UDP packet being blocked

Archived from groups: comp.security.firewalls

Hello Group:

I notice on my firewall log that an outgoing UDP packet is frequently
being blocked. The source IP address is my IP address 192.168.1.100 --
router on a single computer -- and the destination address is
65.32.1.80, which is the IP address of my ISP, RoadRunner. The source
port is 1137, the destination port is 53.

I don't understand what this means. Why is an outgoing UDP packet
going to my ISP and why is it being blocked? The system seems to be
running OK.

Many thanks for advice.

Jack
  1.

    JClark wrote:

    (snipped)

    > being blocked. The source IP address is my IP address 192.168.1.100 --
    > and the destination address is 65.32.1.80
    > which is the IP address of my ISP
    > source port is 1137, the destination port is 53.

    This is a Domain Name Server (DNS) query. A program on
    your system is trying to attain DNS information. This
    is not a harmful activity, being outbound from your
    system not in response to a request, based on
    your description.

    Why it is being blocked is a firewall rule.

    Port 53 is reserved for DNS queries.

    Purl Gurl
  2.

    Purl Gurl wrote:

    > JClark wrote:

    (snipped)

    > > being blocked. The source IP address is my IP address 192.168.1.100 --
    > > and the destination address is 65.32.1.80
    > > which is the IP address of my ISP
    > > source port is 1137, the destination port is 53.

    > This is a Domain Name Server (DNS) query. A program on
    > your system is trying to attain DNS information. This
    > is not a harmful activity, being outbound from your
    > system not in response to a request, based on
    > your description.

    Given this a bit more thought, although seemingly illogical,
    you might want to scan your system for malware and spyware.
    This is illogical because software of this type would not
    need DNS information to "phone home." Nonetheless, writers
    of malicious software like this, are not known for being
    logical nor bright people. Doubt this is the source but
    it is possible, albeit low probability.

    Purl Gurl
  3.

    JClark schrieb:

    > I notice on my firewall log that an outgoing UDP packet is frequently
    > being blocked. The source IP address is my IP address 192.168.1.100 --
    > router on a single computer -- and the destination address is
    > 65.32.1.80, which is the IP address of my ISP, RoadRunner. The source
    > port is 1137, the destination port is 53.
    >
    > I don't understand what this means. Why is an outgoing UDP packet
    > going to my ISP and why is it being blocked? The system seems to be
    > running OK.

    Port 53 is DNS - Domain Name Service. It resolves the host names (e.g.
    www.apple.com) to IP addresses (among other things). 65.32.1.80 is most
    likely the configured DNS server for your connection (check with
    "ipconfig /all" in a command prompt). Basically any connection to the
    internet (except those, that use an IP address directly) requires the
    DNS server. My NIS 2004 (compared to 2003 I think) does not have a
    general DNS rule anymore but allows DNS only for configured application.
    So I assume, that you have a program running that tries to access the
    internet and that you block. Check the logs to find out which program it
    is...

    Gerald
  4.

    On Sat, 22 May 2004 12:29:08 -0700, Purl Gurl <purlgurl@purlgurl.net>
    wrote:

    >Purl Gurl wrote:
    >
    >> JClark wrote:
    >
    >(snipped)
    >
    >> > being blocked. The source IP address is my IP address 192.168.1.100 --
    >> > and the destination address is 65.32.1.80
    >> > which is the IP address of my ISP
    >> > source port is 1137, the destination port is 53.
    >
    >> This is a Domain Name Server (DNS) query. A program on
    >> your system is trying to attain DNS information. This
    >> is not a harmful activity, being outbound from your
    >> system not in response to a request, based on
    >> your description.
    >
    >Given this a bit more thought, although seemingly illogical,
    >you might want to scan your system for malware and spyware.
    >This is illogical because software of this type would not
    >need DNS information to "phone home." Nonetheless, writers
    >of malicious software like this, are not known for being
    >logical nor bright people. Doubt this is the source but
    >it is possible, albeit low probability.
    >
    >Purl Gurl

    Gerald, Purl:

    I appreciate the prompt reply and advice. I don't recall seeing this
    block in the firewall log before. But I recall disabling a number of
    services recently (win2k), and the DNS client service was one of them.
    I re-enabled it to automatic, rebooted. I thought this might take care
    of the "problem". Unfortunately, the blocking still occurs. Yet the
    browser activity seems pretty normal, although maybe a bit sluggish
    with an occasional failure to resolve message.

    Yes, Gerald, in ipconfig /all, the DNS server addresses are
    65.32.70 and 65.32.70.

    Purl, I doubt malware. I run antivirus and trojan software and check
    for spyware often. But I can certainly check again.

    I still don't know what is actually going on, but I could easily write
    a firewall rule to permit that UDP packet for those IP addresses. Is
    this what I should do?
    Thanks again!

    Jack
  5.

    Purl Gurl schrieb:
    > Given this a bit more thought, although seemingly illogical,
    > you might want to scan your system for malware and spyware.
    > This is illogical because software of this type would not
    > need DNS information to "phone home." Nonetheless, writers

    On the contrary. What is easier to get: a fixed IP address or a hostname
    at let's say dyndns.org? Anyone will most likely use DNS to access the
    internet.

    Gerald
  6.

    Gerald Vogt wrote:
    >
    > Purl Gurl schrieb:

    > > Given this a bit more thought, although seemingly illogical,
    > > you might want to scan your system for malware and spyware.
    > > This is illogical because software of this type would not
    > > need DNS information to "phone home." Nonetheless, writers

    > On the contrary. What is easier to get: a fixed IP address or a hostname
    > at let's say dyndns.org? Anyone will most likely use DNS to access the
    > internet.

    For these circumstances, it is not a "person" creating a
    DNS query on port 53, it is software and software does not
    care if one method is easier than another, it simply does
    what it is programmed to do.

    My thoughts are if I wrote malware software, I would simply
    use an URL entry similar to this,

    http... 192.168.1.1:8080/spy.cgi?spydata

    Simple method.

    However, malware writers, who are known to not be bright,
    might use a www.somesite.net type entry, requiring a DNS
    query, which adds additional complexity and an additional
    chance of being detected. Greater detection is afforded
    because a minimum of two port usages are needed instead
    of a single port usage. Port 53 is a common port which
    is blocked by firewalls. Other ports, not so common.

    There is a slight possibility the originating author has
    spyware on his system which generates this DNS query he
    is noting via his firewall. Personally, I would check.

    Purl Gurl
  7.

    JClark schrieb:

    > I appreciate the prompt reply and advice. I don't recall seeing this
    > block in the firewall log before. But I recall disabling a number of
    > services recently (win2k), and the DNS client service was one of them.
    > I re-enabled it to automatic, rebooted. I thought this might take care
    > of the "problem". Unfortunately, the blocking still occurs. Yet the
    > browser activity seems pretty normal, although maybe a bit sluggish
    > with an occasional failure to resolve message.

    Again: find out what rule it is exactly and where it is configured. Your
    logs should tell you that (hopefully). If my NIS blocks something, it
    gives me the name of the rule. If the name is not clear enough, I can
    have a look in the statistics windows which lists all the active rules
    and usually by the rule before the one or after the one it is possible
    to find out for which program it is configured. (The statistics windows
    also tells you how often the rule blocks so it gives you a hint in the
    right direction)

    > Yes, Gerald, in ipconfig /all, the DNS server addresses are
    > 65.32.70 and 65.32.70.

    Well, these are no complete IP addresses and it is not the address you
    have given us in the first post. Check it again... This would worry me a
    little if some program uses a completely different DNS server than the
    one configured via DHCP...

    > Purl, I doubt malware. I run antivirus and trojan software and check
    > for spyware often. But I can certainly check again.

    You actually know that there is malware the antivirus and trojan software
    does not detect and/or that malware is able to reconfigure antivirus and
    trojan software to hide itself once it is actually running on your
    computer. If you don't exactly know what you have been running on your
    computer and that all that is clean then no one including an antivirus
    software can really help you...

    > I still don't know what is actually going on, but I could easily write
    > a firewall rule to permit that UDP packet for those IP addresses. Is
    > this what I should do?

    No. You have no idea who or what is making the request. Now opening the
    connection without knowing why is just making things worse. If it was
    malware you would actually get into the real trouble then. Find out,
    where and why this rule is defined. Find the program it is associated
    with (if it is not a general rule). Once you find that place you can
    reconfigure that rule.

    If you cannot find the rule I would rather consider resetting all
    firewall rules than just randomly allowing connections.

    Gerald
  8.

    On Sat, 22 May 2004 13:27:52 -0700, Purl Gurl <purlgurl@purlgurl.net>
    wrote:

    >Gerald Vogt wrote:
    >>
    >> Purl Gurl schrieb:
    >
    >> > Given this a bit more thought, although seemingly illogical,
    >> > you might want to scan your system for malware and spyware.
    >> > This is illogical because software of this type would not
    >> > need DNS information to "phone home." Nonetheless, writers
    >
    >> On the contrary. What is easier to get: a fixed IP address or a hostname
    >> at let's say dyndns.org? Anyone will most likely use DNS to access the
    >> internet.
    >
    >For these circumstances, it is not a "person" creating a
    >DNS query on port 53, it is software and software does not
    >care if one method is easier than another, it simply does
    >what it is programmed to do.
    >
    >My thoughts are if I wrote malware software, I would simply
    >use an URL entry similar to this,
    >
    >http... 192.168.1.1:8080/spy.cgi?spydata
    >
    >Simple method.
    >
    >However, malware writers, who are known to not be bright,
    >might use a www.somesite.net type entry, requiring a DNS
    >query, which adds additional complexity and an additional
    >chance of being detected. Greater detection is afforded
    >because a minimum of two port usages are needed instead
    >of a single port usage. Port 53 is a common port which
    >is blocked by firewalls. Other ports, not so common.
    >
    >There is a slight possibility the originating author has
    >spyware on his system which generates this DNS query he
    >is noting via his firewall. Personally, I would check.
    >
    >Purl Gurl

    Gerald and Purl:

    Yes, there are actually two DNS server addresses listed in ipconfig
    /all
    65.32.1.70 and 65.32.1.80
    I did an unfortunate typo in my reply to you, and left off the .80
    which is the one that shows up in my firewall log.

    I'm not having an easy time finding which program is actually trying
    to send that UDP packet. My firewall (Deerfield) blocks the UDP packet
    by default since it blocks everything which does not have a specific
    rule to permit it. So there is no specific rule which is preventing
    the packet from being sent, it is the general block of everything
    which is not permitted. Here is the exact message I get:

    blocked outgoing UDP packet (no matching rule), src= 192.168.100.1,
    dst=65.32.1.80, sport=1039, dport=53

    The source port actually varies from 1029-1137

    A "whois" query for the address 65.32.1.80 yields the following:

    OrgName: Road Runner
    OrgID: RRSW
    Address: 13241 Woodland Park Road
    City: Herndon
    StateProv: VA
    PostalCode: 20171
    Country: US

    ReferralServer: rwhois://ipmt.rr.com:4321

    NetRange: 65.32.0.0 - 65.34.31.255
    CIDR: 65.32.0.0/15, 65.34.0.0/19
    NetName: ROADRUNNER-SOUTHEAST
    NetHandle: NET-65-32-0-0-1
    Parent: NET-65-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS1.RR.COM
    NameServer: DNS2.RR.COM
    NameServer: DNS3.RR.COM
    NameServer: DNS4.RR.COM
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2000-08-22
    Updated: 2002-08-30

    (Road Runner is my ISP)

    >No. You have no idea who or what is making the request. Now opening the
    >connection without knowing why is just making things worse.

    I agree now that I consider your cogent analysis. Thanks for keeping
    me out of potential trouble.

    Any other suggestions will be greatly appreciated. I'm willing to
    learn and work on this.

    Jack
  9.

    JClark wrote:

    > Purl Gurl wrote:
    > >Gerald Vogt wrote:
    > >> Purl Gurl wrote:

    (snipped)

    > >There is a slight possibility the originating author has
    > >spyware on his system which generates this DNS query he
    > >is noting via his firewall. Personally, I would check.

    > there are actually two DNS server addresses listed in ipconfig
    > 65.32.1.70 and 65.32.1.80

    Confirmed, both are DNS servers in the Tampa Bay, Florida region.


    > I'm not having an easy time finding which program is actually trying
    > to send that UDP packet.

    Quickest and most easy solution would be to download
    a free version of Zone Alarm, install it and wait for
    Zone Alarm to pop alerts. Each alert will inform what
    program is trying to access the internet. Zone Alarm
    is easy to uninstall later.

    Here is a small checklist which might help you. Some
    of these items only appear in Win9.x others for the
    NT5 types like Win2K and XP. Some appear for all
    recent Win systems; both Win9.x and NT5 types.

    Keep in mind NT5 types automatically run a handful
    of programs upon machine boot, without your knowledge.
    These are daemon or "services" which boot load.

    Press "Control Alternate Delete" all together.
    This pops a task manager window which lists
    most but not all active processes.

    Open your NT5 task manager facility.

    Run msconfig.exe in your windows\system
    folder. Look in the startup section.
    That will list programs which start
    upon boot which you may enable or
    disable easily. Be careful. You may
    also look at your autoexec.bat file,
    config.sys file and others, which
    are mentioned below. Additionally,
    your win.ini and system.ini files
    are included in this program. Lot
    easier to look at those through
    notepad, wordpad or any text editor.
    Be very careful about changes.

    Run regedit.exe in your Windows folder.
    Use "search" and look for "run" then
    "run1" then "run2" entries. Those will
    provide data on which programs are
    being automatically loaded upon reading
    of your registry. Be extremely careful
    if you edit. A single mistake can leave
    your machine unable to boot to Windows.
    Lots of tutorials on how to backup then
    edit your registry are available.

    Do NOT mess with your registry until
    you have learned and fully understand how
    to edit it safely.

    Open your win.ini file found in your
    Windows folder. Notepad or wordpad
    can be used. Look for "load device"
    entries. Mostly related to hardware
    support but not strictly.

    Open your system.ini as above. Mostly
    drivers, dll files and VXD files but
    you might find some device loaders.

    If you are processing an autoexec.bat
    file on boot, take a look in there to
    determine if there is anything being
    loaded at a DOS level which could be
    a source. Unlikely, but possible.
    Many antiquated viruses show there.

    Same for your config.sys file on boot.
    Lots of devices can be loaded there.

    Both autoexec.bat and config.sys are
    found in your root C:\ directory.

    Consider there are many programs which
    automatically check for updates. Others
    establish a net connection automatically
    such as Netzip and some "Napster" like
    software for music sharing.

    Adobe Acrobat is well known for establishing
    a net connection if using the free version.
    Really annoying. A serious problem is when
    you access a pdf acrobat file via your browser,
    then close it, acrobat will remain running in
    the background without you knowing this.
    Adobe Acrobat does have a "phone home" feature
    which does connect to your Windows default
    DNS servers. Zone Alarm will alert you.

    Lot easier to simply install Zone Alarm
    which will immediately inform you which
    programs are trying to access the net.
    Do not use the Zone Alarm automatic
    configuration feature. Select the
    manual configuration so no programs
    will be allowed until you ok them.

    I am placing a bet you have software which
    phones home periodically. This is not always
    malware. Might be software which periodically
    checks for software updates as a courtesy.


    Purl Gurl
  10.

    JClark schrieb:
    > Yes, there are actually two DNS server addresses listed in ipconfig
    > /all
    > 65.32.1.70 and 65.32.1.80
    > I did an unfortunate typo in my reply to you, and left off the .80
    > which is the one that shows up in my firewall log.

    Well, that is much better then...

    > I'm not having an easy time finding which program is actually trying
    > to send that UDP packet. My firewall (Deerfield) blocks the UDP packet
    > by default since it blocks everything which does not have a specific
    > rule to permit it. So there is no specific rule which is preventing
    > the packet from being sent, it is the general block of everything
    > which is not permitted. Here is the exact message I get:
    >
    > blocked outgoing UDP packet (no matching rule), src= 192.168.100.1,
    > dst=65.32.1.80, sport=1039, dport=53
    >
    > The source port actually varies from 1029-1137

    That is normal. The source port can be anything. It does not matter. If
    your firewall does not log any information about the program trying to do
    it, then you must contact your support and ask them how to find it out.
    The DNS works for all your other applications that means your firewall
    does have per-application rules. A firewall blocking outgoing traffic
    for an application with a general rule without telling you which
    application it actually is, well, is IMHO a bad firewall. It would mean
    you must know exactly which of your applications need connections and
    with which ports.

    > A "whois" query for the address 65.32.1.80 yields the following:

    That is not interesting as it is the correct DNS server.

    >>No. You have no idea who or what is making the request. Now opening the
    >>connection without knowing why is just making things worse.
    >
    > I agree now that I consider your cogent analysis. Thanks for keeping
    > me out of potential trouble.
    >
    > Any other suggestions will be greatly appreciated. I'm willing to
    > learn and work on this.

    The only thing I could think of at the moment (as you said you've added
    some rules and later removed them again because it wasn't working) is to
    reset your firewall rules to the initial setting. However, if your
    firewall blocks without telling you which application it is (which I just
    hope is not always the case), it won't help, because you still don't
    know. Check your firewall's documentation or the support pages. They
    should have some information about how to reset the rules so that you
    can start over again and do it right this time...

    Gerald
  11.

    On Sat, 22 May 2004 21:25:08 GMT, Gerald Vogt <vogt@spamcop.net>
    wrote:

    >JClark schrieb:
    >> Yes, there are actually two DNS server addresses listed in ipconfig
    >> /all
    >> 65.32.1.70 and 65.32.1.80
    >> I did an unfortunate typo in my reply to you, and left off the .80
    >> which is the one that shows up in my firewall log.
    >
    >Well, that is much better then...
    >
    >> I'm not having an easy time finding which program is actually trying
    >> to send that UDP packet. My firewall (Deerfield) blocks the UDP packet
    >> by default since it blocks everything which does not have a specific
    >> rule to permit it. So there is no specific rule which is preventing
    >> the packet from being sent, it is the general block of everything
    >> which is not permitted. Here is the exact message I get:
    >>
    >> blocked outgoing UDP packet (no matching rule), src= 192.168.100.1,
    >> dst=65.32.1.80, sport=1039, dport=53
    >>
    >> The source port actually varies from 1029-1137
    >
    >That is normal. The source port can be anything. It does not matter. If
    >your firewall does not log any information about the program trying to do
    >it, then you must contact your support and ask them how to find it out.
    >The DNS works for all your other applications that means your firewall
    >does have per-application rules. A firewall blocking outgoing traffic
    >for an application with a general rule without telling you which
    >application it actually is, well, is IMHO a bad firewall. It would mean
    >you must know exactly which of your applications need connections and
    >with which ports.
    >
    >> A "whois" query for the address 65.32.1.80 yields the following:
    >
    >That is not interesting as it is the correct DNS server.
    >
    >>>No. You have no idea who or what is making the request. Now opening the
    >>>connection without knowing why is just making things worse.
    >>
    >> I agree now that I consider your cogent analysis. Thanks for keeping
    >> me out of potential trouble.
    >>
    >> Any other suggestions will be greatly appreciated. I'm willing to
    >> learn and work on this.
    >
    >The only thing I could think of at the moment (as you said you've added
    >some rules and later removed them again because it wasn't working) is to
    >reset your firewall rules to the initial setting. However, if your
    >firewall blocks without telling you which application it is (which I just
    >hope is not always the case), it won't help, because you still don't
    >know. Check your firewall's documentation or the support pages. They
    >should have some information about how to reset the rules so that you
    >can start over again and do it right this time...
    >
    >Gerald

    Gerald:

    You have been very helpful. Perhaps if I am going to go to a lot of
    trouble, it might be energy and time conserving to just uninstall the
    current firewall and purchase another. I have put Sygate Pro on
    computers for my wife and kids, since it seemed rather simple. But I
    liked (what I thought was) the ability to fine tune my own (Deerfield
    Visnetic). Now that I'm having a "crise de confiance" in my firewall,
    can you recommend a strong one?

    Many thanks again.

    Jack
  12.

    > You have been very helpful. Perhaps if I am going to go to a lot of
    > trouble, it might be energy and time conserving to just uninstall the
    > current firewall and purchase another. I have put Sygate Pro on
    > computers for my wife and kids, since it seemed rather simple. But I
    > liked (what I thought was) the ability to fine tune my own (Deerfield
    > Visnetic). Now that I'm having a "crise de confiance" in my firewall,
    > can you recommend a strong one?

    Don't use a firewall at all but configure your computer properly. Let me
    explain:

    Why do you need a firewall at all? Generally, the reason is: a standard
    Windows system comes with a lot of services running. Some of these
    services listen to ports on the internet. Usually, however, you do not
    need these services at all and there is no reason for them to run in the
    first place. So a firewall blocks the traffic to open ports of the
    services you don't want. It basically covers things that should not be
    there at all. Simple solution: turn off all these services and no one is
    listening to ports and you don't need a firewall because there is no
    service that someone could attack. This requires some effort of you to
    understand how this works and how to configure it. There are books and
    many websites, though, that explain these things in great detail. But I
    always believe that this effort is worth it: you will understand a great
    deal more about your computer and how it works instead of relying on
    some other software that still needs your assistance. (Despite of that,
    a software firewall is also vulnerable to attacks as the latest Symantec
    Personal Firewall exploits have shown...) Something that is not running
    cannot make problems and simpler is always better in the long run.

    This is my recommendation. I cannot really recommend a personal
    firewall. The only one I know and have is NIS and the main reason I have
    it on my computer, is to know how it works because I installed it on my
    wife's computer and it is easier to manage a software that you have
    yourself than on a computer that you can put your hand on only once in a
    while. And I use NIS because I started with Norton AntiVirus 6-7 years
    ago and upgrades were cheaper. I can tell you, though, that I will not
    upgrade to NIS 2005 in fall. I will only go for AntiVirus and use the
    Windows XP firewall, instead, which should make things at least a little
    bit faster than NIS with all that other stuff running around...

    Gerald
  13.

    On Sat, 22 May 2004 22:04:58 GMT, Gerald Vogt <vogt@spamcop.net>
    wrote:

    >> You have been very helpful. Perhaps if I am going to go to a lot of
    >> trouble, it might be energy and time conserving to just uninstall the
    >> current firewall and purchase another. I have put Sygate Pro on
    >> computers for my wife and kids, since it seemed rather simple. But I
    >> liked (what I thought was) the ability to fine tune my own (Deerfield
    >> Visnetic). Now that I'm having a "crise de confiance" in my firewall,
    >> can you recommend a strong one?
    >
    >Don't use a firewall at all but configure your computer properly. Let me
    >explain:
    >
    >Why do you need a firewall at all? Generally, the reason is: a standard
    >Windows system comes with a lot of services running. Some of these
    >services listen to ports on the internet. Usually, however, you do not
    >need these services at all and there is no reason for them to run in the
    >first place. So a firewall blocks the traffic to open ports of the
    >services you don't want. It basically covers things that should not be
    >there at all. Simple solution: turn off all these services and no one is
    >listening to ports and you don't need a firewall because there is no
    >service that someone could attack. This requires some effort of you to
    >understand how this works and how to configure it. There are books and
    >many websites, though, that explain these things in great detail. But I
    >always believe that this effort is worth it: you will understand a great
    >deal more about your computer and how it works instead of relying on
    >some other software that still needs your assistance. (Despite of that,
    >a software firewall is also vulnerable to attacks as the latest Symantec
    > Personal Firewall exploits have shown...) Something that is not running
    >cannot make problems and simpler is always better in the long run.
    >
    >This is my recommendation. I cannot really recommend a personal
    >firewall. The only one I know and have is NIS and the main reason I have
    >it on my computer, is to know how it works because I installed it on my
    >wife's computer and it is easier to manage a software that you have
    >yourself than on a computer that you can put your hand on only once in a
    >while. And I use NIS because I started with Norton AntiVirus 6-7 years
    >ago and upgrades were cheaper. I can tell you, though, that I will not
    >upgrade to NIS 2005 in fall. I will only go for AntiVirus and use the
    >Windows XP firewall, instead, which should make things at least a little
    >bit faster than NIS with all that other stuff running around...
    >
    >Gerald

    Hello Gerald:

    >a standard
    >Windows system comes with a lot of services running.

    I have tried to lean out my system as much as possible by disabling or
    making manual many of the services. But I have read your advice
    carefully and will try to follow it. Your principles are those I share
    and value. I've just been a bit slow to get an understanding of this
    internet protocol stuff.

    Many thanks...

    Jack
  14.

    On Sat, 22 May 2004 19:15:08 -0700, Purl Gurl <purlgurl@purlgurl.net>
    wrote:
    Purl:
    >Quickest and most easy solution would be to download
    >a free version of Zone Alarm,

    I'll copy your post and use it as my checklist. The free version of
    Zone alarm sounds like an excellent idea.
    Just checking what is happening in a crude manner, I think my
    "problem" is likely just an innocent DNS thing, as you originally
    suggested. Every time I use the browser to go to any site, I get the
    firewall message about port 53, which it resolves anyway. I did have a
    rule written originally to permit the UDP packet for the DNS server
    ending in .70, but not for .80. So probably all I have to do is edit
    that rule. But I'll check it first.

    I'm comfortable editing the registry, but I've found nothing in the
    run or run once sections that looks suspicious. Also Win2k doesn't
    have msconfig, but Mike Linn's "startup control" (freeware) does a
    great job of doing the same thing and I use it regularly.

    I will go through your list.
    Thanks again to you and Gerald.

    Jack
  15.

    JClark wrote:

    > Purl Gurl wrote:

    (snipped)

    > Every time I use the browser to go to any site, I get the
    > firewall message about port 53, which it resolves anyway. I did have a
    > rule written originally to permit the UDP packet for the DNS server
    > ending in .70, but not for .80.

    There ya go. You have two DNS servers. One is allowed.
    One is blocked. Your primary DNS server appears to be
    the one which is blocked. It fails and your system
    falls back to your secondary, which is not blocked.


    Purl Gurl
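The check the thread converges on, as an added example that is not part of any post: parse the firewall's "blocked outgoing" entries and sort each blocked DNS destination into "configured resolver with no allow rule" (the .80 case) or "resolver that is not configured at all" (the case Gerald said would be worrying). The log format and the 65.32.1.70 / 65.32.1.80 addresses come from the thread; the function names, verdict labels, the 198.51.100.x addresses and every sample log line after the first are constructed for illustration.

```python
"""Triage blocked outbound DNS packets from a personal-firewall log."""
import ipaddress
import re
from collections import defaultdict

# Entry format as quoted in the thread. \s* between fields tolerates the
# space after "src=" and the line wrap in the posted message.
ENTRY = re.compile(
    r"blocked outgoing (?P<proto>\w+) packet \((?P<reason>[^)]*)\),\s*"
    r"src=\s*(?P<src>[\d.]+),\s*dst=\s*(?P<dst>[\d.]+),\s*"
    r"sport=\s*(?P<sport>\d+),\s*dport=\s*(?P<dport>\d+)"
)

# First entry is the message posted in the thread; the rest are constructed.
SAMPLE_LOG = """\
blocked outgoing UDP packet (no matching rule), src= 192.168.100.1,
dst=65.32.1.80, sport=1039, dport=53
blocked outgoing UDP packet (no matching rule), src= 192.168.100.1, dst=65.32.1.80, sport=1029, dport=53
blocked outgoing UDP packet (no matching rule), src= 192.168.100.1, dst=65.32.1.80, sport=1137, dport=53
blocked outgoing UDP packet (no matching rule), src= 192.168.100.1, dst=198.51.100.53, sport=1044, dport=53
blocked outgoing TCP packet (no matching rule), src= 192.168.100.1, dst=198.51.100.7, sport=1050, dport=80
"""


def parse_resolvers(values):
    """Split resolver strings into valid IPv4 addresses and rejected strings.

    A three-octet value such as "65.32.70" is rejected rather than guessed at.
    """
    valid, rejected = set(), []
    for value in values:
        try:
            valid.add(ipaddress.IPv4Address(value.strip()))
        except ipaddress.AddressValueError:
            rejected.append(value)
    return valid, rejected


def parse_blocked(text):
    """Return one dict per blocked-packet entry found in the log text."""
    events = []
    for m in ENTRY.finditer(text):
        try:
            src = ipaddress.IPv4Address(m["src"])
            dst = ipaddress.IPv4Address(m["dst"])
        except ipaddress.AddressValueError:
            continue  # malformed address in the log: skip the entry
        events.append({
            "proto": m["proto"].upper(),
            "reason": m["reason"],
            "src": src,
            "dst": dst,
            "sport": int(m["sport"]),
            "dport": int(m["dport"]),
        })
    return events


def triage_dns(events, configured, allowed):
    """Classify each blocked port-53 destination.

    configured: resolvers the OS reports (ipconfig /all).
    allowed:    resolvers that already have a permit rule in the firewall.
    """
    seen = defaultdict(lambda: {"count": 0, "sports": set()})
    for ev in events:
        if ev["dport"] != 53:
            continue  # only DNS traffic is of interest here
        seen[ev["dst"]]["count"] += 1
        seen[ev["dst"]]["sports"].add(ev["sport"])

    report = {}
    for dst, info in seen.items():
        if dst not in configured:
            verdict = "unexpected-resolver"           # investigate the sender
        elif dst not in allowed:
            verdict = "configured-but-no-allow-rule"  # rule set is incomplete
        else:
            verdict = "allow-rule-not-matching"       # rule exists, check it
        report[str(dst)] = {
            "verdict": verdict,
            "count": info["count"],
            "sport_min": min(info["sports"]),
            "sport_max": max(info["sports"]),
        }
    return report


def run_example():
    configured, _ = parse_resolvers(["65.32.1.70", "65.32.1.80"])
    allowed, _ = parse_resolvers(["65.32.1.70"])
    return triage_dns(parse_blocked(SAMPLE_LOG), configured, allowed)


if __name__ == "__main__":
    for dst, row in run_example().items():
        print(dst, row)
```

Only the "unexpected-resolver" verdict points at a program bypassing the configured DNS servers; the varying source ports are ephemeral and carry no meaning on their own.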