Re: ZoneAlarm log shows probes *from* 127.0.0.1 ?
From: Peter (nospam_at_nospam.com)
Date: 10/05/03
- Next message: Eirik Seim: "Re: Recommended Firewall"
- Previous message: SA: "Re: What is DMZ?"
- In reply to: David: "Re: ZoneAlarm log shows probes *from* 127.0.0.1 ?"
- Next in thread: David: "Re: ZoneAlarm log shows probes *from* 127.0.0.1 ?"
- Reply: David: "Re: ZoneAlarm log shows probes *from* 127.0.0.1 ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 5 Oct 2003 20:20:48 +0000 (UTC)
David wrote:
> Yes I would agree that they are coming in from the internet now. The TTLs
> back this, and show at least two separate machines in that particular
> dump, probably windows machines.
>
> Take a look at this link: http://www.dshield.org/port_report.php?port=80
> Do your firewall log entries correspond with the dates shown here,
> particularly the spike in activity Sept 23-26? Just wondering.
>
It's difficult to see as I've just got a bunch of text files (one per
day) and since it's a dialup connection, it would be related to how often
I connected!
However, it looks like these started on 3-Sep-2003 (only two that day)
and the volume has gradually increased since then.
But unlike with MS-Blaster where I always get hits appearing in the
firewall log, this only happens sometimes... thinking about it, it might
be where the previous owner of the IP address I've been allocated has been
doing something or connecting to something strange!
That may explain why it doesn't always happen.
> The TCP standard basically says this: If the connection does not exist then a
> reset is sent in response to any incoming segment "except another reset". So
> since the OS shouldn't be responding to these RST packets for nonexistent
> connections then one could assume that the entries in your firewall log
> correspond to the initial packets coming from over the internet. This
> assumes that your OS has an RFC standard stack in regards to this specific
> characteristic.
It's got a Microsoft stack - does that count? (don't answer that!)
> In all I don't know whether ZA is blocking the packets due to them being spoofed,
> or simply because there is no open socket or listening server related to
> them. You would think that if it was due to spoof protection that the
> developers would be smart enough to have this indicated in alerts or log
> entries. Use a port listener, bind it to port 80 on the loopback, play around
> with ZA's application control settings for the listener and you will find
> out.
>
Port 80 is the source port! The destination port varies, although it is
not random, but it does try quite a few different ports.
There's a new screen grab from Zone Alarm here:
http://www.btinternet.com/~peter.ryan/20031005/zone-alarm.png
As regards ZoneAlarm blocking or not, I *think* it's safe! I set up a
listener on port 23012 (picked out of a hat) and tried to connect to it
(localhost:23012) and ZoneAlarm did block it.
Cheers!!!
Peter.
>
>
>>True!
>>So, I connected to the internet using a laptop running Linux (SuSE 8.2)
>>and run tcpdump.
>>
>>http://www.btinternet.com/~peter.ryan/20031003/tcpdump.png
>>
>>The last group of tcpdumps are where I had disconnected my local network
>>(I figured I should make sure the Linux machine was completely isolated
>>from anything on my local network).
>>
>>
>>I think this proves that the source of these packets is external, and is
>>nice from my point of view in that I feel happy my Windows 2000 machine
>>hasn't been compromised... probably! I guess I still need to confirm if
>>ZoneAlarm is actually blocking everything to localhost that arrives via
>>my modem though.
>>
>>
>>Thanks again for all your help!!
>>
>>Peter.
>>
>
>
>
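A defender-side check for what this thread works out (an example added here, not code from Peter or David): a packet with a 127.0.0.1 source arriving on the dial-up interface cannot be local traffic, so it should be flagged and dropped as spoofed, and distinct TTLs separate the senders behind it. The capture lines are constructed in a simplified shape, and the interface names "ppp0"/"lo" and the hop estimate from common initial TTLs are assumptions.

```python
import re
from ipaddress import ip_address
# Constructed, simplified capture lines (not the poster's real tcpdump) in the
# shape the thread describes: source 127.0.0.1, source port 80, RST flag,
# varying destination ports, two TTLs. "ppp0" is the assumed dial-up interface.
SAMPLE_CAPTURE = """\
20:10:01 ppp0 127.0.0.1:80 > 10.0.0.5:1029 R ttl=113
20:10:02 ppp0 127.0.0.1:80 > 10.0.0.5:3127 R ttl=113
20:10:05 ppp0 127.0.0.1:80 > 10.0.0.5:4441 R ttl=47
20:10:07 ppp0 203.0.113.9:80 > 10.0.0.5:1030 S ttl=113
20:10:09 ppp0 127.0.0.1:80 > 10.0.0.5:6000 R ttl=47
20:10:11 lo 127.0.0.1:23012 > 127.0.0.1:1031 S ttl=64
"""
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+) ttl=(?P<ttl>\d+)$"
)

def parse(capture):
    """Turn capture lines into dicts; lines that don't match are skipped."""
    packets = []
    for m in filter(None, map(LINE.match, capture.splitlines())):
        p = m.groupdict()
        p.update({k: int(p[k]) for k in ("sport", "dport", "ttl")})
        packets.append(p)
    return packets

def spoofed_loopback(packets):
    """Packets with a 127/8 source that arrived on a non-loopback interface.
    RFC 1122 forbids 127/8 on the wire, so these are spoofed, not local."""
    return [p for p in packets
            if ip_address(p["src"]).is_loopback and p["iface"] != "lo"]

def guess_initial_ttl(ttl):
    """Smallest common initial TTL (64/128/255) at or above the observed one."""
    return next(t for t in (64, 128, 255) if ttl <= t)

def summarise(capture):
    """Reason about the spoofed packets the way the thread does: distinct TTLs
    hint at distinct senders (hops_by_ttl maps observed TTL to estimated hops);
    a fixed source port with varying destination ports is a probe, not a reply."""
    bad = spoofed_loopback(parse(capture))
    return {
        "spoofed": len(bad),
        "all_rst": all(p["flags"] == "R" for p in bad),
        "source_ports": sorted({p["sport"] for p in bad}),
        "dest_ports": sorted({p["dport"] for p in bad}),
        "hops_by_ttl": {t: guess_initial_ttl(t) - t for t in {p["ttl"] for p in bad}},
    }
```

On a real capture the same rule applies to any bogon source on an external interface, which is exactly what an anti-spoofing (ingress) filter on the firewall enforces.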