How did this get through...

Guest
Archived from groups: comp.security.firewalls

I'm using a router-firewall as the first line of defense, along with
Zone Alarm as the second. I've seen some entries that shouldn't be in
my Zone Alarm's log -- the examples are below.

FWIN,2005/09/22,21:18:10 +2:00 GMT,81.106.248.60:2500,my.ip:2561,TCP (flags:S)
FWIN,2005/09/22,21:28:34 +2:00 GMT,81.106.248.60:3101,my.ip:2561,TCP (flags:S)
FWIN,2005/09/22,21:38:32 +2:00 GMT,81.106.248.60:3719,my.ip:2561,TCP (flags:S)
FWIN,2005/09/22,21:45:40 +2:00 GMT,81.106.248.60:4184,my.ip:2561,TCP (flags:S)
FWIN,2005/09/22,21:55:56 +2:00 GMT,81.106.248.60:4917,my.ip:2561,TCP (flags:S)
FWIN,2005/09/22,22:04:32 +2:00 GMT,81.106.248.60:1256,my.ip:2561,TCP (flags:S)
FWIN,2005/09/22,22:12:30 +2:00 GMT,4.79.142.206:35117,my.ip:4661,TCP (flags:S)
FWIN,2005/09/22,22:12:30 +2:00 GMT,4.79.142.206:35117,my.ip:4663,TCP (flags:S)
FWIN,2005/09/22,22:12:30 +2:00 GMT,4.79.142.206:35117,my.ip:4664,TCP (flags:S)
FWIN,2005/09/22,22:12:30 +2:00 GMT,4.79.142.206:35117,my.ip:4665,TCP (flags:S)
FWIN,2005/09/22,22:14:54 +2:00 GMT,81.106.248.60:1594,my.ip:2561,TCP (flags:S)
FWIN,2005/09/22,22:29:44 +2:00 GMT,81.106.248.60:1880,my.ip:2561,TCP (flags:S)
FWIN,2005/09/22,22:43:54 +2:00 GMT,81.106.248.60:2132,my.ip:2561,TCP (flags:S)

FWIN,2005/09/23,09:18:22 +2:00 GMT,81.249.136.83:3207,my.ip:2136,TCP (flags:S)
FWIN,2005/09/23,09:28:26 +2:00 GMT,81.249.136.83:3438,my.ip:2136,TCP (flags:S)

Basically: ports 4661-4665 shouldn't have been blocked since they were
connected to eMule at that time. As for ports 2561 and 2136 -- I have
no clue how they got there: they are not port-forwarded in the router,
and should have been blocked at the first line of defense.

Any thoughts on this? My only suspect right now is Kademlia network in
eMule, but I don't know how it can confuse the readings since it should
only be using UDP port 4672.
 

El0him
Those are TCP SYN packets trying to initiate a three-way handshake. Perhaps your first line of defense is misconfigured.
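As an added example (not part of the original thread), the following script parses ZoneAlarm FWIN records in the format quoted above, separates inbound TCP SYNs to ports the poster intentionally exposes from SYNs to everything else, and reports how often each unexpected source keeps retrying the same port. The sample records are constructed copies of lines from the post, and the set of expected ports (eMule's TCP range 4661-4665) is an assumption taken from the poster's description.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the ZoneAlarm FWIN format shown in the post.
SAMPLE_LOG = """\
FWIN,2005/09/22,21:18:10 +2:00 GMT,81.106.248.60:2500,my.ip:2561,TCP (flags:S)
FWIN,2005/09/22,21:28:34 +2:00 GMT,81.106.248.60:3101,my.ip:2561,TCP (flags:S)
FWIN,2005/09/22,22:12:30 +2:00 GMT,4.79.142.206:35117,my.ip:4661,TCP (flags:S)
FWIN,2005/09/22,22:12:30 +2:00 GMT,4.79.142.206:35117,my.ip:4663,TCP (flags:S)
FWIN,2005/09/23,09:18:22 +2:00 GMT,81.249.136.83:3207,my.ip:2136,TCP (flags:S)
"""

# Ports the poster says are legitimately reachable (eMule TCP range). Assumption from the post.
EXPECTED_OPEN = set(range(4661, 4666))

# FWIN,<date>,<time> <tz>,<src>:<sport>,<dst>:<dport>,<proto> (flags:<flags>)
RECORD = re.compile(
    r"^FWIN,(?P<date>\d{4}/\d{2}/\d{2}),(?P<time>\d{2}:\d{2}:\d{2}) [^,]*,"
    r"(?P<src>[^:]+):(?P<sport>\d+),(?P<dst>[^:]+):(?P<dport>\d+),"
    r"(?P<proto>\w+) \(flags:(?P<flags>\w+)\)$"
)

def parse(log):
    """Return one dict per well-formed FWIN record; malformed lines are skipped."""
    records = []
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": datetime.strptime(f"{d['date']} {d['time']}", "%Y/%m/%d %H:%M:%S"),
            "src": d["src"], "sport": int(d["sport"]), "dport": int(d["dport"]),
            "proto": d["proto"], "flags": d["flags"],
        })
    return records

def triage(records, expected_open=EXPECTED_OPEN):
    """Split inbound TCP SYNs into expected ports and unexpected (src, dport) groups.
    Each unexpected group records how many SYNs arrived and the median gap between them,
    which distinguishes a steady retry from a one-off probe."""
    expected, hits = [], defaultdict(list)
    for r in records:
        if r["proto"] != "TCP" or "S" not in r["flags"]:
            continue
        (expected.append(r) if r["dport"] in expected_open
         else hits[(r["src"], r["dport"])].append(r["ts"]))
    report = {}
    for key, times in hits.items():
        times.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        report[key] = {"count": len(times), "median_gap_s": gaps[len(gaps) // 2] if gaps else None}
    return expected, report
```

Anything in the unexpected report is traffic the router should have dropped, so its presence is the thing to check against the router's rule set.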