Re: How to tell if a firewall alert is suspicious or not

From: Karl Levinson, mvp (
Date: 09/16/05

Date: Fri, 16 Sep 2005 08:32:32 -0400

"Gerard Schroeder" <> wrote in message

> Where would YOU go when you received any one of the messages previously
> posted when you didn't explicitly ask for that IP address to connect to
> you?

I do the same things I suggested in my post.

> With Sygate Personal Firewall (and I suspect all software firewalls), you
> can tell the program to silently ignore and simply LOG all these
> connections! My question was really WHICH OF THESE WOULD YOU IGNORE?

I think the best firewall configuration is one that doesn't give you any
popups whatsoever. Corporate firewalls don't give the firewall
administrator popups and ask him or her questions. They just work. The
same thing is true of hardware firewalls used in homes. Firewalls should
have just two situations: packets it knows are bad and it blocks without
question, and everything else that it lets through.

> > Having a firewall ask the user to make decisions is a security accident
> > waiting to happen, and is also a significant consumption of your time.
> Is there any other choice?

Yes... I don't have the latest version of Sygate, but I believe most
software firewalls have a configuration choice that does not cause any
popups. If Sygate doesn't, there's also,,
both of which are free. If you are already protected by a hardware
firewall, you may not really totally need that software firewall.

> 1. Which of these common requests is truly something to ignore

All of them.

> machine. It doesn't tell me WHY they would be contacting me. (Remember,

The problem is all you've got is what the firewall tells you, and it hasn't
told you everything you need to know. Very often, you will not be able to
100% determine the cause. You'll have to make a best guess, go with a gut
feeling, and move on. Even professionals who monitor computer networks for
intrusions do this as well.

Another possibly strategy would be to deny any packets you have questions
about. If something breaks, then you know it was probably something you
needed to allow. This is also the safest strategy.

> that server only contacted me once and I have been using this same setup
> for years). So, why, all of a sudden, would a machine which purports to be
> a DNS server, be contacting me?

I believe it is more likely that this was a reply to a connection your
computer made. The reply took too long to come back, and your firewall
stopped watching that connection, was surprised when the reply came back and
considered it a new connection. DNS servers should never be contacting you.
This situation can happen when you look up the IP address for a host name
where the DNS server is troubled or down and does not respond, and the
request times out 45 seconds or more later. It's happened to me.

> In defence of the Sygate Personal Firewall, there is a DETAILS button
> spits out a huge amount of cryptic (to a novice) information about
> something called a "packet" so the remote port MIGHT be in that listing.

Ah, that might help us a little. But I'm still leaning towards ignoring
this one, moving on, and pursuing a silent firewall configuration.

> I could post the DETAILED information if it would help (caution, it's
> cryptic at best).

Sure, go ahead.