of the computer, from
which the packet was sent, in square brackets is the IP address with the
source port after a colon

localhost:25 — destination IP address (or DNS name) and port (localhost =
this computer)

Owner: — name of the local application to which the packet is addressed
(including its full path). If the application is a system service the
name displayed is SYSTEM.
..........EOQ.................

| 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
| Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner

That one seems to be coming from...

NetRange: 200.0.0.0 - 200.255.255.255
NetName: LACNIC-200

| 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no owner
| 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027, Owner: no owner
| 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port received': Blocked: In UDP, 189.153.168.143:32737-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107-localhost:1434, Owner: no owner
| 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:7212, Owner: no owner
| 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:8000, Owner: no owner
| 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner
| 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port received': Blocked: In UDP, 90.20.19.204:46983-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received': Blocked: In UDP, 87.235.125.80:8052-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port received': Blocked: In UDP, 69.126.6.107:32338-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened port received': Blocked: In UDP, 189.128.113.251:16491-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1026, Owner: no owner
| 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1027, Owner: no owner
| 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened port received': Blocked: In UDP, 200.117.180.230:22925-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': Blocked: In UDP, 74.120.200.92:45097-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': Blocked: In UDP, 88.22.213.173:19033-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port received': Blocked: In UDP, 74.107.240.241:48641-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.95:53699-localhost:1026, Owner: no owner
| 1,[28/Jul/2007 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, 67.81.156.51:20406-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, 200.89.49.207:23085-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.90:33490-localhost:1026, Owner: no owner
| 1,[28/Jul/2007 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, 142.161.209.54:15611-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, 190.60.89.179:47922-localhost:29081, Owner: no owner
| 1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1185, Owner: no owner
| 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port received': Blocked: In UDP, 190.31.24.235:50988-localhost:29081, Owner: no owner
|
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
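
As an added example (not code from either poster, nor from Kerio), here is a small Python parser for the filter.log layout described in the Kerio help text quoted above, run over constructed sample lines in the same layout that use RFC 5737 documentation addresses. Beyond parsing, it tallies denials per rule and reports any blocked inbound source that stepped through several distinct local ports, the pattern visible in the first post where 218.10.137.139 hits localhost:1026 and then :1027 from the same source port. The one assumption beyond the help text is that localhost is always one side of the address pair, which is what lets the split survive hostnames containing hyphens such as host230.200-117-180.telecom.net.ar.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One filter.log record, per the Kerio help text:
#   <1|2>,[<date time>] Rule '<name>': <Blocked|Permitted>: <In|Out> <proto>[ [<n>] <ICMP name>], <src>-<dst>, Owner: <app>
RECORD_RE = re.compile(
    r"^(?P<type>[12]),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Blocked|Permitted): (?P<dir>In|Out) (?P<proto>\w+)"
    r"(?: \[(?P<icmp_type>\d+)\] (?P<icmp_name>[^,]+))?, "
    r"(?P<pair>.+?), Owner: (?P<owner>.*)$"
)
# An endpoint is "localhost", "addr[:port]" or "dnsname [addr[:port]]".
ENDPOINT_RE = re.compile(
    r"^(?:(?P<name>\S+) \[(?P<addr>[^\]:]+)(?::(?P<port>\d+))?\]"
    r"|(?P<addr2>[^\s:\[]+)(?::(?P<port2>\d+))?)$"
)


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: Optional[int]
    name: Optional[str] = None


@dataclass(frozen=True)
class Record:
    blocked: bool
    timestamp: str
    rule: str
    direction: str
    proto: str
    src: Endpoint
    dst: Endpoint
    owner: str


def parse_endpoint(text: str) -> Endpoint:
    m = ENDPOINT_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    port = m.group("port") or m.group("port2")
    return Endpoint(addr=m.group("addr") or m.group("addr2"),
                    port=int(port) if port else None, name=m.group("name"))


def split_endpoints(pair: str, direction: str) -> Tuple[Endpoint, Endpoint]:
    # Assumption: a personal firewall always has localhost on one side, so anchor the
    # split on it rather than on the first "-", which hyphenated hostnames would break.
    if direction == "In":
        cut = pair.rfind("-localhost")
    else:
        cut = pair.find("-") if pair.startswith("localhost") else -1
    if cut < 0:
        raise ValueError(f"cannot find the localhost side in {pair!r}")
    return parse_endpoint(pair[:cut]), parse_endpoint(pair[cut + 1:])


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for one filter.log line, or None if the line is not a record."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    blocked = m.group("action") == "Blocked"
    # The help text says the leading digit mirrors the action (1 = denying, 2 = permitting);
    # a disagreement means a corrupt line, so refuse it rather than miscount.
    if blocked != (m.group("type") == "1"):
        raise ValueError(f"rule type and action disagree: {line!r}")
    src, dst = split_endpoints(m.group("pair"), m.group("dir"))
    return Record(blocked, m.group("ts"), m.group("rule"), m.group("dir"),
                  m.group("proto"), src, dst, m.group("owner"))


def parse_log(text: str) -> List[Record]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def blocked_by_rule(records: List[Record]) -> Dict[str, int]:
    """How many denials each rule produced."""
    return dict(Counter(r.rule for r in records if r.blocked))


def port_walkers(records: List[Record], min_ports: int = 2) -> Dict[str, List[int]]:
    """Blocked inbound sources that probed several distinct local ports (e.g. 1026, 1027, 1028)."""
    hits: Dict[str, set] = defaultdict(set)
    for r in records:
        if r.blocked and r.direction == "In" and r.dst.port is not None:
            hits[r.src.addr].add(r.dst.port)
    return {a: sorted(p) for a, p in hits.items() if len(p) >= min_ports}


# Constructed sample log in the same layout (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = r"""
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-198.51.100.7:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, 203.0.113.9-localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Packet to unopened port received': Blocked: In UDP, 192.0.2.20:17898-localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Packet to unopened port received': Blocked: In UDP, 192.0.2.20:17898-localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Packet to unopened port received': Blocked: In UDP, 192.0.2.20:17898-localhost:1028, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, news.example.net [198.51.100.16:119]-localhost:1072, Owner: no owner
1,[28/Jul/2007 17:30:01] Rule 'Packet to unopened port received': Blocked: In UDP, 203.0.113.44:51000-localhost:29081, Owner: no owner
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    print("denials by rule:", blocked_by_rule(recs))
    print("sources walking local ports:", port_walkers(recs))
```

To use it on a real log, feed the file contents to parse_log(); the type/action consistency check turns a truncated or corrupt line into a ValueError instead of a silently wrong tally, and port_walkers() is the quick way to see which of the "no owner" sources were hunting for an open port rather than sending a single stray datagram.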



  #3  
Old July 29th 07, 02:53 AM posted to microsoft.public.win98.gen_discussion
MEB[_2_]
firewalls - what to block and why - your security at risk




"PCR" wrote in message
...
| MEB wrote:
| | PCR and Gram Pappy [among others] have been discussing firewall
| | settings and what they can or should be used for.
|
| That's right. I installed...
| http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW
|
| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
| later began a 17 year study of what to do with it. But I should have
| spoke up sooner!
|
| | In the spirit of those discussions, I thought I would post some
| | blocked activity from a SINGLE session/contact through my ISP and
| | ONLY to this news server and my email accounts [via OE6]. This is
| | from the firewall log [several of my normal settings/restrictions
| | were specifically reset for this presentation].
|
| Thanks for jumping in. So, you wanted to see what would happen just by
| connecting to the NET & using OE for mail & NG activity.

Well, ah no, actually I wanted to let other users who may not have
investigated or understand firewalls.

|
| | No other Internet activity occurred [e.g., no external IE or browser
| | usage or other activity]. All *allowed activity* has been removed, so
| | that the addresses and activities blocked might be addressed for
| | perhaps a greater understanding of the function of firewalls, what
| | they can and are used for, and other aspects related thereto.
|
| Really, it's important to see what was allowed too. Where I thought my
| Primary DNS Server rule would be used only by NetZero (they are NetZero
| addresses in there)... really a whole bunch of apps were using it! But
| that's in the other thread!

DNS is used by any program requiring addressing information. The key is to
limit to the EXACT DNS server(s) NOT within your system [unless for local
network traffic] and the port [53] used by that (those) server(s) with
limited [chosen by previous monitoring] local ports and applications.

I will NOT post all my rules or what exactly I have configured locally
[that would supply the exact way to circumvent my protection], however I
will post this contact to retrieve the email/news messages [your posting],
with a few more inclusions [again, slightly modified rules and rule
logging]. This was ONLY to retrieve mail and the newsgroups on Microsoft.
Nothing else occurred BUT the logon to the ISP.

2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-224.0.0.2, Owner: Tcpip Kernel Driver
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, XXX.XXX.XXX.X:7427-localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX-localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119-localhost:1072, Owner: no owner
at which point I disconnected having retrieved mail and the news messages.

NOTE specifically the *ALL-ROUTERS* from MCAST.NET, and the Tcpip Kernel
requests.

|
| | For those who do not understand firewalls, these activities would or
| | may have been allowed as they followed either programs IN USE [allowed
| | activity], or through addressing [broadcast or otherwise] had a
| | firewall not been used.
|
| That is right. Without a firewall with a good set of denial rules, all
| activity is allowed. Hopefully, if a virus or a trojan or a spy can
| sneak in that way, a good virus detector will prevent it from executing.
| Also, there may have been an MS fix or two to prevent some forms of
| abuse along these lines (I don't know).

What would make you think any anti-spyware or anti-virus programs would
check or correct these types of activities?

Anti-spyware programs MAY block certain addresses and perhaps some ActiveX,
or other. Anti-virus MIGHT catch scripting or attempts to infect something,
or emails or files which contain hacks or other. Host or lmhost files catch
what they have been configured to catch via addressing/name.
These, however, are *network use* activities WITHIN the TCP/IP and other
aspects of Internet/network usage. Firewalls, proxies, packet sniffers,
client servers, the TCP/IP kernel, and the like, are what handle these
activities.
Of course the above is an overly simplified explanation.

|
| | NOTE: this is contact through a dial-up connection[phone]/ISP [which
| | is indicated via some of these addresses], ALWAYS ON connections are
| | even more of a security risk.
|
| Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.

Only if that is what the ISP requires or desires.

|
| | Hopefully, this discussion will be useful to those interested and
| | provide theory and answers to various issues.
| | Rule sets or other settings for various firewalls would naturally be
| | of interest.
| |
| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
|
| I find I have to guess as to the meaning of that. Looks like someone at
| 67.170.2.174, who is Comcast...
|
| http://www.networksolutions.com/whoi...p=67.170.2.174
| .....Quote...........
| 67.170.2.174
| Record Type: IP Address
|
| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
| 67.160.0.0 - 67.191.255.255
| Comcast Cable Communications, IP Services WASHINGTON-6
| (NET-67-170-0-0-1)
| 67.170.0.0 - 67.170.127.255
| .....EOQ.............
|
| ...sent a UDP datagram to port 29081 on your machine. But I don't
| know...
|
| (1) did the port exist without an owner, & would it have received
| the datagram (except the rule blocked it)?
| (The name of that rule suggests the answer is no.)

The data request would have been received and likely honored.
The port would have been opened/created to allow this activity.

|
| (2) did the the port once exist & at that time have an owner,
| but somehow was closed before the datagram arrived?
| Therefore, it couldn't get it, anyhow, even if not blocked?

If it would have been ALLOWED activity [e.g., without proxy or firewall
monitoring or exclusion, or within a hosts or lmhosts, or other], then a
search would have been made for an available port, and then created/opened.
Look again at this:
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner

See the attempt to find or create an open port?
Now, should I have stayed online, there would have been continued attempts
[see your prior discussion where I was online longer], though with different
Shaw addressing and OUT ports, again stepping through IN [local] ports in an
attempt to find or create one.


|
| (3) did the port 29081 never exist?
|
| Do any earlier log entries mention that port? You'd have to log all
| activity of each "permit" rule to know for sure. But, if there is no
| rule permitting the activity, then you would have received a Kerio
| requestor mentioning the port.

No we don't need that.
Were an ALLOWED program or address using that aspect, then it would NOT
have created the denial. Either would have cascaded to find an open port for
use [as long as it was in the defined rule range].
AND you mention Kerio, which MUST have that turned on [requestor].
Other firewalls, particularly those that automatically configure
themselves, MAY not pop-up anything unless it has been configured that way.
They also MAY pass through such requests if piggy-backed from or on allowed
activities/programs. Think "but all I want to know is the user address".
Think Microsoft's firewalls, imagine what they are configured by default to
allow.

|
| Here is a Kerio help page to study...
|
| ......Quote............
| Filter.log file
|
| The filter.log file is used for logging Kerio Personal Firewall actions
| on a local computer. It is created in a directory where Personal
| Firewall is installed (typically C:\Program Files\Kerio\Personal
| Firewall). It is created upon the first record.
|
| Filter.log is a text file where each record is placed on a new line. It
| has the following format:
|
| 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked:
| In TCP, richard.kerio.cz [192.168.2.38:3772]-localhost:25, Owner:
| G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
|
| How to read this line:
|
| 1 rule type (1 = denying, 2 = permitting)
|
| [08/Jun/2001 16:52:09] date and time that the packet was detected (we
| recommend checking the correct setting of the system time on your
| computer)
|
| Rule 'Internet Information Services' name of a rule that was applied
| (from the Description field)
|
| Blocked: / Permitted: indicates whether the packet was blocked or
| permitted (corresponds with the number at the beginning of the line)
|
| In / Out indicates an incoming or outgoing packet
|
| IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule
| was defined)
|
| richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from
| which the packet was sent, in square brackets is the IP address with the
| source port after a colon
|
| localhost:25 destination IP address (or DNS name) and port (localhost =
| this computer)
|
| Owner: name of the local application to which the packet is addressed
| (including its full path). If the application is a system service the
| name displayed is SYSTEM.
| .........EOQ.................
|
| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
|
| That one seems to be coming from...
|
| NetRange: 200.0.0.0 - 200.255.255.255
| NetName: LACNIC-200

Yes, that is the key to your Firewall security.
Tracking each suspect activity to the originator, if possible.

Actually were I to post prior complete TRACKING logs [which I collect(ed)
for specific use], say for one day's normal usage, vast numbers of
potentially dangerous attacks/attempts would be shown.
The Internet is a cesspool of users, unless you protect yourself from them.
NO-ONE is completely invisible or invulnerable. There is always a starting
[requesting/receiving] address [yours].
If you were ACTUALLY invisible then nothing would reach you; you couldn't
receive a web page; you couldn't receive email; you couldn't do any
networking. Whatever is requested MUST have a destination [You]. [Okay, I
know of ways but we're not educating hackers here.]

FOR THE GENERAL DOUBTER [not you PCR]:
Try it. Block all network and Internet traffic in your firewall. That
closes all ports, hence no requesting/receiving address [yours]. It doesn't
matter that you may have obtained an IP address or have one hard set, there
is no way to use it {don't try this for long or you will lose access to the
net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if
applicable}...] No ports or no address and there is no network.
Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to
ANY web address. Notice the addresses? Notice the routing?
NOW, exactly how did YOU receive that information? Certainly it wasn't
broadcast to the world and you just happened to have ended up with it. Or
was it?
--

Now what could a hacker, or someone wishing to track you for whatever
reason, do with that information?
All that is originally needed by that party is the requesting/receiving
address; e.g. your address, your activity, something you did or allowed.
Once this is known then anything that party wishes to do can be done. Now
think about ALWAYS ON connections.

For instance, you did go through Sponge's other pages [used because it was
previously referenced] which address advertising and other innocent [cough]
inclusions on web pages, or which you may find on the Internet, correct?
Such as: http://www.geocities.com/yosponge/othrstuf.html
Did you look at his host file, etc.?
Or perhaps look at ports, packets, formation, and other aspects over on:
http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives

9X users?
Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide some
nice tools for network/Internet use/diagnostics.
Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be careful
using it, many servers do NOT like to be scanned, you may be logged and your
ISP or other agency may be contacted..

Another nifty test tool is called *tooleaky*. A little 3k tool to test your
supposed security [created to test/expose GRC suggestions]. Read about what
it does and how. You might think twice about what you think you know.

If you're using 2000 or above, might want to check these older tools:

http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee

Attacker 3.00

http://www.foundstone.com/knowledge/proddesc/fport.html
fport - find out what is using what port - 2000 - XP/NT
Identify unknown open ports and their associated applications
Copyright 2002 (c) by Foundstone, Inc.
http://www.foundstone.com
fport supports Windows NT4, Windows 2000 and Windows XP
fport reports all open TCP/IP and UDP ports and maps them to the owning
application. This is the same information you would see using the
'netstat -an' command, but it also maps those ports to running processes
with the PID, process name and path. Fport can be used to quickly identify
unknown open ports and their associated applications.


Trout Version 2.0 (formerly SuboTronic)
New in this release
Parallel pinging, resulting in a huge speed improvement.
Selectable background and text colors.
Improved interface.
Save trace to file.
Improved HTML output.
Optional continuous ping mode.
Traceroute and Whois program.
Copyright 2000 (c) by Foundstone, Inc.
A visual (i.e. GUI as opposed to command-line) traceroute and Whois program.
Pinging can be set at a controllable rate as can the frequency of repeatedly
scanning the selected host. The built-in simple Whois lookup can be used to
identify hosts discovered along the route to the destination computer.
Parallel pinging and hostname lookup techniques make this traceroute program
perhaps the fastest currently available.


Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's
TechNet

|
| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no owner
| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027, Owner: no owner
| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port received': Blocked: In UDP, 189.153.168.143:32737-localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107-localhost:1434, Owner: no owner
| | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:7212, Owner: no owner
| | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:8000, Owner: no owner
| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner
| | 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port received': Blocked: In UDP, 90.20.19.204:46983-localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received': Blocked: In UDP, 87.235.125.80:8052-localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port received': Blocked: In UDP, 69.126.6.107:32338-localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened port received': Blocked: In UDP, 189.128.113.251:16491-localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1026, Owner: no owner
| | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1027, Owner: no owner
| | 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened port received': Blocked: In UDP, 200.117.180.230:22925-localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 74.120.200.92:45097-localhost:29081, Owner: no
| | owner 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port
| | received': Blocked: In UDP, host230.200-117-180.telecom.net.ar
| | [200.117.180.230:22925]-localhost:29081, Owner: no owner
| | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received':
| | Blocked: In UDP, 88.22.213.173:19033-localhost:29081, Owner: no
| | owner 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port
| | received': Blocked: In UDP, 74.107.240.241:48641-localhost:29081,
| | Owner: no owner 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened
| | port received': Blocked: In UDP,
| | 221.208.208.95:53699-localhost:1026, Owner: no owner 1,[28/Jul/2007
| | 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP,
| | 67.81.156.51:20406-localhost:29081, Owner: no owner 1,[28/Jul/2007
| | 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP,
| | 200.89.49.207:23085-localhost:29081, Owner: no owner 1,[28/Jul/2007
| | 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP,
| | 221.208.208.90:33490-localhost:1026, Owner: no owner 1,[28/Jul/2007
| | 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP,
| | 142.161.209.54:15611-localhost:29081, Owner: no owner 1,[28/Jul/2007
| | 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP,
| | 190.60.89.179:47922-localhost:29081, Owner: no owner 1,[28/Jul/2007
| | 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP,
| | msnews.microsoft.com [207.46.248.16:119]-localhost:1185, Owner: no
| | owner 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port
| | received': Blocked: In UDP, 190.31.24.235:50988-localhost:29081,
| | Owner: no owner
| |
| |
| | --
| | MEB
| | http://peoplescounsel.orgfree.com
| | ________
|
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| Should things get worse after this,
| PCR
|
|
|


--
MEB
http://peoplescounsel.orgfree.com
________




  #4  
Old July 29th 07, 05:20 AM posted to microsoft.public.win98.gen_discussion
Curt Christianson[_2_]
External Usenet User
 
Posts: 143
Default firewalls - what to block and why - your security at risk

Some real food for thought gentlemen. Thank you.

P.S. I've been using ZA since 2000.

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" meb@not wrote in message
...
|
|
|
| "PCR" wrote in message
| ...
|| MEB wrote:
|| | PCR and Gram Pappy [among others] have been discussing firewall
|| | settings and what they can or should be used for.
||
|| That's right. I installed...
||
|| http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW
||
|| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
|| later began a 17 year study of what to do with it. But I should have
|| spoken up sooner!
||
|| | In the spirit of those discussions, I thought I would post some
|| | blocked activity from a SINGLE session/contact through my ISP and
|| | ONLY to this news server and my email accounts [via OE6]. This is
|| | from the firewall log [several of my normal settings/restrictions
|| | were specifically reset for this presentation].
||
|| Thanks for jumping in. So, you wanted to see what would happen just by
|| connecting to the NET & using OE for mail & NG activity.
|
| Well, ah no, actually I wanted to let other users who may not have
| investigated or understand firewalls.
|
||
|| | No other Internet activity occurred [e.g., no external IE or browser
|| | usage or other activity]. All *allowed activity* has been removed, so
|| | that the addresses and activities blocked might be addressed for
|| | perhaps a greater understanding of the function of firewalls, what
|| | they can and are used for, and other aspects related thereto.
||
|| Really, it's important to see what was allowed too. Where I thought my
|| Primary DNS Server rule would be used only by NetZero (they are NetZero
|| addresses in there)... really a whole bunch of apps were using it! But
|| that's in the other thread!
|
| DNS is used by any program requiring addressing information. The key is to
| limit to the EXACT DNS server(s) NOT within your system [unless for local
| network traffic] and the port [53] used by that (those) server(s) with
| limited [chosen by previous monitoring] local ports and applications.
|
| I will NOT post all my rules or what exactly I have configured locally
| [that would supply the exact way to circumvent my protection], however I
| will post this contact to retrieve the email/news messages [your posting],
| with a few more inclusions [again, slightly modified rules and rule
| logging]. This was ONLY to retrieve mail and the newsgroups on Microsoft.
| Nothing else occurred BUT the logon to the ISP.
|
| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
| localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE
| 7.0\WAOL.EXE
| 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router
| Solicitation, localhost-224.0.0.2, Owner: Tcpip Kernel Driver
| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
| XXX.XXX.XXX.X:7427-localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE
| 7.0\WAOL.EXE
| 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router
| Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip
| Kernel Driver
| 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router
| Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip
| Kernel Driver
| 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo
| Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo
| Request, XXX.XXX.XXX.XXX-localhost, Owner: Tcpip Kernel Driver
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1026, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1028, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP,
| 207.46.248.16:119-localhost:1072, Owner: no owner
| at which point I disconnected having retrieved mail and the news messages.
|
| NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel
| requests.
|
||
|| | For those who do not understand firewalls, these activities would or
|| | may have been allowed as they followed either programs IN USE [allowed
|| | activity], or through addressing [broadcast or otherwise] had a
|| | firewall not been used.
||
|| That is right. Without a firewall with a good set of denial rules, all
|| activity is allowed. Hopefully, if a virus or a trojan or a spy can
|| sneak in that way, a good virus detector will prevent it from executing.
|| Also, there may have been an MS fix or two to prevent some forms of
|| abuse along these lines (I don't know).
|
| What would make you think any anti-spyware or anti-virus programs would
| check or correct these types of activities?
|
| Anti-spyware programs MAY block certain addresses and perhaps some ActiveX,
| or other. Anti-virus MIGHT catch scripting or attempts to infect something,
| or emails or files which contain hacks or other. Host or lmhost files catch
| what they have been configured to catch via addressing/name.
| These, however, are *network use* activities WITHIN the TCP/IP and other
| aspects of Internet/network usage. Firewalls, proxies, packet sniffers,
| client servers, the TCP/IP kernel, and the like, are what handle these
| activities.
| Of course the above is an overly simplified explanation.
|
||
|| | NOTE: this is contact through a dial-up connection[phone]/ISP [which
|| | is indicated via some of these addresses], ALWAYS ON connections are
|| | even more of a security risk.
||
|| Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.
|
| Only if that is what the ISP requires or desires.
|
||
|| | Hopefully, this discussion will be useful to those interested and
|| | provide theory and answers to various issues.
|| | Rule sets or other settings for various firewalls would naturally be
|| | of interest.
|| |
|| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
||
|| I find I have to guess as to the meaning of that. Looks like someone at
|| 67.170.2.174, who is Comcast...
||
|| http://www.networksolutions.com/whoi...p=67.170.2.174
|| .....Quote...........
|| 67.170.2.174
|| Record Type: IP Address
||
|| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
|| 67.160.0.0 - 67.191.255.255
|| Comcast Cable Communications, IP Services WASHINGTON-6
|| (NET-67-170-0-0-1)
|| 67.170.0.0 - 67.170.127.255
|| .....EOQ.............
||
|| ...sent a UDP datagram to port 29081 on your machine. But I don't
|| know...
||
|| (1) did the port exist without an owner, & would it have received
|| the datagram (except the rule blocked it)?
|| (The name of that rule suggests the answer is no.)
|
| The data request would have been received and likely honored.
| The port would have been opened/created to allow this activity.
|
||
|| (2) did the the port once exist & at that time have an owner,
|| but somehow was closed before the datagram arrived?
|| Therefore, it couldn't get it, anyhow, even if not blocked?
|
| If it would have been ALLOWED activity [e.g., without proxy or firewall
| monitoring or exclusion, or within a hosts or lmhosts, or other], then a
| search would have been made for an available port, and then created/opened.
| Look again at this:
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1026, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1028, Owner: no owner
|
| See the attempt to find or create an open port?
| Now, should I have stayed online, there would have been continued attempts
| [see your prior discussion where I was online longer], though with different
| Shaw addressing and OUT ports, again stepping through IN [local] ports in
| attempt to find or create one.
|
|
||
|| (3) did the port 29081 never exist?
||
|| Do any earlier log entries mention that port? You'd have to log all
|| activity of each "permit" rule to know for sure. But, if there is no
|| rule permitting the activity, then you would have received a Kerio
|| requestor mentioning the port.
|
| No we don't need that.
| Were an ALLOWED program or address using that aspect, then it would NOT
| have created the denial. Either would have cascaded to find an open port for
| use [as long as it was in the defined rule range].
| AND you mention Kerio, which MUST have that turned on [requestor].
| Other firewalls, particularly those that automatically configure
| themselves, MAY not pop-up anything unless it has been configured that way.
| They also MAY pass through such requests if piggy-backed from or on allowed
| activities/programs. Think "but all I want to know is the user address".
| Think Microsoft's firewalls, imagine what they are configured by default to
| allow.
|
||
|| Here is a Kerio help page to study...
||
|| ......Quote............
|| Filter.log file
||
|| The filter.log file is used for logging Kerio Personal Firewall actions
|| on a local computer. It is created in a directory where Personal
|| Firewall is installed (typically C:\Program Files\Kerio\Personal
|| Firewall). It is created upon the first record.
||
|| Filter.log is a text file where each record is placed on a new line. It
|| has the following format:
||
|| 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked:
|| In TCP, richard.kerio.cz [192.168.2.38:3772]-localhost:25, Owner:
|| G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
||
|| How to read this line:
||
|| 1 rule type (1 = denying, 2 = permitting)
||
|| [08/Jun/2001 16:52:09] date and time that the packet was detected (we
|| recommend checking the correct setting of the system time on your
|| computer)
||
|| Rule 'Internet Information Services' name of a rule that was applied
|| (from the Description field)
||
|| Blocked: / Permitted: indicates whether the packet was blocked or
|| permitted (corresponds with the number at the beginning of the line)
||
|| In / Out indicates an incoming or outgoing packet
||
|| IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule
|| was defined)
||
|| richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from
|| which the packet was sent, in square brackets is the IP address with the
|| source port after a colon
||
|| localhost:25 destination IP address (or DNS name) and port (localhost =
|| this computer)
||
|| Owner: name of the local application to which the packet is addressed
|| (including its full path). If the application is a system service the
|| name displayed is SYSTEM.
|| .........EOQ.................
||
|| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
||
|| That one seems to be coming from...
||
|| NetRange: 200.0.0.0 - 200.255.255.255
|| NetName: LACNIC-200
|
| Yes, that is the key to your Firewall security.
| Tracking each suspect activity to the originator, if possible.
|
| Actually were I to post prior complete TRACKING logs [which I collect(ed)
| for specific use], say for one day's normal usage, vast numbers of
| potentially dangerous attacks/attempts would be shown.
| The Internet is a cesspool of users, unless you protect yourself from them.
| NO-ONE is completely invisible or invulnerable. There is always a starting
| [requesting/receiving] address [yours].
| If you were ACTUALLY invisible then nothing would reach you; you couldn't
| receive a web page; you couldn't receive email; you couldn't do any
| networking. Whatever is requested MUST have a destination [You]. [Okay, I
| know of ways but we're not educating hackers here.]
|
| FOR THE GENERAL DOUBTER [not you PCR]:
| Try it. Block all network and Internet traffic in your firewall. That
| closes all ports, hence no requesting/receiving address [yours]. It doesn't
| matter that you may have obtained an IP address or have one hard set, there
| is no way to use it {don't try this for long or you will lose access to the
| net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if
| applicable}...] No ports or no address and there is no network.
| Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to
| ANY web address. Notice the addresses? Notice the routing?
| NOW, exactly how did YOU receive that information? Certainly it wasn't
| broadcast to the world and you just happened to have ended up with it. Or
| was it?
| --
|
| Now what could a hacker, or someone wishing to track you for whatever
| reason, do with that information?
| All that is originally needed by that party is the requesting/receiving
| address; e.g. your address, your activity, something you did or allowed.
| address; e.g. your address, your activity, something you did or allowed.
| Once this is known then anything that party wishes to do can be done. Now
| think about ALWAYS ON connections.
|
| For instance, you did go through Sponge's other pages [used because it was
| previously referenced] which address advertising and other innocent [cough]
| inclusions on web pages, or which you may find on the Internet, correct?
| Such as: http://www.geocities.com/yosponge/othrstuf.html
| Did you look at his host file, etc..
| Or perhaps look at ports, packets, formation, and other aspects over on:
| http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
|
| 9X users?
| Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide some
| nice tools for network/Internet use/diagnostics.
| Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be careful
| using it, many servers do NOT like to be scanned, you may be logged and your
| ISP or other agency may be contacted..
|
| Another nifty test tool is called *tooleaky*. A little 3k tool to test your
| supposed security [created to test/expose GRC suggestions]. Read about what
| it does and how. You might think twice about what you think you know.
|
| If you're using 2000 or above, you might want to check these older tools:
|
| http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee
|
| Attacker 3.00
|
| http://www.foundstone.com/knowledge/proddesc/fport.html
| fport - find out what is using what port - 2000 - XP/NT
| Identify unknown open ports and their associated applications
| Copyright 2002 (c) by Foundstone, Inc.
| http://www.foundstone.com
| fport supports Windows NT4, Windows 2000 and Windows XP
| fport reports all open TCP/IP and UDP ports and maps them to the owning
| application. This is the same information you would see using the
| 'netstat -an' command, but it also maps those ports to running processes
| with the PID, process name and path. Fport can be used to quickly identify
| unknown open ports and their associated applications.
|
|
| Trout Version 2.0 (formerly SuboTronic)
| New in this release
| Parallel pinging, resulting in a huge speed improvement.
| Selectable background and text colors.
| Improved interface.
| Save trace to file.
| Improved HTML output.
| Optional continuous ping mode.
| Traceroute and Whois program.
| Copyright 2000 (c) by Foundstone, Inc.
| A visual (i.e. GUI as opposed to command-line) traceroute and Whois program.
| Pinging can be set at a controllable rate as can the frequency of repeatedly
| scanning the selected host. The built-in simple Whois lookup can be used to
| identify hosts discovered along the route to the destination computer.
| Parallel pinging and hostname lookup techniques make this traceroute program
| perhaps the fastest currently available.
|
|
| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's
| TechNet
|
||
|| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no owner
|| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027, Owner: no owner
|| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port received': Blocked: In UDP, 189.153.168.143:32737-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107-localhost:1434, Owner: no owner
|| | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:7212, Owner: no owner
|| | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:8000, Owner: no owner
|| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner
|| | 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port received': Blocked: In UDP, 90.20.19.204:46983-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received': Blocked: In UDP, 87.235.125.80:8052-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port received': Blocked: In UDP, 69.126.6.107:32338-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened port received': Blocked: In UDP, 189.128.113.251:16491-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1026, Owner: no owner
|| | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1027, Owner: no owner
|| | 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened port received': Blocked: In UDP, 200.117.180.230:22925-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': Blocked: In UDP, 74.120.200.92:45097-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': Blocked: In UDP, 88.22.213.173:19033-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port received': Blocked: In UDP, 74.107.240.241:48641-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.95:53699-localhost:1026, Owner: no owner
|| | 1,[28/Jul/2007 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, 67.81.156.51:20406-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, 200.89.49.207:23085-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.90:33490-localhost:1026, Owner: no owner
|| | 1,[28/Jul/2007 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, 142.161.209.54:15611-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, 190.60.89.179:47922-localhost:29081, Owner: no owner
|| | 1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1185, Owner: no owner
|| | 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port received': Blocked: In UDP, 190.31.24.235:50988-localhost:29081, Owner: no owner
|| |
|| |
|| | --
|| | MEB
|| | http://peoplescounsel.orgfree.com
|| | ________
||
|| --
|| Thanks or Good Luck,
|| There may be humor in this post, and,
|| Naturally, you will not sue,
|| Should things get worse after this,
|| PCR
||
||
||
|
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
|
|
|
|
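
One way to work with a log like the one quoted above, as an added example (my own code, not MEB's, PCR's or Kerio's): a parser for the filter.log record format described in the Kerio help text quoted in this post, plus two defender-side checks run over records copied from the excerpts in this thread. `port_walks` spots a source stepping through consecutive local ports, the 1026/1027/1028 pattern MEB points at in the 'Shaw Comm block' lines, and `most_probed_ports` ranks local ports by how many distinct blocked sources hit them (29081 in the night log). The regular expressions, the `Entry` field names and the function names are my own; the one assumption baked into the parser is that a bare (unresolved) endpoint never contains a '-', so that character can separate source from destination.

```python
"""Parse Kerio Personal Firewall 2.x filter.log records and run two checks over them.
Added example, not code from the thread or from Kerio; the sample records are copied
from the log excerpts posted in the thread (masked XXX addresses kept as posted)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# "<1|2>,[dd/Mon/yyyy hh:mm:ss] Rule '<name>': <Blocked|Permitted>: <In|Out> <proto>[ detail], <src>-<dst>, Owner: <owner>"
LINE_RE = re.compile(
    r"^(?P<kind>[12]),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Blocked|Permitted): (?P<dir>In|Out) (?P<proto>\w+)(?P<detail>[^,]*), "
    r"(?P<endpoints>.+?), Owner: (?P<owner>.+)$")
# Endpoint is "dnsname [ip:port]" when Kerio resolved a name, else a bare "ip:port" (no port for ICMP).
# Assumption: bare forms never contain '-', so '-' separates source from destination.
EP = r"(?:\S+ \[[^\]]+\]|[^\s\[\]\-]+)"
ENDPOINTS_RE = re.compile(rf"^(?P<src>{EP})-(?P<dst>{EP})$")
EP_RE = re.compile(r"^(?:(?P<name>\S+) \[)?(?P<addr>[^\]:]+)(?::(?P<port>\d+))?\]?$")

@dataclass
class Entry:
    permitted: bool
    when: datetime
    rule: str
    direction: str           # "In" / "Out"
    proto: str               # TCP, UDP, ICMP, ...
    detail: str              # e.g. "[8] Echo Request" for ICMP, else ""
    src_name: Optional[str]  # DNS name when Kerio printed one
    src_addr: str
    src_port: Optional[int]
    dst_name: Optional[str]
    dst_addr: str
    dst_port: Optional[int]
    owner: str               # application path, "SYSTEM", "no owner", ...

def _endpoint(text):
    m = EP_RE.match(text)
    if not m:
        raise ValueError(f"bad endpoint: {text!r}")
    port = m.group("port")
    return m.group("name"), m.group("addr"), (int(port) if port else None)

def parse_line(line: str) -> Entry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a filter.log record: {line!r}")
    ep = ENDPOINTS_RE.match(m.group("endpoints"))
    if not ep:
        raise ValueError(f"bad endpoints: {m.group('endpoints')!r}")
    permitted = m.group("kind") == "2"
    # Kerio states the verdict twice (leading digit and word); refuse records where they disagree.
    if permitted != (m.group("action") == "Permitted"):
        raise ValueError(f"rule type and verdict disagree: {line!r}")
    src_name, src_addr, src_port = _endpoint(ep.group("src"))
    dst_name, dst_addr, dst_port = _endpoint(ep.group("dst"))
    return Entry(permitted, datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S"),
                 m.group("rule"), m.group("dir"), m.group("proto"), m.group("detail").strip(),
                 src_name, src_addr, src_port, dst_name, dst_addr, dst_port, m.group("owner"))

def _blocked_inbound(entries):
    return [e for e in entries if e.direction == "In" and not e.permitted and e.dst_port is not None]

def port_walks(entries, min_run=3):
    """{source address: (first, last)} for sources whose blocked inbound packets hit at
    least `min_run` consecutive local ports (the 1026/1027/1028 pattern in the thread)."""
    ports_by_src = defaultdict(set)
    for e in _blocked_inbound(entries):
        ports_by_src[e.src_addr].add(e.dst_port)
    walks = {}
    for src, ports in ports_by_src.items():
        best, run = [], []
        for p in sorted(ports):
            run = run + [p] if run and p == run[-1] + 1 else [p]
            if len(run) > len(best):
                best = run
        if len(best) >= min_run:
            walks[src] = (best[0], best[-1])
    return walks

def most_probed_ports(entries, n=3):
    """Local ports ranked by the number of distinct blocked sources that hit them."""
    sources = defaultdict(set)
    for e in _blocked_inbound(entries):
        sources[e.dst_port].add(e.src_addr)
    return sorted(((p, len(s)) for p, s in sources.items()), key=lambda t: (-t[1], t[0]))[:n]

# Sample records copied from the log excerpts in this thread.
SAMPLE_LOG = r"""
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119-localhost:1072, Owner: no owner
1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner
"""

def load_sample():
    return [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]

if __name__ == "__main__":
    entries = load_sample()
    print("port walks:", port_walks(entries))
    print("most probed local ports:", most_probed_ports(entries))
```

On the sample above `port_walks` returns the Shaw source with its 1026 to 1028 run and `most_probed_ports` puts 29081 first with three distinct sources. One caveat on reading rule names as verdicts: the 'TCP ack packet attack' entries in the thread come from port 119 of the news server the session had just been talking to, towards a high local port with no owner, which is typically the tail of a connection the local side has already closed rather than a probe, so the source/port pairing and the timing relative to your own session are the better signal for deciding what to block by address.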


  #5  
Old July 29th 07, 07:57 PM posted to microsoft.public.win98.gen_discussion
PCR
External Usenet User
 
Posts: 4,396
Default firewalls - what to block and why - your security at risk

Curt Christianson wrote:
| Some real food for thought gentlemen. Thank you.

You are welcome. I have only begun & will not rest until I get these
Kerio rules right-- even if I have to complete the rest of my 17 year
study! I'm moving it to the top of my to-do list! My master plan is to
discover just what my legit apps want to or must do to function
properly. Then, I will code rules that permit JUST those apps to do it.
Only my denial rules will apply to "any application", is my plan.

And I have begun with my Primary DNS Server rule, which now I have split
into FIVE...

(1) DNS Server-- EXEC.exe (NetZero)
(2) DNS Server-- ASHWEBSV (avast! Web Scanner)
(3) DNS Server-- AVAST.SETUP
(4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
(5) DNS Server-- IExplore

I may attempt again to narrow it down. But, currently, each of those
gets to do UDP, both directions, local ports 1024-5000, any NetZero
address, port 53.

Lots of other apps were using it before. But that's in another thread!

| P.S. I've been using ZA since 2000.
|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "MEB" meb@not wrote in message
| ...
||
||
||
|| "PCR" wrote in message
|| ...
||| MEB wrote:
||| | PCR and Gram Pappy [among others] have been discussing firewall
||| | settings and what they can or should be used for.
|||
||| That's right. I installed...
|||
||| http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW
|||
||| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
||| later began a 17 year study of what to do with it. But I should have
||| spoken up sooner!
|||
||| | In the spirit of those discussions, I thought I would post some
||| | blocked activity from a SINGLE session/contact through my ISP and
||| | ONLY to this news server and my email accounts [via OE6]. This is
||| | from the firewall log [several of my normal settings/restrictions
||| | were specifically reset for this presentation].
|||
||| Thanks for jumping in. So, you wanted to see what would happen just
||| by connecting to the NET & using OE for mail & NG activity.
||
|| Well, ah no, actually I wanted to let other users who may not have
|| investigated or understand firewalls.
||
|||
||| | No other Internet activity occurred [e.g., no external IE or
||| | browser usage or other activity]. All *allowed activity* has been
||| | removed, so that the addresses and activities blocked might be
||| | addressed for perhaps a greater understanding of the function of
||| | firewalls, what they can and are used for, and other aspects
||| | related thereto.
|||
||| Really, it's important to see what was allowed too. Where I thought
||| my Primary DNS Server rule would be used only by NetZero (they are
||| NetZero addresses in there)... really a whole bunch of apps were
||| using it! But that's in the other thread!
||
|| DNS is used by any program requiring addressing information. The key
|| is to limit to the EXACT DNS server(s) NOT within your system
|| [unless for local network traffic] and the port [53] used by that
|| (those) server(s) with limited [chosen by previous monitoring] local
|| ports and applications.
||
|| I will NOT post all my rules or what exactly I have configured
|| locally [that would supply the exact way to circumvent my
|| protection], however I will post this contact to retrieve the
|| email/news messages [your posting], with a few more inclusions
|| [again, slightly modified rules and rule logging]. This was ONLY to
|| retrieve mail and the newsgroups on Microsoft. Nothing else occurred
|| BUT the logon to the ISP.
||
|| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
|| localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
|| ONLINE
|| 7.0\WAOL.EXE
|| 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
|| Router Solicitation, localhost-224.0.0.2, Owner: Tcpip Kernel Driver
|| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
|| XXX.XXX.XXX.X:7427-localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
|| ONLINE
|| 7.0\WAOL.EXE
|| 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10]
|| Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2],
|| Owner: Tcpip Kernel Driver
|| 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10]
|| Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2],
|| Owner: Tcpip Kernel Driver
|| 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8]
|| Echo Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver
|| 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8]
|| Echo Request, XXX.XXX.XXX.XXX-localhost, Owner: Tcpip Kernel Driver
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898-localhost:1026, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898-localhost:1027, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898-localhost:1028, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In
|| TCP, 207.46.248.16:119-localhost:1072, Owner: no owner
|| at which point I disconnected having retrieved mail and the news
|| messages.
||
|| NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip
|| Kernel requests.
||
|||
||| | For those who do not understand firewalls, these activities
||| | would or may have been allowed as they followed either programs
||| | IN USE [allowed activity], or through addressing [broadcast or
||| | otherwise] had a firewall not been used.
|||
||| That is right. Without a firewall with a good set of denial rules,
||| all activity is allowed. Hopefully, if a virus or a trojan or a spy
||| can sneak in that way, a good virus detector will prevent it from
||| executing. Also, there may have been an MS fix or two to prevent
||| some forms of abuse along these lines (I don't know).
||
|| What would make you think any anti-spyware or anti-virus programs
|| would check or correct these types of activities?
||
|| Anti-spyware programs MAY block certain addresses and perhaps some
|| ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to
|| infect something, or emails or files which contain hacks or other.
|| Host or lmhost files catch what they have been configured to catch
|| via addressing/name.
|| These, however, are *network use* activities WITHIN the TCP/IP and
|| other aspects of Internet/network usage. Firewalls, proxies, packet
|| sniffers, client servers, the TCP/IP kernel, and the like, are what
|| handle these activities.
|| Of course the above is an overly simplified explanation.
||
|||
||| | NOTE: this is contact through a dial-up connection[phone]/ISP
||| | [which is indicated via some of these addresses], ALWAYS ON
||| | connections are even more of a security risk.
|||
||| Uhuh. I am Dial-Up too. That way, you get a new IP address each
||| connect.
||
|| Only if that is what the ISP requires or desires.
||
|||
||| | Hopefully, this discussion will be useful to those interested and
||| | provide theory and answers to various issues.
||| | Rule sets or other settings for various firewalls would
||| | naturally be of interest.
||| |
||| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no
||| | owner
|||
||| I find I have to guess as to the meaning of that. Looks like
||| someone at
||| 67.170.2.174, who is Comcast...
|||
||| http://www.networksolutions.com/whoi...p=67.170.2.174
||| .....Quote...........
||| 67.170.2.174
||| Record Type: IP Address
|||
||| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
||| 67.160.0.0 - 67.191.255.255
||| Comcast Cable Communications, IP Services WASHINGTON-6
||| (NET-67-170-0-0-1)
||| 67.170.0.0 - 67.170.127.255
||| .....EOQ.............
|||
||| ...sent a UDP datagram to port 29081 on your machine. But I don't
||| know...
|||
||| (1) did the port exist without an owner, & would it have received
||| the datagram (except the rule blocked it)?
||| (The name of that rule suggests the answer is no.)
||
|| The data request would have been received and likely honored.
|| The port would have been opened/created to allow this activity.
||
|||
||| (2) did the port once exist & at that time have an owner,
||| but somehow was closed before the datagram arrived?
||| Therefore, it couldn't get it, anyhow, even if not blocked?
||
|| If it would have been ALLOWED activity [e.g., without proxy or
|| firewall monitoring or exclusion, or within a hosts or lmhosts, or
|| other], then a search would have been made for an available port,
|| and then created/opened. Look again at this:
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898-localhost:1026, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898-localhost:1027, Owner: no owner
|| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| 24.64.192.20:17898-localhost:1028, Owner: no owner
||
|| See the attempt to find or create an open port?
|| Now, should I have stayed online, there would have been continued
|| attempts [see your prior discussion where I was online longer],
|| though with different Shaw addressing and OUT ports, again stepping
|| through IN [local] ports in attempt to find or create one.
||
||
|||
||| (3) did the port 29081 never exist?
|||
||| Do any earlier log entries mention that port? You'd have to log all
||| activity of each "permit" rule to know for sure. But, if there is no
||| rule permitting the activity, then you would have received a Kerio
||| requestor mentioning the port.
||
|| No we don't need that.
|| Were an ALLOWED program or address using that aspect, then it would
|| NOT have created the denial. Either would have cascaded to find an
|| open port for use [as long as it was in the defined rule range].
|| AND you mention Kerio, which MUST have that turned on [requestor].
|| Other firewalls, particularly those that automatically configure
|| themselves, MAY not pop-up anything unless it has been configured
|| that way. They also MAY pass through such requests if piggy-backed
|| from or on allowed activities/programs. Think "but all I want to
|| know is the user address". Think Microsoft's firewalls, imagine what
|| they are configured by default to allow.
||
|||
||| Here is a Kerio help page to study...
|||
||| ......Quote............
||| Filter.log file
|||
||| The filter.log file is used for logging Kerio Personal Firewall
||| actions on a local computer. It is created in a directory where
||| Personal Firewall is installed (typically C:\Program
||| Files\Kerio\Personal Firewall). It is created upon the first record.
|||
||| Filter.log is a text file where each record is placed on a new
||| line. It has the following format:
|||
||| 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services':
||| Blocked: In TCP, richard.kerio.cz
||| [192.168.2.38:3772]-localhost:25, Owner:
||| G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
|||
||| How to read this line:
|||
||| 1 rule type (1 = denying, 2 = permitting)
|||
||| [08/Jun/2001 16:52:09] date and time that the packet was detected
||| (we recommend checking the correct setting of the system time on
||| your computer)
|||
||| Rule 'Internet Information Services' name of a rule that was
||| applied (from the Description field)
|||
||| Blocked: / Permitted: indicates whether the packet was blocked or
||| permitted (corresponds with the number at the beginning of the line)
|||
||| In / Out indicates an incoming or outgoing packet
|||
||| IP / TCP / UDP / ICMP, etc. communication protocol (for which the
||| rule was defined)
|||
||| richard.kerio.com [192.168.2.38:3772] DNS name of the computer,
||| from which the packet was sent, in square brackets is the IP
||| address with the source port after a colon
|||
||| localhost:25 destination IP address (or DNS name) and port
||| (localhost = this computer)
|||
||| Owner: name of the local application to which the packet is
||| addressed (including its full path). If the application is a system
||| service the name displayed is SYSTEM.
||| .........EOQ.................
|||
||| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no
||| | owner
|||
||| That one seems to be coming from...
|||
||| NetRange: 200.0.0.0 - 200.255.255.255
||| NetName: LACNIC-200
||
|| Yes, that is the key to your Firewall security.
|| Tracking each suspect activity to the originator, if possible.
||
|| Actually were I to post prior complete TRACKING logs [which I
|| collect(ed) for specific use], say for one day's normal usage, vast
|| numbers of potentially dangerous attacks/attempts would be shown.
|| The Internet is a cesspool of users, unless you protect yourself
|| from them. NO-ONE is completely invisible or invulnerable. There is
|| always a starting [requesting/receiving] address [yours].
|| If you were ACTUALLY invisible then nothing would reach you; you
|| couldn't receive a web page; you couldn't receive email; you
|| couldn't do any networking. Whatever is requested MUST have a
|| destination [You]. [Okay, I know of ways but we're not educating
|| hackers here.]
||
|| FOR THE GENERAL DOUBTER [not you PCR]:
|| Try it. Block all network and Internet traffic in your firewall. That
|| closes all ports, hence no requesting/receiving address [yours]. It
|| doesn't matter that you may have obtained an IP address or have one
|| hard set, there is no way to use it {don't try this for long or you
|| will lose access to the net on a phoneline}. [Or clear your IP,
|| DHCP, and DNS entries {WINS if applicable}...] No ports or no
|| address and there is no network.
|| Now turn it on again [or re-connect] and do a TRACE [preferred] or
|| ping to ANY web address. Notice the addresses? Notice the routing?
|| NOW, exactly how did YOU receive that information? Certainly it
|| wasn't broadcast to the world and you just happened to have ended up
|| with it. Or was it?
|| --
||
|| Now what could a hacker, or someone wishing to track you for whatever
|| reason, do with that information?
|| All that is originally needed by that party is the
|| requesting/receiving address; e.g. your address, your activity,
|| something you did or allowed. Once this is known then anything that
|| party wishes to do can be done. Now think about ALWAYS ON
|| connections.
||
|| For instance, you did go through Sponge's other pages [used because
|| it was previously referenced] which address advertising and other
|| innocent [cough] inclusions on web pages, or which you may find on
|| the Internet, correct? Such as:
|| http://www.geocities.com/yosponge/othrstuf.html
|| Did you look at his host file, etc..
|| Or perhaps look at ports, packets, formation, and other aspects over
|| on: http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
||
|| 9X users?
|| Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)]
|| provide some nice tools for network/Internet use/diagnostics.
|| Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be
|| careful using it, many servers do NOT like to be scanned, you may be
|| logged and your ISP or other agency may be contacted..
||
|| Another nifty test tool is called *tooleaky*. A little 3k tool to
|| test your supposed security [created to test/expose GRC
|| suggestions]. Read about what it does and how. You might think twice
|| about what you think you know.
||
|| If you're using 2000 or above, might want to check these older tools:
||
|| http://www.foundstone.com/us/resources-free-tools.asp - Division of
|| McAfee
||
|| Attacker 3.00
||
|| http://www.foundstone.com/knowledge/proddesc/fport.html
|| fport - find out what is using what port - 2000 - XP/NT
|| Identify unknown open ports and their associated applications
|| Copyright 2002 (c) by Foundstone, Inc.
|| http://www.foundstone.com
|| fport supports Windows NT4, Windows 2000 and Windows XP
|| fport reports all open TCP/IP and UDP ports and maps them to the
|| owning application. This is the same information you would see using
|| the 'netstat -an' command, but it also maps those ports to running
|| processes with the PID, process name and path. Fport can be used to
|| quickly identify unknown open ports and their associated
|| applications.
||
||
|| Trout Version 2.0 (formerly SuboTronic)
|| New in this release
|| Parallel pinging, resulting in a huge speed improvement.
|| Selectable background and text colors.
|| Improved interface.
|| Save trace to file.
|| Improved HTML output.
|| Optional continuous ping mode.
|| Traceroute and Whois program.
|| Copyright 2000 (c) by Foundstone, Inc.
|| A visual (i.e. GUI as opposed to command-line) traceroute and Whois
|| program. Pinging can be set at a controllable rate as can the
|| frequency of repeatedly scanning the selected host. The built-in
|| simple Whois lookup can be used to identify hosts discovered along
|| the route to the destination computer. Parallel pinging and hostname
|| lookup techniques make this traceroute program perhaps the fastest
|| currently available.
||
||
|| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on
|| Microsoft's TechNet
||
|||
||| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no
||| | owner 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port
||| | received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027,
||| | Owner: no owner 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened
||| | port received': Blocked: In UDP,
||| | 190.46.171.127:41806-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no
||| | owner 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port
||| | received': Blocked: In UDP,
||| | 189.153.168.143:32737-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 58.49.103.227:1107-localhost:1434, Owner: no
||| | owner 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port
||| | received': Blocked: In TCP, 219.148.119.6:12200-localhost:7212,
||| | Owner: no owner 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened
||| | port received': Blocked: In TCP,
||| | 219.148.119.6:12200-localhost:8000, Owner: no owner
||| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked:
||| | In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186,
||| | Owner: no owner 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened
||| | port received': Blocked: In UDP,
||| | 90.20.19.204:46983-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 87.235.125.80:8052-localhost:29081, Owner: no
||| | owner 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port
||| | received': Blocked: In UDP, 69.126.6.107:32338-localhost:29081,
||| | Owner: no owner 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened
||| | port received': Blocked: In UDP,
||| | 189.128.113.251:16491-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 221.209.110.13:49282-localhost:1026, Owner: no
||| | owner 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port
||| | received': Blocked: In UDP, 221.209.110.13:49282-localhost:1027,
||| | Owner: no owner 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened
||| | port received': Blocked: In UDP,
||| | 200.117.180.230:22925-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 74.120.200.92:45097-localhost:29081, Owner: no
||| | owner 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port
||| | received': Blocked: In UDP, host230.200-117-180.telecom.net.ar
||| | [200.117.180.230:22925]-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 88.22.213.173:19033-localhost:29081, Owner: no
||| | owner 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port
||| | received': Blocked: In UDP,
||| | 74.107.240.241:48641-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 221.208.208.95:53699-localhost:1026, Owner: no
||| | owner 1,[28/Jul/2007 01:39:54] Rule 'Packet to unopened port
||| | received': Blocked: In UDP,
||| | 67.81.156.51:20406-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:40:46] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 200.89.49.207:23085-localhost:29081, Owner: no
||| | owner 1,[28/Jul/2007 01:40:58] Rule 'Packet to unopened port
||| | received': Blocked: In UDP, 221.208.208.90:33490-localhost:1026,
||| | Owner: no owner 1,[28/Jul/2007 01:42:36] Rule 'Packet to unopened
||| | port received': Blocked: In UDP,
||| | 142.161.209.54:15611-localhost:29081, Owner: no owner
||| | 1,[28/Jul/2007 01:42:52] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 190.60.89.179:47922-localhost:29081, Owner: no
||| | owner 1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack':
||| | Blocked: In TCP, msnews.microsoft.com
||| | [207.46.248.16:119]-localhost:1185, Owner: no owner
||| | 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port received':
||| | Blocked: In UDP, 190.31.24.235:50988-localhost:29081, Owner: no
||| | owner
||| |
||| |
||| | --
||| | MEB
||| | http://peoplescounsel.orgfree.com
||| | ________
|||
||| --
||| Thanks or Good Luck,
||| There may be humor in this post, and,
||| Naturally, you will not sue,
||| Should things get worse after this,
||| PCR
|||
|||
|||
||
||
|| --
|| MEB
||
|| http://peoplescounsel.orgfree.com
|| ________

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
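
As an added example (not code from the thread, from Kerio, or from any poster), here is a small Python parser for the filter.log record format quoted above, run over a handful of the log lines posted in this thread. It tallies blocked inbound hits per local port (the 29081 question) and flags a remote endpoint that stepped through several local ports within a few seconds (the 24.64.192.20:17898 entries MEB points at). The sample lines are copied from the thread; the regular expression and the function names are my own assumptions, not Kerio's.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Kerio Personal Firewall filter.log record, per the help text quoted in
# the thread:
#   <1|2>,[dd/Mon/yyyy hh:mm:ss] Rule '<name>': <Blocked|Permitted>:
#   <In|Out> <PROTO>[ [<icmp type>] <description>], <src>-<dst>, Owner: <app>
# An endpoint is either "host[:port]" or "dnsname [ip[:port]]".  The bare
# host part must not contain '-' (that is the src/dst separator); hyphenated
# DNS names (ALL-ROUTERS.MCAST.NET) only ever appear in the bracketed form.

def _endpoint(prefix):
    return (rf"(?:(?P<{prefix}_name>[^\s\[\],]+) )?"
            rf"\[?(?P<{prefix}_host>[^\s\[\]:,-]+)(?::(?P<{prefix}_port>\d+))?\]?")

LINE_RE = re.compile(
    r"^(?P<kind>[12]),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Blocked|Permitted): (?P<direction>In|Out) (?P<proto>[A-Za-z]+)"
    r"(?: \[(?P<icmp_type>\d+)\] (?P<icmp_desc>[^,]+))?, "
    + _endpoint("src") + "-" + _endpoint("dst") + r", Owner: (?P<owner>.*)$"
)

def parse_line(line):
    """Return a dict for one filter.log record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    for key in ("src_port", "dst_port", "icmp_type"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def parse_log(text):
    """Parse every line of a filter.log, silently skipping unparseable ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def blocked_inbound_by_local_port(records):
    """Count blocked inbound packets per local (destination) port."""
    return Counter(r["dst_port"] for r in records
                   if r["action"] == "Blocked" and r["direction"] == "In"
                   and r["dst_port"] is not None)

def port_sweeps(records, min_ports=3, window=timedelta(seconds=5)):
    """Remote endpoints whose blocked inbound packets hit at least `min_ports`
    distinct local ports within `window`: the 'stepping through IN ports'
    pattern discussed in the thread.  Returns {(host, port): [local ports]}."""
    by_remote = defaultdict(list)
    for r in records:
        if (r["action"] == "Blocked" and r["direction"] == "In"
                and r["dst_port"] is not None):
            by_remote[(r["src_host"], r["src_port"])].append((r["ts"], r["dst_port"]))
    sweeps = {}
    for remote, hits in by_remote.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                sweeps[remote] = sorted(ports)
                break
    return sweeps

# Sample input: log lines copied from the posts in this thread.
SAMPLE_LOG = """\
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\\PROGRAM FILES\\AMERICA ONLINE 7.0\\WAOL.EXE
1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119-localhost:1072, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner
1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received': Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received': Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocked inbound per local port:", blocked_inbound_by_local_port(recs))
    print("port sweeps:", port_sweeps(recs))
```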



  #6  
Old July 29th 07, 09:49 PM posted to microsoft.public.win98.gen_discussion
MEB[_2_]
External Usenet User
 
Posts: 1,626
Default firewalls - ZONEALARM - what to block and why - your security at risk



"Curt Christianson" wrote in message
...
| Some real food for thought gentlemen. Thank you.
|
| P.S. I've been using ZA since 2000.
|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm

We aim to please...

I also used ZA for a number of years on the various 9X boxes and XP. The
rules aspect of other firewalls always drew me [having a Linux, Xenix, NT
background] but I thought it wise to use what others might be using [for
comparison purposes].
Now however, with the use of highly questionable activities on the
Internet, and my personal questions related to ZA, and no support from
Microsoft and ZoneLabs, I thought I would return to something which gave
considerably more control during my final testing days under 9X.

I have an old ZA version [forgot which version though, and have no
intention of re-installing it] about 1.4meg which actually seemed to supply
MOST of the normal functions required, at least semi-adequately. Sometimes I
thought the newer versions were attempting aspects which were not well
implemented or implemented in a fashion I thought not user friendly. Of
course there is an ability to setup *rules like* activities within ZA, but I
would imagine most users do not do so.

In the spirit of this discussion, which is to include any firewalls [and I
hope it eventually does. Note this has ZONEALARM now in its subject
heading]:

What version and product are you or others using?

Have you or others run monitoring/sniffing programs while using ZA to see
if it actually performs as advertised?

What settings or other seemed to be the most useful to you or other users?

What advice would users give concerning settings, configuration, etc. to
other users of ZA, [noting in Curt's case, I think you're using it under W2K,
so does that offer anything different as far as you know]?

Have you or other users created any similar rules within ZA to the below
[referencing Kerio PFW rules]?

|
| "MEB" meb@not wrote in message
| ...
| |
| |
| |
| | "PCR" wrote in message
| | ...
| || MEB wrote:
| || | PCR and Gram Pappy [among others] have been discussing firewall
| || | settings and what they can or should be used for.
| ||
| || That's right. I installed...
| ||
| || http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW
| ||
| || ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
| || later began a 17 year study of what to do with it. But I should have
| || spoke up sooner!
| ||
| || | In the spirit of those discussions, I thought I would post some
| || | blocked activity from a SINGLE session/contact through my ISP and
| || | ONLY to this news server and my email accounts [via OE6]. This is
| || | from the firewall log [several of my normal settings/restrictions
| || | were specifically reset for this presentation].
| ||
| || Thanks for jumping in. So, you wanted to see what would happen just by
| || connecting to the NET & using OE for mail & NG activity.
| |
| | Well, ah no, actually I wanted to let other users who may not have
| | investigated or understand firewalls.
| |
| ||
| || | No other Internet activity occurred [e.g., no external IE or browser
| || | usage or other activity]. All *allowed activity* has been removed, so
| || | that the addresses and activities blocked might be addressed for
| || | perhaps a greater understanding of the function of firewalls, what
| || | they can and are used for, and other aspects related thereto.
| ||
| || Really, it's important to see what was allowed too. Where I thought my
| || Primary DNS Server rule would be used only by NetZero (they are NetZero
| || addresses in there)... really a whole bunch of apps were using it! But
| || that's in the other thread!
| |
| | DNS is used by any program requiring addressing information. The key is
| | to limit to the EXACT DNS server(s) NOT within your system [unless for
| | local network traffic] and the port [53] used by that (those) server(s)
| | with limited [chosen by previous monitoring] local ports and applications.
| |
| | I will NOT post all my rules or what exactly I have configured locally
| | [that would supply the exact way to circumvent my protection], however I
| | will post this contact to retrieve the email/news messages [your
| | posting], with a few more inclusions [again, slightly modified rules and
| | rule logging]. This was ONLY to retrieve mail and the newsgroups on
| | Microsoft. Nothing else occurred BUT the logon to the ISP.
| |
| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
| | localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE
| | 7.0\WAOL.EXE
| | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router
| | Solicitation, localhost-224.0.0.2, Owner: Tcpip Kernel Driver
| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
| | XXX.XXX.XXX.X:7427-localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE
| | 7.0\WAOL.EXE
| | 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router
| | Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip
| | Kernel Driver
| | 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router
| | Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip
| | Kernel Driver
| | 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo
| | Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver
| | 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo
| | Request, XXX.XXX.XXX.XXX-localhost, Owner: Tcpip Kernel Driver
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898-localhost:1026, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898-localhost:1027, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898-localhost:1028, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP,
| | 207.46.248.16:119-localhost:1072, Owner: no owner
| | at which point I disconnected having retrieved mail and the news
| | messages.
| |
| | NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel
| | requests.
| |
| ||
| || | For those who do not understand firewalls, these activities would or
| || | may have been allowed as they followed either programs IN USE
| || | [allowed activity], or through addressing [broadcast or otherwise]
| || | had a firewall not been used.
| ||
| || That is right. Without a firewall with a good set of denial rules, all
| || activity is allowed. Hopefully, if a virus or a trojan or a spy can
| || sneak in that way, a good virus detector will prevent it from
| || executing. Also, there may have been an MS fix or two to prevent some
| || forms of abuse along these lines (I don't know).
| |
| | What would make you think any anti-spyware or anti-virus programs would
| | check or correct these types of activities?
| |
| | Anti-spyware programs MAY block certain addresses and perhaps some
| | ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to
| | infect something, or emails or files which contain hacks or other.
| | Host or lmhost files catch what they have been configured to catch via
| | addressing/name.
| | These, however, are *network use* activities WITHIN the TCP/IP and other
| | aspects of Internet/network usage. Firewalls, proxies, packet sniffers,
| | client servers, the TCP/IP kernel, and the like, are what handle these
| | activities.
| | Of course the above is an overly simplified explanation.
| |
| ||
| || | NOTE: this is contact through a dial-up connection[phone]/ISP [which
| || | is indicated via some of these addresses], ALWAYS ON connections are
| || | even more of a security risk.
| ||
| || Uhuh. I am Dial-Up too. That way, you get a new IP address each
| || connect.
| |
| | Only if that is what the ISP requires or desires.
| |
| ||
| || | Hopefully, this discussion will be useful to those interested and
| || | provide theory and answers to various issues.
| || | Rule sets or other settings for various firewalls would naturally be
| || | of interest.
| || |
| || | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
| ||
| || I find I have to guess as to the meaning of that. Looks like someone at
| || 67.170.2.174, who is Comcast...
| ||
| || http://www.networksolutions.com/whoi...p=67.170.2.174
| || .....Quote...........
| || 67.170.2.174
| || Record Type: IP Address
| ||
| || Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
| || 67.160.0.0 - 67.191.255.255
| || Comcast Cable Communications, IP Services WASHINGTON-6
| || (NET-67-170-0-0-1)
| || 67.170.0.0 - 67.170.127.255
| || .....EOQ.............
| ||
| || ...sent a UDP datagram to port 29081 on your machine. But I don't
| || know...
| ||
| || (1) did the port exist without an owner, & would it have received
| || the datagram (except the rule blocked it)?
| || (The name of that rule suggests the answer is no.)
| |
| | The data request would have been received and likely honored.
| | The port would have been opened/created to allow this activity.
| |
| ||
| || (2) did the port once exist & at that time have an owner,
| || but somehow was closed before the datagram arrived?
| || Therefore, it couldn't get it, anyhow, even if not blocked?
| |
| | If it would have been ALLOWED activity [e.g., without proxy or firewall
| | monitoring or exclusion, or within a hosts or lmhosts, or other], then
| | a search would have been made for an available port, and then
| | created/opened.
| | Look again at this:
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898-localhost:1026, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898-localhost:1027, Owner: no owner
| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| | 24.64.192.20:17898-localhost:1028, Owner: no owner
| |
| | See the attempt to find or create an open port?
| | Now, should I have stayed online, there would have been continued
| | attempts [see your prior discussion where I was online longer], though
| | with different Shaw addressing and OUT ports, again stepping through IN
| | [local] ports in attempt to find or create one.
| |
| |
| ||
| || (3) did the port 29081 never exist?
| ||
| || Do any earlier log entries mention that port? You'd have to log all
| || activity of each "permit" rule to know for sure. But, if there is no
| || rule permitting the activity, then you would have received a Kerio
| || requestor mentioning the port.
| |
| | No we don't need that.
| | Were an ALLOWED program or address using that aspect, then it would NOT
| | have created the denial. Either would have cascaded to find an open port
| | for use [as long as it was in the defined rule range].
| | AND you mention Kerio, which MUST have that turned on [requestor].
| | Other firewalls, particularly those that automatically configure
| | themselves, MAY not pop-up anything unless it has been configured that
| | way. They also MAY pass through such requests if piggy-backed from or on
| | allowed activities/programs. Think "but all I want to know is the user
| | address". Think Microsoft's firewalls, imagine what they are configured
| | by default to allow.
| |
| ||
| || Here is a Kerio help page to study...
| ||
| || ......Quote............
| || Filter.log file
| ||
| || The filter.log file is used for logging Kerio Personal Firewall actions
| || on a local computer. It is created in a directory where Personal
| || Firewall is installed (typically C:\Program Files\Kerio\Personal
| || Firewall). It is created upon the first record.
| ||
| || Filter.log is a text file where each record is placed on a new line. It
| || has the following format:
| ||
| || 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked:
| || In TCP, richard.kerio.cz [192.168.2.38:3772]-localhost:25, Owner:
| || G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
| ||
| || How to read this line:
| ||
| || 1 rule type (1 = denying, 2 = permitting)
| ||
| || [08/Jun/2001 16:52:09] date and time that the packet was detected (we
| || recommend checking the correct setting of the system time on your
| || computer)
| ||
| || Rule 'Internet Information Services' name of a rule that was applied
| || (from the Description field)
| ||
| || Blocked: / Permitted: indicates whether the packet was blocked or
| || permitted (corresponds with the number at the beginning of the line)
| ||
| || In / Out indicates an incoming or outgoing packet
| ||
| || IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule
| || was defined)
| ||
| || richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from
| || which the packet was sent, in square brackets is the IP address with
| || the source port after a colon
| ||
| || localhost:25 destination IP address (or DNS name) and port (localhost =
| || this computer)
| ||
| || Owner: name of the local application to which the packet is addressed
| || (including its full path). If the application is a system service the
| || name displayed is SYSTEM.
| || .........EOQ.................
| ||
| || | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
| || | Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
| ||
| || That one seems to be coming from...
| ||
| || NetRange: 200.0.0.0 - 200.255.255.255
| || NetName: LACNIC-200
| |
| | Yes, that is the key to your Firewall security.
| | Tracking each suspect activity to the originator, if possible.
| |
| | Actually were I to post prior complete TRACKING logs [which I
| | collect(ed) for specific use], say for one day's normal usage, vast
| | numbers of potentially dangerous attacks/attempts would be shown.
| | The Internet is a cesspool of users, unless you protect yourself from
| | them.
| | NO-ONE is completely invisible or invulnerable. There is always a
| | starting [requesting/receiving] address [yours].
| | If you were ACTUALLY invisible then nothing would reach you; you
| | couldn't receive a web page; you couldn't receive email; you couldn't
| | do any networking. Whatever is requested MUST have a destination [You].
| | [Okay, I know of ways but we're not educating hackers here.]
| |
| | FOR THE GENERAL DOUBTER [not you PCR]:
| | Try it. Block all network and Internet traffic in your firewall. That
| | closes all ports, hence no requesting/receiving address [yours]. It
| | doesn't matter that you may have obtained an IP address or have one
| | hard set, there is no way to use it {don't try this for long or you
| | will lose access to the net on a phoneline}. [Or clear your IP, DHCP,
| | and DNS entries {WINS if applicable}...] No ports or no address and
| | there is no network.
| | Now turn it on again [or re-connect] and do a TRACE [preferred] or ping
| | to ANY web address. Notice the addresses? Notice the routing?
| | NOW, exactly how did YOU receive that information? Certainly it wasn't
| | broadcast to the world and you just happened to have ended up with it.
| | Or was it?
| | --
| |
| | Now what could a hacker, or someone wishing to track you for whatever
| | reason, do with that information?
| | All that is originally needed by that party is the requesting/receiving
| | address; e.g. your address, your activity, something you did or allowed.
| | Once this is known then anything that party wishes to do can be done. Now
| | think about ALWAYS ON connections.
| |
| | For instance, you did go through Sponge's other pages [used because it
| | was previously referenced] which address advertising and other innocent
| | [cough] inclusions on web pages, or which you may find on the Internet,
| | correct?
| | Such as: http://www.geocities.com/yosponge/othrstuf.html
| | Did you look at his host file, etc..
| | Or perhaps look at ports, packets, formation, and other aspects over on:
| | http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
| |
| | 9X users?
| | Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide
| | some nice tools for network/Internet use/diagnostics.
| | Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be
| | careful using it, many servers do NOT like to be scanned, you may be
| | logged and your ISP or other agency may be contacted..
| |
| | Another nifty test tool is called *tooleaky*. A little 3k tool to test
| your
| | supposed security [created to test/expose GRC suggestions]. Read about
| what
| | it does and how. You might think twice about what you think you know.
| |
| | If you're using 2000 or above, might want to check these older tools:
| |
| | http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee
| |
| | Attacker 3.00
| |
| | http://www.foundstone.com/knowledge/proddesc/fport.html
| | fport - find out what is using what port - 2000 - XP/NT
| | Identify unknown open ports and their associated applications
| | Copyright 2002 (c) by Foundstone, Inc.
| | http://www.foundstone.com
| | fport supports Windows NT4, Windows 2000 and Windows XP
| | fport reports all open TCP/IP and UDP ports and maps them to the owning
| | application. This is the same information you would see using the
| | 'netstat -an' command, but it also maps those ports to running processes
| | with the PID, process name and path. Fport can be used to quickly identify
| | unknown open ports and their associated applications.
| |
| |
| | Trout Version 2.0 (formerly SuboTronic)
| | New in this release
| | Parallel pinging, resulting in a huge speed improvement.
| | Selectable background and text colors.
| | Improved interface.
| | Save trace to file.
| | Improved HTML output.
| | Optional continuous ping mode.
| | Traceroute and Whois program.
| | Copyright 2000 (c) by Foundstone, Inc.
| | A visual (i.e. GUI as opposed to command-line) traceroute and Whois program.
| | Pinging can be set at a controllable rate as can the frequency of repeatedly
| | scanning the selected host. The built-in simple Whois lookup can be used to
| | identify hosts discovered along the route to the destination computer.
| | Parallel pinging and hostname lookup techniques make this traceroute program
| | perhaps the fastest currently available.
| |
| |
| | Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's
| | TechNet
| |
| ||
| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no owner
| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027, Owner: no owner
| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port received': Blocked: In UDP, 189.153.168.143:32737-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107-localhost:1434, Owner: no owner
| || | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:7212, Owner: no owner
| || | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:8000, Owner: no owner
| || | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner
| || | 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port received': Blocked: In UDP, 90.20.19.204:46983-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received': Blocked: In UDP, 87.235.125.80:8052-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port received': Blocked: In UDP, 69.126.6.107:32338-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened port received': Blocked: In UDP, 189.128.113.251:16491-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1026, Owner: no owner
| || | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1027, Owner: no owner
| || | 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened port received': Blocked: In UDP, 200.117.180.230:22925-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': Blocked: In UDP, 74.120.200.92:45097-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': Blocked: In UDP, 88.22.213.173:19033-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port received': Blocked: In UDP, 74.107.240.241:48641-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.95:53699-localhost:1026, Owner: no owner
| || | 1,[28/Jul/2007 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, 67.81.156.51:20406-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, 200.89.49.207:23085-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.90:33490-localhost:1026, Owner: no owner
| || | 1,[28/Jul/2007 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, 142.161.209.54:15611-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, 190.60.89.179:47922-localhost:29081, Owner: no owner
| || | 1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1185, Owner: no owner
| || | 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port received': Blocked: In UDP, 190.31.24.235:50988-localhost:29081, Owner: no owner
| || |
| || |
| || | --
| || | MEB
| || | http://peoplescounsel.orgfree.com
| || | ________
| ||
| || --
| || Thanks or Good Luck,
| || There may be humor in this post, and,
| || Naturally, you will not sue,
| || Should things get worse after this,
| || PCR
| ||
| ||
| ||
| |
| |
| | --
| | MEB
| | http://peoplescounsel.orgfree.com
| | ________
| |
| |
| |
| |
|
|

--
MEB
http://peoplescounsel.orgfree.com
________



  #7  
Old July 30th 07, 01:10 AM posted to microsoft.public.win98.gen_discussion
Curt Christianson[_2_]
External Usenet User
 
Posts: 143
Default firewalls - ZONEALARM - what to block and why - your security at risk

Hi MEB, and all,


I'm actually running a rather old version of ZA; v. 3.1.291. My philosophy
is *unlike* AV apps. etc., there just isn't much to improve IMHO. I don't
want or need any additional bells and whistles.

And you were close, I'm running XP Pro, but I keep perusing this group,
because this is where it all started for me. I still have my copy of W98SE,
but it's kind of a pain to install that *after* XP is already there. I was a
die-hard 98 fan, and swore I would *never* switch to XP, but the computer I
inherited already had it on it. I figured I'd give it a try, and if I
didn't like it, well, then back to good ol' 98. The way I have XP set up,
you'd almost think it was 98. I turned off *all* the cutesy eye-candy etc.,
mainly for performance reasons. Besides, I *hate* pastels! This box was
built for W98.
I have to admit that it is extremely stable, but then again so was my 98
install. It's the "junk" we add later that tends to muck things up.

Sorry I digressed.

--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" meb@not wrote in message
...
|
|
| "Curt Christianson" wrote in message
| ...
|| Some real food for thought gentlemen. Thank you.
||
|| P.S. I've been using ZA since 2000.
||
|| --
|| HTH,
|| Curt
||
|| Windows Support Center
|| www.aumha.org
|| Practically Nerded,...
|| http://dundats.mvps.org/Index.htm
|
| We aim to please...
|
| I also used ZA for a number of years on the various 9X boxes and XP. The
| rules aspect of other firewalls always drew me [having a Linux, Zenix, NT
| background] but I thought it wise to use what others might be using [for
| comparison purposes].
| Now however, with the use of highly questionable activities on the
| Internet, and my personal questions related to ZA, and no support from
| Microsoft and ZoneLabs, I thought I would return to something which gave
| considerably more control during my final testing days under 9X.
|
| I have an old ZA version [forgot which version though, and have no
| intention of re-installing it] about 1.4meg which actually seemed to supply
| MOST of the normal functions required, at least semi-adequately. Sometimes I
| thought the newer versions were attempting aspects which were not well
| implemented or implemented in a fashion I thought not user friendly. Of
| course there is an ability to setup *rules like* activities within ZA, but I
| would imagine most users do not do so.
|
| In the spirit of this discussion, which is to include any firewalls [and I
| hope it eventually does. Note this has ZONEALARM now in its subject
| heading]:
|
| What version and product are you or others using?
|
| Have you or others run monitoring/sniffing programs while using ZA to see
| if it actual performs as advertised?
|
| What settings or other seemed to be the most useful to you or other users?
|
| What advice would users give concerning settings, configuration, etc. to
| other users of ZA, [noting in Curt's case, I think you're using it under W2K,
| so does that offer anything different as far as you know]?
|
| Have you or other users created any similar rules within ZA to the below
| [referencing Kerio PFW rules]?
|
||
|| "MEB" meb@not wrote in message
|| ...
|| |
|| |
|| |
|| | "PCR" wrote in message
|| | ...
|| || MEB wrote:
|| || | PCR and Gram Pappy [among others] have been discussing firewall
|| || | settings and what they can or should be used for.
|| ||
|| || That's right. I installed...
|| ||
|| || http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW
|| ||
|| || ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
|| || later began a 17 year study of what to do with it. But I should have
|| || spoken up sooner!
|| ||
|| || | In the spirit of those discussions, I thought I would post some
|| || | blocked activity from a SINGLE session/contact through my ISP and
|| || | ONLY to this news server and my email accounts [via OE6]. This is
|| || | from the firewall log [several of my normal settings/restrictions
|| || | were specifically reset for this presentation].
|| ||
|| || Thanks for jumping in. So, you wanted to see what would happen just by
|| || connecting to the NET & using OE for mail & NG activity.
|| |
|| | Well, ah no, actually I wanted to let other users who may not have
|| | investigated or understand firewalls.
|| |
|| ||
|| || | No other Internet activity occurred [e.g., no external IE or browser
|| || | usage or other activity]. All *allowed activity* has been removed, so
|| || | that the addresses and activities blocked might be addressed for
|| || | perhaps a greater understanding of the function of firewalls, what
|| || | they can and are used for, and other aspects related thereto.
|| ||
|| || Really, it's important to see what was allowed too. Where I thought my
|| || Primary DNS Server rule would be used only by NetZero (they are NetZero
|| || addresses in there)... really a whole bunch of apps were using it! But
|| || that's in the other thread!
|| |
|| | DNS is used by any program requiring addressing information. The key is to
|| | limit to the EXACT DNS server(s) NOT within your system [unless for local
|| | network traffic] and the port [53] used by that (those) server(s) with
|| | limited [chosen by previous monitoring] local ports and applications.
|| |
|| | I will NOT post all my rules or what exactly I have configured locally
|| | [that would supply the exact way to circumvent my protection], however I
|| | will post this contact to retrieve the email/news messages [your posting],
|| | with a few more inclusions [again, slightly modified rules and rule
|| | logging]. This was ONLY to retrieve mail and the newsgroups on Microsoft.
|| | Nothing else occurred BUT the logon to the ISP.
|| |
|| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
|| | 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-224.0.0.2, Owner: Tcpip Kernel Driver
|| | 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP, XXX.XXX.XXX.X:7427-localhost:1030, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
|| | 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
|| | 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
|| | 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver
|| | 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8] Echo Request, XXX.XXX.XXX.XXX-localhost, Owner: Tcpip Kernel Driver
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.248.16:119-localhost:1072, Owner: no owner
|| | at which point I disconnected having retrieved mail and the news messages.
|| |
|| | NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip Kernel
|| | requests.
|| |
|| ||
|| || | For those who do not understand firewalls, these activities would or
|| || | may have been allowed as they followed either programs IN USE [allowed
|| || | activity], or through addressing [broadcast or otherwise] had a
|| || | firewall not been used.
|| ||
|| || That is right. Without a firewall with a good set of denial rules, all
|| || activity is allowed. Hopefully, if a virus or a trojan or a spy can
|| || sneak in that way, a good virus detector will prevent it from executing.
|| || Also, there may have been an MS fix or two to prevent some forms of
|| || abuse along these lines (I don't know).
|| |
|| | What would make you think any anti-spyware or anti-virus programs would
|| | check or correct these types of activities?
|| |
|| | Anti-spyware programs MAY block certain addresses and perhaps some ActiveX,
|| | or other. Anti-virus MIGHT catch scripting or attempts to infect something,
|| | or emails or files which contain hacks or other. Host or lmhost files catch
|| | what they have been configured to catch via addressing/name.
|| | These, however, are *network use* activities WITHIN the TCP/IP and other
|| | aspects of Internet/network usage. Firewalls, proxies, packet sniffers,
|| | client servers, the TCP/IP kernel, and the like, are what handle these
|| | activities.
|| | Of course the above is an overly simplified explanation.
|| |
|| ||
|| || | NOTE: this is contact through a dial-up connection[phone]/ISP [which
|| || | is indicated via some of these addresses], ALWAYS ON connections are
|| || | even more of a security risk.
|| ||
|| || Uhuh. I am Dial-Up too. That way, you get a new IP address each connect.
|| |
|| | Only if that is what the ISP requires or desires.
|| |
|| ||
|| || | Hopefully, this discussion will be useful to those interested and
|| || | provide theory and answers to various issues.
|| || | Rule sets or other settings for various firewalls would naturally be
|| || | of interest.
|| || |
|| || | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
|| || | Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no owner
|| ||
|| || I find I have to guess as to the meaning of that. Looks like someone at
|| || 67.170.2.174, who is Comcast...
|| ||
|| || http://www.networksolutions.com/whoi...p=67.170.2.174
|| || .....Quote...........
|| || 67.170.2.174
|| || Record Type: IP Address
|| ||
|| || Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
|| || 67.160.0.0 - 67.191.255.255
|| || Comcast Cable Communications, IP Services WASHINGTON-6
|| || (NET-67-170-0-0-1)
|| || 67.170.0.0 - 67.170.127.255
|| || .....EOQ.............
|| ||
|| || ...sent a UDP datagram to port 29081 on your machine. But I don't
|| || know...
|| ||
|| || (1) did the port exist without an owner, & would it have received
|| || the datagram (except the rule blocked it)?
|| || (The name of that rule suggests the answer is no.)
|| |
|| | The data request would have been received and likely honored.
|| | The port would have been opened/created to allow this activity.
|| |
|| ||
|| || (2) did the port once exist & at that time have an owner,
|| || but somehow was closed before the datagram arrived?
|| || Therefore, it couldn't get it, anyhow, even if not blocked?
|| |
|| | If it would have been ALLOWED activity [e.g., without proxy or firewall
|| | monitoring or exclusion, or within a hosts or lmhosts, or other], then a
|| | search would have been made for an available port, and then
|| | created/opened.
|| | Look again at this:
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898-localhost:1026, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898-localhost:1027, Owner: no owner
|| | 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
|| | 24.64.192.20:17898-localhost:1028, Owner: no owner
|| |
|| | See the attempt to find or create an open port?
|| | Now, should I have stayed online, there would have been continued attempts
|| | [see your prior discussion where I was online longer], though with different
|| | Shaw addressing and OUT ports, again stepping through IN [local] ports in
|| | attempt to find or create one.
|| |
|| |
|| ||
|| || (3) did the port 29081 never exist?
|| ||
|| || Do any earlier log entries mention that port? You'd have to log all
|| || activity of each "permit" rule to know for sure. But, if there is no
|| || rule permitting the activity, then you would have received a Kerio
|| || requestor mentioning the port.
|| |
|| | No we don't need that.
|| | Were an ALLOWED program or address using that aspect, then it would NOT
|| | have created the denial. Either would have cascaded to find an open port for
|| | use [as long as it was in the defined rule range].
|| | AND you mention Kerio, which MUST have that turned on [requestor].
|| | Other firewalls, particularly those that automatically configure
|| | themselves, MAY not pop-up anything unless it has been configured that way.
|| | They also MAY pass through such requests if piggy-backed from or on allowed
|| | activities/programs. Think "but all I want to know is the user address".
|| | Think Microsoft's firewalls, imagine what they are configured by default to
|| | allow.
|| |
|| ||
|| || Here is a Kerio help page to study...
|| ||
|| || ......Quote............
|| || Filter.log file
|| ||
|| || The filter.log file is used for logging Kerio Personal Firewall actions
|| || on a local computer. It is created in a directory where Personal
|| || Firewall is installed (typically C:\Program Files\Kerio\Personal
|| || Firewall). It is created upon the first record.
|| ||
|| || Filter.log is a text file where each record is placed on a new line. It
|| || has the following format:
|| ||
|| || 1,[08/Jun/2001 16:52:09] Rule 'Internet Information Services': Blocked:
|| || In TCP, richard.kerio.cz [192.168.2.38:3772]-localhost:25, Owner:
|| || G:\WINNT\SYSTEM32\INETSRV\INETINFO.EXE
|| ||
|| || How to read this line:
|| ||
|| || 1 rule type (1 = denying, 2 = permitting)
|| ||
|| || [08/Jun/2001 16:52:09] date and time that the packet was detected (we
|| || recommend checking the correct setting of the system time on your
|| || computer)
|| ||
|| || Rule 'Internet Information Services' name of a rule that was applied
|| || (from the Description field)
|| ||
|| || Blocked: / Permitted: indicates whether the packet was blocked or
|| || permitted (corresponds with the number at the beginning of the line)
|| ||
|| || In / Out indicates an incoming or outgoing packet
|| ||
|| || IP / TCP / UDP / ICMP, etc. communication protocol (for which the rule
|| || was defined)
|| ||
|| || richard.kerio.com [192.168.2.38:3772] DNS name of the computer, from
|| || which the packet was sent, in square brackets is the IP address with the
|| || source port after a colon
|| ||
|| || localhost:25 destination IP address (or DNS name) and port (localhost =
|| || this computer)
|| ||
|| || Owner: name of the local application to which the packet is addressed
|| || (including its full path). If the application is a system service the
|| || name displayed is SYSTEM.
|| || .........EOQ.................
|| ||
|| || | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
|| || | Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
|| ||
|| || That one seems to be coming from...
|| ||
|| || NetRange: 200.0.0.0 - 200.255.255.255
|| || NetName: LACNIC-200
|| |
|| | Yes, that is the key to your Firewall security.
|| | Tracking each suspect activity to the originator, if possible.
|| |
|| | Actually were I to post prior complete TRACKING logs [which I collect(ed)
|| | for specific use], say for one day's normal usage, vast numbers of
|| | potentially dangerous attacks/attempts would be shown.
|| | The Internet is a cesspool of users, unless you protect yourself from them.
|| | NO-ONE is completely invisible or invulnerable. There is always a starting
|| | [requesting/receiving] address [yours].
|| | If you were ACTUALLY invisible then nothing would reach you; you couldn't
|| | receive a web page; you couldn't receive email; you couldn't do any
|| | networking. Whatever is requested MUST have a destination [You]. [Okay, I
|| | know of ways but we're not educating hackers here.]
|| |
|| | FOR THE GENERAL DOUBTER [not you PCR]:
|| | Try it. Block all network and Internet traffic in your firewall. That
|| | closes all ports, hence no requesting/receiving address [yours]. It doesn't
|| | matter that you may have obtained an IP address or have one hard set, there
|| | is no way to use it {don't try this for long or you will lose access to the
|| | net on a phoneline}. [Or clear your IP, DHCP, and DNS entries {WINS if
|| | applicable}...] No ports or no address and there is no network.
|| | Now turn it on again [or re-connect] and do a TRACE [preferred] or ping to
|| | ANY web address. Notice the addresses? Notice the routing?
|| | NOW, exactly how did YOU receive that information? Certainly it wasn't
|| | broadcast to the world and you just happened to have ended up with it. Or
|| | was it?
|| | --
|| |
|| | Now what could a hacker, or someone wishing to track you for whatever
|| | reason, do with that information?
|| | All that is originally needed by that party is the requesting/receiving
|| | address; e.g. your address, your activity, something you did or allowed.
|| | Once this is known then anything that party wishes to do can be done. Now
|| | think about ALWAYS ON connections.
|| |
|| | For instance, you did go through Sponge's other pages [used because it was
|| | previously referenced] which address advertising and other innocent [cough]
|| | inclusions on web pages, or which you may find on the Internet, correct?
|| | Such as: http://www.geocities.com/yosponge/othrstuf.html
|| | Did you look at his host file, etc..
|| | Or perhaps look at ports, packets, formation, and other aspects over on:
|| | http://www.faqs.org/rfcs/ - Internet RFC/STD/FYI/BCP Archives
|| |
|| | 9X users?
|| | Older versions of NetInfo [NetInfo - Version 3.75 (Build 604)] provide some
|| | nice tools for network/Internet use/diagnostics.
|| | Local Info, Ping, Finger, Whois, Scanner, Services, Lookup, etc.. Be careful
|| | using it, many servers do NOT like to be scanned, you may be logged and your
|| | ISP or other agency may be contacted..
|| |
|| | Another nifty test tool is called *tooleaky*. A little 3k tool to test your
|| | supposed security [created to test/expose GRC suggestions]. Read about what
|| | it does and how. You might think twice about what you think you know.
|| |
|| | If you're using 2000 or above, might want to check these older tools:
|| |
|| | http://www.foundstone.com/us/resources-free-tools.asp - Division of McAfee
|| |
|| | Attacker 3.00
|| |
|| | http://www.foundstone.com/knowledge/proddesc/fport.html
|| | fport - find out what is using what port - 2000 - XP/NT
|| | Identify unknown open ports and their associated applications
|| | Copyright 2002 (c) by Foundstone, Inc.
|| | http://www.foundstone.com
|| | fport supports Windows NT4, Windows 2000 and Windows XP
|| | fport reports all open TCP/IP and UDP ports and maps them to the owning
|| | application. This is the same information you would see using the
|| | 'netstat -an' command, but it also maps those ports to running processes
|| | with the PID, process name and path. Fport can be used to quickly identify
|| | unknown open ports and their associated applications.
|| |
|| |
|| | Trout Version 2.0 (formerly SuboTronic)
|| | New in this release
|| | Parallel pinging, resulting in a huge speed improvement.
|| | Selectable background and text colors.
|| | Improved interface.
|| | Save trace to file.
|| | Improved HTML output.
|| | Optional continuous ping mode.
|| | Traceroute and Whois program.
|| | Copyright 2000 (c) by Foundstone, Inc.
|| | A visual (i.e. GUI as opposed to command-line) traceroute and Whois program.
|| | Pinging can be set at a controllable rate as can the frequency of repeatedly
|| | scanning the selected host. The built-in simple Whois lookup can be used to
|| | identify hosts discovered along the route to the destination computer.
|| | Parallel pinging and hostname lookup techniques make this traceroute program
|| | perhaps the fastest currently available.
|| |
|| |
|| | Of course SYSINTERNALS/WINTERNALS has some nice tools - look on Microsoft's
|| | TechNet
|| |
|| ||
|| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no owner
|| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 218.10.137.139:55190-localhost:1027, Owner: no owner
|| || | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:34:10] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:35:30] Rule 'Packet to unopened port received': Blocked: In UDP, 189.153.168.143:32737-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:35:46] Rule 'Packet to unopened port received': Blocked: In UDP, 58.49.103.227:1107-localhost:1434, Owner: no owner
|| || | 1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:7212, Owner: no owner
|| || | 1,[28/Jul/2007 01:36:08] Rule 'Packet to unopened port received': Blocked: In TCP, 219.148.119.6:12200-localhost:8000, Owner: no owner
|| || | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner
|| || | 1,[28/Jul/2007 01:36:12] Rule 'Packet to unopened port received': Blocked: In UDP, 90.20.19.204:46983-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:36:30] Rule 'Packet to unopened port received': Blocked: In UDP, 87.235.125.80:8052-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:36:50] Rule 'Packet to unopened port received': Blocked: In UDP, 69.126.6.107:32338-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:37:36] Rule 'Packet to unopened port received': Blocked: In UDP, 189.128.113.251:16491-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1026, Owner: no owner
|| || | 1,[28/Jul/2007 01:37:38] Rule 'Packet to unopened port received': Blocked: In UDP, 221.209.110.13:49282-localhost:1027, Owner: no owner
|| || | 1,[28/Jul/2007 01:38:02] Rule 'Packet to unopened port received': Blocked: In UDP, 200.117.180.230:22925-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:38:10] Rule 'Packet to unopened port received': Blocked: In UDP, 74.120.200.92:45097-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:38:30] Rule 'Packet to unopened port received': Blocked: In UDP, 88.22.213.173:19033-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:38:56] Rule 'Packet to unopened port received': Blocked: In UDP, 74.107.240.241:48641-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:39:22] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.95:53699-localhost:1026, Owner: no owner
|| || | 1,[28/Jul/2007 01:39:54] Rule 'Packet to unopened port received': Blocked: In UDP, 67.81.156.51:20406-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:40:46] Rule 'Packet to unopened port received': Blocked: In UDP, 200.89.49.207:23085-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:40:58] Rule 'Packet to unopened port received': Blocked: In UDP, 221.208.208.90:33490-localhost:1026, Owner: no owner
|| || | 1,[28/Jul/2007 01:42:36] Rule 'Packet to unopened port received': Blocked: In UDP, 142.161.209.54:15611-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:42:52] Rule 'Packet to unopened port received': Blocked: In UDP, 190.60.89.179:47922-localhost:29081, Owner: no owner
|| || | 1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1185, Owner: no owner
|| || | 1,[28/Jul/2007 01:43:40] Rule 'Packet to unopened port received': Blocked: In UDP, 190.31.24.235:50988-localhost:29081, Owner: no owner
|| || |
|| || |
|| || | --
|| || | MEB
|| || | http://peoplescounsel.orgfree.com
|| || | ________
|| ||
|| || --
|| || Thanks or Good Luck,
|| || There may be humor in this post, and,
|| || Naturally, you will not sue,
|| || Should things get worse after this,
|| || PCR
|| ||
|| ||
|| ||
|| |
|| |
|| | --
|| | MEB
|| | http://peoplescounsel.orgfree.com
|| | ________
|| |
|| |
|| |
|| |
||
||
|
| --
| MEB
| http://peoplescounsel.orgfree.com
| ________
|
|
|
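
A worked example for the Kerio filter.log format documented in the help text PCR quotes above, and for the log excerpts in MEB's posts (both this one and the earlier one in the thread). This is Python added for this page, not code from Kerio, MEB or PCR; it assumes entries follow the layout exactly as quoted, uses lines copied from the thread as its sample input (the XXX.* addresses are MEB's own masking, kept as they appear), and flags two of the patterns MEB draws attention to: one remote socket stepping through consecutive local ports (the 1026/1027/1028 'Shaw Comm block' entries), and one local port hit by many unrelated sources (29081).

```python
# Kerio Personal Firewall filter.log parser and probe-pattern summary.
# Added example for this thread; not Kerio's, MEB's or PCR's code. The entry
# layout follows the Kerio help text quoted in the thread; the sample lines
# are copied from the log excerpts posted there.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# <1|2>,[dd/Mon/yyyy hh:mm:ss] Rule '<name>': Blocked|Permitted: In|Out <PROTO>
#   [ [<icmp type>] <icmp name>], <endpoint>-<endpoint>, Owner: <application>
LINE_RE = re.compile(
    r"^(?P<kind>[12]),\[(?P<stamp>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Blocked|Permitted): (?P<direction>In|Out) (?P<proto>[A-Z]+)"
    r"(?: \[(?P<icmp_type>\d+)\] (?P<icmp_name>[^,]+))?, "
    r"(?P<pair>.+), Owner: (?P<owner>.*)$"
)


@dataclass(frozen=True)
class Endpoint:
    name: Optional[str]  # DNS name when Kerio resolved one, else None
    addr: str            # IP address, or "localhost" for this machine
    port: Optional[int]  # None for ICMP and bare addresses


@dataclass(frozen=True)
class Record:
    stamp: str
    rule: str
    action: str      # "Blocked" or "Permitted"
    direction: str   # "In" or "Out"
    proto: str
    remote: Endpoint
    local: Endpoint
    owner: str


def parse_endpoint(text: str) -> Endpoint:
    """Accepts 'name [ip:port]', 'name [ip]', 'ip:port', 'ip' or 'localhost:port'."""
    m = re.match(r"^(?P<name>\S+) \[(?P<inner>[^\]]+)\]$", text)
    name, inner = (m.group("name"), m.group("inner")) if m else (None, text)
    addr, sep, port = inner.rpartition(":")
    if not sep:                      # no port at all (ICMP, multicast target)
        addr, port = inner, ""
    return Endpoint(name, addr, int(port) if port else None)


def parse_line(line: str) -> Optional[Record]:
    """Return a Record, or None for anything that is not a filter.log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # One side of every entry is localhost; the direction says which side.
    # Split on '-localhost' rather than on the first hyphen, because DNS names
    # in the remote part (host230.200-117-180...) contain hyphens themselves.
    if m.group("direction") == "In":
        sides = re.match(r"^(?P<remote>.+)-(?P<local>localhost(?::\d+)?)$", m.group("pair"))
    else:
        sides = re.match(r"^(?P<local>localhost(?::\d+)?)-(?P<remote>.+)$", m.group("pair"))
    if not sides:
        return None
    return Record(m.group("stamp"), m.group("rule"), m.group("action"),
                  m.group("direction"), m.group("proto"),
                  parse_endpoint(sides.group("remote")),
                  parse_endpoint(sides.group("local")), m.group("owner"))


def parse_log(text: str) -> List[Record]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def _blocked_inbound(records: List[Record]):
    for r in records:
        if r.action == "Blocked" and r.direction == "In" and r.local.port is not None:
            yield r


def find_port_walks(records: List[Record], min_run: int = 2) -> Dict[tuple, List[int]]:
    """One remote socket stepping through consecutive local ports: the
    1026/1027/1028 pattern MEB points at in the 'Shaw Comm block' entries."""
    by_source = defaultdict(set)
    for r in _blocked_inbound(records):
        by_source[(r.remote.addr, r.remote.port)].add(r.local.port)
    walks = {}
    for source, ports in by_source.items():
        ordered = sorted(ports)
        if len(ordered) >= min_run and ordered[-1] - ordered[0] == len(ordered) - 1:
            walks[source] = ordered
    return walks


def sources_per_local_port(records: List[Record]) -> Dict[int, int]:
    """Distinct remote addresses hitting each blocked local port; a port that
    many unrelated hosts probe (29081 in the thread) stands out here."""
    hits = defaultdict(set)
    for r in _blocked_inbound(records):
        hits[r.local.port].add(r.remote.addr)
    return {port: len(addrs) for port, addrs in hits.items()}


# Sample input: lines copied from the log excerpts posted in this thread.
SAMPLE_LOG = r"""
2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP, localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10] Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2], Owner: Tcpip Kernel Driver
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received': Blocked: In UDP, 190.46.171.127:41806-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:38:16] Rule 'Packet to unopened port received': Blocked: In UDP, host230.200-117-180.telecom.net.ar [200.117.180.230:22925]-localhost:29081, Owner: no owner
1,[28/Jul/2007 01:43:20] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1185, Owner: no owner
"""

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(f"{len(records)} entries parsed")
    for (addr, port), ports in find_port_walks(records).items():
        print(f"port walk from {addr}:{port} over local ports {ports}")
    for port, n in sorted(sources_per_local_port(records).items()):
        print(f"local port {port}: {n} distinct blocked source address(es)")
```

Run as a script it reports the 24.64.192.20:17898 walk over 1026-1028 and the two distinct sources on 29081; to use it on a real session, read a saved filter.log into parse_log in place of SAMPLE_LOG. The Permitted and ICMP entries are parsed as well, so the allowed traffic PCR says he wants to see can be summarised by rule or owner with the same records.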


  #8  
Old July 30th 07, 01:36 AM posted to microsoft.public.win98.gen_discussion
PCR
External Usenet User
 
Posts: 4,396
Default firewalls - what to block and why - your security at risk

MEB wrote:
| "PCR" wrote in message
| ...
|| MEB wrote:
|| | PCR and Gram Pappy [among others] have been discussing firewall
|| | settings and what they can or should be used for.
||
|| That's right. I installed...
|| http://www.dslreports.com/faq/securi...-v3.0+Tiny+PFW
||
|| ...Kerio Personal Firewall v2.1.5 about 4 years ago & several months
|| later began a 17 year study of what to do with it. But I should have
|| spoken up sooner!
||
|| | In the spirit of those discussions, I thought I would post some
|| | blocked activity from a SINGLE session/contact through my ISP and
|| | ONLY to this news server and my email accounts [via OE6]. This is
|| | from the firewall log [several of my normal settings/restrictions
|| | were specifically reset for this presentation].
||
|| Thanks for jumping in. So, you wanted to see what would happen just
|| by connecting to the NET & using OE for mail & NG activity.
|
| Well, ah no, actually I wanted to let other users who may not have
| investigated or understand firewalls.

Uh-huh. Naturally, you & I have advanced beyond that point.

||
|| | No other Internet activity occurred [e.g., no external IE or
|| | browser usage or other activity]. All *allowed activity* has been
|| | removed, so that the addresses and activities blocked might be
|| | addressed for perhaps a greater understanding of the function of
|| | firewalls, what they can and are used for, and other aspects
|| | related thereto.
||
|| Really, it's important to see what was allowed too. Where I thought
|| my Primary DNS Server rule would be used only by NetZero (they are
|| NetZero addresses in there)... really a whole bunch of apps were
|| using it! But that's in the other thread!
|
| DNS is used by any program requiring addressing information.

The sole purpose of my DNS Server rule(s)...

Protocol.......... UDP
Direction......... Both
Local Endpoint
Ports........... 1024-5000
Application... Any (but now I've limited it to 5 apps
by creating 5 of these rules)
Remote Endpoint
Addresses.... The entire NetZero range
Port............. 53

... is to resolve NET addresses? Still, am I right to seek to limit it
to the five apps I kind of have to trust? Otherwise, can't it be
appropriated by some devious app to do ill?

| The key
| is to limit to the EXACT DNS server(s) NOT within your system [unless
| for local network traffic] and the port [53] used by that (those)
| server(s) with limited [chosen by previous monitoring] local ports
| and applications.

Why do I need to bother with ports, if I limit the DNS rule(s) to
trusted apps & to trusted NetZero addresses? Unfortunately, Kerio does
not permit a list of apps in a rule, the way it does with ports &
addresses. So, currently I have coded 5 of them...!...

(1) DNS Server-- EXEC.exe (NetZero)
(2) DNS Server-- ASHWEBSV (avast! Web Scanner)
(3) DNS Server-- AVAST.SETUP (There actually is no program)
(4) DNS Server-- ASHMAISV (avast! e-Mail Scanner Service)
(5) DNS Server-- IExplore

| I will NOT post all my rules or what exactly I have configured
| locally [that would supply the exact way to circumvent my
| protection],

OK.

| however I will post this contact to retrieve the
| email/news messages [your posting], with a few more inclusions
| [again, slightly modified rules and rule logging]. This was ONLY to
| retrieve mail and the newsgroups on Microsoft. Nothing else occurred
| BUT the logon to the ISP.

OK, limited to mail & NG activities, right.

| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: Out UDP,
| localhost:1030-XXX.XXX.XXX.X:7427, Owner: C:\PROGRAM FILES\AMERICA
| ONLINE
| 7.0\WAOL.EXE

So... WAOL.exe (which was port 1030 on your computer) needed to resolve
an address? And it did so at XXX.XXX.XXX.X, port 7427? Is that what that
says?

| 1,[28/Jul/2007 17:22:18] Rule 'Other ICMP': Blocked: Out ICMP [10]
| Router Solicitation, localhost-224.0.0.2, Owner: Tcpip Kernel Driver

I get lots of those. Here is the last I recorded...

1,[27/Jul/2007 17:40:12] Rule 'Kill ICMP (Log)': Blocked: In ICMP [8]
Echo Request, 4.232.192.209-localhost, Owner: Tcpip Kernel Driver

..., but, beginning yesterday, I have chosen NOT to log those anymore. I
have two rules above that blocker. One allows ICMP incoming for...
[0] Echo Reply, [3] Destination Unreachable, [11] Time Exceeded

The other allows it outgoing for...
[3] Destination Unreachable, [8] Echo Request

I think that's probably finalized for ICMP. In this case, specific apps
& ports are not possible in the rules-- only specific endpoint addresses
are. But mine apply to any address.

| 2,[28/Jul/2007 17:22:18] Rule 'AOL UDP pass': Permitted: In UDP,
| XXX.XXX.XXX.X:7427-localhost:1030, Owner: C:\PROGRAM FILES\AMERICA
| ONLINE
| 7.0\WAOL.EXE

| 1,[28/Jul/2007 17:22:22] Rule 'Other ICMP': Blocked: Out ICMP [10]
| Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2],
| Owner: Tcpip Kernel Driver

I've never seen an ALL-ROUTERS.MCAST.NET. But this would also be blocked
in my machine!

| 1,[28/Jul/2007 17:22:24] Rule 'Other ICMP': Blocked: Out ICMP [10]
| Router Solicitation, localhost-ALL-ROUTERS.MCAST.NET [224.0.0.2],
| Owner: Tcpip Kernel Driver

| 1,[28/Jul/2007 17:23:58] Rule 'Incoming ICMP': Blocked: In ICMP [8]
| Echo Request, XXX.XXX.XX.XXX-localhost, Owner: Tcpip Kernel Driver

| 1,[28/Jul/2007 17:26:56] Rule 'Incoming ICMP': Blocked: In ICMP [8]
| Echo Request, XXX.XXX.XXX.XXX-localhost, Owner: Tcpip Kernel Driver

| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1026, Owner: no owner

I used to get these Kerio alerts about Shaw Comm...

Someone from 24.64.9.177, port 3222 wants to send UDP datagram to
port 1027 owned by 'Distributed COM Services' on your computer.

..., but they are prevented now with a rule that specifically blocks
RPCSS.exe (which is Distributed COM Services & which establishes the
port 1027) from using UDP/TCP. Eventually, I hope to remove that block
rule (& 4 others)-- after I have completed my UDP & TCP permit rules for
specific, trusted apps/addresses. Then, RPCSS.exe will be blocked along
with the others by virtue of not being included in the PERMITs-- &
having one single BLOCK after them.

| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1027, Owner: no owner

| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1028, Owner: no owner

| 1,[28/Jul/2007 17:29:12] Rule 'TCP ack packet attack': Blocked: In
| TCP, 207.46.248.16:119-localhost:1072, Owner: no owner

I haven't begun to finalize my TCP rules yet. That's probably where I go
next, once UDP is done!

| at which point I disconnected having retrieved mail and the news
| messages.

Nothing ELSE tried to use UDP? Not even RNAAPP.exe, RPCSS.exe,
PersFW.exe, & PFWadMin.exe-- which are just some of the ones using it in
here before I recently have prevented them! Well, I guess it may require
the clicking of an URL for those to kick in.

| NOTE specifically the *ALL_ROUTERS* from MCAST.NET, and the tcpip
| Kernel requests.

What specifically is notable about them?

||
|| | For those who do not understand firewalls, these activities would
|| | or may have been allowed as they followed either programs IN USE
|| | [allowed activity], or through addressing [broadcast or otherwise]
|| | had a firewall not been used.
||
|| That is right. Without a firewall with a good set of denial rules,
|| all activity is allowed. Hopefully, if a virus or a trojan or a spy
|| can sneak in that way, a good virus detector will prevent it from
|| executing. Also, there may have been an MS fix or two to prevent
|| some forms of abuse along these lines (I don't know).
|
| What would make you think any anti-spyware or anti-virus programs
| would check or correct these types of activities?

I do believe an actual executable can be read into a machine through
malicious use of these NET packets, although I'm not sure which precise
protocols can do it. Once it is read in &/or tries to run, one hopes
one's virus/malware scanner WILL catch it, before it delivers its
payload!

| Anti-spyware programs MAY block certain addresses and perhaps some
| ActiveX, or other. Anti-virus MIGHT catch scripting or attempts to
| infect something, or emails or files which contain hacks or other.

It is still quick enough, in the cases when this bad stuff makes it
through the firewall (or the lack of one), for these other apps to catch
them trying to do their ill work-- if they can!

BUT, I'm sure some ill-conceived packet can possibly do ill without
delivering an executable that can be caught in another way. Somewhere in
my 12th year of study I will know what these packets are & the protocols
they use! But I'm hoping to get my Kerio rules solidified a lot sooner!

| Host or lmhost files catch what they have been configured to catch
| via addressing/name. These, however, are *network use* activities
| WITHIN the TCP/IP and other aspects of Internet/network usage.
| Firewalls, proxies, packet sniffers, client servers, the TCP/IP
| kernel, and the like, are what handle these activities.
| Of course the above is an overly simplified explanation.

This isn't the year for me to really want to know every little detail,
anyhow.

||
|| | NOTE: this is contact through a dial-up connection[phone]/ISP
|| | [which is indicated via some of these addresses], ALWAYS ON
|| | connections are even more of a security risk.
||
|| Uhuh. I am Dial-Up too. That way, you get a new IP address each
|| connect.
|
| Only if that is what the ISP requires or desires.

OK. For me, it does happen that way, I'm fairly sure.

||
|| | Hopefully, this discussion will be useful to those interested and
|| | provide theory and answers to various issues.
|| | Rule sets or other settings for various firewalls would naturally
|| | be of interest.
|| |
|| | 1,[28/Jul/2007 01:33:36] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 67.170.2.174:43511-localhost:29081, Owner: no
|| | owner
||
|| I find I have to guess as to the meaning of that. Looks like someone
|| at
|| 67.170.2.174, who is Comcast...
||
|| http://www.networksolutions.com/whoi...p=67.170.2.174

|| ...Quote...
|| 67.170.2.174
|| Record Type: IP Address
||
|| Comcast Cable Communications, Inc. ATT-COMCAST (NET-67-160-0-0-1)
|| 67.160.0.0 - 67.191.255.255
|| Comcast Cable Communications, IP Services WASHINGTON-6
|| (NET-67-170-0-0-1)
|| 67.170.0.0 - 67.170.127.255
|| ...EOQ...
||
|| ...sent a UDP datagram to port 29081 on your machine. But I don't
|| know...
||
|| (1) did the port exist without an owner, & would it have received
|| the datagram (except the rule blocked it)?
|| (The name of that rule suggests the answer is no.)
|
| The data request would have been received and likely honored.
| The port would have been opened/created to allow this activity.

I'm still thinking the port has to already be open to receive a packet.
Is there documentation that may say otherwise?

||
|| (2) did the port once exist & at that time have an owner,
|| but somehow was closed before the datagram arrived?
|| Therefore, it couldn't get it, anyhow, even if not blocked?
|
| If it would have been ALLOWED activity [e.g., without proxy or
| firewall monitoring or exclusion, or within a hosts or lmhosts, or
| other], then a search would have been made for an available port,
| and then created/opened. Look again at this:
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1026, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1027, Owner: no owner
| 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
| 24.64.192.20:17898-localhost:1028, Owner: no owner
|
| See the attempt to find or create an open port?

Looks like Shaw Comm is trying to FIND one. If it could create one, why
wouldn't it stop & just create 1026?

It might still be worthwhile to block these-- but I wouldn't want to
block them on an individual basis per abuser like Shaw Comm.

| Now, should I have stayed online, there would have been continued
| attempts [see your prior discussion where I was online longer],
| though with different Shaw addressing and OUT ports, again stepping
| through IN [local] ports in attempt to find or create one.

I'll look.

||
|| (3) did the port 29081 never exist?
||
|| Do any earlier log entries mention that port? You'd have to log all
|| activity of each "permit" rule to know for sure. But, if there is no
|| rule permitting the activity, then you would have received a Kerio
|| requestor mentioning the port.
|
| No we don't need that.
| Were an ALLOWED program or address using that aspect, then it would
| NOT have created the denial.

No, I wanted to know... did a PERMIT exist that came from port 29081?
That would prove the port once existed & possibly initiated a
communication with Shaw Comm. But, I'm fairly confident no such thing
happened-- but it was Shaw Comm doing a probe. If it found it & activity
was permitted-- mayhem such as pop-up ads or at least spying may have
ensued, I think!

| Either would have cascaded to find an
| open port for use [as long as it was in the defined rule range].

That's what I think-- it wants to find one that is already open.

| AND you mention Kerio, which MUST have that turned on {requestor].

Oops, that's right. "Kerio, Administration, Firewall tab" has to be set
at "Ask me first". Then, when activity occurs that is not covered by a
rule, an alert requestor will appear. It offers to create the rule,
which later can be fine tuned. Yep, & that's a great feature!

| Other firewalls, particularly those that automatically configure
| themselves, MAY not pop-up anything unless it has been configured
| that way. They also MAY pass through such requests if piggy-backed
| from or on allowed activities/programs. Think "but all I want to know
| is the user address". Think Microsoft's firewalls, imagine what they
| are configured by default to allow.

Yep. Kerio seems to have it all. It's highly configurable!

...snip of Kerio help page
|| | 1,[28/Jul/2007 01:34:00] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 200.112.1.7:8806-localhost:29081, Owner: no owner
||
|| That one seems to be coming from...
||
|| NetRange: 200.0.0.0 - 200.255.255.255
|| NetName: LACNIC-200
|
| Yes, that is the key to your Firewall security.
| Tracking each suspect activity to the originator, if possible.

In the end, I just want to block them.

| Actually were I to post prior complete TRACKING logs [which I
| collect(ed) for specific use], say for one day's normal usage, vast
| numbers of potentially dangerous attacks/attempts would be shown.

By the way, how do you empty Kerio's Filter.log, when you think you've
seen enough? (I've been deleting it in DOS along with Filter.log.idx.)

...snip of stuff not meant for me, but thanks for the additional URLs to
research. And thanks for continuing to contribute to my understanding of
it.

| Of course SYSINTERNALS/WINTERNALS has some nice tools - look on
| Microsoft's TechNet
|

OK, I see here again are the other "no owner's"...

||
|| | 1,[28/Jul/2007 01:34:06] Rule 'Packet to unopened port received':
|| | Blocked: In UDP, 218.10.137.139:55190-localhost:1026, Owner: no
|| | owner

This is an attempt to send a UDP packet to port 1026. I still doubt it
really needs to be blocked, if the port indeed does not exist. For UDP,
I favor PERMITs of trusted apps from trusted addresses-- & one single
block of UDP afterwards that will cover all others. (But I'm not even
totally set up that way, myself, yet.) And I want to do it that way for
TCP too.

...snip of other In UDP.

1,[28/Jul/2007 01:36:04] Rule 'Packet to unopened port
|| | received': Blocked: In TCP, 219.148.119.6:12200-localhost:7212,
|| | Owner: no owner

Ah-- a TCP! Soon, I must do with TCP what I nearly am finishing with
UDP!

...snip
|| | 1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In
|| | TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186,
|| | Owner: no owner

I don't believe I've seen one of those. Could be I'm just not tracking
the rule that does it. Looks like msnews.microsoft.com was still trying
to communicate after the NET connection was closed. What app controlled
localhost:1186?

...snip of a bunch more of In UDPs & possibly In TCPs.
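The log lines quoted throughout this thread share one Kerio filter.log layout, and the Shaw Comm entries above show one remote address stepping through local ports 1026, 1027 and 1028 in a single second. As an added example (not code from this thread, from Kerio, or from any poster), the parser below reads that layout and flags such same-source sweeps; the sample lines are constructed from entries quoted in the thread, and the 60-second window and 3-port threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line: 1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP,
#           24.64.192.20:17898-localhost:1026, Owner: no owner
# ICMP lines add "[type] Name" after the protocol; TCP/UDP lines do not.
LINE_RE = re.compile(
    r"^(?P<level>\d+),\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': "
    r"(?P<action>Permitted|Blocked): (?P<dir>In|Out) (?P<proto>\w+)"
    r"(?: \[(?P<icmp>\d+)\] (?P<icmpname>[^,]+))?, "
    r"(?P<endpoints>.+), Owner: (?P<owner>.*)$")
# Remote forms: "ip:port", bare "ip" (ICMP), or "name [ip:port]" / "name [ip]".
REMOTE_RE = re.compile(r"^(?:(?P<name>\S+) \[(?P<inner>[^\]]+)\]|(?P<plain>.+))$")

def _split_endpoints(field):
    """(local port or None, remote text). One side is always 'localhost', so
    split on that rather than on '-', which also occurs inside hostnames."""
    m = re.match(r"^localhost(?::(\d+))?-(.+)$", field)
    if m:
        return (int(m.group(1)) if m.group(1) else None), m.group(2)
    m = re.match(r"^(.+)-localhost(?::(\d+))?$", field)
    if m:
        return (int(m.group(2)) if m.group(2) else None), m.group(1)
    raise ValueError("no localhost endpoint in: " + field)

def _parse_remote(text):
    m = REMOTE_RE.match(text)
    addr = m.group("inner") or m.group("plain")
    host, sep, port = addr.rpartition(":")  # IPv4 only, so ':' means a port
    return {"name": m.group("name"), "ip": host if sep else addr,
            "port": int(port) if sep else None}

def parse_line(line):
    """Parse one filter.log line into a dict, or None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    local_port, remote_text = _split_endpoints(m.group("endpoints"))
    return {"ts": datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S"),
            "rule": m.group("rule"), "action": m.group("action"),
            "dir": m.group("dir"), "proto": m.group("proto"),
            "icmp_type": int(m.group("icmp")) if m.group("icmp") else None,
            "local_port": local_port, "remote": _parse_remote(remote_text),
            "owner": m.group("owner")}

def find_port_sweeps(events, min_ports=3, window_seconds=60):
    """Remote IP -> local ports hit, for remotes whose blocked inbound UDP/TCP
    reached at least min_ports distinct local ports within window_seconds.
    The Shaw Comm entries (1026, 1027, 1028 in one second) are this shape."""
    by_ip = defaultdict(list)
    for e in events:
        if (e and e["action"] == "Blocked" and e["dir"] == "In"
                and e["proto"] in ("UDP", "TCP")):
            by_ip[e["remote"]["ip"]].append(e)
    sweeps = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda e: e["ts"])
        for i, first in enumerate(hits):
            ports = []
            for e in hits[i:]:
                if (e["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                if e["local_port"] not in ports:
                    ports.append(e["local_port"])
            if len(ports) >= min_ports:
                sweeps[ip] = ports
                break
    return sweeps

# Constructed input: lines copied from the ones quoted in this thread.
SAMPLE_LOG = """\
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1026, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1027, Owner: no owner
1,[28/Jul/2007 17:29:12] Rule 'Shaw Comm block': Blocked: In UDP, 24.64.192.20:17898-localhost:1028, Owner: no owner
1,[28/Jul/2007 01:36:08] Rule 'TCP ack packet attack': Blocked: In TCP, msnews.microsoft.com [207.46.248.16:119]-localhost:1186, Owner: no owner
"""
EVENTS = [parse_line(l) for l in SAMPLE_LOG.splitlines()]
```

Running `find_port_sweeps(EVENTS)` over the sample returns only the Shaw Comm address with its three ports; the single msnews entry does not qualify.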


  #9  
Old July 30th 07, 02:27 AM posted to microsoft.public.win98.gen_discussion
MEB[_2_]
External Usenet User
 
Posts: 1,626
Default firewalls - ZONEALARM - what to block and why - your security at risk



"Curt Christianson" wrote in message
...
| Hi MEB, and all,
|
|
| I'm actually running a rather old version of ZA; v. 3.1.291. My philosophy
| is *unlike* AV apps. etc., there just isn't much to improve IMHO. I don't
| want or need any additional bells and whistles.

Well, I certainly can't say otherwise, I now use a Kerio PF version, long
ago supposedly left in the dust, yet it seems, so far, to provide what is
needed.

|
| And you were close, I'm running XP Pro, but I keep perusing this group,
| because this is where it all started for me. I still have my copy of W98SE,
| but it's kind of a pain to install that *after* XP is already there. I was a
| die-hard 98 fan, and swore I would *never* switch to XP, but the computer I
| inherited already had it on it. I figured I'd give it a try, and if I
| didn't like it, well, then back to good ol' 98. The way I have XP set up,
| you'd almost think it was 98. I turned off *all* the cutesy eye-candy etc.,
| mainly for performance reasons. Besides, I *hate* pastels! This box was
| built for W98.

Hey, I tested an XP PRO box for a few years [using ZA], and yeah, to think
that users actually like those glitzy aspects. I turned most of it off as
well, cause it seemed to make everything much more difficult [though I
suppose I can trace that to all those years of command prompt usage]... and
slooooooow.. I felt like I was being dumbed down ...

| I have to admit that it is extremely stable, but then again so was my 98
| install. It's the "junk" we add later that tends to muck things up.

Yeah, and that junk does accumulate... gees, with this last 98SE testing
install I dumped another couple of dozen MORE progs, I couldn't remember
the last time I even thought about using them... then again I had to dig out
some old testing programs CDs that I hadn't installed for at least two prior
testing installations [old video test stuff]...

|
| Sorry I digressed.

Hey, you're still a die-hard 98 user at heart, PCR would say that tin foil
hat did some good, still got a few bits of brain matter left ;-Q ...

So what words of wisdom for ZA could you give to its users?

|
| --
| HTH,
| Curt
|
| Windows Support Center
| www.aumha.org
| Practically Nerded,...
| http://dundats.mvps.org/Index.htm
|
| "MEB" meb@not wrote in message
| ...
| |
| |
| | "Curt Christianson" wrote in message
| | ...
| || Some real food for thought gentlemen. Thank you.
| ||
| || P.S. I've been using ZA since 2000.
| ||
| || --
| || HTH,
| || Curt
| ||
| || Windows Support Center
| || www.aumha.org
| || Practically Nerded,...
| || http://dundats.mvps.org/Index.htm
| |
| | We aim to please...
| |
| | I also used ZA for a number of years on the various 9X boxes and XP. The
| | rules aspect of other firewalls always drew me [having a Linux, Zenix, NT
| | background] but I thought it wise to use what others might be using [for
| | comparison purposes].
| | Now however, with the use of highly questionable activities on the
| | Internet, and my personal questions related to ZA, and no support from
| | Microsoft and ZoneLabs, I thought I would return to something which gave
| | considerably more control during my final testing days under 9X.
| |
| | I have an old ZA version [forgot which version though, and have no
| | intention of re-installing it] about 1.4meg which actually seemed to supply
| | MOST of the normal functions required, at least semi-adequately. Sometimes I
| | thought the newer versions were attempting aspects which were not well
| | implemented or implemented in a fashion I thought not user friendly. Of
| | course there is an ability to setup *rules like* activities within ZA, but I
| | would imagine most users do not do so.
| |
| | In the spirit of this discussion, which is to include any firewalls [and I
| | hope it eventually does. Note this has ZONEALARM now in its subject
| | heading]:
| |
| | What version and product are you or others using?
| |
| | Have you or others run monitoring/sniffing programs while using ZA to see
| | if it actually performs as advertised?
| |
| | What settings or other seemed to be the most useful to you or other users?
| |
| | What advice would users give concerning settings, configuration, etc. to
| | other users of ZA, [noting in Curt's case, I think you're using it under W2K,
| | so does that offer anything different as far as you know]?
| |
| | Have you or other users created any similar rules within ZA to the below
| | [referencing Kerio PFW rules]?
| |

--
MEB
http://peoplescounsel.orgfree.com
________



  #10  
Old July 30th 07, 01:30 PM posted to microsoft.public.win98.gen_discussion
Curt Christianson[_2_]
External Usenet User
 
Posts: 143
Default firewalls - ZONEALARM - what to block and why - your security at risk

|
| So what words of wisdom for ZA could you give to its users?

Words of wisdom, well, after spending 1 1/2 years under XP's spell, PCR
might claim I don't have any words at all, let alone "wise" ones.

I can only say that if one is running an older machine as I am, and would
like to use a software firewall, you're not stuck with having to use the
newest and fanciest (and usually most resource intensive). Old versions of
ZA, and I imagine other names can be found all over the Internet. The first
place that comes to mind is http://www.oldversion.com/ . Firewalls and AV
apps. are notorious for causing longer boot times, and resource usage--and
newer usually means even more overhead. I *need* the latest/greatest, most
up-to-date AV, but when it comes to firewalls newer is *not* necessarily
better.
I also encountered a problem between AOL and ZA back in the days. ZA would
block AOL, no matter what kind of permissions etc. I gave unless I dropped
the "Internet Security Zone" from "High" to "Medium", then all was well.
MEB, I believe you are using AOL or Netscape, am I correct?
I finally turned off the "casual" alerts, as they were coming too fast and
furious. I just sat back and let ZA do its job.
One final note, if one has logging enabled, be sure to occasionally clean
out the old ZA logs--not a whole lot of use for them usually. On old ZA
installations, it's not located in the ZA folder, but rather at
C:\Windows\Internet Logs.

That's more than I've said in the whole time I used to hang out here!


--
HTH,
Curt

Windows Support Center
www.aumha.org
Practically Nerded,...
http://dundats.mvps.org/Index.htm

"MEB" meb@not wrote in message
...
|
snipped


 



