Re: Firewall questions -- what is ...?

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 11/20/03


Date: Wed, 19 Nov 2003 21:13:56 -0500

comments inline:

"Gabriella" <gsetter@hotmail.com> wrote in message
news:090801c3ad3e$8ddacc10$a001280a@phx.gbl...

In addition to the other fine answers you already received...

> -- I assume it's a good thing that the firewall blocks
> incoming TCPs, UDPs etc but what might be contained in
> these packets that could cause a problem?

Most personal firewalls contain only rudimentary intrusion detection /
packet payload inspection. You could run better IDS software such as
Snort, free from www.snort.org, to try to get more detail, though note that
an IDS is not a firewall and does not necessarily protect you. You can capture
network data to a log file using Snort or a sniffer like Ethereal and then
run it through Snort or Ethereal for analysis at a later date, if you
wished. For the most part, as a home user, you should just block this stuff
using a firewall and forget about it. [But on the other hand, the more you
learn about how TCP/IP protocols are supposed to work, the more you learn
about how to use your firewall to protect yourself, e.g. what to allow and
what to deny.]

> -- Does it matter which port these packets have been sent
> to or from (most seem to come from 80)?

This makes all the difference. If the remote port is under 1024 or is a
port number for a well-known service and the destination port is above 1023,
it could be that your firewall is false-alarming on a packet that is really a
response to something your computer sent out. By searching www.google.com or
www.google.com/advanced_group_search, and/or by finding and opening up the
SERVICES file on your computer using Notepad, you can look up what various
ports do, and try to guess what might have been the intention of that
packet.

> -- What about outgoing TCPs? What is my computer trying /
> being asked to send?

Again, IDS or sniffer data would be helpful, as well as using a firewall
that logs what executable generated the packet. Looking up the remote IP
address or host name using www.network-tools.com can also give you a good
guess about the most likely purpose of the packet. Again, all these are
guesses and you are not likely to be able to confirm the purpose of every
packet in your firewall log.

> -- What kind of attack should make me grateful for having
> installed the firewall (port scan, SYN port scan and New
> Tear are among those to which I have been alerted). What
> is happening here?

You may never know. Since you have a firewall, some of those scans could
have turned into attacks later, had your firewall not prevented your
computer from replying to the scan. Teardrop and Newtear attacks are quite
old and I suspect a false alarm there. Port scans and SYN scans can be
false alarms too. Firewalls and IDS are prone to frequent false alarms.

> -- When I trace the route of some of these things (Sam
> Spade), many have no valid / fake / dubious / badly
> configured DNS, some in foreign countries. How crazy
> should I get? And is there anything I can do to protect
> myself besides running the firewall, and turning off file
> sharing?

Run antivirus that is configured to download updates automatically at least
once a week, and use http://windowsupdate.microsoft.com to install Microsoft
patches about once a month, after the second Tuesday of each month.

> I apologize for what are likely fairly basic questions,
> but try as I might, I can't get the information I need to
> educate myself. Any answers / pointers in the right
> direction would be very much appreciated. I won't even
> rant about the fact that laundry detergent comes with
> better instructions and information than software ...

Well, there's plenty of information in www.google.com if you want more.
It's hard to go into more detail in the documentation on security without
confusing a lot of people. There's no perfect solution.
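The port heuristic in the reply above (well-known source port, ephemeral destination port above 1023, so probably a response to something your own computer sent) can be turned into a small triage script. The following is an added example and is not code from the original post or from any firewall vendor: the log line format, the short SERVICES table, the sample log lines and the function names classify and summarize are all assumed and constructed here so it runs offline. It goes one step past the post by also checking the TCP flags, since a packet that is a genuine reply carries ACK, while a packet with only SYN set is a new connection attempt no matter which source port the sender chose.

```python
"""Triage constructed personal-firewall log lines with the port heuristic
from the post above. Added example, not code from the original post: the
log format, the SERVICES table and the sample lines are all invented here
so the script runs offline."""
import re
from dataclasses import dataclass

# Stand-in for the SERVICES file the post suggests opening in Notepad
# (constructed; a real one has hundreds of entries).
SERVICES = {
    25: "smtp", 53: "domain", 80: "http", 135: "epmap", 139: "netbios-ssn",
    443: "https", 445: "microsoft-ds", 1434: "ms-sql-m",
}

# Assumed log format: "<proto> <src>:<sport> -> <dst>:<dport> [flags=A,B]"
LOG_RE = re.compile(
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: flags=(?P<flags>[A-Z,]+))?$"
)

# Constructed sample lines: two replies to connections this host started,
# four unsolicited packets, one of them a SYN sent from source port 80.
SAMPLE_LOG = """\
TCP 203.0.113.10:80 -> 10.0.0.5:3412 flags=SYN,ACK
UDP 203.0.113.53:53 -> 10.0.0.5:1027
TCP 198.51.100.7:3099 -> 10.0.0.5:445 flags=SYN
TCP 198.51.100.7:3100 -> 10.0.0.5:135 flags=SYN
UDP 198.51.100.9:4821 -> 10.0.0.5:1434
TCP 192.0.2.44:80 -> 10.0.0.5:80 flags=SYN
"""


@dataclass
class Verdict:
    line: str
    verdict: str   # "probable reply", "unsolicited" or "unknown"
    reason: str


def service_name(port: int) -> str:
    return SERVICES.get(port, f"port {port} (no well-known service)")


def classify(line: str) -> Verdict:
    """Apply the post's rule: well-known source port plus ephemeral (>1023)
    destination port suggests a reply to our own outbound traffic. For TCP
    the flags settle it: a reply carries ACK, while a SYN without ACK is a
    new connection attempt whatever its source port."""
    m = LOG_RE.match(line.strip())
    if not m:
        return Verdict(line, "unknown", "line does not match the assumed log format")
    proto = m["proto"]
    sport, dport = int(m["sport"]), int(m["dport"])
    flags = set(m["flags"].split(",")) if m["flags"] else set()

    if proto == "TCP" and "SYN" in flags and "ACK" not in flags:
        reason = f"SYN-only packet to {service_name(dport)}: unsolicited connection attempt"
        if sport < 1024:
            reason += f"; source port {sport} proves nothing, the sender picks any source port it likes"
        return Verdict(line, "unsolicited", reason)

    if proto == "TCP" and "ACK" in flags and sport < 1024 and dport > 1023:
        return Verdict(line, "probable reply",
                       f"ACK from {service_name(sport)} to an ephemeral port: likely a response to something we sent")

    if proto == "UDP" and sport in SERVICES and dport > 1023 and dport not in SERVICES:
        return Verdict(line, "probable reply",
                       f"datagram from {service_name(sport)} to an ephemeral port (UDP has no flags, so only a guess)")

    if proto == "UDP" and dport in SERVICES:
        return Verdict(line, "unsolicited", f"datagram to {service_name(dport)} with no matching request")

    return Verdict(line, "unknown", "does not fit either pattern; check the firewall's connection state")


def summarize(lines) -> dict:
    """Count verdicts, the way you'd skim a day's log before digging in."""
    counts: dict = {}
    for v in (classify(l) for l in lines if l.strip()):
        counts[v.verdict] = counts.get(v.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for v in map(classify, SAMPLE_LOG.splitlines()):
        print(f"{v.verdict:15} {v.line}\n{'':15} {v.reason}")
    print(summarize(SAMPLE_LOG.splitlines()))
```

Note that the last sample line is the case the post warns about: it comes "from 80" yet is SYN-only, so the script calls it unsolicited rather than a reply. A stateful firewall does the same job properly by remembering which connections the host opened; this script only imitates that guess from a stateless log.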


