Re: Norton Personal Firewall 2003
From: Alsvik Ture (ture@alsvik.dk)
Date: 12/07/02
From: "Alsvik Ture" <ture@alsvik.dk> Date: Sat, 7 Dec 2002 17:01:53 +0100
Thank you, Joseph. I replied to your questions below:
> First thing I would do is put the GRC test site into the Exclusions List.
> (I think they're now using two different IP addresses to do these scans,
> so you may have one, but not the other.) Not much point in running port
> scans if NPF is simply going to block the site totally from access for the
> next 30 minutes! You won't know if you've got problems or not -- and you
> won't have any logs to decide whether the stuff is actually reaching you.
> (Matter of fact, you should do this for all the port scan sites that you
> routinely use.)
That would be cheating, wouldn't it? I mean if anyone scans my computer's
ports they will not get the same result being in my blocklist, right? So
blocking www.grc.com will not make my ports stealthed on other sites or from
other users, and I can't add everybody!!!
>
> Second, you should now be able to find events from the GRC port scan in
> your firewall event log. Do you see events for 21, 25, 80, 110, 443? I
> realize this is going to be a bit tedious, given the firewall event log
> display available in NPF 2003. In earlier versions, you could have used
> Sven Schaefer's NIS Log Viewer to quickly ascertain if these events are or
> are not present.
There are no log entries with the address of grc.com or their IP (at
grc.com they write that alarms can go on in your firewall with entries from
IP: xxx.xxx.xx.xx). But it doesn't report any alerts while doing a scan -
and it doesn't create any entries while the scan is done. That is why I
think something is wrong!
>
> Now, we get to the complications:
> 1) Do you (or your ISP) have a proxy server between you and GRC?
> What about a router? (That's the most common source of this
> kind of result. If it's probing your router or even your ISP's
> proxy server, it will most definitely report these ports as
> open in 9 cases out of 10.)
They used to be reported as stealth. I haven't changed anything but
upgrading to NPF2003.
To answer another of your questions, I uninstalled NPF2002 first, and since
I also used NAV2002 and upgraded that product at the same time, I also
uninstalled that. When I first noticed the problem I now seem to have, I
uninstalled both programs and deleted all entries I could find matching
"symantec" and "norton" in regedit.
>
> 2) Did you have all these multiple servers running when you had
> NPF 2002 installed? If so, what inbound TCP rules did you
> have in place for them at that time?
NPF2002 created these rules on its own. It detected the IIS5.0-service and
the ftp-server, and it created the rules for the mailserver. I only had to
choose "permit all" or "automatic" - and I chose "automatic" where
possible.
>
> 3) What are your _current_ inbound TCP rules for these servers?
> (Remember, the rules you had in place in NPF 2002 don't
> automatically upgrade to NPF 2003; you have to re-enter.)
> (I know answering that one is going to be tedious, because
> you can't use Albert Schaefer's AtGuard NIS Rules Viewer
> with NPF 2003.)
I haven't created any rules but one, allowing any traffic from/to any
computer to my local ports 4661-4665.
>
> 4) Okay, I assume you've confirmed that the firewall component
> is actually enabled. Do you have the Security Level set
> to HIGH?
The firewall is enabled (everything is default) except I've raised it to
HIGH.
Alert level is set to MIN. Changing this to high will not create any alerts
from grc.com or their IP or create any log entries from their address / IP.
So the scan just isn't detected!
>
> 5) If you've done all of the above and still can't identify
> the source of the problem, then you need to add a custom
> rule to the System-Wide Settings. This would be a
> MONITOR rule for TCP inbound for these particular ports.
> ENABLE Logging for this rule and position it at the top
> (beginning) of your System-Wide Rule Settings. Run GRC's
> "Probe My Ports" again. If THIS rule doesn't generate
> log events, then these probes are, in fact, not getting
> to your machine. If THIS rule DOES generate log events,
> it should also tell you what Process is accepting them.
I will try that - but somehow I've lost my sense of security with NPF.
I'll try to create a custom rule that monitors the open ports 21, 25, 80,
110, and 443 and see if that creates any entries in the log.
I'll post the result here!
>
> I know this is kind of complicated, but that's the way it is.
>
> I can't say much about the following until we get the above cleared up.
> Hopefully that may point the way to the solutions necessary below.
>
> . . . .
> --
> Regards,
> Joseph V. Morris
> jvmorris@erols.com
> ICQ #29438199
Thank you Joseph.
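
The reasoning in step 5 of the quoted advice (a logging MONITOR rule decides whether the probes reach the machine at all, and which process accepts them), as an added example that is not part of the original message or of any Symantec tool. The log format, the scanner address 192.0.2.10, the timestamps and the process names are constructed for illustration; NPF's real log layout is not shown in this thread.

```python
import re
from datetime import datetime

PROBED_PORTS = (21, 25, 80, 110, 443)   # ports named in the thread

# Constructed log lines in a made-up format (not NPF's real log layout).
SAMPLE_LOG = """\
2002-12-07 17:10:01 MONITOR TCP IN 192.0.2.10:4312 -> local:21 process=ftpsrv.exe
2002-12-07 17:10:02 MONITOR TCP IN 192.0.2.10:4313 -> local:80 process=inetinfo.exe
2002-12-07 17:10:02 MONITOR TCP OUT local:1045 -> 192.0.2.10:80 process=iexplore.exe
2002-12-07 17:25:40 MONITOR TCP IN 198.51.100.7:2201 -> local:25 process=mailsrv.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) MONITOR TCP IN "
    r"(?P<src>[\d.]+):\d+ -> local:(?P<port>\d+) process=(?P<proc>\S+)$")

def classify_probes(log_text, scanner_ip, start, end, ports=PROBED_PORTS):
    """Map each probed port to the accepting process, or None if no inbound
    event from the scanner was logged inside the scan window."""
    fmt = "%Y-%m-%d %H:%M:%S"
    t0, t1 = datetime.strptime(start, fmt), datetime.strptime(end, fmt)
    seen = {p: None for p in ports}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # outbound or unrelated entry
        port = int(m["port"])
        ts = datetime.strptime(m["ts"], fmt)
        if m["src"] == scanner_ip and port in seen and t0 <= ts <= t1:
            seen[port] = m["proc"]
    return seen

def summarize(result):
    """Split ports into those that reached the host and those that did not."""
    reached = sorted(p for p, proc in result.items() if proc)
    missing = sorted(p for p, proc in result.items() if not proc)
    return reached, missing

if __name__ == "__main__":
    res = classify_probes(SAMPLE_LOG, "192.0.2.10",
                          "2002-12-07 17:09:00", "2002-12-07 17:15:00")
    reached, missing = summarize(res)
    for p in reached:
        print(f"port {p}: probe reached this host, accepted by {res[p]}")
    for p in missing:
        print(f"port {p}: no log event; probe likely answered upstream")
```

A port that the scan site reports as open but that has no inbound event in the window points at a router or proxy answering in front of the machine, which is the case raised in point 1 of the quoted advice.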