Re: What should I block out with my new firewall software?
From: Bob Ladbury (rladbury_at_kittymail.com)
Date: 02/14/04
- Next message: steve h.: "Gates takes swipe at Apple, Linux security"
- Previous message: Lars M. Hansen: "Re: Winksys WPC54G for laptop question"
- In reply to: NeoSadist: "Re: What should I block out with my new firewall software?"
- Next in thread: Duane Arnold: "Re: What should I block out with my new firewall software?"
- Reply: Duane Arnold: "Re: What should I block out with my new firewall software?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 14 Feb 2004 13:17:34 -0800
NeoSadist <neosad1st@charter.net> wrote in message news:<102r8k0911fn1f8@corp.supernews.com>...
> Bob Ladbury wrote:
>
> > After much deliberation, it looks like I'm sticking to my good ol'
> > Kerio Personal Firewall v2.15. I still don't know much about net
> > communications, but I'm learning by entering configurations from
> > people like SpongeBob. I'm wondering if there are major things I can
> > block out that I don't use or need, like UDP or TCP. Reason I ask is
> > that I believe I'm getting "pinged";
>
> In my opinion, pinging is no big deal. Say your internet address is
> 24.240.225.88, you should allow pings from 24.240.225.1 (your ISP's
> router), so that they don't terminate your connection thinking you've gone
> offline.
I know about that. I did whois traces on some of the IPs that try to ping me, and some seem to trace to the Bell Nexxia network (I'm currently on Bell Sympatico). But it's the largest network in Canada, and I don't know if any of these are from my service provider, since the IP addresses do not match the ones that are listed in the documentation I was provided by my ISP. So I blocked echo 8 on ICMP, which I think are the "pings" that people do, and so far, I've not been dropped...
> > one of my rules is telling me
> > that a couple of different remote addresses are trying to use XP's
> > "Generic Hosts Processes for Win32 Services" at local ports
> > 2265,2266,2267 through the TCP out protocol.
>
> Don't have a clue what that is -- go read online.
I've done a lot of research on firewalls lately, but never found any documentation for beginners that clearly laid out the basics of what should and shouldn't be blocked on XP systems in regards to stuff like UDP/ICMP/TCP etc. If anyone can point me in such a direction, please do!
> > Hence the reason I'd like to block ALL UDP and TCP, if I can get away
> > with it,
>
> I think you're confused. TCP and UDP are the internet backbone -- without
> them, there is no internet. You should block 135-139 coming from the
> internet, true, but services are based on ports. For example, without 53
> UDP (which is DNS, or how your computer knows that www.yahoo.com is
> actually 66.218.71.94), you'd have a horrible day wondering why your
> internet doesn't seem to work.
Yeah, that's what I've been doing lately. I used "Sponge's" Kerio configuration, which has an allowance for UDP 53. Then I think I blocked everything else on UDP. Besides port 53, I just don't know what should and shouldn't be blocked on protocols like UDP/TCP etc. I'm getting so many confusing alerts since I installed Kerio that I'm trying to be extra cautious with my firewall config, because I have reason to believe someone or someones is actively trying to hack into my system.
> I could send you a sample configuration, but you'd have to translate it from
> english to kerio lol.
Sure, I'd appreciate that. I could have a look at it, try to figure out if it should apply to me, and manually type it into Kerio. (Although Sponge's list is so long, I actually have very few entries left that I can add before Kerio complains the rule table is full!)
> > and tell Kerio to eliminate whatever other net services I
> > don't need. I don't know what these protocols are used for, but here's
> > what programs I use on my HOME system, that access the net:
> >
> > - Web
>
> This is port 80 for HTTP, and port 443 for HTTPS (secure web sites). That,
> and find out what servers your ISP uses for DNS (UDP port 53) and add a
> rule allowing dns to and from only those servers (but HTTP and HTTPS can be
> allowed to/from any server).
> FTP, by the way, (or downloading) is over ports 20-21 TCP/UDP (don't have
> time to explain it further).
Thanks, I didn't know that rule about FTP. I already knew to add a rule for UDP 53 using my ISP's servers, thanks to Sponge's ruleset.
> > - P2p
>
> Peer to peer is a very dangerous thing to use. Not only because the RIAA is
> out hunting down copyright law violators (yes, copyright is the law), but
> more importantly most viruses/trojans/worms are spread this way. I mean,
> do you trust these anonymous people you're downloading from? I wouldn't if
> I were you.
I don't trust anybody, hence the firewall! I have AVG anti-virus guard, free but good virus software which has been effective in catching virus-infected files before I even open them. P2P has all kinds of files, including files outside of the RIAA's domain and business, including non-copyright-protected files. Those are the only kinds I download, of course.
> > - occasionally software that needs to be updated
>
> This would be HTTP/HTTPS/FTP (windows update, etc).
>
> >
> > What I DON'T use or want to use is:
> >
> > - Microsoft's web updates
>
> ? This is more of a "go configure the thing not to do it" than blocking,
> since it's using HTTP/HTTPS/FTP.
Yeah, I only just realized yesterday how difficult it is to "go configure"! I THOUGHT I had done everything I could to configure my system to not accept anything from Microsoft by unchecking the Windows Update option in My Computer. Then I read something on a site that led me to explore the deep recesses of XP services, where I found that Windows Update was nevertheless automatically enabled! I went one better and used a Sponge rule that blocked Microsoft's web site via my Kerio. Just in case Gates has sneaked in a "phone home" process somewhere else in XP.
> This program sometimes accesses the internet for other programs, so I'd go
> online and read up on it. I usually just allowed it, so long as I did
> frequent virus scans and browser security checks.
This is the thing that scares me the most; I've had the most alerts from Kerio because of svchost. It has many processes in memory, so it's all over the place, and if I could do away with it, I'd like to. I don't trust what Microsoft may be able to do with svchost, let alone what hackers are able to do using svchost on my computer. So I'm not sure what I can do to limit its abilities. If I tell Kerio to only allow the svchost in the system32 folder, is it not possible for a hacker using a trojan/worm/whatever to use svchost in that folder for malicious purposes?
> > It runs like a half dozen processes in the background, and
> > really gobbles up memory and keeps bothering my firewalls.
>
> Then maybe you should let it do its thing. Try this: unplug or disconnect
> from the internet, delete all kerio rules, and then allow everything that
> svchost does while the internet is OFF. Then, plug the internet back in
> (or reconnect) and from there don't allow anything further for that program
> only.
Interesting. If Kerio is able to recognize processes while the inet system is not connected, I'll see what goes on.
Thanks for your time and helpful info, and to others who responded.
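The ruleset the exchange above sketches (DNS only to and from the ISP's resolvers, HTTP/HTTPS out to anywhere, 135-139 blocked from the internet, ICMP echo requests dropped except from the ISP gateway) modelled as an ordered, first-match rule table with a default deny, which is how a Kerio 2.x-style personal firewall walks its rules. This is an added example, not code from the original post or from Kerio: the gateway address is the one used as an example in the thread, the resolver and remote-host addresses are RFC 5737 documentation addresses standing in for real ones, and every packet run through it is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Placeholder addresses: 24.240.225.1 is the gateway the thread uses as an
# example; the resolvers and remote hosts are RFC 5737 documentation addresses
# standing in for your ISP's real DNS servers and for arbitrary internet hosts.
ISP_GATEWAY = "24.240.225.1"
ISP_DNS = ("203.0.113.53", "203.0.113.54")

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    direction: str        # "in" (remote initiated) or "out" (local initiated)
    remote: str           # remote IP address
    local_port: int = 0
    remote_port: int = 0
    icmp_type: int = -1   # only meaningful when proto == "icmp"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "allow" or "deny"
    proto: str = "any"                         # "tcp", "udp", "icmp" or "any"
    direction: str = "any"                     # "in", "out" or "any"
    remote_net: str = "0.0.0.0/0"              # remote address must fall in this CIDR
    remote_ports: Tuple[int, int] = ANY_PORT   # inclusive range
    local_ports: Tuple[int, int] = ANY_PORT    # inclusive range
    icmp_types: Tuple[int, ...] = ()           # empty = any ICMP type

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("any", p.proto):
            return False
        if self.direction not in ("any", p.direction):
            return False
        if ip_address(p.remote) not in ip_network(self.remote_net):
            return False
        if p.proto == "icmp":  # ICMP has types, not ports
            return not self.icmp_types or p.icmp_type in self.icmp_types
        return (self.remote_ports[0] <= p.remote_port <= self.remote_ports[1]
                and self.local_ports[0] <= p.local_port <= self.local_ports[1])


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything no rule matches is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "default-deny"


RULES: List[Rule] = [
    # Let the ISP gateway ping us so it does not decide we went offline ...
    Rule("ping-from-gateway", "allow", "icmp", "in", f"{ISP_GATEWAY}/32", icmp_types=(8,)),
    # ... but drop echo requests (ICMP type 8) from everyone else.
    Rule("ping-from-others", "deny", "icmp", "in", icmp_types=(8,)),
    # RPC endpoint mapper / NetBIOS from the internet: never.
    Rule("netbios-tcp-in", "deny", "tcp", "in", local_ports=(135, 139)),
    Rule("netbios-udp-in", "deny", "udp", "in", local_ports=(135, 139)),
    # DNS only to and from the ISP's own resolvers, one rule per server.
    *[Rule(f"dns-out-{d}", "allow", "udp", "out", f"{d}/32", remote_ports=(53, 53)) for d in ISP_DNS],
    *[Rule(f"dns-in-{d}", "allow", "udp", "in", f"{d}/32", remote_ports=(53, 53)) for d in ISP_DNS],
    # Web browsing (and HTTP-based software updates) to any server.
    Rule("http-out", "allow", "tcp", "out", remote_ports=(80, 80)),
    Rule("https-out", "allow", "tcp", "out", remote_ports=(443, 443)),
    # Everything else falls through to the default deny in evaluate().
]


def demo() -> dict:
    """Run constructed packets through RULES; returns {label: (action, rule name)}."""
    samples = {
        "dns query to ISP resolver": Packet("udp", "out", ISP_DNS[0], 1025, 53),
        "dns query to unknown server": Packet("udp", "out", "198.51.100.7", 1025, 53),
        "netbios session from internet": Packet("tcp", "in", "198.51.100.9", 139, 4321),
        "echo request from gateway": Packet("icmp", "in", ISP_GATEWAY, icmp_type=8),
        "echo request from stranger": Packet("icmp", "in", "198.51.100.9", icmp_type=8),
        "https to any web server": Packet("tcp", "out", "198.51.100.20", 1026, 443),
        "unsolicited tcp to a high local port": Packet("tcp", "in", "198.51.100.21", 2265, 3333),
    }
    return {label: evaluate(RULES, p) for label, p in samples.items()}


if __name__ == "__main__":
    for label, (action, rule) in demo().items():
        print(f"{action:5}  {label:38}  ({rule})")
```

Rule order is the whole point of a table like this: the gateway allow must sit above the blanket echo-request deny or it never fires. The inbound "dns-in" rules are also the weak spot of a stateless table: anything that arrives with a spoofed source of one of those resolvers and source port 53 passes them, to any local port, which is why a stateful firewall that admits only replies to queries it saw leave is the better tool.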