Firewall Log

Archived from groups: microsoft.public.windowsxp.basics

I find that in C:\windows there is a
"pfirewall.log" that gets bigger (>6MB) - I can stop the firewall,
delete the file, then restart the firewall.

The log contains entries like
2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162 135 - - - - - - - RECEIVE
2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - - - - - - - -
2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - - - - - - - -

What do these entries mean? Is a "drop" a putative attack?!

Rick
Merrill
  1.

    "Rick Merrill" <RickMerrill@comTHROW.net> wrote in message
    news:%23PVh7%23B9EHA.1524@TK2MSFTNGP09.phx.gbl
    > I find that in C:\windows there is a
    > "pfirewall.log" that gets bigger (>6MB) - I can stop the firewall and
    > delete the file the restart the firewall.
    >
    > The log contains entries like
    > 2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 -
    > - - - - - - RECEIVE
    > 2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 -
    > - - - - - - RECEIVE
    > 2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162 135 -
    > - - - - - - RECEIVE
    > 2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - -
    > - - - - - -
    > 2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - -
    > - - - - - -
    >
    > What do these entries mean? Is a "drop" a putative attack?!
    >
    > Rick
    > Merrill

    I don't have that file.

    --
    Frank Saunders, MS-MVP, IE/OE
    Please respond in Newsgroup only. Do not send email
    http://www.fjsmjs.com
    Protect your PC
    http://www.microsoft.com./athome/security/protect/default.aspx
  2.

    The contents of the firewall log can be frightening. Unfortunately XP's
    firewall log isn't very informative - hence I don't use it, simply because
    it monitors incoming traffic but not outgoing traffic. As a suggestion I
    would say download the free version of Zone Alarm www.zonelabs.com and use
    that instead. Your system is then protected both ways and the log is more
    informative, telling you what program accesses the web and what IP address
    it contacted.
    Judging by the contents of the log you have supplied and the IP addresses I
    wouldn't say that they were punitive attacks. The UDP 192.168.0.90 is
    probably svchost.exe contacting the server, the previous packages obviously
    failing. You should also be aware that your ISP regularly 'pings' your
    connection to make sure you are still using it. This can account for a
    substantial amount of the data in the log files. If you are a dial-up
    connection customer your ISP contract probably contains the following clause:
    'if you don't use the connection for 10 minutes (or whatever) your ISP can
    disconnect you.' The 'pinging' helps check for this use.
    On balance your machine is probably attacked 30 or 40 times an hour,
    sometimes more depending upon the time of day. I know mine is but I don't
    even bother checking the Zone Alarm log now. I know Zone Alarm is doing its
    job.

    --
    John Barnett MVP
    Associate Expert
    http://freespace.virgin.net/john.freelanceit/index.htm
    "Rick Merrill" <RickMerrill@comTHROW.net> wrote in message
    news:%23PVh7%23B9EHA.1524@TK2MSFTNGP09.phx.gbl...
    >I find that in C:\windows there is a
    > "pfirewall.log" that gets bigger (>6MB) - I can stop the firewall and
    > delete the file the restart the firewall.
    >
    > The log contains entries like
    > 2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162
    > 135 - - - - - - - RECEIVE
    > 2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162
    > 135 - - - - - - - RECEIVE
    > 2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162
    > 135 - - - - - - - RECEIVE
    > 2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038
    > 53 - - - - - - - - -
    > 2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282
    > 80 - - - - - - - - -
    >
    > What do these entries mean? Is a "drop" a putative attack?!
    >
    > Rick
    > Merrill
  3.

    To answer your question, the 3rd column is the action. Open means a
    port was opened. If a dropped packet was inbound, it might have been
    pests wandering the Internet, probes wandering the Internet, or just
    background noise (e.g. broadcast messages) on the Internet. Like radio
    broadcasts, broadcast messages are intended for everybody, but no
    individual in particular. Among other reasons, outbound packets might
    be dropped if an outbound communication request was made (e.g. request
    for email or a web page) with no connection to the Internet, or if a
    request was redirected internally and could not be resolved.

    TCP and UDP are communication protocols you will often see in a log.
    ICMP is a protocol used by Ping and Tracert. Ping does not use TCP or UDP.

    Addresses on the Internet (IP addresses) are the 4 numbers separated by
    dots. The first IP address is the source IP address, and the second IP
    address is the destination. Among many others, addresses starting with
    192.168 are internal inside your PC, not external. So all 5 packets
    originated internally, and the first 3 had internal destinations.

    The last 2 numbers are the port number used by the source system, and
    the port number used by the target system, respectively. Sometimes your
    PC is the source, and sometimes your PC is the target, depending on
    whether your PC is sending or receiving the transmission. Port 80 is
    used by Internet browsers for communicating in HTTP protocol. Port 53
    is used to communicate with a DNS server (that translates www addresses
    into IP addresses that computers understand). The meaning of other
    TCP/UDP ports can be found at http://www.iana.org/assignments/port-numbers

    You can quickly find your own IP address by clicking on the icon in the
    lower right that looks like 2 monitors (if you have 2 icons like this, it's
    the one that shows the name of your Internet connection when you rest
    your mouse pointer on it), and clicking the tab labeled Details.

    As your firewall log grows, you will see that most dropped packets are
    just background noise, or pests and probes that wander and search the
    Internet looking for an opportunity (but not you or any particular
    individual). If something/somebody were specifically targeting you for
    an attack, you would likely see a sudden series of many dropped packets
    from the same external IP address, using many different ports.

    http://www.pcworld.com/reviews/article/0,aid,115939,pg,1,00.asp
    Switching to one of the firewalls recommended in this article is very
    good advice. Go with ZoneAlarm if you love to learn and are not
    impatient with learning curves.

    After installing TrendMicro's security suite and dropping XP's firewall,
    I found that TrendMicro's initial settings left some ports on my PC
    visible (open or closed) to predators on the Internet, before I figured
    out how to make them invisible. Which ports were visible depended on
    whether I was running with XP SP1 or SP2.

    TrendMicro's security suite and the purchased versions of ZoneAlarm have
    many other nice, additional features. TrendMicro's security suite has a
    very good antivirus component, along with Wi-Fi and personal data
    protection, though the spyware component had poor results in the tests
    cited in the article. ZoneAlarm is much more versatile (herein lies the
    learning curve) in allowing you to allow/disallow inbound requests
    depending on IP address, and in filtering different types of cookies and
    different types of mobile code (ActiveX, VBScript, JavaScript, etc.) on
    a website-by-website basis.


    Rick Merrill wrote:
    > I find that in C:\windows there is a
    > "pfirewall.log" that gets bigger (>6MB) - I can stop the firewall and
    > delete the file the restart the firewall.
    >
    > The log contains entries like
    > 2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 - -
    > - - - - - RECEIVE
    > 2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 - -
    > - - - - - RECEIVE
    > 2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162 135 - -
    > - - - - - RECEIVE
    > 2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - - - -
    > - - - -
    > 2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - - - -
    > - - - -
    >
    > What do these entries mean? Is a "drop" a putative attack?!
    >
    > Rick
    > Merrill
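The third answer explains the column layout of pfirewall.log (action, protocol, source and destination address, source and destination port) and gives a rule of thumb for telling background noise from a targeted probe: a sudden run of dropped packets from one external address across many different ports. The script below is an added example written for this page, not code from the thread or from Microsoft. It parses the five entries Rick posted plus a constructed burst from 198.51.100.7 (a documentation-range address, chosen so it belongs to nobody) and applies that rule. The field names follow the W3C-style "#Fields:" header Windows XP writes at the top of the log; the threshold of ten distinct ports within five minutes is an assumption for illustration, not a Windows setting.

```python
"""Parse Windows XP pfirewall.log entries and flag the pattern the thread
describes as a targeted probe: many DROPped inbound packets from one
external address hitting many destination ports in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Column layout of pfirewall.log (assumed from the log's "#Fields:" header).
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# RFC 1918 ranges: the "192.168" style addresses the answer calls internal.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The five entries from the original post, preceded by a header line of the
# kind XP writes (the header text here is constructed for the example).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162 135 - - - - - - - RECEIVE
2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - - - - - - - -
2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - - - - - - - -
"""
# Constructed entries (not from the thread): one documentation-range address
# (198.51.100.7) gets a dozen TCP SYNs to different ports dropped in 12 seconds.
SCAN_PORTS = [21, 22, 23, 25, 80, 135, 139, 445, 1433, 3389, 5900, 8080]
SAMPLE_LOG += "".join(
    f"2005-01-05 19:20:{sec:02d} DROP TCP 198.51.100.7 192.168.0.90 "
    f"{40000 + sec} {port} 48 S - - - - - - RECEIVE\n"
    for sec, port in enumerate(SCAN_PORTS))


def parse_line(line):
    """Return one entry as a dict, or None for headers, blanks and bad rows."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None                     # truncated or malformed entry
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                  "%Y-%m-%d %H:%M:%S")
    for key in ("src_port", "dst_port"):    # ICMP entries carry "-" here
        rec[key] = int(rec[key]) if rec[key] != "-" else None
    return rec


def is_lan(ip):
    """True for RFC 1918 addresses, i.e. the LAN side of a home router."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def find_targeted_sources(records, min_ports=10, window=timedelta(minutes=5)):
    """Map each external source whose dropped inbound packets touched at
    least `min_ports` distinct ports within `window` to its sorted ports.
    LAN sources (router chatter, broadcasts) and isolated drops are ignored."""
    by_src = defaultdict(list)
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE" and not is_lan(r["src_ip"]):
            by_src[r["src_ip"]].append(r)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):        # slide the window over the drops
            ports = {r["dst_port"] for r in recs[i:]
                     if r["ts"] - first["ts"] <= window and r["dst_port"] is not None}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits


def analyze(text):
    """Parse a whole log and return (records, counts per action, flagged sources)."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    counts = defaultdict(int)
    for r in records:
        counts[r["action"]] += 1
    return records, dict(counts), find_targeted_sources(records)


if __name__ == "__main__":
    recs, counts, hits = analyze(SAMPLE_LOG)
    print(f"{len(recs)} entries, actions: {counts}")
    for src, ports in hits.items():
        print(f"possible targeted probe from {src}: ports {ports}")
```

Run against the real file, the three UDP drops from 192.168.0.1 (the router) are classified as LAN noise and never flagged, the two OPEN lines are outbound DNS and HTTP, and only the constructed 198.51.100.7 burst trips the many-ports rule. Tune `min_ports` and `window` to your own baseline before treating a hit as anything more than a reason to look closer.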