What is the Pattern here ?

July 29, 2004 11:37:49 PM

Archived from groups: comp.security.firewalls

Hello,

This is a piece of my log, and I would like some comments on the patterns
of hits it logged.
I keep seeing the same ports hit in the same order every time, with
NetBIOS or other probes added at the end from time to time.

All IPs I checked so far come back to dial-up accounts, although I didn't
check the 445 and ICMP hit IPs.

7/29/04 12:25:16 Rule "Block ICMP Inbound (Echo Request) " blocked
(12.76.80.12,8). Details:
Inbound ICMP request
Local address is (-)
Remote address is (12.76.80.12)
Message type is "Echo Request"
Process name is "N/A"
7/29/04 12:21:09 Rule "Default Block Sokets de Trois v1. Trojan" blocked
(-,5000). Details:
Inbound TCP connection
Local address,service is (-,5000)
Remote address,service is (12.76.202.102,4602)
Process name is "N/A"
7/29/04 12:16:07 Rule "?Default Block MyDoom Ports 3127-3198<" blocked
(-,3127). Details:
Inbound TCP connection
Local address,service is (-,3127)
Remote address,service is (219.156.116.164,2591)
Process name is "N/A"
7/29/04 12:16:01 Rule "?Default Block MyDoom Ports 3127-3198<" blocked
(-,3127). Details:
Inbound TCP connection
Local address,service is (-,3127)
Remote address,service is (219.156.116.164,2591)
Process name is "N/A"
7/29/04 12:15:59 Rule "?Default Block MyDoom Ports 3127-3198<" blocked
(-,3127). Details:
Inbound TCP connection
Local address,service is (-,3127)
Remote address,service is (219.156.116.164,2591)
Process name is "N/A"
7/29/04 12:15:02 Rule "Default Block Sokets de Trois v1. Trojan" blocked
(-,5000). Details:
Inbound TCP connection
Local address,service is (-,5000)
Remote address,service is (12.76.8.76,3698)
Process name is "N/A"
7/29/04 12:07:48 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.207.162,4194)
Process name is "N/A"
7/29/04 12:07:45 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.207.162,4194)
Process name is "N/A"
7/29/04 12:07:37 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.184.147,2554)
Process name is "N/A"
7/29/04 12:07:32 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.184.147,2554)
Process name is "N/A"
7/29/04 12:01:27 Rule ">Default Block Kaung 2 The Virus<" blocked
(-,17300). Details:
Inbound TCP connection
Local address,service is (-,17300)
Remote address,service is (12.76.69.219,1989)
Process name is "N/A"
7/29/04 12:01:24 Rule ">Default Block Kaung 2 The Virus<" blocked
(-,17300). Details:
Inbound TCP connection
Local address,service is (-,17300)
Remote address,service is (12.76.69.219,1989)
Process name is "N/A"
7/29/04 11:58:59 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.172.189,4020)
Process name is "N/A"
7/29/04 11:58:56 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.172.189,4020)
Process name is "N/A"
7/29/04 11:58:18 Rule "Default Block NetBIOS Networking Port 139"
blocked (-,nbsession). Details:
Inbound TCP connection
Local address,service is (-,nbsession)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,4531)
Process name is "N/A"
7/29/04 11:58:11 Rule "Default Block NetBIOS Networking Port 139"
blocked (-,nbsession). Details:
Inbound TCP connection
Local address,service is (-,nbsession)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,4531)
Process name is "N/A"
7/29/04 11:58:10 Rule "Default Block NetBIOS Networking Port 139"
blocked (-,nbsession). Details:
Inbound TCP connection
Local address,service is (-,nbsession)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,4531)
Process name is "N/A"
7/29/04 11:57:56 Rule ">Default Block711 Trojan Port 80 http<" blocked
(-,http). Details:
Inbound TCP connection
Local address,service is (-,http)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,2322)
Process name is "N/A"
7/29/04 11:57:50 Rule ">Default Block711 Trojan Port 80 http<" blocked
(-,http). Details:
Inbound TCP connection
Local address,service is (-,http)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,2322)
Process name is "N/A"
7/29/04 11:57:46 Rule ">Default Block711 Trojan Port 80 http<" blocked
(-,http). Details:
Inbound TCP connection
Local address,service is (-,http)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,2322)
Process name is "N/A"
7/29/04 11:57:34 Rule "?Default Block MyDoom Ports 3127-3198<" blocked
(-,3140). Details:
Inbound TCP connection
Local address,service is (-,3140)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,4040)
Process name is "N/A"
7/29/04 11:57:29 Rule "?Default Block MyDoom Ports 3127-3198<" blocked
(-,3140). Details:
Inbound TCP connection
Local address,service is (-,3140)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,4040)
Process name is "N/A"
7/29/04 11:57:26 Rule "?Default Block MyDoom Ports 3127-3198<" blocked
(-,3140). Details:
Inbound TCP connection
Local address,service is (-,3140)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,4040)
Process name is "N/A"
7/29/04 11:57:14 Rule ">Default DameWare Buffer overflow Exploit<"
blocked (-,6129). Details:
Inbound TCP connection
Local address,service is (-,6129)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,1961)
Process name is "N/A"
7/29/04 11:57:06 Rule ">Default DameWare Buffer overflow Exploit<"
blocked (-,6129). Details:
Inbound TCP connection
Local address,service is (-,6129)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,1961)
Process name is "N/A"
7/29/04 11:56:51 Rule "Default Block Sokets de Trois v1. Trojan" blocked
(-,5000). Details:
Inbound TCP connection
Local address,service is (-,5000)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,3553)
Process name is "N/A"
7/29/04 11:56:43 Rule "Default Block Sokets de Trois v1. Trojan" blocked
(-,5000). Details:
Inbound TCP connection
Local address,service is (-,5000)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,3553)
Process name is "N/A"
7/29/04 11:56:30 Rule "> Block Bagle/Beagle/Tanx" blocked (-,2745).
Details:
Inbound TCP connection
Local address,service is (-,2745)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,1458)
Process name is "N/A"
7/29/04 11:56:21 Rule "> Block Bagle/Beagle/Tanx" blocked (-,2745).
Details:
Inbound TCP connection
Local address,service is (-,2745)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,1458)
Process name is "N/A"
7/29/04 11:56:08 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,3019)
Process name is "N/A"
7/29/04 11:56:02 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is
(163.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net,3019)
Process name is "N/A"
7/29/04 11:55:58 Rule ">Default Block Kaung 2 The Virus<" blocked
(-,17300). Details:
Inbound TCP connection
Local address,service is (-,17300)
Remote address,service is (12.76.100.241,2756)
Process name is "N/A"
7/29/04 11:55:55 Rule ">Default Block Kaung 2 The Virus<" blocked
(-,17300). Details:
Inbound TCP connection
Local address,service is (-,17300)
Remote address,service is (12.76.100.241,2756)
Process name is "N/A"
7/29/04 11:55:31 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.172.189,3687)
Process name is "N/A"
7/29/04 11:55:29 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.172.189,3687)
Process name is "N/A"
7/29/04 11:54:49 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.187.217,1847)
Process name is "N/A"
7/29/04 11:54:48 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.198.93,2106)
Process name is "N/A"
7/29/04 11:54:43 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.187.217,1847)
Process name is "N/A"
7/29/04 11:54:42 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.198.93,2106)
Process name is "N/A"
7/29/04 11:54:40 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.187.217,1847)
Process name is "N/A"
7/29/04 11:54:39 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.198.93,2106)
Process name is "N/A"
7/29/04 11:53:06 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.168.39,2593)
Process name is "N/A"
7/29/04 11:53:03 Rule ">Default Block Port 445 Microsoft DS<" blocked
(-,445). Details:
Inbound TCP connection
Local address,service is (-,445)
Remote address,service is (12.76.168.39,2593)
Process name is "N/A"

Sorry it's so long.
Any Ideas ?

Kevin


Anonymous
July 30, 2004 2:41:21 PM


!:?) wrote:

> This is a piece of my Log ...
> [...]
> Any Ideas ?

Why do you install a piece of software when you don't understand its output?

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
July 30, 2004 2:41:22 PM


Hi,

Wolfgang Kueter wrote:
>
> Why do install a piece of software though you don't understand its output?
>
> Wolfgang


It's a pretty straightforward question, and yes, I do understand the output,
but either you don't understand the question or you don't understand the
output.

The Log speaks for itself and is why I didn't go into detail.

Your reply appears to be trollish, looking to insult the poster from
the get-go.

If this wasn't your intent I'm sorry, but if it was, then the kill file will
soon have you talking to yourself.


The Question was "What is the Pattern the Log shows" ?

You can see the probes on 4 or 5 ports, 3x on each one, one after the
other, by the same IP; that is the pattern in the log.

There are others that show a small group of 2 to 4 IPs doing it
together, but I'm not sure that one of those types of probes is in this
log I posted.

And they are ALL dial-up accounts!

At first I thought they were zombies probing server ports for other
zombied DNS or web servers with low TTLs, but now they're hitting ports
up to 60,000 at times.

However most are the same probed ports day after day.
2745
5000
6169
3127
80
139

Sometimes I see port 445 or an ICMP block at the beginning or end with
the same IP but this is rare and has nothing to do with the pattern.

There is one IP that comes back to my area that probes me every day; it
must do whole IP blocks, because I'm a dial-up too with the same ISP.

179.cambridge-10rh16rt-11rh15rt.ma.dial-access.att.net

If I do a DNS, traceroute, NetBIOS, etc. in return, they drop the
connection but come back with a new IP to probe again.
Most times after I do the traces they can detect, they go away for hours.

These must be zombied machines, because this is every day, all day, but the
way they act when I probe back makes me wonder if they are zombies.
And there is the fact that I see the same ATT dial-up IPs from Cambridge,
Pittsburgh and NJ.

Almost all are ATT, but some are not.
And when they do it as a group there are like 2 to 4 ATT and 1 to 3 non-ATT.

I've also seen other probers (I don't think they are the same ones) that
think I'm running a Linux box, by the ports they sometimes probe looking
for a specific vulnerability.

But they give up and go away where these others don't.

Kevin
Anonymous
July 30, 2004 4:34:08 PM


!:?) wrote:
> However most are the same probed ports day after day.
> 2745
> 5000
> 6169
> 3127
> 80
> 139

This pattern characterizes the Virus/Worm Agobot/Gaobot.

Lots of infected machines out there, indeed.
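The probe sequence Kevin describes above, with the port list Jens ties to Agobot/Gaobot, can be pulled out of a log like the one in the first post mechanically. The Python below is an added example, not code from anyone in the thread: it parses entries in the personal-firewall format quoted above (the log viewer wraps lines at arbitrary points, so each entry is flattened before matching), collapses repeats that share remote host, source port and target port, and flags any remote host that touches three or more ports from that list. The collapse is the practitioner's check on the "3x each" observation: the three hits on one port all carry the same remote source port (4040 for the 3140 hits, 2322 for the http hits), so they are retransmits of one unanswered SYN and count as one probe per port, not three scans. The entries, hostnames and addresses in SAMPLE_LOG are constructed for the example; only the entry format and the port list come from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Service names the log substitutes for well-known ports.
SERVICE_PORTS = {"http": 80, "nbsession": 139}
# Ports the thread lists as probed day after day, plus 445 and the MyDoom backdoor
# range the rule names cover; the thread ties this set to Agobot/Gaobot.
PROBE_SET = {2745, 5000, 6129, 80, 139, 445} | set(range(3127, 3199))

# One entry runs from the timestamped "Rule" line to its 'Process name is "..."' line.
ENTRY_RE = re.compile(r'(?ms)^\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} Rule .*?^Process name is "[^"]*"')
HEAD_RE = re.compile(r'^(\S+ \S+) Rule "(.*?)" blocked \((.*?)\)\. Details:')
TCP_RE = re.compile(r"Inbound (TCP|UDP) connection .*?Remote address,service is \((.+?),(\d+)\)")
ICMP_RE = re.compile(r'Inbound ICMP request .*?Remote address is \((.+?)\) Message type is "(.*?)"')


def parse_entries(text):
    """Return one dict per blocked entry: time, rule, proto, remote host, source/target port."""
    records = []
    for m in ENTRY_RE.finditer(text):
        flat = " ".join(m.group(0).split())      # undo the viewer's line wrapping
        head = HEAD_RE.match(flat)
        if not head:
            continue
        lport_tok = head.group(3).rsplit(",", 1)[-1].strip()   # "5000", "nbsession" or ICMP type
        rec = {"time": datetime.strptime(head.group(1), "%m/%d/%y %H:%M:%S"),
               "rule": head.group(2).strip()}
        tcp, icmp = TCP_RE.search(flat), ICMP_RE.search(flat)
        if tcp:
            rec.update(proto=tcp.group(1), remote=tcp.group(2), sport=int(tcp.group(3)),
                       dport=int(SERVICE_PORTS.get(lport_tok, lport_tok)))
        elif icmp:
            rec.update(proto="ICMP", remote=icmp.group(1), sport=None,
                       dport=int(lport_tok), msg=icmp.group(2))
        else:
            continue
        records.append(rec)
    return records


def probe_sequences(records):
    """Order entries by time and collapse repeats sharing remote host, source port and
    target port (retransmits of one SYN).  Returns {remote_host: [dport, ...]} in probe order."""
    seen, seq = set(), defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if r["proto"] not in ("TCP", "UDP"):
            continue
        key = (r["remote"], r["sport"], r["dport"])
        if key not in seen:
            seen.add(key)
            seq[r["remote"]].append(r["dport"])
    return dict(seq)


def flag_scanners(sequences, min_hits=3):
    """Hosts whose probe sequence touches at least min_hits distinct ports from PROBE_SET."""
    return {h: p for h, p in sequences.items() if len(set(p) & PROBE_SET) >= min_hits}


def _entry(ts, rule, lport, remote, rport):
    # Constructed sample entry, laid out with the same line wrapping as the thread's log.
    return (f'7/29/04 {ts} Rule "{rule}" blocked\n(-,{lport}). Details:\nInbound TCP connection\n'
            f'Local address,service is (-,{lport})\nRemote address,service is\n({remote},{rport})\n'
            f'Process name is "N/A"\n')


A, B = "dialup-a.example.net", "198.51.100.7"   # placeholder remote hosts (constructed)
SAMPLE_LOG = (
    '7/29/04 12:25:16 Rule "Block ICMP Inbound (Echo Request) " blocked\n(203.0.113.5,8). Details:\n'
    'Inbound ICMP request\nLocal address is (-)\nRemote address is (203.0.113.5)\n'
    'Message type is "Echo Request"\nProcess name is "N/A"\n'
    + "".join(_entry(*e) for e in [
        ("11:58:10", "Default Block NetBIOS Networking Port 139", "nbsession", A, 4531),
        ("11:57:46", ">Default Block711 Trojan Port 80 http<", "http", A, 2322),
        ("11:57:34", "?Default Block MyDoom Ports 3127-3198<", 3140, A, 4040),
        ("11:57:29", "?Default Block MyDoom Ports 3127-3198<", 3140, A, 4040),
        ("11:57:26", "?Default Block MyDoom Ports 3127-3198<", 3140, A, 4040),
        ("11:57:14", ">Default DameWare Buffer overflow Exploit<", 6129, A, 1961),
        ("11:57:06", ">Default DameWare Buffer overflow Exploit<", 6129, A, 1961),
        ("11:56:51", "Default Block Sokets de Trois v1. Trojan", 5000, A, 3553),
        ("11:56:43", "Default Block Sokets de Trois v1. Trojan", 5000, A, 3553),
        ("11:56:30", "> Block Bagle/Beagle/Tanx", 2745, A, 1458),
        ("11:56:21", "> Block Bagle/Beagle/Tanx", 2745, A, 1458),
        ("11:56:08", ">Default Block Port 445 Microsoft DS<", 445, A, 3019),
        ("11:56:02", ">Default Block Port 445 Microsoft DS<", 445, A, 3019),
        ("11:54:42", ">Default Block Port 445 Microsoft DS<", 445, B, 2106),
        ("11:54:39", ">Default Block Port 445 Microsoft DS<", 445, B, 2106),
    ])
)

if __name__ == "__main__":
    seqs = probe_sequences(parse_entries(SAMPLE_LOG))
    for host, ports in flag_scanners(seqs).items():
        print(host, "->", ports)
```

Run against a real export, the flagged host's list reads in the order the ports were tried, which is what makes the sequence comparable across different source addresses; a host that shows up with only one or two of the ports (the 445-only hits in the thread's log) stays below the threshold and is reported separately from the full sweep.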
August 1, 2004 10:06:44 PM


Hi Jens,

Jens Hektor wrote:

>
> This pattern characterizes the Virus/Worm Agobot/Gaobot.
>
> Lots of infected machines out there, indeed.

Could they be looking to compromise web accelerators that are nothing
more than web servers added by some ISPs?
If so, this could explain the DNS and web server zombies with low TTLs
used by spam websites.

Keeping them out of my machine is not hard, but trying to figure out what
it is they are trying to do in the bigger picture is.
Thanks, I'll look up Agobot/Gaobot.
I didn't see those in my pre-post searches on those ports.

Kevin
Anonymous
August 5, 2004 1:37:59 AM


In article <2FVPc.170589$OB3.85399@bgtnsc05-news.ops.worldnet.att.net>,
@*.com wrote:

>> -D <decoy1 [,decoy2][,ME],...>
>> Causes a decoy scan to be performed which makes it appear

>Interesting tool, not something I think I need but I like to check it
>out anyway, thanks

There have been win32 versions for at least several of the last releases.

>If they are Honeypots they are broken.

Not impossible

>Why are they actively probing me? I didn't probe them, and many times I
>ignore them for hours before I check them out.

How do you know they aren't being spoofed, and you are doing the "attack"
on their real target for them?

>I wonder if the web accelerators that are nothing more than servers are
>being abused by spammers.

Given that nearly all dialup hosts are run by people who shouldn't be using
a computer - I'd certainly believe it. Last I looked at my spam email logs,
a third of the spam was coming from r00ted windoze boxes on Comcast and
ATT, and only a tiny fraction from professional spam servers in .cn, .it,
or .kr.

>I should have added that was true but MS leaving the door open
>by default deserves some of the blame too.

They are just doing what the sheep that buy it want. A _very_ large
percentage of windoze users don't want to know anything, and even the
smallest security function that gets in the way of these fools clicking
on some icon (about half of which don't even know what the icon means),
annoys them. That's why microssoft has included the options of "remember
my password", and open (or install) everything by default without asking
me stupid questions. It's obviously an enormous security hole, but the
sheep don't know (or want to know) or care.

>No but I have a rule for each one to give me more info on my searches
>for that service.
>I use a Block All at the end of the Rules List and all the other Trojan
>Rules are just notes for general info.

Why bother? Block the stuff and ignore it.

>I could delete the whole Trojan list and it wouldn't make any difference
>in security.

No, but it would waste a lot less of your time, CPU cycles, and diskspace.

>Sorry, I wrote PCTool and meant PCAnywhere (I don't use it much).
>I don't run ANY tools from a Website and mostly use a Dos Batch File.

Are you sure about that? You might want to run a sniffer while using
those tools, and see where the packets are going. Remember, 53 is DNS,
and 43 is whois. Neither service found on port 80 of some server.

>I allow it for my ISP only at the moment but am still undecided about
>that as I can block that with no effect.
>I've read pro's and con's on it and haven't made up my mind about it.

NSA recommends denying echo, redirect, and netmask, and allowing the rest.
http://www.nsa.gov/snac/index.html. I disagree, suggesting that you allow
0, 3, 4 and 11 INBOUND, 3, 4, and 8 OUTBOUND, while denying all else. Some
may consider type 4 (Source Quench) as undesirable (possible DOS). YMMV

>The Port 443 I block.

[compton ~]$ grep -w 443 rfcs/port-numbers
https 443/tcp http protocol over TLS/SSL
https 443/udp http protocol over TLS/SSL
[compton ~]$

Inbound, I'd agree, as you are not running a Secure web site, but
outbound? Why?

>I always use a Block all except when adding a new App that requires a
>lot of rules.

That's the difference in philosophy between a so-called personal firewall
and a real firewall box. We don't worry about applications needing
specific access, because we only look at the service and protocol involved.
We also don't install rogue applications.

>> Are you saying 'Block All' doesn't mean Block _ALL_ ??? What happens if
>> someone sends you a protocol Type 2 (IGMP) or Type 92 (MTP) packet? Does
>> your firewall toss up its hands and go into the corner to cry?
>
>No the Block All (UDP/TCP) works.

[compton ~]$ egrep '(icmp|tcp|udp)' /etc/protocols
icmp 1 ICMP # internet control message protocol
tcp 6 TCP # transmission control protocol
udp 17 UDP # user datagram protocol
[compton ~]$

That's great, but protocol 6 is not protocol 17, is not protocol 2 or any
of the other 135 protocols that can be carried in an IP frame. See
http://www.iana.org/assignments/protocol-numbers

>Without the Block All and the Rules Assistant on sometimes a UDP drops
>through the list and no action is logged.

As long as it's dropped, and no one on the inside of the firewall is
complaining about broken services, then that's fine.

>> Why do you care? The firewall blocked it. Anything else you may do is
>> just wasting CPU cycles, and not providing a useful service to you.
>
>Why not have a info box to list what uses that service both good and bad ?

If you have nothing better to do than to look at each and every packet you
see - that's fine. People like me don't have time for that.

>Just like some Files when you click Properties and you get the info Tab.

You forget that not all of us are running windoze. This system doesn't have
a single icon, menu bar, or similar in sight. Or do you think those commands
I've been showing are from some exotic section of windoze that you haven't
seen before?

Old guy
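Moe's point about "Block All (UDP/TCP)" versus the other IP protocols, and his suggested ICMP type policy, both come down to first-match semantics and what the filter does when nothing in the list matches. The Python below is an added example, not code from the thread or from any firewall product: a toy first-match evaluator with two rule lists, one that ends in TCP and UDP block rules only and one that ends in a catch-all block, run against IGMP (protocol 2), protocol 92 and a few ICMP types. The Packet and Rule classes and both rule lists are constructions for the example; the protocol numbers and the ICMP types (0, 3, 4, 11 in; 3, 4, 8 out) are the ones named in the exchange above.

```python
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers (IANA): the three from the /etc/protocols excerpt above, plus IGMP.
ICMP, IGMP, TCP, UDP = 1, 2, 6, 17
# ICMP message types named in the exchange above.
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 8, 11


@dataclass(frozen=True)
class Packet:
    direction: str                    # "in" or "out"
    proto: int                        # IP protocol number
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    direction: Optional[str] = None   # None matches anything
    proto: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.direction, p.direction), (self.proto, p.proto),
                 (self.dport, p.dport), (self.icmp_type, p.icmp_type))
        return all(want is None or want == got for want, got in pairs)


def decide(rules, pkt, default="allow"):
    """First matching rule wins.  `default` is what happens when no rule matches; a list
    that lets a packet drop through with no log line is behaving as default-allow, which
    is exactly the gap a final catch-all block rule closes."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# A list in the style discussed above: per-port "trojan" notes, then "Block All TCP/UDP".
# Anything that is not protocol 6 or 17 never matches and falls through to the default.
TCP_UDP_ONLY = [
    Rule("block", "in", TCP, dport=445),
    Rule("block", "in", TCP, dport=2745),
    Rule("block", "in", TCP),
    Rule("block", "in", UDP),
]

# Moe's suggested ICMP policy with a real default deny at the end.  A working list would
# carry allow rules for the services actually in use above the catch-all.
DEFAULT_DENY = [
    Rule("allow", "in", ICMP, icmp_type=ECHO_REPLY),
    Rule("allow", "in", ICMP, icmp_type=DEST_UNREACH),
    Rule("allow", "in", ICMP, icmp_type=SOURCE_QUENCH),
    Rule("allow", "in", ICMP, icmp_type=TIME_EXCEEDED),
    Rule("allow", "out", ICMP, icmp_type=DEST_UNREACH),
    Rule("allow", "out", ICMP, icmp_type=SOURCE_QUENCH),
    Rule("allow", "out", ICMP, icmp_type=ECHO_REQUEST),
    Rule("block"),                    # everything else: any protocol, any direction
]


def compare(pkt):
    """Return (verdict under TCP_UDP_ONLY, verdict under DEFAULT_DENY) for one packet."""
    return decide(TCP_UDP_ONLY, pkt), decide(DEFAULT_DENY, pkt)


if __name__ == "__main__":
    for p in (Packet("in", IGMP), Packet("in", 92), Packet("in", TCP, dport=445),
              Packet("in", ICMP, icmp_type=ECHO_REQUEST),
              Packet("in", ICMP, icmp_type=TIME_EXCEEDED)):
        print(p, "->", compare(p))
```

The IGMP and protocol-92 packets come out "allow" under the first list and "block" under the second, which is the whole of Moe's objection: "Block All" that names TCP and UDP is two protocol-specific rules, and whether the remaining 130-odd protocol numbers get through is decided by the implicit default, not by anything the user wrote.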
August 5, 2004 10:26:54 PM


Hi Moe,

Moe Trin wrote:

>>If they are Honeypots they are broken.
>
>
> Not impossible

These are all Dialup Connections that I had no connection with at the time.

>>Why are they actively probing me? I didn't probe them, and many times I
>>ignore them for hours before I check them out.
>
>
> How do you know they aren't being spoofed, and you are doing the "attack"
> on their real target for them?
>

True and one of the reasons I asked in this NG if there was a pattern
here that could show this or other possibilities.
I only do the one scan back and only when the same IP hits me over and
over again.
They Scan the same Ports 3 times each (2745, 5000, 6129) every few minutes.
The Scans usually stop right away or soon after (to complete the Scan
Pattern) and don't return with that IP.
They sometimes run NetBIOS at the end of a scan after I probe back but
lately I've seen them using it at the end of their Scans that they never
did before even when I don't probe back.

>
>>I wonder if the web accelerators that are nothing more than servers are
>>being abused by spammers.
>
>
> Given that nearly all dialup hosts are run by people who shouldn't be using
> a computer - I'd certainly believe it. Last I looked at my spam email logs,
> a third of the spam was coming from r00ted windoze boxes on Comcast and
> ATT, and only a tiny fraction from professional spam servers in .cn, .it,
> or .kr.
>

Doesn't surprise me and I have ATT.
The ATT Web Accelerator is like a web server and I think could be abused
to host zombie web and DNS servers for spammers and crackers.

>
>>I should have added that was true but MS leaving the door open
>>by default deserves some of the blame too.
>
>
> They are just doing what the sheep that buy it want. A _very_ large
> percentage of windoze users don't want to know anything, and even the
> smallest security function that gets in the way of these fools clicking
> on some icon (about half of which don't even know what the icon means),
> annoys them. That's why microssoft has included the options of "remember
> my password", and open (or install) everything by default without asking
> me stupid questions. It's obviously an enormous security hole, but the
> sheep don't know (or want to know) or care.

Many sheep didn't have a choice, because all the new software was
compatible only with Windows for the home user.
Those of us that wanted to stick with DOS were left high and dry for a
long time.
But the worm turns.
Now Security and Stability have become more of an Issue today and that's
come back to bite MS in the butt.

>>No but I have a rule for each one to give me more info on my searches
>>for that service.
>>I use a Block All at the end of the Rules List and all the other Trojan
>>Rules are just notes for general info.
>
>
> Why bother? Block the stuff and ignore it.

I did, but I changed ISPs and turned everything on to see what it's doing.
(Which is why I don't like the ATT Web Accelerator.)

>>I could delete the whole Trojan list and it wouldn't make any difference
>>in security.
>
>
> No, but it would waste a lot less of your time, CPU cycles, and diskspace.

Those rules can be unchecked from the list, or I can move the Block All
TCP/UDP rule at the end up above the trojan list, where it won't process
them.

>>Sorry, I wrote PCTool and meant PCAnywhere (I don't use it much).
>>I don't run ANY tools from a Website and mostly use a Dos Batch File.
>
>
> Are you sure about that? You might want to run a sniffer while using
> those tools, and see where the packets are going. Remember, 53 is DNS,
> and 43 is whois. Neither service found on port 80 of some server.

I'm not sure why you list port 80 with 53 and 43?
(I did get a few hits on port 80, but I'm not sure if it was in the log I
posted, and I think that only happened once after this.)

A whois uses Whois.exe; Traceroute.exe, Ping.exe, etc. are files and
have rules for each, inbound and outbound.

>>I allow it for my ISP only at the moment but am still undecided about
>>that as I can block that with no effect.
>>I've read pro's and con's on it and haven't made up my mind about it.
>
>
> NSA recommends denying echo, redirect, and netmask, and allowing the rest.
> http://www.nsa.gov/snac/index.html. I disagree, suggesting that you allow
> 0, 3, 4 and 11 INBOUND, 3, 4, and 8 OUTBOUND, while denying all else. Some
> may consider type 4 (Source Quench) as undesirable (possible DOS). YMMV

At the moment I only allow Echo Request (out), Reply (in) and Time
Exceeded (in).
Type 3 I don't think I need, and it is abused by some ISPs if I remember right.

>>The Port 443 I block.
>
>
> [compton ~]$ grep -w 443 rfcs/port-numbers
> https 443/tcp http protocol over TLS/SSL
> https 443/udp http protocol over TLS/SSL
> [compton ~]$
>
> Inbound, I'd agree, as you are not running a Secure web site, but
> outbound? Why?

I added that and a few others to be sure I wasn't sending out and was
calling those dial-ups to probe me.

>>I always use a Block all except when adding a new App that requires a
>>lot of rules.
>
>
> That's the difference in philosophy between a so-called personal firewall
> and a real firewall box. We don't worry about applications needing
> specific access, because we only look at the service and protocol involved.
> We also don't install rouge applications.

I don't have a network here, and a router isn't really a firewall, but it
does a good job filling the holes.

>>>Are you saying 'Block All' doesn't mean Block _ALL_ ??? What happens if
>>>someone sends you a protocol Type 2 (IGMP) or Type 92 (MTP) packet? Does
>>>your firewall toss up its hands and go into the corner to cry?
>>
>>No the Block All (UDP/TCP) works.
>
>
> [compton ~]$ egrep '(icmp|tcp|udp)' /etc/protocols
> icmp 1 ICMP # internet control message protocol
> tcp 6 TCP # transmission control protocol
> udp 17 UDP # user datagram protocol
> [compton ~]$
>
> That's great, but protocol 6 is not protocol 17, is not protocol 2 or any
> of the other 135 protocols that can be carried in an IP frame. See
> http://www.iana.org/assignments/protocol-numbers

Sorry I first read IGMP as ICMP.
My Firewall blocks all IGMP.

>>Without the Block All and the Rules Assistant on sometimes a UDP drops
>>through the list and no action is logged.
>
>
> As long as it's dropped, and no one on the inside of the firewall is not
> complaining about broken services, then that's fine.

True, and also if I were on a network.
I didn't like not seeing it logged as blocked or permitted, though.
If I didn't have a Log All rule at the end of the list to see what went
by, I would never have known that was happening.
AtGuard told you about this and suggested a Block All and/or a Log rule
at the end of the list.
But NIS hid that info in their help files, and then you had to read
between the lines about adding a Block All rule, since it said some UDPs
drop through.

>>>Why do you care? The firewall blocked it. Anything else you may do is
>>>just wasting CPU cycles, and not providing a useful service to you.
>>
>>Why not have a info box to list what uses that service both good and bad ?
>
>
> If you have nothing better to do than to look at each and every packet you
> see - that's fine. People like me don't have time for that.

If you have them turned on all the time, yes, but when you want as much
information on a port's services and abuses, no.

>
>
>>Just like some Files when you click Properties and you get the info Tab.
>
>
> You forget that not all of us are running windoze. This system doesn't have
> a single icon, menu bar, or similar in sight. Or do you think those commands
> I've been showing are from some exotic section of windoze that you haven't
> seen before?

Never liked Windows, because security and stability were a joke, and they
are just now starting to address those problems.
DOS wasn't as pretty as Windows, but it was a lot more stable.

Right after installing Win9x you have 80-plus errors in 90-plus
categories in the registry.
Installing programs on an unstable OS with that many errors won't show
problems right away, but...
The more programs you install, the greater the load, and stability becomes
a problem.

Well, looks like you're the one I should ask this question to.
What OS is best to replace Windows for the home user that may or may not
be connected to a network?
I see Lindows gaining, but with so many from Red Hat and others, which one
is best for home use?

>
> Old guy


Another Old Guy !:) 
Kevin
August 5, 2004 10:31:28 PM


Hi Moe,

I forgot to thank you for your replies in my last post.
I should have added I was using Win98se.

Thanks again for your replies.

Kevin