How to tell if a firewall alert is suspicious or not

Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

How can I tell if a Sygate firewall alert is suspicious or not?

For example, I received this message from Sygate just now:

Sygate Personal Firewall:
Firefox (firefox.exe) is being contacted from a remote machine
[206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
Do you want to allow this program to access the network?

How can I tell if this is suspicious or not?
  1. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
    > Firefox (firefox.exe) is being contacted from a remote machine
    > [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
    > Do you want to allow this program to access the network?
    >
    > How can I tell if this is suspicious or not?

    Look at your TCP/IP configuration. Isn't that your SBC DNS server?

    nf
  2. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    There are ways you can research these things... however, you will get so
    many of these alerts, and it is so fruitless to research them all, that I
    strongly recommend you consider a firewall configuration that does not alert
    you all the time with these things. Having a firewall ask the user to make
    decisions is a security accident waiting to happen, and is also a
    significant consumption of your time.

    If and when you do want to research these things, you should look up what
    the remote IP address is, for example starting with the DNS name lookup and
    whois lookup at www.nwtools.com [which also gets the DNS name and a lot of
    other things] or www.netsol.com to find out what that IP address is and
    whether you or your computer could have had reason to contact it. This IP
    is named dns1.snfcca.sbcglobal.net, which is a big hint that suggests this
    is probably normal.

    It's also useful to know what the protocol [e.g. TCP] and remote port number
    is... the firewall alert below didn't seem to tell you, which is really
    dumb. If the remote port was, say, TCP 80 or UDP 53, then that gives you
    some level of assurance that this is a response to something your computer
    requested. There is no such thing as "port 1258." There's TCP port 1258,
    and UDP port 1258. Any firewall that doesn't know that this is important
    information is dumb [although I generally like Sygate].

    A really smart firewall would let you inspect the TCP flags and contents of
    the incoming packet, but I guess that's too much to ask.


    "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
    news:9pl87nx3tjpg$.1ugbsdw9mmwkz$.dlg@40tude.net...
    > How can I tell if a Sygate firewall alert is suspicious or not?
    >
    > For example, I received this message from Sygate just now:
    >
    > Sygate Personal Firewall:
    > Firefox (firefox.exe) is being contacted from a remote machine
    > [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
    > Do you want to allow this program to access the network?
    >
    > How can I tell if this is suspicious or not?
  3. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    Karl Levinson, mvp wrote:

    > There are ways you can research these things... however, you will get so
    > many of these alerts, and it is so fruitless to research them all, that I
    > strongly recommend you consider a firewall configuration that does not alert
    > you all the time with these things. Having a firewall ask the user to make
    > decisions is a security accident waiting to happen, and is also a
    > significant consumption of your time.
    >
    > If and when you do want to research these things, you should look up what
    > the remote IP address is, for example starting with the DNS name lookup and
    > whois lookup at www.nwtools.com [which also gets the DNS name and a lot of
    > other things] or www.netsol.com to find out what that IP address is and
    > whether you or your computer could have had reason to contact it. This IP
    > is named dns1.snfcca.sbcglobal.net, which is a big hint that suggests this
    > is probably normal.
    >
    > It's also useful to know what the protocol [e.g. TCP] and remote port number
    > is... the firewall alert below didn't seem to tell you, which is really
    > dumb. If the remote port was, say, TCP 80 or UDP 53, then that gives you
    > some level of assurance that this is a response to something your computer
    > requested. There is no such thing as "port 1258." There's TCP port 1258,
    > and UDP port 1258. Any firewall that doesn't know that this is important
    > information is dumb [although I generally like Sygate].
    >
    > A really smart firewall would let you inspect the TCP flags and contents of
    > the incoming packet, but I guess that's too much to ask.
    >

    You make good points, and I really like your nwtools.com and netsol.com
    suggestions.

    However, to expect the average user to understand what the different
    protocols are, what they do, and what ports are used for what, is a bit
    over the top. Like you hinted at, the firewall responses to incoming and
    outgoing packets should be as automated as possible for the average user.

    And, yes, it is a bit too much to ask your firewall to let you inspect
    the packets. 99% of the users wouldn't have a clue anyway. And if you're
    competent enough to know what to look for, and have the time, then
    you're going to have to invest a bit more than fifty bucks for the
    privilege of doing so.

    Since so many users don't even HAVE a decent software firewall
    installed, this poster is at least making an attempt to protect his
    system - I commend him for that!


    --
    The reader should exercise normal caution and backup the Registry and
    data files regularly, and especially before making any changes to their
    PC, as well as performing regular virus and spyware scans. I am not
    liable for problems or mishaps that occur from the reader using advice
    posted here. No warranty, express or implied, is given with the posting
    of this message.
  4. Archived from groups: comp.security.firewalls

    Gerard Schroeder <Gshroeder22031@hotmail.com> wrote:
    > How can I tell if a Sygate firewall alert is suspicious or not?
    > For example, I received this message from Sygate just now:
    > Sygate Personal Firewall:
    > Firefox (firefox.exe) is being contacted from a remote machine
    > [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
    > Do you want to allow this program to access the network?
    > How can I tell if this is suspicious or not?

    You can't. This is why such messages are nonsense. BTW, they're useless,
    too, because Sygate also cannot prevent "phoning home" by malicious
    programs anyway, as my simple POC here shows:

    http://www.dingens.org/breakout.c

    Yours,
    VB.
    --
    "It cannot be that the frustrated men in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on "World Youth Day"
  5. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
    news:9pl87nx3tjpg$.1ugbsdw9mmwkz$.dlg@40tude.net...
    > How can I tell if a Sygate firewall alert is suspicious or not?
    >
    > For example, I received this message from Sygate just now:
    >
    > Sygate Personal Firewall:
    > Firefox (firefox.exe) is being contacted from a remote machine
    > [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
    > Do you want to allow this program to access the network?
    >
    > How can I tell if this is suspicious or not?

    That's for you to determine by using a link like the one below, entering
    the IP into the WhoIs search box and finding out if the IP is
    dubious or not.

    http://www.arin.net/index.html

    However, the above is one of the problems with personal FW solutions with
    features that try to control programs on the machine: they confuse the
    end-user as they whine about nothing.

    Duane :)
  6. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    On Thu, 15 Sep 2005 07:56:07 -0400, Karl Levinson, mvp wrote:

    > There are ways you can research these things... however, you will get so
    > many of these alerts, and it is so fruitless to research them all
    ....
    > you should look up what the remote IP address is
    > www.nwtools.com or www.netsol.com
    ....
    > A really smart firewall would let you inspect the TCP flags and contents of
    > the incoming packet

    I thank you for your detailed suggestions summarized below as:
    1. There exist innocent common connections reported by the firewall
    2. We can find the NAME of the IP address contacting us for clues
    3. The content of the incoming packet may contain clues

    Regarding the first interesting comment above:
    - Is there a site where all the common innocent connections are listed?
    - I searched (before I posted) and did not find one (but it may exist).
    - If not, I don't mind starting a list (in this post perhaps?).

    Regarding looking up the NAME of the IP address:
    - WHY would my DNS provider suddenly connect (this does not happen often)?
    - I keep a list of the common contact requests & this isn't one of them.
    - I said NO to the request & I don't see negative consequences.

    Regarding the content of the incoming packets:
    - Sygate Personal Firewall 5.6 provides a Yes/No/Details response
    - The DETAILS button gives more information (cryptic to me, a novice).
    - Again I wonder if there is a list of known non-dangerous contacts.

    For we novices who still desire basic firewall protection, it would be nice
    to refer to a list of known generally non-dangerous requests to accept.
    I'll post separately (as it's slightly OT) the list I maintain of what I
    THINK are innocent requests (but I'm not sure) that I get every day so as
    to START this desired list (if it doesn't exist already).

    The particular message I posted from my DNS server does NOT happen often so
    that is what startled me.
  7. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    On Thu, 15 Sep 2005 06:14:04 GMT, nutso fasst wrote:

    > "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
    >> How can I tell if this is suspicious or not?
    > Look at your TCP/IP configuration. Isn't that your SBC DNS server?

    Using DHCP, I don't specify a DNS server so I'd have no clue if that truly
    was my DNS server ... but I maintain a list of daily requests and this is
    NOT one of them.

    So, why, all of a sudden, would my DNS server be contacting me, out of the
    blue. And, why, does my network still (apparently) work even though I said
    NO to the request?

    What would be nice is for users to post (and for experts to doublecheck)
    what they consider to be innocuous requests uninitiated by them which
    appear in their yes/no request list from Sygate.

    I am willing to START that list of what appears to be common innocuous
    requests (for expert review).

    Here is my list of common requests not explicitly initiated by me which my
    Sygate Personal Firewall seems to report daily so that others may consult
    it before accepting or rejecting a Sygate Personal Firewall request to
    allow access:

    NDIS User mode I/O Driver (ndisuio.sys)
    has received a Multicast packet from the remote machine [192.168.0.1].
    Do you want to allow this program to access the network?

    NDIS Filter Intermediate Driver (eacfilt.sys)
    has received a Multicast packet from the remote machine [192.168.0.1].
    Do you want to allow this program to access the network?

    NDIS Filter Intermediate Driver (eacfilt.sys)
    is trying to broadcast to [192.168.0.255]
    using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over
    TCP/IP).
    Do you want to allow this program to access the network?

    NDIS User mode I/O Driver (ndisuio.sys)
    has received a Broadcast packet from the remote machine [192.168.0.100].
    Do you want to allow this program to access the network?

    Firefox (firefox.exe)
    is being contacted from a remote machine news.google.com [216.239.37.147]
    using local port 1615 (NETBILL-AUTH - NetBill Authorization Server).
    Do you want to allow this program to access the network?

    Firefox (firefox.exe)
    is being contacted from a remote machine [206.13.28.12]
    using local port 1258 (OPENNL - Open Network Library).
    Do you want to allow this program to access the network?

    Generic Host Process for Win32 Services (svchost.exe)
    is trying to connect to [207.46.157.60]
    using remote port 443 (HTTPS - HTTP protocol over TLS/SSL).
    Do you want to allow this program to access the network?

    Generic Host Process for Win32 Services (svchost.exe)
    is trying to connect to time.windows.com [207.46.130.100]
    using remote port 123 (NTP - Network Time Protocol).
    Do you want to allow this program to access the network?

    Firefox (firefox.exe)
    is being contacted from a remote machine [80.237.203.14]
    using local port 4503
    Do you want to allow this program to access the network?
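The checks this thread keeps circling back to (is the address on your own LAN, did the program open the connection itself or is this an inbound packet, which side's port the pop-up names, what the reverse name says) can be made repeatable. The script below is an added example written for this page, not code from any poster or from Sygate: it parses pop-ups of the kind Gerard listed above into fields, classifies each one and lists the follow-up lookups Karl's post recommends. The ephemeral-port range, the port-to-service table and the category names are this example's own assumptions; the only name it "resolves" is the dns1.snfcca.sbcglobal.net entry Karl reported, kept in a constructed table so the demo runs offline (reverse_name() does the live lookup if you want it).

```python
"""Triage helper for the Sygate pop-ups quoted in this thread (added example): parses
an alert, classifies the address and port it names, and returns a category plus the
follow-up checks the thread recommends (reverse DNS, whois, the Details button)."""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Optional

XP_EPHEMERAL = range(1025, 5001)   # assumption: Windows XP's local (ephemeral) port range
# remote service ports the thread treats as reassuring (Karl's "TCP 80 or UDP 53" point)
KNOWN_SERVICE_PORTS = {53: "DNS", 80: "HTTP", 123: "NTP", 137: "NetBIOS-NS", 443: "HTTPS"}

ALERT_RE = re.compile(
    r"(?P<program>.+?)\s*\((?P<image>[\w.\-]+)\)\s*"
    r"(?P<verb>is being contacted from a remote machine|"
    r"has received a (?:Multicast|Broadcast) packet from the remote machine|"
    r"is trying to connect to|is trying to broadcast to)\s*"
    r"(?P<host>[\w.\-]+)?\s*\[(?P<ip>[\d.]+)\]?"            # tolerates a missing ']'
    r"(?:\s*using (?P<side>local|remote) port (?P<port>\d+))?"
    r"(?:\s*\((?P<service>[^)]*)\))?"
)

@dataclass
class Alert:
    program: str
    image: str
    direction: str                   # "inbound" or "outbound"
    kind: str                        # "unicast", "multicast" or "broadcast"
    ip: str
    host: Optional[str] = None       # name Sygate printed, if any
    port_side: Optional[str] = None  # "local" or "remote"
    port: Optional[int] = None
    service: Optional[str] = None

def parse_alert(text: str) -> Alert:
    """Turn one pop-up (possibly spread over several lines) into an Alert."""
    flat = re.sub(r"^Sygate Personal Firewall:\s*", "", " ".join(text.split()))
    m = ALERT_RE.search(flat)
    if not m:
        raise ValueError(f"unrecognised alert text: {flat[:60]!r}")
    verb = m["verb"].lower()
    kind = "multicast" if "multicast" in verb else "broadcast" if "broadcast" in verb else "unicast"
    return Alert(m["program"].strip(), m["image"],
                 "outbound" if verb.startswith("is trying") else "inbound", kind, m["ip"],
                 m["host"], m["side"], int(m["port"]) if m["port"] else None, m["service"])

def address_class(ip: str) -> str:
    """'multicast', 'private' (RFC 1918: your own LAN or router) or 'public'."""
    a = ipaddress.ip_address(ip)
    return "multicast" if a.is_multicast else "private" if a.is_private else "public"

def reverse_name(ip: str) -> Optional[str]:
    """Live reverse-DNS lookup; the offline demo below passes a name table instead."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def triage(alert: Alert, names: Optional[dict] = None) -> tuple[str, list[str]]:
    """Return (category, reasons); a starting point, not a verdict: as several
    posters say, only you know what your own programs should be doing."""
    name = (names or {}).get(alert.ip) or alert.host
    reasons = [f"{alert.ip} is named {name}"] if name else []
    cls = address_class(alert.ip)
    if cls != "public":
        reasons.append(f"{cls} address: {alert.kind} traffic from your own LAN/router, not the Internet")
        return "lan", reasons
    if alert.direction == "outbound":
        svc = KNOWN_SERVICE_PORTS.get(alert.port) if alert.port_side == "remote" else None
        if svc:
            reasons.append(f"{alert.image} itself opened this to remote port {alert.port} ({svc}); "
                           f"decide whether that program should talk to {name or alert.ip}")
            return "outbound-known-service", reasons
        reasons.append(f"{alert.image} opened an outbound connection; whois {alert.ip} first")
        return "needs-lookup", reasons
    if alert.port_side == "local" and alert.port in XP_EPHEMERAL:
        reasons.append(f"local port {alert.port} is ephemeral, so this is most likely return traffic "
                       f"for a connection {alert.image} opened; protocol and remote port are missing "
                       "from the pop-up, read them from the Details button")
        return "likely-reply", reasons
    reasons.append(f"unsolicited inbound packet from public {alert.ip}: reverse DNS and whois it")
    return "needs-lookup", reasons

# Constructed input: three pop-ups posted in this thread, plus the name Karl reported
# for 206.13.28.12 (stands in for a live reverse_name() call so the demo runs offline).
SAMPLE_ALERTS = [
    "Sygate Personal Firewall: Firefox (firefox.exe) is being contacted from a remote "
    "machine [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).",
    "NDIS Filter Intermediate Driver (eacfilt.sys) is trying to broadcast to [192.168.0.255] "
    "using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over TCP/IP).",
    "Generic Host Process for Win32 Services (svchost.exe) is trying to connect to "
    "time.windows.com [207.46.130.100 using remote port 123 (NTP - Network Time Protocol).",
]
NAME_TABLE = {"206.13.28.12": "dns1.snfcca.sbcglobal.net"}

if __name__ == "__main__":
    for text in SAMPLE_ALERTS:
        category, why = triage(parse_alert(text), NAME_TABLE)
        print(f"{category:24} " + "; ".join(why))
```

Run as-is to categorise the three sample pop-ups; for a new pop-up, paste its text into parse_alert() and hand triage() a names table filled from reverse_name(). A "lan" or "likely-reply" result is where Karl's advice to configure the firewall not to ask applies; "needs-lookup" is where the whois/dnsstuff step still earns its keep.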
  8. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    The packet filter/personal FW solution is in serious whine mode asking the
    end-user unnecessary questions that the average home user just doesn't
    understand.

    If the user's machine was sitting behind a simple NAT router for the
    protection and not running the PFW solution on the machine, none of the
    ridiculous authorization questions the end-user is dealing with would be
    asked.

    Duane :)
  9. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    Gerard Schroeder wrote:
    > On Thu, 15 Sep 2005 06:14:04 GMT, nutso fasst wrote:
    >
    >
    >>"Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
    >>
    >>>How can I tell if this is suspicious or not?
    >>
    >>Look at your TCP/IP configuration. Isn't that your SBC DNS server?
    >
    >
    > Using DHCP, I don't specify a DNS server so I'd have no clue if that truly
    > was my DNS server ... but I maintain a list of daily requests and this is
    > NOT one of them.
    >
    > So, why, all of a sudden, would my DNS server be contacting me, out of the
    > blue. And, why, does my network still (apparently) work even though I said
    > NO to the request?
    >
    > What would be nice is for users to post (and for experts to doublecheck)
    > what they consider to be innocuous requests uninitiated by them which
    > appear in their yes/no request list from Sygate.
    >
    > I am willing to START that list of what appears to be common innocuous
    > requests (for expert review).

    <Snip pointless list>

    Without knowing what you were doing at the time, what applications you
    need to run, how your network is configured, if you indeed have a
    network and a host of other detail, there is no way of knowing. There is
    no 'correct' answer.

    Example:-
    Generic Host Process for Win32 Services (svchost.exe)
    is trying to connect to time.windows.com [207.46.130.100]
    using remote port 123 (NTP - Network Time Protocol).
    Do you want to allow this program to access the network?

    Well I might want to allow that because I want my clock to synchronise
    to time.windows.com but you may not want to use that server preferring
    uk.pool.ntp.org which is on a round robin DNS which will respond from a
    different server each time giving rise to yet another problem and so on
    and so on...

    Ditch the stupid software and get a router.
  10. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    Mike wrote:

    >
    > Ditch the stupid software and get a router.


    You made a good point about the inability to give good advice on how to
    respond, when we know nothing about his network or applications.

    However, to tell him to trash the software firewall and rely strictly on
    a router is simply bad advice.

    Unless the router performs stateful packet inspection and is highly
    configurable, etc., etc., etc., then the router alone will not be
    providing sufficient protection.

    His use of a software firewall is not unreasonable, and your advice to
    get rid of it is unwise.

    --
    The reader should exercise normal caution and backup the Registry and
    data files regularly, and especially before making any changes to their
    PC, as well as performing regular virus and spyware scans. I am not
    liable for problems or mishaps that occur from the reader using advice
    posted here. No warranty, express or implied, is given with the posting
    of this message.
  11. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    Gerard Schroeder wrote:
    > On Thu, 15 Sep 2005 07:56:07 -0400, Karl Levinson, mvp wrote:
    >
    >
    >>There are ways you can research these things... however, you will get so
    >>many of these alerts, and it is so fruitless to research them all
    >
    > ...
    >
    >>you should look up what the remote IP address is
    >>www.nwtools.com or www.netsol.com
    >
    > ...
    >
    >>A really smart firewall would let you inspect the TCP flags and contents of
    >>the incoming packet
    >
    >
    > I thank you for your detailed suggestions summarized below as:
    > 1. There exist innocent common connections reported by the firewall
    > 2. We can find the NAME of the IP address contacting us for clues
    > 3. The content of the incoming packet may contain clues
    >
    > Regarding the first interesting comment above:
    > - Is there a site where all the common innocent connections are listed?
    > - I searched (before I posted) and did not find one (but it may exist).
    > - If not, I don't mind starting a list (in this post perhaps?).
    >
    > Regarding looking up the NAME of the IP address:
    > - WHY would my DNS provider suddenly connect (this does not happen often)?
    > - I keep a list of the common contact requests & this isn't one of them.
    > - I said NO to the request & I don't see negative consequences.
    >
    > Regarding the content of the incoming packets:
    > - Sygate Personal Firewall 5.6 provides a Yes/No/Details response
    > - The DETAILS button gives more information (cryptic to me, a novice).
    > - Again I wonder if there is a list of known non-dangerous contacts.
    >
    > For we novices who still desire basic firewall protection, it would be nice
    > to refer to a list of known generally non-dangerous requests to accept.

    No!! Novices do not have the knowledge as you so patently demonstrate.
    You need a hardware firewall like the ones built into Zyxel routers etc.
    Tick the box that says enable firewall and just get on with using your
    computer without all the silly pointless and misleading popups from your
    software firewall.

    > The particular message I posted from my DNS server does NOT happen often so
    > that is what startled me.

    If you had a router you would not have seen it or been startled plus you
    would have been protected.
  12. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
    news:125fddwsx0agz.8ux1n0q8ec5.dlg@40tude.net...
    > So, why, all of a sudden, would my DNS server be contacting me, out of the
    > blue.

    Dunno, and wish one of the experts had answered that. But DHCP simply
    assigns YOU an IP address, it doesn't eliminate the need for DNS. And you
    will have at least one alternate DNS server.

    > NDIS User mode I/O Driver (ndisuio.sys)
    > has received a Multicast packet from the remote machine [192.168.0.1].

    NDIS messages from 192.168.x.x suggest you have a wireless NAT router and
    your firewall is responding to messages from it. (Surely you are behind some
    kind of NAT, ICS perhaps.) If you're not using a wireless network, disable
    wireless configuration service.

    As for such terms as HTTPS, SSL and NTP, Google them (and NAT, if necessary)
    and expand your understanding. HTTPS means you're connecting to a secure
    website.

    You're suggesting the compilation of what could be an ever-expanding
    database of mostly-irrelevant details. Seems to me time would be better
    spent becoming more of an expert. Your choice of firewall apparently demands
    it.

    Sygate has a product forum. Air your concerns there. Those dialogs are too
    obscure for "even inexperienced users" unwilling to spend time researching
    them.

    nf
  13. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    Firefox is a browser from Mozilla.
    Then, you can run on the command line: tracert 206.13.28.12 to learn
    what/where this IP (or any) is, if it really works....

    alf


    "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
    news:9pl87nx3tjpg$.1ugbsdw9mmwkz$.dlg@40tude.net...
    > How can I tell if a Sygate firewall alert is suspicious or not?
    >
    > For example, I received this message from Sygate just now:
    >
    > Sygate Personal Firewall:
    > Firefox (firefox.exe) is being contacted from a remote machine
    > [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
    > Do you want to allow this program to access the network?
    >
    > How can I tell if this is suspicious or not?
  14. Archived from groups: comp.security.firewalls

    null <null@planetzero.com> wrote:
    > However, to tell him to trash the software firewall and rely strictly on
    > a router is simply bad advice.

    No. It's very good advice. Also, he could use the Windows Firewall.

    > Unless the router performs stateful packet inspection and is highly
    > configurable, etc., etc., etc., then the router alone will not be
    > providing sufficient protection.

    The "Personal Firewalls" we tested were all terribly incompetently
    implemented. I doubt that with a "Personal Firewall" he will be secure
    in any way.

    > His use of a software firewall is not unreasonable, and your advice to
    > get rid of it is unwise.

    The opposite is true.

    Yours,
    VB.
    --
    "It cannot be that the frustrated men in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on "World Youth Day"
  15. Archived from groups: comp.security.firewalls

    Gerard Schroeder <Gshroeder22031@hotmail.com> wrote:
    > I thank you for your detailed suggestions summarized below as:
    > 1. There exist innocent common connections reported by the firewall

    Yes.

    > Regarding the first interesting comment above:
    > - Is there a site where all the common innocent connections are listed?

    I don't know one. And I think this will not be possible. There are
    too many possibilities for these. Why use a "Personal Firewall" at all,
    which shows useless popups?

    > Regarding looking up the NAME of the IP address:
    > - WHY would my DNS provider suddenly connect (this does not happen often)?

    There may be many reasons for this.

    > Regarding the content of the incoming packets:
    > - Sygate Personal Firewall 5.6 provides a Yes/No/Details response
    > - The DETAILS button gives more information (cryptic to me, a novice).
    > - Again I wonder if there is a list of known non-dangerous contacts.

    The point is that this is a b0rken concept: asking the only person
    who for sure does not know what to do here - you, the user.

    It's OK that not everybody is a networking expert. A good security solution
    has to work _without_ asking the user.

    > For we novices who still desire basic firewall protection, it would be nice
    > to refer to a list of known generally non-dangerous requests to accept.

    Why not use the Windows Firewall and not have such problems?

    Yours,
    VB.
    --
    "It cannot be that the frustrated men in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on "World Youth Day"
  16. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    Gerard Schroeder wrote:
    > How can I tell if a Sygate firewall alert is suspicious or not?
    >
    > For example, I received this message from Sygate just now:
    >
    > Sygate Personal Firewall:
    > Firefox (firefox.exe) is being contacted from a remote machine
    > [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
    > Do you want to allow this program to access the network?
    >
    > How can I tell if this is suspicious or not?


    Do you have another computer on your internal network with that
    specific IP address? Is that computer allowed to connect to the
    Internet via your computer?


    --

    Bruce Chambers

    Help us help you:
    http://dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html

    You can have peace. Or you can have freedom. Don't ever count on having
    both at once. - RAH
  17. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    On Thu, 15 Sep 2005 15:44:45 +0100, Mike wrote:

    > <Snip pointless list>
    >
    > Without knowing what you were doing at the time, what applications you
    > need to run, how your network is configured, if you indeed have a
    > network and a host of other detail, there is no way of knowing. There is
    > no 'correct' answer.

    Sorry about not being specific. I already pared the list down to those
    event which occur WITHOUT the users' explicit action. For example, I
    removed any request to/from the NNTP software which occur while using it.
    Likewise with POP3/SMTP clients, explicit actions from HTTP clients, etc.

    The Sygate Personal Firewall software has the ability to "remember" a
    decision so the user, if they knew which to ignore, would not see those
    which make it into the innocuous list. That is mainly why I ask.

    > Example:-
    > Generic Host Process for Win32 Services (svchost.exe)
    > is trying to connect to time.windows.com [207.46.130.100]
    > using remote port 123 (NTP - Network Time Protocol).
    > Do you want to allow this program to access the network?

    Again, I should have noted, I never explicitly told the Windows XP machine
    to synchronize the time so that is why this unasked for request made it
    onto the posted listing. Said another way, if I KNEW I had explicitly asked
    WinXP to synchronize the time, I would have removed that request from the
    list (by telling Sygate Personal Firewall to simply accept all of those
    requests in the future).

    > Ditch the stupid software and get a router.

    Isn't the D-Link wired and wireless box connected to the DSL modem a
    "router"?
  18. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    On Thu, 15 Sep 2005 11:02:57 -0400, null wrote:

    > However, to tell him to trash the software firewall and rely strictly on
    > a router is simply bad advice.

    I'm confused whether the D-Link wired and wireless box I have connected to
    the DSL modem is considered the "router" you bespeak of. Is it?
  19. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    On Thu, 15 Sep 2005 18:11:47 GMT, nutso fasst wrote:

    > NDIS messages from 192.168.x.x suggest you have a wireless NAT router and
    > your firewall is responding to messages from it. (Surely you are behind some
    > kind of NAT, ICS perhaps.) If you're not using a wireless network, disable
    > wireless configuration service.

    I am using a wireless D-Link (is that the router you bespeak of)?

    > You're suggesting the compilation of what could be an ever-expanding
    > database of mostly-irrelevant details. Seems to me time would be better
    > spent becoming more of an expert.

    I do run http://www.dnsstuff.com checks on all requests that the Sygate
    Personal Firewall pops up before putting the messages on the list of
    suspicious items. Also I don't put on the list messages which pop up from
    KNOWN events. For example, when I start the NNTP client, a message pops up
    which I tell the Sygate Personal Firewall program to accept forever (so
    that message only pops up once). Likewise with the web browser, email
    client, Microsoft Anti-Spyware update program, Windows Updater, Real Audio
    client, etc.

    I only posted what I considered the unasked for messages (not the obvious
    ones).
  20. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    On Thu, 15 Sep 2005 07:56:07 -0400, Karl Levinson, mvp wrote:

    > There are ways you can research these things...

    Generally I do two obvious things each time I get a NEW message.
    1. I run a reverse-IP address lookup at www.dnsstuff.com
    2. I search Google Groups for the exact message (often I find others have
    the exact same question, with the exact same message, and IP address).

    Should I do more?
    I'm hoping others can find THIS THREAD, for example, when they get the
    messages I just posted and therefore they'd get the advice we all so
    desperately need.

    Where would YOU go when you received any one of the messages previously
    posted when you didn't explicitly ask for that IP address to connect to
    you?


    > however, you will get so many of these alerts, and it is so
    > fruitless to research them all, that I strongly recommend you consider
    > a firewall configuration that does not alert you all the time with
    > these things.

    THAT's THE WHOLE POINT OF THIS THREAD!
    With Sygate Personal Firewall (and I suspect all software firewalls), you
    can tell the program to silently ignore and simply LOG all these
    connections! My question was really WHICH OF THESE WOULD YOU IGNORE?


    > Having a firewall ask the user to make decisions is a security accident
    > waiting to happen, and is also a significant consumption of your time.

    Is there any other choice?
    These requests were made to my machine and I must respond to them.
    Of course, I could simply say "Accept All Requests" but that would be
    folly. The question really becomes two questions:
    1. Which of these common requests is truly something to ignore
    2. Of those which aren't ignorable, HOW DO NOVICES FIGURE THEM OUT?

    > If and when you do want to research these things, you should look up what
    > the remote IP address is

    I generally use http://www.dnsstuff.com but your suggestion of adding
    www.nwtools.com or www.netsol.com is valid. I did that, for example, with
    the DHCP server request. But, that really only tells me who owns the
    machine. It doesn't tell me WHY they would be contacting me. (Remember,
    that server only contacted me once and I have been using this same setup
    for years). So, why, all of a sudden, would a machine which purports to be
    a DNS server, be contacting me?

    > It's also useful to know what the protocol [e.g. TCP] and remote port number
    > is... the firewall alert below didn't seem to tell you, which is really
    > dumb.

    In defence of the Sygate Personal Firewall, there is a DETAILS button which
    spits out a huge amount of cryptic (to a novice) information about
    something called a "packet" so the remote port MIGHT be in that listing.

    > A really smart firewall would let you inspect the TCP flags and contents of
    > the incoming packet, but I guess that's too much to ask.

    I could post the DETAILED information if it would help (caution, it's
    cryptic at best).
  21. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    On Thu, 15 Sep 2005 15:48:26 +0100, Mike wrote:

    > Novices do not have the knowledge as you so patently demonstrate.
    > You need a hardware firewall like the ones built into Zyxel routers etc.

    Is the D-Link wireless/wired box connected to the DSL modem set up in the
    default configuration sufficient?

    Or is there something ELSE I should purchase to get this "hardware
    firewall"?

    > If you had a router you would not have seen it or been startled plus you
    > would have been protected.

    I've been using this setup for more than a year and this is the FIRST time
    that particular server contacted me (for whatever reason). That is what
    startled me and made me suspicious.
  22. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    On Thu, 15 Sep 2005 18:14:23 -0300, alfranze wrote:

    > Firefox is a browser from Mozilla.
    > Then, you can run the command line: tracert 206.13.28.12 to find out
    > what/where this IP (or any) is, if it really works....

    Since NOBODY has mentioned the problem that this is only HALF the story, I
    wonder if I understand this correctly.

    Knowing the machine "name" and "owner" is only HALF the story (isn't it)?
    The other half is for what PURPOSE did the machine contact my machine.

    For example, when Adobe Acrobat 6.0 (Acrobat.exe) [206.13.31.12] contacts
    me on local port 1880 (VSAT-CONTROL - Gilat VSAT Control), I can find the
    name of the machine contacting me from www.dnsstuff.com as
    "dns1.scrmca.sbcglobal.net" ... but that does not tell me anything about
    WHY this SBCGlobal DNS server would be contacting Adobe Acrobat on port
    1880 (whatever that port is for).

    Knowing ONLY the name of the server contacting you, would YOU want to allow
    this program to access the network?
  23. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    On Thu, 15 Sep 2005 19:25:21 -0600, Bruce Chambers wrote:

    >> Sygate Personal Firewall:
    >> Firefox (firefox.exe) is being contacted from a remote machine
    >> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
    >> Do you want to allow this program to access the network?

    > Do you have another computer on your internal network with that
    > specific IP address? Is that computer allowed to connect to the
    > Internet via your computer?

    Of course not!

    If I had another machine on the same tiny home network with that IP address
    (which would be highly unlikely in a 192.168.0.XXX network), then I would
    NOT have posted that specific request in the list above as it would have
    been an obvious innocuous request.

    Again, knowing the machine name & owner is only HALF the story. Actually,
    it's only 1/3 the story as the following is important:
    1. WHO is the owner of that machine?
    2. WHAT is the purpose of the port being used?
    3. WHY is that machine contacting me?

    Is this information available somewhere?

    Note that the WHO part is trivial to obtain, e.g., we can obtain that from:
    http://www.dnsstuff.com
    http://www.nwtools.com
    http://www.netsol.com
    http://remote.12dt.com/rns
    http://www.zoneedit.com/lookup.html
    etc.; but that doesn't tell us WHAT or WHY.


    The WHAT part, albeit often highly technical, is not too very difficult to
    obtain, e.g., we can use any of the following which describe the ports:
    http://www.bekkoame.ne.jp/~s_ita/port/port1200-1299.html
    http://www.seifried.org/security/ports/1000/1258.html
    http://www.iana.org/assignments/port-numbers
    http://www.sonomawireless.com/~ports/port1200-1299.html
    http://www.auditmypc.com/freescan/readingroom/portlist.asp
    etc.; but that doesn't tell us WHY they contacted us.

    The WHY part is the key question.

    For example, WHY would dns1.snfcca.sbcglobal.net contact my machine on
    tcp/udp port 1258 named the Open Network Library?

    The question becomes:
    1. HOW do users learn MORE about the PURPOSE of this OPEN NETWORK LIBRARY?
    2. HOW do we obtain possible REASONS for a machine contacting us on this
    port?

    That advice was the purpose of the original question.
  24. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    On 15 Sep 2005 10:10:51 +0200, Volker Birk wrote:

    >> Firefox (firefox.exe) is being contacted from a remote machine
    >> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
    >> Do you want to allow this program to access the network?
    >> How can I tell if this is suspicious or not?
    >
    > You can't. This is, why such messages are nonsense. BTW, they're useless,
    > too, because also Sygate cannot prevent "phoning home" from malicious
    > programs anyway, as my simple POC here shows:
    >
    > http://www.dingens.org/breakout.c

    Unfortunately, I don't know what a POC (point of contact?) is nor do I have
    a c compiler.

    What does the breakout.c program do for us? Does it slip past the Sygate
    Personal Firewall somehow secretly and silently?

    I think there are 3 parts to the problem, one of which is trivial, the other
    of which is technical, and the third of which is the crux of the matter:

    1. WHO is it that is contacting us (all agree this is trivial to obtain but
    nearly meaningless in many cases as it doesn't tell us WHAT they are doing
    when they contact us or WHY they are doing it).

    2. WHAT the machine is doing when it contacts us (I suspect this is
    explained somewhere on the Internet based on the port being contacted, but
    so far all I've found is the posted listings of a NAME and quick
    DESCRIPTION of the port used). This is INCOMPLETE information as merely
    knowing the name of a protocol doesn't always help to understand WHAT is
    occurring. Plus, I routinely DENY all these requests and my machine seems
    to work fine so what is it that it is doing anyway?

    3. WHY would the machine contact us on the specified port. I believe this
    is the crux of the question. My question to you experts is to ask if there
    is a good web site which would explain WHY any particular machine would be
    contacting us on any particular port. If we knew WHY, we could then decide
    whether to allow this connection or not.

    For example, WHY would Adobe Acrobat 6.0 (Acrobat.exe) be contacted from an
    SBCGlobal DNS machine [206.13.31.12] using local port 1880 (VSAT-CONTROL -
    Gilat VSAT Control)?

    What could it possibly want?
    Why doesn't anything bad happen when I deny the request?
  25. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    On 15 Sep 2005 19:14:08 +0200, Volker Birk wrote:

    > It's OK, that not everybody is a networking expert. A good security solution
    > has to work _without_ asking the user.
    >
    >> For us novices who still desire basic firewall protection, it would be nice
    >> to refer to a list of known generally non-dangerous requests to accept.
    >
    > Why not using the Windows-Firewall and not having such problems?

    Since the remote machine is gonna try to contact us anyway, wouldn't we
    have the same three problems no matter which personal firewall solution we
    used?

    For example, if I used Windows XP Firewall, or ZoneAlarm (
    http://snipurl.com/6ohg ) or Kerio Personal Firewall (
    http://www.kerio.com/kpf_download.html ) or Sygate Personal Firewall (
    http://smb.sygate.com/free/spf_download.php ) or Outpost Firewall (
    http://www.agnitum.com/products/outpost ) or whatever, WOULDN'T the
    offending machine STILL try to contact my machine?

    And then, if it did, wouldn't we STILL have the THREE QUESTIONS:
    1. Who is trying to contact us?
    2. On what port are they trying to contact us?
    3. Why are they trying to contact us?

    This seems, to me, to be such a common need for virtually every one of the
    millions of computer users out there, that the ANSWER to these three
    questions SHOULD be somewhere very easy to locate for us novice users?

    I can't believe there is a single person out there on the Internet who
    doesn't have this very same problem. That's why it's so frustrating to me
    to not be able to find the all-important WHY information so desperately
    needed by millions of us users.

    GS

    > Gerard Schroeder <Gshroeder22031@hotmail.com> wrote:
    >> I thank you for your detailed suggestions summarized below as:
    >> 1. There exists innocent common connections reported by the firewall
    >
    > Yes.
    >
    >> Regarding the first interesting comment above:
    >> - Is there a site where all the common innocent connections are listed?
    >
    > I don't know one. And I think, this will not be possible. There are
    > too many possibilities for these. Why using a "Personal Firewall" at all,
    > which is showing useless Popups?
    >
    >> Regarding looking up the NAME of the IP address:
    >> - WHY would my DNS provider suddenly connect (this does not happen often)?
    >
    > There may be many reasons for this.
    >
    >> Regarding the content of the incoming packets:
    >> - Sygate Personal Firewall 5.6 provides a Yes/No/Details response
    >> - The DETAILS button gives more information (cryptic to me, a novice).
    >> - Again I wonder if there is a list of known non-dangerous contacts.
    >
    > The point is, that this is a b0rken concept to ask the only person,
    > who for sure does not know what to do here - you, the user.
    >
    > It's OK, that not everybody is a networking expert. A good security solution
    > has to work _without_ asking the user.
    >
    >> For us novices who still desire basic firewall protection, it would be nice
    >> to refer to a list of known generally non-dangerous requests to accept.
    >
    > Why not using the Windows-Firewall and not having such problems?
    >
    > Yours,
    > VB.
  26. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    On 15 Sep 2005 19:09:09 +0200, Volker Birk wrote:

    > null <null@planetzero.com> wrote:
    >> However, to tell him to trash the software firewall and rely strictly on
    >> a router is simply bad advice.
    >
    > No. It's very good advice. Also he could use the Windows-Firewall.
    >
    >> Unless the router performs stateful packet inspection and is highly
    >> configurable, etc., etc., etc., then the router alone will not be
    >> providing sufficient protection.
    >
    > The "Personal Firewalls" we tested all were terribly incompetently
    > implemented. I doubt, that with a "Personal Firewall" he will be secure
    > in any way.
    >
    >> His use of a software firewall is not unreasonable, and your advice to
    >> get rid of it is unwise.
    >
    > The opposite is true.

    If Adobe Acrobat 6.0 (Acrobat.exe) is going to be contacted from a remote
    machine [206.13.31.12] using local port 1880 (VSAT-CONTROL - Gilat VSAT
    Control), what would Windows Firewall do differently from what Sygate,
    ZoneAlarm, Kerio, Outpost, etc. would do?
  27. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    "null" <null@planetzero.com> wrote in message
    news:OBgtyifuFHA.3252@TK2MSFTNGP10.phx.gbl...

    > However, to expect the average user to understand what the different
    > protocols are, what they do, and what ports are used for what, is a bit
    > over the top. Like you hinted at, the firewall responses to incoming and
    > outgoing packets should be as automated as possible for the average user.

    I don't expect the user to know that. But I expect the firewall to include
    that information in the error message, for situations like this one where
    the user copies and pastes the error message to their firewall support or to
    a newsgroup for assistance. Not having those details really cripples
    whoever is trying to help the user. If necessary, the vendor can hide this
    information under a "Details" button on the message, and put them into the
    log file for posterity.
  28. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
    news:1q08azyjwaa34.bf3jp27hl5dk.dlg@40tude.net...

    > Where would YOU go when you received any one of the messages previously
    > posted when you didn't explicitly ask for that IP address to connect to
    > you?

    I do the same things I suggested in my post.

    > THAT's THE WHOLE POINT OF THIS THREAD!
    > With Sygate Personal Firewall (and I suspect all software firewalls), you
    > can tell the program to silently ignore and simply LOG all these
    > connections! My question was really WHICH OF THESE WOULD YOU IGNORE?

    I think the best firewall configuration is one that doesn't give you any
    popups whatsoever. Corporate firewalls don't give the firewall
    administrator popups and ask him or her questions. They just work. The
    same thing is true of hardware firewalls used in homes. Firewalls should
    have just two situations: packets it knows are bad and it blocks without
    question, and everything else that it lets through.

    > > Having a firewall ask the user to make decisions is a security accident
    > > waiting to happen, and is also a significant consumption of your time.
    >
    > Is there any other choice?

    Yes... I don't have the latest version of Sygate, but I believe most
    software firewalls have a configuration choice that does not cause any
    popups. If Sygate doesn't, there's also www.kerio.com, www.zonealarm.com,
    both of which are free. If you are already protected by a hardware
    firewall, you may not really totally need that software firewall.

    > 1. Which of these common requests is truly something to ignore

    All of them.

    > machine. It doesn't tell me WHY they would be contacting me. (Remember,

    The problem is all you've got is what the firewall tells you, and it hasn't
    told you everything you need to know. Very often, you will not be able to
    100% determine the cause. You'll have to make a best guess, go with a gut
    feeling, and move on. Even professionals who monitor computer networks for
    intrusions do this as well.

    Another possible strategy would be to deny any packets you have questions
    about. If something breaks, then you know it was probably something you
    needed to allow. This is also the safest strategy.

    > that server only contacted me once and I have been using this same setup
    > for years). So, why, all of a sudden, would a machine which purports to be
    > a DNS server, be contacting me?

    I believe it is more likely that this was a reply to a connection your
    computer made. The reply took too long to come back, and your firewall
    stopped watching that connection, was surprised when the reply came back and
    considered it a new connection. DNS servers should never be contacting you.
    This situation can happen when you look up the IP address for a host name
    where the DNS server is troubled or down and does not respond, and the
    request times out 45 seconds or more later. It's happened to me.

    > In defence of the Sygate Personal Firewall, there is a DETAILS button which
    > spits out a huge amount of cryptic (to a novice) information about
    > something called a "packet" so the remote port MIGHT be in that listing.

    Ah, that might help us a little. But I'm still leaning towards ignoring
    this one, moving on, and pursuing a silent firewall configuration.

    > I could post the DETAILED information if it would help (caution, it's
    > cryptic at best).

    Sure, go ahead.
  29. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
    news:125fddwsx0agz.8ux1n0q8ec5.dlg@40tude.net...

    > So, why, all of a sudden, would my DNS server be contacting me, out of the
    > blue. And, why, does my network still (apparently) work even though I said
    > NO to the request?

    See my other post. More likely, this was a reply to your computer, but the
    reply took so long, your firewall wrongly considers this a new inbound
    connection. DNS especially does this due to having timeout values that are
    greater than the timeout values in many stateful firewalls.

    > What would be nice is for users to post (and for experts to doublecheck)
    > what they consider to be innocuous requests uninitiated by them which
    > appear in their yes/no request list from Sygate.
    >
    > I am willing to START that list of what appears to be common innocuous
    > requests (for expert review).

    It's not really that easy. If it was, someone would have done it already.
    One problem is that each firewall reports things in different ways. Another
    problem is that some Firefox traffic is good, and some might not be so good.
    These sorts of things are very variable and conditional. However, you can
    find some informative resources by searching www.google.com for firewall-faq
    and also search for ids-faq. In particular, there are some good IDS FAQs on
    Robert Graham's web site [google says it's at
    http://www.robertgraham.com/pubs/network-intrusion-detection.html but I
    can't get to that web site currently] and especially this, I strongly
    recommend reading this:

    http://www.mynetwatchman.com/kb/res-falsepos.htm

    By the way, you may want to sign up with a free service like
    www.mynetwatchman.com or www.dshield.org Those sites automatically report
    hacking attempts blocked in your firewall to the ISPs responsible, and they
    also let you see useful relevant information from other people's firewall
    logs, which helps you determine whether something is just hitting you or is
    hitting a lot of other people. You can't get that information any other
    way.
  30. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

    "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
    news:jwds0e2ucftd.hz4moqapcoq2.dlg@40tude.net...

    > I am using a wireless D-Link (is that the router you bespeak of)?

    Not specifically, but it qualifies. I'd OK the NDIS messages.

    > I only posted what I considered the unasked for messages (not the obvious
    > ones).

    Unasked for... You weren't visiting a secure web page when you got the HTTPS
    message? Weren't looking at a PDF when the DNS server tried to contact
    Acrobat? That would be odd indeed. As for some of the others, is it possible
    a web page you were visiting pulled an advertisement or graphic from a
    different address? Have you looked at the relevant transactions in context
    in the firewall logs? Do you understand that local ports 1024-5000 are
    typically ones YOUR system uses to connect to a remote system? And that once
    a connection is made, the remote system communicates FROM the destination
    port TO the port your system has connected from?

    Next time you get a prompt referring to any of those local ports, try
    opening a command prompt and typing 'netstat -a' and see if the port's
    currently connected to something. I suspect the references to 'Open Network
    Library' and 'NetBill Authorization Server' are bogus (pulled from the list
    of 'registered ports'). But then, I'm no expert.

    Ask on the Sygate forum.

    nf
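    As an added example (not code from this thread or from any poster), the checks nf and Karl Levinson describe, applied to the alerts quoted above: is the local port one of the ephemeral ports your own PC uses for outbound connections, is the remote host one of your configured DNS servers, and does `netstat -an` show an existing socket on that port? The `netstat` output, the DNS-server list and the extra alert texts are constructed for the demonstration.

```python
"""Triage a Sygate-style "X is being contacted from a remote machine" alert.

Constructed example: it applies the three checks discussed in the thread
(ephemeral local port, remote host is my DNS server, existing socket in
'netstat -an') to decide whether an alert is most likely a late reply to
traffic the PC itself sent, or a genuinely unsolicited inbound packet.
Nothing here touches the network.
"""
import re
from dataclasses import dataclass

# Alert text in the form Sygate Personal Firewall prints it in this thread.
ALERT_RE = re.compile(
    r"(?P<app>[^:()]+?) \((?P<exe>[^)]+)\) is being contacted from a remote machine "
    r"\[(?P<ip>[\d.]+)\] using local port (?P<port>\d+) \((?P<name>[^)]*)\)"
)

# Windows XP-era dynamic client ports (the 1024-5000 range nf mentions).
EPHEMERAL = range(1024, 5001)

# One 'netstat -an' row:  TCP    192.168.0.2:1258    206.13.28.12:53    ESTABLISHED
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+?):(\S+)\s*(\S*)\s*$")

# Alerts quoted in the thread (line breaks as the popup wraps them).
FIREFOX_ALERT = """Sygate Personal Firewall:
Firefox (firefox.exe) is being contacted from a remote machine
[206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
Do you want to allow this program to access the network?"""
ACROBAT_ALERT = ("Adobe Acrobat 6.0 (Acrobat.exe) is being contacted from a remote "
                 "machine [206.13.31.12] using local port 1880 (VSAT-CONTROL - "
                 "Gilat VSAT Control).")

# Assumption: the two SBC addresses in the thread are this PC's configured DNS servers.
DNS_SERVERS = {"206.13.28.12", "206.13.31.12"}

# Constructed 'netstat -an' output captured while the popups were open.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1258       206.13.28.12:53        ESTABLISHED
  UDP    192.168.0.2:1880       *:*
"""


@dataclass
class Alert:
    app: str
    exe: str
    remote_ip: str
    local_port: int
    port_name: str


def parse_alert(text: str) -> Alert:
    """Collapse the popup's line wrapping and extract the fields."""
    m = ALERT_RE.search(" ".join(text.split()))
    if not m:
        raise ValueError("not a Sygate-style alert")
    return Alert(m["app"].strip(), m["exe"], m["ip"], int(m["port"]), m["name"])


def parse_netstat(output: str) -> list[dict]:
    """Return one dict per TCP/UDP row; header lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, lport, rip, rport, state = m.groups()
            rows.append({"proto": proto, "local_port": int(lport),
                         "remote_ip": rip, "remote_port": rport, "state": state})
    return rows


def assess(alert: Alert, rows: list[dict], dns_servers: set[str]) -> dict:
    """Combine the three checks into a verdict plus the reasons behind it."""
    reasons = []
    ephemeral = alert.local_port in EPHEMERAL
    if ephemeral:
        reasons.append(f"local port {alert.local_port} is an ephemeral port your own outbound "
                       f"connections use; '{alert.port_name}' is only the IANA registration "
                       "for that number, not what is running here")
    if alert.remote_ip in dns_servers:
        reasons.append(f"{alert.remote_ip} is one of your DNS servers, so this is most likely "
                       "a slow reply to a lookup your PC sent")
    same_port = [r for r in rows if r["local_port"] == alert.local_port]
    talking = [r for r in same_port if r["remote_ip"] == alert.remote_ip]
    if talking:
        r = talking[0]
        reasons.append(f"netstat shows {r['proto']} port {alert.local_port} already connected to "
                       f"{alert.remote_ip}:{r['remote_port']} ({r['state'] or 'UDP socket'})")
        verdict = "reply to your own outbound traffic"
    elif any(r["state"] == "LISTENING" for r in same_port):
        reasons.append(f"a service is LISTENING on port {alert.local_port}: this is a real "
                       "unsolicited inbound connection to it")
        verdict = "unsolicited inbound to a listening service"
    elif ephemeral or alert.remote_ip in dns_servers:
        verdict = "probably a late reply to your own traffic"
    else:
        reasons.append("no matching socket and not an ephemeral port: deny it and see "
                       "whether anything breaks")
        verdict = "unknown, deny"
    return {"exe": alert.exe, "verdict": verdict, "reasons": reasons}


def triage(alert_text: str, netstat_output: str, dns_servers: set[str]) -> dict:
    return assess(parse_alert(alert_text), parse_netstat(netstat_output), dns_servers)


if __name__ == "__main__":
    for text in (FIREFOX_ALERT, ACROBAT_ALERT):
        result = triage(text, SAMPLE_NETSTAT, DNS_SERVERS)
        print(result["exe"], "->", result["verdict"])
        for why in result["reasons"]:
            print("   ", why)
```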
  31. Archived from groups: comp.security.firewalls

    Gerard Schroeder <Gshroeder22031@hotmail.com> wrote:
    > If Adobe Acrobat 6.0 (Acrobat.exe) is going to be contacted from a remote
    > machine [206.13.31.12] using local port 1880 (VSAT-CONTROL - Gilat VSAT
    > Control), what would Windows Firewall do differently from what Sygate,
    > ZoneAlarm, Kerio, Outpost, etc. would do?

    Nothing. And why should it do so?

    If you're trusting in Adobe and like their products, just use them.
    Before you use them, configure them as you like. The online update
    feature can be switched off (and should not BTW).

    Your "Personal Firewall" is only making a show to "stop" this "perhaps
    malicious" connect() to make _you_ feel good and safe. Your computer is
    not more secure because of this in any way. This is, why I'm calling it
    a placebo software.

    (BTW: Acrobat is contacting to the outside host, not vice versa).

    If Adobe would want to do something really bad, they would do it in a way,
    your "Personal Firewall" does not recognize, and it would not show any
    popups, just like with my POC.

    This is what I'm trying to tell - if the application wants to be
    controllable, usually because it's not malware, then and only then your
    "Personal Firewall" is able to control.

    But this has nothing to do with security.

    There is one exception: the malware, which is programmed as dumb as the
    "Personal Firewalls" themselves ;-) But, believe me: this is not the malware
    which is dangerous and you should frighten ;-)

    For fighting malware, there is only one way, which really works: do not
    run it on your computer. How to achieve this, is a good topic for a
    discussion about security.

    Yours,
    VB.
    --
    "It cannot be that the frustrated in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on "Weltjugendtag" (World Youth Day)
  32. Archived from groups: comp.security.firewalls

    Gerard Schroeder <Gshroeder22031@hotmail.com> wrote:
    > I'm confused whether the D-Link wired and wireless box I have connected to
    > the DSL modem is considered the "router" you bespeak of. Is it?

    It is.

    Yours,
    VB.
  33. Archived from groups: comp.security.firewalls

    Gerard Schroeder <Gshroeder22031@hotmail.com> wrote:
    > > You can't. This is, why such messages are nonsense. BTW, they're useless,
    > > too, because also Sygate cannot prevent "phoning home" from malicious
    > > programs anyway, as my simple POC here shows:
    > > http://www.dingens.org/breakout.c
    > Unfortunately, I don't know what a POC (point of contact?) is nor do I have
    > a c compiler.

    Oh, sorry ;-) A POC is a proof of concept, some code, which shows, that
    it's working what I'm saying. In this case, it's some code which is
    "phoning home".

    > What does the breakout.c program do for us? Does it slip past the Sygate
    > Personal Firewall somehow secretly and silently?

    No, it does it visibly and obviously ;-) Because it's a POC, I didn't want
    to hide what it does.

    Anyway, on http://www.dingens.org/breakout.exe you'll find a precompiled
    version. This one needs Internet Explorer already running, when you start
    it.

    > I think there are 3 parts to the problem, one of which is trivial, the other
    > of which is technical, and the third of which is the crux of the matter:
    > 1. WHO is it that is contacting us (all agree this is trivial to obtain but
    > nearly meaningless in many cases as it doesn't tell us WHAT they are doing
    > when they contact us or WHY they are doing it).
    > 2. WHAT the machine is doing when it contacts us (I suspect this is
    > explained somewhere on the Internet based on the port being contacted, but
    > so far all I've found is the posted listings of a NAME and quick
    > DESCRIPTION of the port used). This is INCOMPLETE information as merely
    > knowing the name of a protocol doesn't always help to understand WHAT is
    > occurring. Plus, I routinely DENY all these requests and my machine seems
    > to work fine so what is it that it is doing anyway?
    > 3. WHY would the machine contact us on the specified port. I believe this
    > is the crux of the question. My question to you experts is to ask if there
    > is a good web site which would explain WHY any particular machine would be
    > contacting us on any particular port. If we knew WHY, we could then decide
    > whether to allow this connection or not.

    All what you're discussing here, is not the topic. We're not talking about
    applications on hosts in the Internet, which try to contact your host, but
    about applications running on your host trying to contact hosts in the
    Internet.

    > For example, WHY would Adobe Acrobat 6.0 (Acrobat.exe) be contacted from an
    > SBCGlobal DNS machine [206.13.31.12] using local port 1880 (VSAT-CONTROL -
    > Gilat VSAT Control)?
    > What could it possibly want?
    > Why doesn't anything bad happen when I deny the request?

    Nothing happens if you deny that. But: why are you asked such questions
    by your "Personal Firewall", if that has nothing to do with security?

    BTW: sorry, that I have to remove the microsoft.* hierarchy, because my
    news server does not have it.

    Yours,
    VB.
  34. Archived from groups: comp.security.firewalls

    Gerard Schroeder <Gshroeder22031@hotmail.com> wrote:
    > On 15 Sep 2005 19:14:08 +0200, Volker Birk wrote:
    > > It's OK, that not everybody is a networking expert. A good security solution
    > > has to work _without_ asking the user.
    > >> For us novices who still desire basic firewall protection, it would be nice
    > >> to refer to a list of known generally non-dangerous requests to accept.
    > > Why not using the Windows-Firewall and not having such problems?
    > Since the remote machine is gonna try to contact us anyway, wouldn't we
    > have the same three problems no matter which personal firewall solution we
    > used?

    No.

    Inbound connections can be filtered by any host based packet filter, like
    the Windows-Firewall or any "Personal Firewall", too.

    The difference is with outbound connections.

    > For example, if I used Windows XP Firewall, or ZoneAlarm (
    > http://snipurl.com/6ohg ) or Kerio Personal Firewall (
    > http://www.kerio.com/kpf_download.html ) or Sygate Personal Firewall (
    > http://smb.sygate.com/free/spf_download.php ) or Outpost Firewall (
    > http://www.agnitum.com/products/outpost ) or whatever, WOULDN'T the
    > offending machine STILL try to contact my machine?

    Yes, with inbound connections. But: why should your "Firewall" inform
    you about that with a popup the user usually does not understand?

    Why not blocking, and that's all?

    > And then, if it did, wouldn't we STILL have the THREE QUESTIONS:
    > 1. Who is trying to contact us?
    > 2. On what port are they trying to contact us?
    > 3. Why are they trying to contact us?

    If you don't want to be contacted any way, just like most of the home users,
    why not just denying anything, and that's it? It's not your problem then.

    > This seems, to me, to be such a common need for virtually every one of the
    > millions of computer users out there, that the ANSWER to these three
    > questions SHOULD be somewhere very easy to locate for we novice users?

    This is not possible.

    The 1st question, you will not be able to answer, because you don't know
    the person (if any), who triggered the contact, and you will not be able
    to localize her/him.

    The second question is not interesting, if you don't want to offer any
    services at all, as most of the home users do (usually, they want to use
    the web, email, perhaps some games or IM, or the usenet ;-) and that's it).

    The third question usually you never will find out any way.

    So what?

    > I can't believe there is a single person out there on the Internet who
    > doesn't have this very same problem. That's why it's so frustrating to me
    > to not be able to find the all-important WHY information so desperately
    > needed by millions of us users.

    I personally think,

    millions of users just want to use their PC for using email and web,
    some work, and playing games.

    And they want doing this in a safe way. They want reliable systems, which
    they can use for doing this, and they don't want to have such problems at
    all.

    Good and secure systems have to be designed this way. This means the
    opposite of opening such useless popups with such confusing texts and
    questions, which a regular user cannot decide, because she/he not only
    is missing the background information about it, but also does not want
    to decide and to deal with anyway.

    I think, you might be an exception here ;-)

    If you're interested in computing security, then there is only one way
    to learn: learn about how all is working with this computer stuff and the
    networking things ;-)

    A good start is Craig Hunt's book "TCP/IP", published by O'Reilly.
    And then learn to program yourself. For learning how the TCP/IP
    protocol family really works, try Richard Stevens' book "UNIX Network
    Programming", read at least the first volume. For understanding this,
    you should first learn (if you didn't yet) how to use the programming
    language C.

    Yours,
    VB.
  35. Archived from groups: comp.security.firewalls

    Gerard Schroeder <Gshroeder22031@hotmail.com> wrote:
    > For example, when Adobe Acrobat 6.0 (Acrobat.exe) [206.13.31.12] contacts
    > me on local port 1880 (VSAT-CONTROL - Gilat VSAT Control), I can find the
    > name of the machine contacting me from www.dnsstuff.com as
    > "dns1.scrmca.sbcglobal.net" ... but that does not tell me anything about
    > WHY this SBCGlobal DNS server would be contacting Adobe Acrobat on port
    > 1880 (whatever that port is for).

    I think you're misinterpreting this message completely. I assume that
    the Acrobat program is running on your own host, and if you're reciting
    correctly, then 206.13.31.12 was your own IP address.

    Perhaps you first should try to understand what an IP address is, what
    a port is (it's not a "door" or even a "harbour", but only a maintenance
    number), and how sockets work and what they're used for.

    Perhaps you could start with Craig Hunt's book, as I mentioned already.

    First you should understand how classical operating systems work, like
    *NIX systems or Windows.

    They have two parts, a kernel and the userland, in which the programs
    which are running are called "processes".

    The kernel is a program which controls everything that is going on,
    including the other programs, the processes.

    To make a stable system, code of processes may not influence the memory
    of other processes at all - the kernel ensures this with a
    technique called "protection". This means that if the code of a process
    tries to do any I/O itself, or tries to influence the memory of other
    processes, then the kernel just stops this process immediately - on
    Windows systems, "Dr. Watson" arrives ;-)

    But sometimes it's necessary that two processes can communicate. For
    example, you want to have the results of your spreadsheet in your word
    processor. Techniques which allow this as exceptions from the protection
    are called "Inter-Process Communication", IPC.

    (IPC has to be controlled by the kernel, BTW. It is a big design flaw
    in Windows that uncontrolled IPC with Windows messages is possible
    between processes which open windows on the same desktop.)

    Sometimes IPC has to be done through the network. For example, if the
    process which represents/implements your web browser should show
    information from a web server, which is represented by another process,
    perhaps on another machine, then this will be implemented with IPC also:
    IPC through the net.

    Usually it's implemented with network protocols like TCP, and with an
    API like the BSD socket API (this is the case e.g. with Linux, the BSDs
    and Windows; with commercial UNIXes you'll have XTI as an alternative to
    the socket API).

    With the Internet Protocol and TCP, every network interface in the
    network has a unique number, the IP address. This is a 32-bit number,
    unfortunately usually written in a very strange way (writing decimal
    numbers for each single octet, separated by dots, like "206.13.31.12").

    TCP sockets are a technique to have a bidirectional communication
    connection from one process running on one machine to a second process
    running on the same machine or another one in the network.

    It is possible that more than one process communicates through one
    network interface with a TCP socket at one time; so we need a second
    maintenance number to identify one connection from one process to
    another.

    This is done by adding a port number. The protocol, TCP, the interface
    number, the IP address, and third the port number identify one
    endpoint of a TCP connection; two sets of those three numbers (the
    protocols are numbered too, TCP is number 6) identify one single
    connection.

    The port number is a 16-bit number, which is not 0.

    With TCP, all communication follows the client/server pattern.
    That means one process has the role of the server, and one process
    has the role of the client.

    For example, a webserver has the role of the server, and a webbrowser
    has the role of the client.

    To initiate a TCP connection, first the server has to "listen" on a port.
    That means it opens one endpoint with the system call listen(), which
    means that the process tells the kernel: if information arrives on this
    network interface (or any network interface, if the endpoint is opened
    for interface 0.0.0.0) which leads to initiating a TCP connection, then
    the kernel should send this information to the server process which
    called listen() for this type of connection, that is: for this port
    number.

    If a web browser now wants to open a TCP connection to our web server (in
    this example), then it sends a special IP packet, which is called a
    SYN cookie, see RFC 793, together with the information on which port
    it wants to send this information. To do this, the web browser also has
    to open a TCP endpoint first on its own machine and on one interface
    there. It does this by using the system call connect(), which opens
    such an endpoint from the process in which the web browser is running
    to the network kernel, and second such a TCP syncookie is sent
    to the other machine by the kernel (you remember, only the kernel code
    is allowed to do I/O ;-)

    If the other kernel answers with SYN,ACK, then it wants to
    communicate and is trying to establish the TCP connection with its
    web server. The kernel with the web browser then answers with ACK, which
    means that now all is clear, and the connection is established (see
    3.4 in RFC 793).

    From then on, when one of the two processes writes data to its endpoint
    of the TCP connection, its kernel sends this in a reliable way to
    the other kernel, which transmits this data to the other process,
    which can read it, and vice versa.

    This is how TCP works.

    Perhaps you now can start to interpret the message of your "Personal
    Firewall" ;-)

    Hint: you only know the names of the files in which the programs are
    stored, which become processes when run, like "acrobat.exe", for
    your own machine.

    About processes of other machines you know nothing like that. You only
    know with what maintenance number - port number - their network
    connection to you is being managed by the kernel of the other machine.

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on "World Youth Day"
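
The listen()/connect()/accept() sequence and the endpoint numbering described in the post above, as an added example that is not part of the thread (it is not Volker's or Sygate's code). Server and client both live in one process on the loopback interface, and the server binds port 0 so the kernel picks a free port; that choice is an assumption for the demo, not a real service. The point for reading a personal-firewall alert is in the output: the client never picks a local port itself, the kernel hands it an ephemeral one (like the "local port 1258" in the original alert), and the service name a firewall prints for such a port is only a lookup of that number, not a description of what the program is doing.

```c
/* Added example, not from the thread: a minimal TCP server and client on
 * the loopback interface, using the BSD socket API the post describes.
 * Both endpoints live in one process so the whole exchange runs stand-alone.
 * Assumption for the demo: the server binds 127.0.0.1 with port 0, so the
 * kernel chooses any free port (there is no real service behind it). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* One TCP endpoint the way a firewall alert shows it: IP address and port. */
struct endpoint {
    char addr[INET_ADDRSTRLEN];
    unsigned short port;
};

static void describe(const struct sockaddr_in *sa, struct endpoint *ep) {
    inet_ntop(AF_INET, &sa->sin_addr, ep->addr, sizeof ep->addr);
    ep->port = ntohs(sa->sin_port);
}

/* Runs the handshake and one round trip. Fills in the client's own local
 * endpoint (what a personal firewall reports as "local port") and the
 * server's listening port. Returns 0 on success, -1 on any failure. */
int tcp_loopback_demo(struct endpoint *client_local, unsigned short *server_port) {
    int lsock = -1, csock = -1, asock = -1, rc = -1;
    struct sockaddr_in sa;
    socklen_t slen = sizeof sa;
    char buf[64];

    /* Server side: socket(), bind(), listen() - the kernel now knows that
     * SYNs arriving for this port belong to this process. */
    lsock = socket(AF_INET, SOCK_STREAM, 0);
    if (lsock < 0) goto out;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(0);                     /* 0: kernel picks a free port */
    if (bind(lsock, (struct sockaddr *)&sa, sizeof sa) < 0) goto out;
    if (listen(lsock, 1) < 0) goto out;
    if (getsockname(lsock, (struct sockaddr *)&sa, &slen) < 0) goto out;
    *server_port = ntohs(sa.sin_port);          /* sa now holds 127.0.0.1:port */

    /* Client side: connect() makes the kernel send SYN; the peer kernel
     * answers SYN,ACK and the client kernel completes with ACK (RFC 793 3.4). */
    csock = socket(AF_INET, SOCK_STREAM, 0);
    if (csock < 0) goto out;
    if (connect(csock, (struct sockaddr *)&sa, sizeof sa) < 0) goto out;

    /* The client never chose a local port; the kernel assigned an ephemeral one. */
    slen = sizeof sa;
    if (getsockname(csock, (struct sockaddr *)&sa, &slen) < 0) goto out;
    describe(&sa, client_local);

    /* Server accepts the queued connection, then the two sides exchange data
     * through their endpoints; the kernels do the actual I/O. */
    asock = accept(lsock, NULL, NULL);
    if (asock < 0) goto out;
    if (send(csock, "hello", 5, 0) != 5) goto out;
    if (recv(asock, buf, sizeof buf, 0) != 5 || memcmp(buf, "hello", 5) != 0) goto out;
    if (send(asock, "world", 5, 0) != 5) goto out;
    if (recv(csock, buf, sizeof buf, 0) != 5 || memcmp(buf, "world", 5) != 0) goto out;
    rc = 0;
out:
    if (asock >= 0) close(asock);
    if (csock >= 0) close(csock);
    if (lsock >= 0) close(lsock);
    return rc;
}

int main(void) {
    struct endpoint cl;
    unsigned short sp;
    if (tcp_loopback_demo(&cl, &sp) != 0) { perror("demo"); return 1; }
    printf("server listening on 127.0.0.1:%u\n", sp);
    printf("client local endpoint %s:%u (ephemeral, chosen by the kernel)\n", cl.addr, cl.port);
    return 0;
}
```

Run it a few times and the client's local port changes on every run while the connection works exactly the same; that is why a name attached to a client-side local port tells you nothing about the program's purpose.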
  36. Archived from groups: comp.security.firewalls (More info?)

    On 15 Sep 2005 10:10:51 +0200, Volker Birk <bumens@dingens.org> wrote:

    >Gerard Schroeder <Gshroeder22031@hotmail.com> wrote:
    >> How can I tell if a Sygate firewall alert is suspicious or not?
    >> For example, I received this message from Sygate just now:
    >> Sygate Personal Firewall:
    >> Firefox (firefox.exe) is being contacted from a remote machine
    >> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
    >> Do you want to allow this program to access the network?
    >> How can I tell if this is suspicious or not?
    >
    >You can't. This is, why such messages are nonsense. BTW, they're useless,
    >too, because also Sygate cannot prevent "phoning home" from malicious
    >programs anyway, as my simple POC here shows:
    >
    >http://www.dingens.org/breakout.c

    Volker, what do you recommend for finding malicious outbound? Is there
    some freeware packet logging sw that can be set to be smart enough to
    alert users? Payware? If so, what would something like that cost?

    Art

    http://home.epix.net/~artnpeg
  37. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

    Gerard Schroeder wrote:

    > The question becomes:
    > 1. HOW do users learn MORE about the PURPOSE of this OPEN NETWORK LIBRARY?
    > 2. HOW do we obtain possible REASONS for a machine contacting us on this
    > port?
    >
    > That advice was the purpose of the original question.
    >

    I don't know of a simple answer to your questions. The only people I
    have ever had contact with that could *possibly* explain the reasons for
    *every* incoming/outgoing packet are security experts - most notably
    firewall experts.

    So, one of the posters gave a solution for you, a solution that I use
    frequently: deny the request and see if anything breaks.

    Good luck.

    --
    The reader should exercise normal caution and backup the Registry and
    data files regularly, and especially before making any changes to their
    PC, as well as performing regular virus and spyware scans. I am not
    liable for problems or mishaps that occur from the reader using advice
    posted here. No warranty, express or implied, is given with the posting
    of this message.
  38. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

    Gerard Schroeder wrote:

    > I'm confused whether the D-Link wired and wireless box I have connected to
    > the DSL modem is considered the "router" you bespeak of. Is it?

    I can't say with 100% certainty if the D-Link is a router, but it
    probably is.

    --
    The reader should exercise normal caution and backup the Registry and
    data files regularly, and especially before making any changes to their
    PC, as well as performing regular virus and spyware scans. I am not
    liable for problems or mishaps that occur from the reader using advice
    posted here. No warranty, express or implied, is given with the posting
    of this message.
  39. Archived from groups: comp.security.firewalls (More info?)

    Art <null@zilch.com> wrote:
    > Volker, what do you recommend for finding malicious outbound? Is there
    > some freeware packet logging sw that can be set to be smart enough to
    > alert users? Payware? If so, what would something like that cost?

    Unfortunately, it is not possible to reliably detect hidden outgoing
    information without dropping connectivity. This is because of the existence
    of tunneling.

    Even what professional IDSes do lacks reliability.

    Therefore, I don't recommend trying to find "malicious outbound" at all;
    instead of this, I recommend preventing malware from running on your
    PC.

    I think this is a much better concept.

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on "World Youth Day"
  40. Archived from groups: comp.security.firewalls (More info?)

    "Volker Birk" <bumens@dingens.org> wrote in message
    news:432adf61@news.uni-ulm.de...
    > Art <null@zilch.com> wrote:
    > > Volker, what do you recommend for finding malicious outbound? Is there
    > > some freeware packet logging sw that can be set to be smart enough to
    > > alert users? Payware? If so, what would something like that cost?
    >
    > Unfortunately, it is not possible to reliably detect hidden outgoing
    > information without dropping connectivity. This is because of the
    > existence of tunneling.
    >
    > Even what professional IDSes are doing, is lacking reliability.
    >
    > Therefore, I don't recommend trying to find "malicious outbound" at all;
    > instead of this, I'm recommending preventing malware from running on your
    > PC.
    >
    > I think, this is a much better concept.
    >
    > Yours,
    > VB.
    > --

    True, but you can catch lots of outbound malware traffic that exists because
    machines were taken out of the defence perimeter, then brought back into the
    network, with outgoing IDS at the gateway. It happens, unless you take
    extreme measures on the PCs. Even if you do, it gives you a second line of
    defence and/or warning when something does go wrong with a PC.

    With regards to tunnels, you can also only permit tunnels to appropriate
    destinations and block the rest.

    -Russ.
  41. Archived from groups: comp.security.firewalls (More info?)

    On 16 Sep 2005 17:06:09 +0200, Volker Birk <bumens@dingens.org> wrote:

    >Art <null@zilch.com> wrote:
    >> Volker, what do you recommend for finding malicious outbound? Is there
    >> some freeware packet logging sw that can be set to be smart enough to
    >> alert users? Payware? If so, what would something like that cost?
    >
    >Unfortunately, it is not possible to reliably detect hidden outgoing
    >information without dropping connectivity. This is because of the existence
    >of tunneling.
    >
    >Even what professional IDSes are doing, is lacking reliability.
    >
    >Therefore, I don't recommend trying to find "malicious outbound" at all;
    >instead of this, I'm recommending preventing malware from running on your
    >PC.
    >
    >I think, this is a much better concept.

    Sure, but to press my question more ... what about some external
    device?

    Art
  42. Archived from groups: comp.security.firewalls (More info?)

    Somebody. <somebody.@spamout.russdoucet.com> wrote:
    > With regards to tunnels, you can also only permit tunnels to appropriate
    > destinations and block the rest.

    How do you do this, without losing connectivity to the rest of the
    network?

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on "World Youth Day"
  43. Archived from groups: comp.security.firewalls (More info?)

    Art <null@zip.com> wrote:
    > >Art <null@zilch.com> wrote:
    > >> Volker, what do you recommend for finding malicious outbound? Is there
    > >> some freeware packet logging sw that can be set to be smart enough to
    > >> alert users? Payware? If so, what would something like that cost?
    > >Unfortunately, it is not possible to reliably detect hidden outgoing
    > >information without dropping connectivity. This is because of the existence
    > >of tunneling.
    > >Even what professional IDSes are doing, is lacking reliability.
    > >Therefore, I don't recommend trying to find "malicious outbound" at all;
    > >instead of this, I'm recommending preventing malware from running on your
    > >PC.
    > >I think, this is a much better concept.
    > Sure, but to press my question more ... what about some external
    > device?

    If you want an IDS, then there are many on the market - including
    open source and free software implementations, like http://www.snort.org/
    or http://www.cs.tut.fi/~rammer/aide.html

    Yours,
    VB.
    --
    "It cannot be that the frustrated people in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on "World Youth Day"
  44. Archived from groups: comp.security.firewalls (More info?)

    In article <432bbe19@news.uni-ulm.de>, bumens@dingens.org says...
    > Somebody. <somebody.@spamout.russdoucet.com> wrote:
    > > With regards to tunnels, you can also only permit tunnels to appropriate
    > > destinations and block the rest.
    >
    > How do you do this, without losing connectivity to the rest of the
    > network?

    It's called a firewall - we can set up tunnels between locations and once
    in the tunnel you don't have connectivity to anything in the local
    network except the path for the tunnel.

    VB, it's starting to seem like you only have experience in home networks.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  45. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

    Gerard Schroeder wrote:
    > On Thu, 15 Sep 2005 06:14:04 GMT, nutso fasst wrote:
    >
    > > "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
    <snip>
    > What would be nice is for users to post (and for experts to doublecheck)
    > what they consider to be innocuous requests uninitiated by them which
    > appear in their yes/no request list from Sygate.
    >
    > I am willing to START that list of what appears to be common innocuous
    > requests (for expert review).

    Google the name of the process initiating the outgoing connection.


    > Here is my list of common requests not explicitly initiated by me which my
    > Sygate Personal Firewall seems to report daily so that others may consult
    > it before accepting or rejecting a Sygate Personal Firewall request to
    > allow access:
    >
    > NDIS User mode I/O Driver (ndisuio.sys)
    > has received a Multicast packet from the remote machine [192.168.0.1].
    > Do you want to allow this program to access the network?

    that's not important. 192.168.0.1 is on your LAN. If you receive
    a packet from a computer on your LAN, it's no big deal!

    > NDIS Filter Intermediate Driver (eacfilt.sys)
    > has received a Multicast packet from the remote machine [192.168.0.1].
    > Do you want to allow this program to access the network?

    ditto

    > NDIS Filter Intermediate Driver (eacfilt.sys)
    > is trying to broadcast to [192.168.0.255]
    > using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over
    > TCP/IP).
    > Do you want to allow this program to access the network?

    So now this process (you may google it), but it's clearly
    harmless. It is on your computer, and sending a packet to every computer
    on your LAN.
    Don't think that one of your computers is attacking another!

    > NDIS User mode I/O Driver (ndisuio.sys)
    > has received a Broadcast packet from the remote machine [192.168.0.100].
    > Do you want to allow this program to access the network?

    ditto


    > Firefox (firefox.exe)
    > is being contacted from a remote machine news.google.com [216.239.37.147]
    > using local port 1615 (NETBILL-AUTH - NetBill Authorization Server).
    > Do you want to allow this program to access the network?

    I just use firefox as a web browser. It just makes outgoing
    connections. So, once the outgoing connection is made, packets go
    either way. Each outgoing connection may use a different port; I don't
    see why this local port is called NETBILL-AUTH, maybe I'm wrong. But
    this is firefox, nothing to worry about.


    > Firefox (firefox.exe)
    > is being contacted from a remote machine [206.13.28.12]
    > using local port 1258 (OPENNL - Open Network Library).
    > Do you want to allow this program to access the network?

    ditto. dunno what this opennl is about - even after googling. but this
    is firefox, surely not receiving an incoming connection, unless you're
    not using it as just a web browser or something.

    do you recognise OpenNL?!

    > Generic Host Process for Win32 Services (svchost.exe)
    > is trying to connect to [207.46.157.60]
    > using remote port 443 (HTTPS - HTTP protocol over TLS/SSL).
    > Do you want to allow this program to access the network?
    >
    > Generic Host Process for Win32 Services (svchost.exe)
    > is trying to connect to time.windows.com [207.46.130.100
    > using remote port 123 (NTP - Network Time Protocol).
    > Do you want to allow this program to access the network?

    windows does make these annoying outgoing connections. it may not be
    worth checking out what windows is doing. any outgoing connection from
    svchost.exe should be considered fine, unless svchost.exe got
    overwritten by a malicious version. You can't be that paranoid on a
    windows system. trust svchost.exe! it's a famous windows process, as
    sygate knows.

    > Firefox (firefox.exe)
    > is being contacted from a remote machine [80.237.203.14]
    > using local port 4503
    > Do you want to allow this program to access the network?

    yes
    you want to use your web browser.

    The windows firewall which blocks all incoming connections is very
    good. Yes, malware may make outgoing connections. But at least you'll
    let windows processes communicate outside. and you'll let your browser
    communicate.

    And as has been said, don't be afraid of some spyware transmitting.
    If it's there, then remove it. If it were dangerous, it'd get past
    your attempt at blocking outgoing connections anyway.


    Blocking outgoing connections as paranoidly as you are now causes the
    mess that you have now. far more stress than any spyware!!!
  46. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

    Gerard Schroeder wrote:
    > On Thu, 15 Sep 2005 15:48:26 +0100, Mike wrote:
    >
    > > Novices do not have the knowledge as you so patently demonstrate.
    > > You need a hardware firewall like the ones built into Zyxel routers etc.
    >
    > Is the D-Link wireless/wired box connected to the DSL modem set up in the
    > default configuration sufficient?

    it is a great help. it blocks all incoming connections. Beyond that, do
    not block all outgoing connections, or allow yourself to be hassled by
    your personal firewall over it.

    Use software, like Active Ports, that will list Established
    Connections. At least it won't hassle you with popups. It gives the
    process name. Do not look for great lists . Just google the name of
    the process that is making the outgoing connection. And if you get 100
    links saying it's spyware, then you should start running different
    spyware removal utilities until you successfully get rid of it.

    > Or is there something ELSE I should purchase to get this "hardware
    > firewall"?

    your 'home router' (actually a NAT device) blocks incoming. I have a
    DLink one too.
    You can go to http://192.168.0.1 and configure it. Or if that doesn't
    work, find out its IP:
    open a command prompt (start..run..cmd<ENTER>) and type
    ipconfig /all

    and see what it says for 'Gateway' (That is your 'router').
    do http://gatewayip

    see, it has a firewall built in. But still, don't bother blocking
    outgoing connections, even with that.

    if you have spyware, get rid of it properly.

    > > If you had a router you would not have seen it or been startled plus you
    > > would have been protected.


    and you do have a router ('home router'). It blocks incoming. Which
    is very good. You should look at outgoing but not be hassled with
    popups, and not be paranoid. use google on an unknown process making an
    outgoing connection. just see if google says it's spyware.
  47. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

    Gerard Schroeder wrote:
    > On Thu, 15 Sep 2005 19:25:21 -0600, Bruce Chambers wrote:
    >
    > >> Sygate Personal Firewall:
    > >> Firefox (firefox.exe) is being contacted from a remote machine
    > >> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
    > >> Do you want to allow this program to access the network?
    >
    > > Do you have another computer on your internal network with that
    > > specific IP address? Is that computer allowed to connect to the
    > > Internet via your computer?
    >
    > Of course not!
    >
    > If I had another machine on the same tiny home network with that IP address
    > (which would be highly unlikely in a 192.168.0.XXX network), then I would
    > NOT have posted that specific request in the list above as it would have
    > been an obvious innocuous request.
    >
    > Again, knowing the machine name & owner is only HALF the story. Actually,
    > it's only 1/3 the story as the following is important:
    > 1. WHO is the owner of that machine?
    > 2. WHAT is the purpose of the port being used?
    > 3. WHY is that machine contacting me?
    >
    > Is this information available somewhere?
    >
    > Note that the WHO part is trivial to obtain, e.g., we can obtain that from:
    > http://www.dnsstuff.com
    > http://www.nwtools.com
    > http://www.netsol.com
    > http://remote.12dt.com/rns
    > http://www.zoneedit.com/lookup.html
    > etc.; but that doesn't tell us WHAT or WHY.
    >
    >
    > The WHAT part, albeit often highly technical, is not too very difficult to
    > obtain, e.g., we can use any of the following which describe the ports:
    > http://www.bekkoame.ne.jp/~s_ita/port/port1200-1299.html
    > http://www.seifried.org/security/ports/1000/1258.html
    > http://www.iana.org/assignments/port-numbers
    > http://www.sonomawireless.com/~ports/port1200-1299.html
    > http://www.auditmypc.com/freescan/readingroom/portlist.asp
    > etc.; but that doesn't tell us WHY they contacted us.
    >
    > The WHY part is the key question.
    >
    > For example, WHY would dns1.snfcca.sbcglobal.net contact my machine on tcp
    > tdp/udp port 1258 named the Open Network Library?
    >
    > The question becomes:
    > 1. HOW do users learn MORE about the PURPOSE of this OPEN NETWORK LIBRARY?
    > 2. HOW do we obtain possible REASONS for a machine contacting us on this
    > port?
    >
    > That advice was the purpose of the original question.

    difficult to know those answers, especially on a windows machine. So,
    ppl don't.

    the key thing is knowing that it isn't malware.

    Believe me, you can go further than you are in asking HOW and WHY. You
    could download Ethereal - a packet sniffer, and start asking why this
    program is sending this or that. It doesn't matter. You have to know
    what Processes/Programs you trust.
    I have no idea what that openNL was though. i'd have thought that local
    ports on the client side wouldn't have names. Anyhow. you trust
    firefox, don't you? And the Program/Process was firefox, so let it be.

    And if you see a process that you don't understand what it does, then
    google - who cares what it does - all that matters is if it's a famous
    trojan process.

    if you're having problems with slow internet access, then it most
    probably is spyware. And if the spyware were really dangerous, it'd
    get past you. maybe it'd have replaced a known microsoft
    process, added some code, and that process now makes an outgoing
    connection. you may want to run spyware checks.


    Try using the windows firewall only for a year, and see if you have
    problems. By the way, you are already blocking incoming connections
    with your router. So the windows firewall is doing the same thing, but
    it's just another layer of security. Even turning off the windows
    firewall won't be a prob, 'cos you're still blocking incoming
    connections anyway.
  48. Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

    I always wonder what to do when you get a spoofed IP through your NAT.

    For example, this Sygate personal firewall message got me wondering what
    was REALLY going on here.

    NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo
    Request) packet to [202.232.13.185].
    Do you want to allow this program to access the network?

    Yes No Details

    Details:
    File Version : 5.1.2600.2622
    File Description : NT Kernel & System (ntoskrnl.exe)
    File Path : C:\WINDOWS\system32\ntoskrnl.exe
    Process ID : 0x4 (Heximal) 4 (Decimal)

    Connection origin : local initiated
    Protocol : ICMP
    Local Address : 192.168.0.108
    ICMP Type : 8 (Echo Request)
    ICMP Code : 0
    Remote Name :
    Remote Address : 202.232.13.185

    Ethernet packet details:
    Ethernet II (Packet Length: 120)
    Destination: 00-80-c8-b0-33-8a
    Source: 00-20-e0-2d-07-a5
    Type: IP (0x0800)
    Internet Protocol
    Version: 4
    Header Length: 20 bytes
    Flags:
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
    Fragment offset:0
    Time to live: 4
    Protocol: 0x1 (ICMP - Internet Control Message Protocol)
    Header checksum: 0x891b (Correct)
    Source: 192.168.0.108
    Destination: 202.232.13.185
    Internet Control Message Protocol
    Type: 8 (Echo Request)
    Code: 0
    Data (68 bytes)

    Binary dump of the packet:
    0000: 00 80 C8 B0 69 8A 00 20 : E0 8F 07 A5 08 00 45 00 | ....i.. ......E.
    0010: 00 5C 01 6B 00 00 04 01 : 1B 89 C0 A8 00 64 CA E8 | .\.k.........d..
    0020: 0D B9 08 00 E4 FF 03 00 : 10 00 00 00 00 00 00 00 | ................
    0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
    0040: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
    0050: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
    0060: 00 00 00 00 00 00 00 00 : 00 00 4A 45 44 45 46 43 | ..........JEDEFC
    0070: 41 43 41 43 41 43 41 43 : | ACACACAC
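
The "Details" pane above is the firewall's interpretation of the packet; the hex dump is the packet itself, and the two can be checked against each other. Here is an added example (not from the thread, not Sygate's code) that decodes that dump as Ethernet II / IPv4 / ICMP and recomputes the IP header checksum and the ICMP checksum, the two values Sygate reports as "Correct". The frame bytes are transcribed from the dump exactly; nothing else about the packet is assumed. Note that the dump and the summary lines above it do not agree on the last octet of the source address or on the MAC addresses; the decoder reports what the bytes encode, which is the kind of cross-check worth doing before trusting any tool's summary.

```c
/* Added example (not from the thread): decode the Sygate "Binary dump of
 * the packet" quoted above and recompute the two checksums the firewall
 * reports as "Correct". The frame bytes are transcribed from that dump;
 * the layout decoded here is plain Ethernet II / IPv4 / ICMP. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 120-byte frame from the post's hex dump, one dump row per line. */
static const uint8_t FRAME[] = {
    0x00,0x80,0xC8,0xB0,0x69,0x8A,0x00,0x20,0xE0,0x8F,0x07,0xA5,0x08,0x00,0x45,0x00,
    0x00,0x5C,0x01,0x6B,0x00,0x00,0x04,0x01,0x1B,0x89,0xC0,0xA8,0x00,0x64,0xCA,0xE8,
    0x0D,0xB9,0x08,0x00,0xE4,0xFF,0x03,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x4A,0x45,0x44,0x45,0x46,0x43,
    0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43
};

struct decoded {
    uint16_t ethertype;
    uint8_t  ip_version, ihl, ttl, protocol;
    uint16_t total_length, ip_checksum;
    int      ip_checksum_ok;
    char     src[16], dst[16];
    uint8_t  icmp_type, icmp_code;
    int      icmp_checksum_ok;
    size_t   icmp_len;     /* ICMP header + data covered by the IP total length */
    size_t   trailer_len;  /* frame bytes after the IP packet ends */
};

/* RFC 1071 Internet checksum: ones'-complement sum of 16-bit words.
 * Over a header whose checksum field is already filled in, it returns 0. */
static uint16_t inet_checksum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < n; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (n & 1)
        sum += (uint32_t)p[n - 1] << 8;      /* pad an odd trailing byte */
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);  /* fold carries back in */
    return (uint16_t)~sum;
}

/* Returns 0 and fills *d on success, -1 if the frame is not a well-formed
 * IPv4 packet with at least one full header inside the frame. */
int decode_frame(const uint8_t *f, size_t n, struct decoded *d) {
    const uint8_t *ip, *icmp;
    memset(d, 0, sizeof *d);
    if (n < 14) return -1;
    d->ethertype = (uint16_t)((f[12] << 8) | f[13]);
    if (d->ethertype != 0x0800) return -1;          /* not IPv4 */

    ip = f + 14;
    if (n < 14 + 20) return -1;
    d->ip_version = ip[0] >> 4;
    d->ihl = (uint8_t)((ip[0] & 0x0F) * 4);
    if (d->ip_version != 4 || d->ihl < 20 || n < 14 + d->ihl) return -1;
    d->total_length = (uint16_t)((ip[2] << 8) | ip[3]);
    if (d->total_length < d->ihl || n < 14 + d->total_length) return -1;
    d->ttl = ip[8];
    d->protocol = ip[9];
    d->ip_checksum = (uint16_t)((ip[10] << 8) | ip[11]);
    d->ip_checksum_ok = inet_checksum(ip, d->ihl) == 0;
    snprintf(d->src, sizeof d->src, "%u.%u.%u.%u", ip[12], ip[13], ip[14], ip[15]);
    snprintf(d->dst, sizeof d->dst, "%u.%u.%u.%u", ip[16], ip[17], ip[18], ip[19]);
    d->trailer_len = n - 14 - d->total_length;      /* bytes past the IP packet */

    if (d->protocol != 1) return 0;                 /* not ICMP: IP part only */
    icmp = ip + d->ihl;
    d->icmp_len = d->total_length - d->ihl;
    if (d->icmp_len < 8) return -1;
    d->icmp_type = icmp[0];
    d->icmp_code = icmp[1];
    d->icmp_checksum_ok = inet_checksum(icmp, d->icmp_len) == 0;
    return 0;
}

int main(void) {
    struct decoded d;
    if (decode_frame(FRAME, sizeof FRAME, &d) != 0) { puts("not an IPv4 frame"); return 1; }
    printf("IPv4 %s -> %s  ttl=%u proto=%u total_length=%u\n",
           d.src, d.dst, (unsigned)d.ttl, (unsigned)d.protocol, (unsigned)d.total_length);
    printf("IP header checksum 0x%04x: %s\n", (unsigned)d.ip_checksum,
           d.ip_checksum_ok ? "correct" : "WRONG");
    printf("ICMP type=%u code=%u (%zu bytes), checksum %s\n", (unsigned)d.icmp_type,
           (unsigned)d.icmp_code, d.icmp_len, d.icmp_checksum_ok ? "correct" : "WRONG");
    printf("%zu trailer bytes after the IP packet\n", d.trailer_len);
    return 0;
}
```

Decoded, the bytes say: IPv4 from 192.168.0.100 to 202.232.13.185, TTL 4, protocol 1 (ICMP), total length 92, IP header checksum 0x1b89 (Sygate prints the same two bytes swapped as 0x891b) and both checksums verify; the ICMP part is an Echo Request with 64 zero data bytes, and the 14 bytes "JEDEFCACACACAC" at the end lie beyond the IP total length, i.e. they are frame trailer rather than echo data.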
  49. Archived from groups: comp.security.firewalls (More info?)

    On 16 Sep 2005 11:28:22 +0200, Volker Birk <bumens@dingens.org> wrote:

    >> What does the breakout.c program do for us? Does it slip past the Sygate
    >> Personal Firewall somehow secretly and silently?
    >
    >No, it does it visible and obvious ;-) Because it's a POC, I didn't want
    >to hide what it does.
    >
    >Anyway, on http://www.dingens.org/breakout.exe you'll find a precompiled
    >version. This one needs Internet Explorer already running, when you start
    >it.

    How about making an English language version?

    Art

    http://home.epix.net/~artnpeg