Re: What should I block out with my new firewall software?
From: Duane Arnold (notme_at_notme.com)
Date: 02/14/04
- Next message: Big Mac: "Re: Norton Personal Firewall 2004 problem"
- Previous message: NeoSadist: "Re: What should I block out with my new firewall software?"
- In reply to: Lisa: "Re: What should I block out with my new firewall software?"
- Next in thread: Lisa: "Re: What should I block out with my new firewall software?"
- Reply: Lisa: "Re: What should I block out with my new firewall software?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 14 Feb 2004 04:45:15 GMT
Lisa <noreply@noreply.com> wrote in news:c0k5pm$3le1$1@netnews.upenn.edu:
> On 2/13/2004 9:13 PM, Bob Ladbury wrote:
> > After much deliberation, it looks like I'm sticking to my good ol'
> > Kerio Personal Firewall v2.15. I still don't know much about net
> > communications, but I'm learning by entering configurations from
> > people like SpongeBob. I'm wondering if there are major things I can
> > block out that I don't use or need, like UDP or TCP. Reason I ask is
> > that I believe I'm getting "pinged"; one of my rules is telling me
> > that a couple of different remote addresses are trying to use XP's
> > "Generic Hosts Processes for Win32 Services" at local ports
> > 2265,2266,2267 through the TCP out protocol. At the same time, I'm
> > also getting warnings I don't understand from XP's SYSTEM, UDP IN and
> > TCP IN at ports 135-139. I got the W32 blaster worm yesterday that
> > went through port 135, so for all I know, this could be local worm
> > activity or attempts from outside hackers to penetrate these ports.
> > Hence the reason I'd like to block ALL UDP and TCP, if I can get away
> > with it, and tell Kerio to eliminate whatever other net services I
> > don't need. I don't know what these protocols are used for, but here's
> > what programs I use on my HOME system, that access the net:
> >
>
> I block all incoming traffic trying to use SYSTEM with no problems, and
> I've seen other people's kerio configurations that do the same. I also
> block all incoming trying to use Generic Host Processes
And that may be some of your problems as to why the wireless is not
working when Kerio is enabled.
I myself never stop svchost from communicating on the Internet; that's
svchost's job. It's more along the lines of what's trying to use svchost
on its behalf to access the Internet that needs to be stopped, if
needed, IMHO. But some people can stop svchost from communicating and
get away with it.
> and File and
> Printer Sharing, though I let Generic Host processes have outgoing
> traffic. I believe that Kerio 2.1.5 comes with some preset rules (like
> allow DNS, ICMP, etc) that are good to keep around. I don't fully
> understand them, however, so I can't explain why all of those rules are
> good to have. I also don't know what to do to specifically disallow
> blaster. I think most firewalls come able to do that by default.
The DNS is how the O/S takes www.microsoft.com and converts it into an IP
address when you enter it into a browser address line. The O/S goes to
the ISP's Domain Name Server to get the IP for a Domain Name like
www.microsoft.com.
File and Print services should be disabled on the O/S if not sharing
resources between machines on a LAN. Some ICMP traffic is good and some
ICMP traffic is bad. A Ping of Death is a Denial of Service attack that
uses ICMP. I stop all ICMP traffic inbound; the FW on its own stops all
outbound ICMP.
>
>
> > - Web
> > - Email
> > - P2p
> > - occasionally software that needs to be updated
>
> As for the specific things you use, here are some rules you can set:
>
> For all browsers:
> Allow TCP (out) any remote address, remote ports 80, 8080, 8010, 443, 21
> Allow TCP (out) remote address 127.0.0.1, any remote ports
> Allow TCP (in) any remote address, remote port 20
> IE may require you to allow TCP and UDP.
>
> For all mail clients:
> Allow TCP (out) any remote address, remote ports 110, 995, 119, 25
> Allow TCP (out) remote address 127.0.0.1, any remote ports
>
> FTP programs (other than servers):
> Allow TCP (out) any remote address, remote port 21
> Allow TCP (in) any remote address, remote port 20
>
> Most software (Norton, windows media player, quicktime, etc etc etc):
> Allow TCP (out) any remote address, remote port 80
> Depending on the software (like Norton, that only accesses certain
> update sites) you can specify a remote address or a range of addresses,
> but I can't tell you what those are.
>
> This "most software" category does NOT include things like AOL/AIM,
> which use port 5190 for most needs, and others if you're doing things
> like file transfers.
>
> P2P: This is a very different animal, because it involves opening more
> TCP in. Sometimes the program will allow you to specify what port you
> want to start at or a range of ports you want to use when using the
> downloading program. I'm less familiar with this so I'll let someone
> else handle it.
>
> > What I DON'T use or want to use is:
> >
> > - Microsoft's web updates
> > - local home networks
> > - file/printer sharing (already turned off)
>
> Web updates, as far as I know, are downloaded the same way that anything
> else on the web is, using IE and its standard web ports, like 80 or 443.
> Now, if you don't want the web update PROGRAM to access the internet,
> just completely disallow TCP/UDP out the next time it tries to contact
> microsoft. Or just disable it. You can do that I think if you right
> click "my computer" and look under one of its tabs for windows updates.
I let the MS auto Update fly and let it tell me what it is, and make the
decision then. The only time MS update notifies is on a *critical update*
that gets applied asap. That's most of the times I have seen it notify.
>
> I don't know what you mean by local home networks.
>
>
> > ...and a bunch of other stuff I can't think of. Do I need MS's
> > "svchost"? It runs like a half dozen processes in the background, and
> > really gobbles up memory and keeps bothering my firewalls.
>
> It depends. svchost is used by a lot of programs, some of which you need
> and some of which you don't.
The only time one should be concerned about svchost.exe is when it's not
running out of Winnt/system32 for Win NT and 2k or Windows/system32 for XP
and 2K3, because if they are not running out of *system32*, it's a
Trojan.
> The only thing you can do about them is to
> disable the program in question, because there's no way in the firewall
> to tell which svchosts are the ones that you want. Check out
> http://www.blackviper.com/WinXP/servicecfg.htm for more info on this.
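As an added example (not code from the thread, from Kerio, or from Lisa or Duane), the following Python script models a first-match personal-firewall rule set the way Kerio-style rules are described above: each rule has a direction, protocol, remote address/network, remote ports and local ports, the first matching rule wins, and anything unmatched falls to a default deny. The rules encode the advice in the thread (block inbound 135-139 to approximate "block incoming to SYSTEM / file and printer sharing", inbound ICMP denied and outbound allowed, Lisa's browser, mail and FTP port lists). The rule ordering, the DNS rule on 53/udp, and the sample packets are my assumptions and are constructed for illustration.

```python
"""First-match personal-firewall rule evaluator (added example, not from the thread).

Each Rule matches a Packet on direction, protocol, remote network, remote
ports and local ports.  evaluate() returns the action of the first matching
rule or the default policy, so the effect of rule ordering is visible.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ANY = "0.0.0.0/0"          # wildcard remote network
LOOPBACK = "127.0.0.1/32"  # "remote address 127.0.0.1" in Lisa's rules


@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" (remote -> local) or "out"
    proto: str                     # "tcp", "udp" or "icmp"
    remote_addr: str
    remote_port: Optional[int] = None
    local_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str
    proto: str
    remote_net: str = ANY
    remote_ports: FrozenSet[int] = frozenset()   # empty set = any port
    local_ports: FrozenSet[int] = frozenset()    # empty set = any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction or self.proto != pkt.proto:
            return False
        if ip_address(pkt.remote_addr) not in ip_network(self.remote_net):
            return False
        if self.remote_ports and pkt.remote_port not in self.remote_ports:
            return False
        if self.local_ports and pkt.local_port not in self.local_ports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule, else the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return default, "default policy"


# Rule set assembled from the thread's advice; the ordering is an assumption.
RULES: List[Rule] = [
    # Block inbound to the NetBIOS/RPC ports (135-139) that SYSTEM and
    # file/printer sharing listen on; Blaster came in over 135.
    Rule("deny", "in", "tcp", local_ports=frozenset(range(135, 140)), comment="block NetBIOS/RPC in"),
    Rule("deny", "in", "udp", local_ports=frozenset(range(135, 140)), comment="block NetBIOS/RPC in"),
    # Duane: stop all inbound ICMP, let outbound ICMP through.
    Rule("deny", "in", "icmp", comment="no inbound ICMP"),
    Rule("allow", "out", "icmp", comment="outbound ICMP ok"),
    # Lisa's browser rules.
    Rule("allow", "out", "tcp", remote_ports=frozenset({80, 8080, 8010, 443, 21}), comment="web/ftp control out"),
    Rule("allow", "out", "tcp", LOOPBACK, comment="loopback out"),
    Rule("allow", "in", "tcp", remote_ports=frozenset({20}), comment="ftp active data in"),
    # Lisa's mail-client rules.
    Rule("allow", "out", "tcp", remote_ports=frozenset({110, 995, 119, 25}), comment="mail/news out"),
    # Kerio's preset "allow DNS" rule; 53/udp is assumed here, not stated in the thread.
    Rule("allow", "out", "udp", remote_ports=frozenset({53}), comment="dns out"),
]


def decide(pkt: Packet) -> str:
    """Convenience wrapper: just the action for the thread's rule set."""
    return evaluate(RULES, pkt)[0]


if __name__ == "__main__":
    # Constructed sample traffic (203.0.113.0/24 is documentation address space).
    samples = [
        Packet("in", "tcp", "203.0.113.9", remote_port=4444, local_port=135),   # worm-style probe
        Packet("out", "tcp", "203.0.113.9", remote_port=80, local_port=2265),   # browser
        Packet("in", "icmp", "203.0.113.9"),                                   # inbound ping
        Packet("out", "tcp", "203.0.113.9", remote_port=6881, local_port=1060),  # P2P, no rule yet
    ]
    for p in samples:
        print(p, "->", evaluate(RULES, p))
```

Running it shows the outbound P2P packet falling to "default policy", which is why Lisa calls P2P "a very different animal": it needs rules of its own. The evaluator also makes one limit of Lisa's FTP rule visible: "Allow TCP (in) any remote address, remote port 20" matches on the remote source port alone, so inbound connections are judged by a port the remote side chooses; a firewall with stateful FTP handling would tie that data connection to an existing control session instead.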