Re: Some help interpreting log snippet please?



On Sat, 3 Dec 2005, in the Usenet newsgroup comp.security.firewalls, in article
<dmqqjf$jmu$1@xxxxxxxxxxxxxxxxxx>, watson wrote:

>I'm running kerio 2.1x. Have rules defined for small number of internet
>apps only, with fw set to block anything else - all protocols, even dns,
>unless explicitly stated for a particular app (dns rules are specified
>for each app).

Given the concept of a "personal firewall", that's probably a good
solution.

>This is a new ISP, and I am getting a lot of UDP blocked packets in the
>log from it and from all over the globe.

1. UDP Source address _can_ and usually IS faked.
2. The last time I bothered to look at the UDP crap that was not DNS (to
and from port 53 on the nameservers my systems are configured to look to),
I was seeing over a thousand hits a day - mainly aimed at my ports 1025
to 1035. Inspecting representative packets showed it to be messenger spam
(fake windoze warning messages directing me to this or that web site to
get my computer "fixed"). As I'm not stupid enough to be using windoze,
I knew these packets could not be from my computer.

>When the block all else rule is at the end of the ruleset and set to
>log, I get the snippet shown below.

Snippet not found. I rarely (like once a year) bother to log packets
that have been dropped. My systems work, and have not been r00ted or
0w3n3d, so my firewall must be working correctly.

>The fw reports three ports listening p 137-139 for nbname, nbdatagram
>and nbsession, yet no data exchange for these ports presumably due to my
>block all else setting.

You have windoze sharing turned on. You probably also have windoze
messenger enabled. Turning both off would help, do a google search to
find out how.

>If I explicitly write a rule to block udp send and receive at the
>beginning of the set, I cannot get anything to communicate on the
>net,

Because it takes precedence over the other rules - and is blocking DNS.

>but when the fw is just set to block all else I can communicate,
>but I still see these blocked, mostly udp to p137 entries in my logs.

After turning off sharing, I'd suggest turning off this log function too.

>Why am I getting udp blocks incoming and outgoing from addresses from
>other networks?

Clueless people running a fools operating system. It's amazing that the
aftermarket is full of firewall programs that can be used by the average
user, and more amazing that they are needed because microsoft can't seem
to write the same quality programs. Still, the sheep keep buying it, and
that's all that matters to microsoft.

>Please take a look at the snippet below and advise what
>is going on and if this is normal or not?

Check the help screen, and try again - NO MORE THAN 30 LINES, NO MORE THAN
2400 CHARACTERS PLEASE.

Old guy
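As an added illustration of the precedence point above (a block-UDP rule at the top of the set kills DNS, while the block-all-else rule at the end only catches what the per-app rules did not permit), here is a small first-match rule engine written for this reply; it is not the poster's ruleset or Kerio's code, and it assumes Kerio 2.1x evaluates rules top-down with the first match deciding.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    direction: str   # "in" or "out"
    port: int        # remote port for "out", local port for "in"
    app: str         # local program owning the socket, "" if none

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    proto: str = "any"
    direction: str = "any"
    port: Optional[int] = None  # None matches any port
    app: str = "any"
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.direction in ("any", p.direction)
                and (self.port is None or self.port == p.port)
                and self.app in ("any", p.app))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str, bool]:
    """Top-down, first match wins (assumed Kerio 2.1x behaviour).
    Returns (action, name of deciding rule, whether that rule logs)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name, r.log
    return "deny", "implicit", False   # nothing matched at all

# Per-app rules as watson describes them: DNS is permitted per app only.
APP_RULES = [
    Rule("browser dns", "permit", "udp", "out", 53, "browser"),
    Rule("browser http", "permit", "tcp", "out", 80, "browser"),
]
BLOCK_ALL_ELSE = Rule("block all else", "deny", log=True)
BLOCK_ALL_UDP = Rule("block all udp", "deny", proto="udp")

RULESET_WORKING = APP_RULES + [BLOCK_ALL_ELSE]                  # deny last
RULESET_BROKEN = [BLOCK_ALL_UDP] + APP_RULES + [BLOCK_ALL_ELSE]  # deny udp first

# Constructed sample packets (not taken from the poster's log)
DNS_QUERY = Packet("udp", "out", 53, "browser")
NETBIOS_PROBE = Packet("udp", "in", 137, "")      # the "udp to p137" entries
MESSENGER_SPAM = Packet("udp", "in", 1026, "")    # the 1025-1035 hits Old guy saw
```

Run `evaluate(RULESET_BROKEN, DNS_QUERY)` and the browser's DNS query is denied by "block all udp" before its own permit rule is ever reached, whereas `RULESET_WORKING` permits it and drops (and logs) only the inbound 137 and messenger packets.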