new to firewalls - Firewalls


Thread: new to firewalls

  1. new to firewalls


    I just installed comodo pro firewall.
    I have never really used a firewall before
    and I have a question. I keep getting
    inbound policy violation entries in the log
    every few minutes all from the same ip
    address. Can someone explain this?

    Date/Time :2007-10-16 20:47:23Severity :MediumReporter :Network
    MonitorDescription: Inbound Policy Violation (Access Denied, IP =
    192.168.1.65, Port = nbname(137))Protocol: UDP IncomingSource:
    192.168.1.65:nbname(137) Destination: 192.168.1.255:nbname(137)
    Reason: Network Control Rule ID = 5



    Date/Time :2007-10-16 20:47:18Severity :MediumReporter :Network
    MonitorDescription: Inbound Policy Violation (Access Denied, IP =
    192.168.1.65, Port = nbdgram(138))Protocol: UDP IncomingSource:
    192.168.1.65:nbdgram(138) Destination: 192.168.1.255:nbdgram(138)
    Reason: Network Control Rule ID = 5

    thanks

    tom

  2. Re: new to firewalls


    "Tom W." wrote in message
    news:cvmah3tqi44bm3ltj1fcen519e1km3jf13@4ax.com...
    >
    > I just installed comodo pro firewall.
    > I have never really used a firewall before
    > and I have a question. I keep getting
    > inbound policy violation entries in the log
    > every few minutes all from the same ip
    > address. Can someone explain this?
    >


    Something like Comodo is not FW technology. Comodo is a personal packet
    filter or machine level packet filter, and it's not FW technology.

    You can start with the links.

    http://www.vicomsoft.com/knowledge/r...irewalls1.html
    http://www.more.net/technical/netserv/tcpip/firewalls/

    > Date/Time :2007-10-16 20:47:23Severity :MediumReporter :Network
    > MonitorDescription: Inbound Policy Violation (Access Denied, IP =
    > 192.168.1.65, Port = nbname(137))Protocol: UDP IncomingSource:
    > 192.168.1.65:nbname(137) Destination: 192.168.1.255:nbname(137)
    > Reason: Network Control Rule ID = 5
    >
    >
    >
    > Date/Time :2007-10-16 20:47:18Severity :MediumReporter :Network
    > MonitorDescription: Inbound Policy Violation (Access Denied, IP =
    > 192.168.1.65, Port = nbdgram(138))Protocol: UDP IncomingSource:
    > 192.168.1.65:nbdgram(138) Destination: 192.168.1.255:nbdgram(138)
    > Reason: Network Control Rule ID = 5
    >


    It was denied; the personal packet filter is doing its job of stopping
    unsolicited inbound traffic. What you need to worry about is the inbound
    traffic that is coming through the packet filter and is not being denied.
    A connection is made due to some program running on the computer behind the
    FW or packet filter that has made a solicitation for traffic to a
    remote/Internet IP, because the program sent outbound traffic to the site,
    and inbound traffic is coming back -- the solicitation.

    There are two types of traffic a FW or a packet filter is going to deal with,
    and it is kind of a default. 1) Solicited inbound traffic. Traffic is coming
    inbound because a program running behind the FW or packet filter has sent
    outbound traffic, or the contact was initiated by the program behind the FW
    or packet filter. The FW or packet filter is going to let that type of
    inbound traffic pass. The traffic can or cannot be legit. It could be a
    legit program or a malware program that is doing the solicitation.


    2) Unsolicited inbound traffic is just the opposite. No program running
    behind the FW or packet filter has made a solicitation for inbound traffic.
    That type of inbound traffic is blocked or denied.






  3. Re: new to firewalls

    On Tue, 16 Oct 2007 23:14:29 -0400, "Mr. Arnold" Arnold@Arnold.com> wrote:

    >
    >"Tom W." wrote in message
    >news:cvmah3tqi44bm3ltj1fcen519e1km3jf13@4ax.com...
    >>
    >> I just installed comodo pro firewall.
    >> I have never really used a firewall before
    >> and I have a question. I keep getting
    >> inbound policy violation entries in the log
    >> every few minutes all from the same ip
    >> address. Can someone explain this?
    >>

    >
    >Something like Comodo is not FW technology. Comodo is a personal packet
    >filter or machine level packet filter, and it's not FW technology.
    >
    >You can start with the links.
    >
    >http://www.vicomsoft.com/knowledge/r...irewalls1.html
    >http://www.more.net/technical/netserv/tcpip/firewalls/
    >
    >> Date/Time :2007-10-16 20:47:23Severity :MediumReporter :Network
    >> MonitorDescription: Inbound Policy Violation (Access Denied, IP =
    >> 192.168.1.65, Port = nbname(137))Protocol: UDP IncomingSource:
    >> 192.168.1.65:nbname(137) Destination: 192.168.1.255:nbname(137)
    >> Reason: Network Control Rule ID = 5
    >>
    >>
    >>
    >> Date/Time :2007-10-16 20:47:18Severity :MediumReporter :Network
    >> MonitorDescription: Inbound Policy Violation (Access Denied, IP =
    >> 192.168.1.65, Port = nbdgram(138))Protocol: UDP IncomingSource:
    >> 192.168.1.65:nbdgram(138) Destination: 192.168.1.255:nbdgram(138)
    >> Reason: Network Control Rule ID = 5
    >>

    >
    >It was denied; the personal packet filter is doing its job of stopping
    >unsolicited inbound traffic. What you need to worry about is the inbound
    >traffic that is coming through the packet filter and is not being denied.
    >A connection is made due to some program running on the computer behind the
    >FW or packet filter that has made a solicitation for traffic to a
    >remote/Internet IP, because the program sent outbound traffic to the site,
    >and inbound traffic is coming back -- the solicitation.
    >
    >There are two types of traffic a FW or a packet filter is going to deal with,
    >and it is kind of a default. 1) Solicited inbound traffic. Traffic is coming
    >inbound because a program running behind the FW or packet filter has sent
    >outbound traffic, or the contact was initiated by the program behind the FW
    >or packet filter. The FW or packet filter is going to let that type of
    >inbound traffic pass. The traffic can or cannot be legit. It could be a
    >legit program or a malware program that is doing the solicitation.
    >
    >
    >2) Unsolicited inbound traffic is just the opposite. No program running
    >behind the FW or packet filter has made a solicitation for inbound traffic.
    >That type of inbound traffic is blocked or denied.
    >
    >
    >
    >


    Rebooting the computer seems to have cleared it up.
    Thanks for the response.

    Tom


  4. Re: new to firewalls



    "Tom W." wrote in message
    news:l20bh3l7pog4370vep6vkvrmn76trks1va@4ax.com...
    > On Tue, 16 Oct 2007 23:14:29 -0400, "Mr. Arnold" > Arnold@Arnold.com> wrote:
    >
    >>
    >>"Tom W." wrote in message
    >>news:cvmah3tqi44bm3ltj1fcen519e1km3jf13@4ax.com...
    >>>
    >>> I just installed comodo pro firewall.
    >>> I have never really used a firewall before
    >>> and I have a question. I keep getting
    >>> inbound policy violation entries in the log
    >>> every few minutes all from the same ip
    >>> address. Can someone explain this?
    >>>

    >>
    >>Something like Comodo is not FW technology. Comodo is a personal packet
    >>filter or machine level packet filter, and it's not FW technology.
    >>
    >>You can start with the links.
    >>
    >>http://www.vicomsoft.com/knowledge/r...irewalls1.html
    >>http://www.more.net/technical/netserv/tcpip/firewalls/
    >>
    >>> Date/Time :2007-10-16 20:47:23Severity :MediumReporter :Network
    >>> MonitorDescription: Inbound Policy Violation (Access Denied, IP =
    >>> 192.168.1.65, Port = nbname(137))Protocol: UDP IncomingSource:
    >>> 192.168.1.65:nbname(137) Destination: 192.168.1.255:nbname(137)
    >>> Reason: Network Control Rule ID = 5
    >>>
    >>>
    >>>
    >>> Date/Time :2007-10-16 20:47:18Severity :MediumReporter :Network
    >>> MonitorDescription: Inbound Policy Violation (Access Denied, IP =
    >>> 192.168.1.65, Port = nbdgram(138))Protocol: UDP IncomingSource:
    >>> 192.168.1.65:nbdgram(138) Destination: 192.168.1.255:nbdgram(138)
    >>> Reason: Network Control Rule ID = 5
    >>>

    >>
    >>It was denied; the personal packet filter is doing its job of stopping
    >>unsolicited inbound traffic. What you need to worry about is the inbound
    >>traffic that is coming through the packet filter and is not being denied.
    >>A connection is made due to some program running on the computer behind
    >>the FW or packet filter that has made a solicitation for traffic to a
    >>remote/Internet IP, because the program sent outbound traffic to the site,
    >>and inbound traffic is coming back -- the solicitation.
    >>
    >>There are two types of traffic a FW or a packet filter is going to deal
    >>with, and it is kind of a default. 1) Solicited inbound traffic. Traffic is
    >>coming inbound because a program running behind the FW or packet filter
    >>has sent outbound traffic, or the contact was initiated by the program
    >>behind the FW or packet filter. The FW or packet filter is going to let
    >>that type of inbound traffic pass. The traffic can or cannot be legit. It
    >>could be a legit program or a malware program that is doing the
    >>solicitation.
    >>
    >>
    >>2) Unsolicited inbound traffic is just the opposite. No program running
    >>behind the FW or packet filter has made a solicitation for inbound
    >>traffic. That type of inbound traffic is blocked or denied.
    >>
    >>
    >>
    >>

    >
    > Rebooting the computer seems to have cleared it up.
    > Thanks for the response.
    >


    I suspect that's not the case. Unsolicited inbound traffic, which was what
    the packet filter was blocking, is just everyday noise or traffic on the
    Internet. The booting of the computer is not going to clear it up, unless
    Comodo was doing false reporting, which can happen with any PFW/personal
    packet filter. But most likely, the unsolicited traffic was stopped from
    whatever was on the other end, because it couldn't get through, and it moved on.


  5. Re: new to firewalls

    On Tue, 16 Oct 2007 23:50:31 -0400, "Mr. Arnold" Arnold@Arnold.com> wrote:

    >snipped for space.
    >>>
    >>>
    >>>
    >>>

    >>
    >> Rebooting the computer seems to have cleared it up.
    >> Thanks for the response.
    >>

    >
    >I suspect that's not the case. Unsolicited inbound traffic, which was what
    >the packet filter was blocking, is just everyday noise or traffic on the
    >Internet. The booting of the computer is not going to clear it up, unless
    >Comodo was doing false reporting, which can happen with any PFW/personal
    >packet filter. But most likely, the unsolicited traffic was stopped from
    >whatever was on the other end, because it couldn't get through, and it moved on.


    I just turned on the computer this morning and got this:


    Date/Time :2007-10-17 09:39:48Severity :MediumReporter :Network
    MonitorDescription: Outbound Policy Violation (Access Denied, Protocol
    = IGMP)Protocol:IGMP OutgoingSource: 192.168.1.64 Destination:
    224.0.0.22 Reason: Network Control Rule ID = 5

    windows media player goes out on 192.168.1.64. I don't know what
    it is.

    tom


  6. Re: new to firewalls

    Tom W. wrote:


    > I just turned on the computer this morning and got this:
    >
    >
    > Date/Time :2007-10-17 09:39:48Severity :MediumReporter :Network
    > MonitorDescription: Outbound Policy Violation (Access Denied, Protocol
    > = IGMP)Protocol:IGMP OutgoingSource: 192.168.1.64 Destination:
    > 224.0.0.22 Reason: Network Control Rule ID = 5
    >
    > windows media player goes out on 192.168.1.64. I don't know what
    > it is.



    If you don't have sufficient knowledge about networks and protocols, why do
    you even run a host-based packet filter and even further believe that you
    could actually achieve any level of security through it?

    The above is a simple multicast subscription initiated upon your very own
    request.

  7. Re: new to firewalls

    On Wed, 17 Oct 2007 16:04:12 +0200, "Sebastian G."
    wrote:

    >Tom W. wrote:
    >
    >
    >> I just turned on the computer this morning and got this:
    >>
    >>
    >> Date/Time :2007-10-17 09:39:48Severity :MediumReporter :Network
    >> MonitorDescription: Outbound Policy Violation (Access Denied, Protocol
    >> = IGMP)Protocol:IGMP OutgoingSource: 192.168.1.64 Destination:
    >> 224.0.0.22 Reason: Network Control Rule ID = 5
    >>
    >> windows media player goes out on 192.168.1.64. I don't know what
    >> it is.

    >
    >
    >If you don't have sufficient knowledge about networks and protocols, why do
    >you even run a host-based packet filter and even further believe that you
    >could actually achieve any level of security through it?
    >
    >The above is a simple multicast subscription initiated upon your very own
    >request.


    I had picked up a few trojans and decided to install a firewall.
    Comodo was supposed to be good so I installed it. It
    was blocking repeated connections from somewhere and
    I wondered why. It was recommended so I installed it.

    Tom


  8. Re: new to firewalls

    Tom W. wrote:
    > On Tue, 16 Oct 2007 23:50:31 -0400, "Mr. Arnold" > Arnold@Arnold.com> wrote:
    >
    >> snipped for space.
    >>>>
    >>>>
    >>>>
    >>> Rebooting the computer seems to have cleared it up.
    >>> Thanks for the response.
    >>>

    >> I suspect that's not the case. Unsolicited inbound traffic, which was what
    >> the packet filter was blocking, is just everyday noise or traffic on the
    >> Internet. The booting of the computer is not going to clear it up, unless
    >> Comodo was doing false reporting, which can happen with any PFW/personal
    >> packet filter. But most likely, the unsolicited traffic was stopped from
    >> whatever was on the other end, because it couldn't get through, and it moved on.

    >
    > I just turned on the computer this morning and got this:
    >
    >
    > Date/Time :2007-10-17 09:39:48Severity :MediumReporter :Network
    > MonitorDescription: Outbound Policy Violation (Access Denied, Protocol
    > = IGMP)Protocol:IGMP OutgoingSource: 192.168.1.64 Destination:
    > 224.0.0.22 Reason: Network Control Rule ID = 5
    >
    > windows media player goes out on 192.168.1.64. I don't know what
    > it is.
    >
    > tom
    >

    iirc 224.x.x.x is a multicast address
    it seems to me wmp is trying to become part of the multicast group
    which could be normal behaviour iirc wmp could try this to accept
    multicast packets
    for information like MSN today, wmp loads things from the internet like
    advertisement, new
    bbc clips, ...

    i myself wouldn't allow this, but i myself will never use WMP.

  9. Re: new to firewalls

    On Wed, 17 Oct 2007 18:53:24 +0200, goarilla <"kevin DOT paulus AT
    skynet DOT be"> wrote:

    >Tom W. wrote:
    >> On Tue, 16 Oct 2007 23:50:31 -0400, "Mr. Arnold" >> Arnold@Arnold.com> wrote:
    >>
    >>> snipped for space.
    >>>>>
    >>>>>
    >>>>>
    >>>> Rebooting the computer seems to have cleared it up.
    >>>> Thanks for the response.
    >>>>
    >>> I suspect that's not the case. Unsolicited inbound traffic, which was what
    >>> the packet filter was blocking, is just everyday noise or traffic on the
    >>> Internet. The booting of the computer is not going to clear it up, unless
    >>> Comodo was doing false reporting, which can happen with any PFW/personal
    >>> packet filter. But most likely, the unsolicited traffic was stopped from
    >>> whatever was on the other end, because it couldn't get through, and it moved on.

    >>
    >> I just turned on the computer this morning and got this:
    >>
    >>
    >> Date/Time :2007-10-17 09:39:48Severity :MediumReporter :Network
    >> MonitorDescription: Outbound Policy Violation (Access Denied, Protocol
    >> = IGMP)Protocol:IGMP OutgoingSource: 192.168.1.64 Destination:
    >> 224.0.0.22 Reason: Network Control Rule ID = 5
    >>
    >> windows media player goes out on 192.168.1.64. I don't know what
    >> it is.
    >>
    >> tom
    >>

    >iirc 224.x.x.x is a multicast address
    >it seems to me wmp is trying to become part of the multicast group
    >which could be normal behaviour iirc wmp could try this to accept
    >multicast packets
    >for information like MSN today, wmp loads things from the internet like
    >advertisement, new
    >bbc clips, ...
    >
    >i myself wouldn't allow this, but i myself will never use WMP.


    Ok...Thanks. I didn't have problems until I let ActiveX and
    scripting through on Internet Explorer. Almost every page
    wants to use ActiveX and I gave in and let the browser use it.
    When I did I started to get loaded with adware and viruses.

    Tom

  10. Re: new to firewalls

    Tom W. wrote:


    >> If you don't have sufficient knowledge about networks and protocols, why do
    >> you even run a host-based packet filter and even further believe that you
    >> could actually achieve any level of security through it?
    >>
    >> The above is a simple multicast subscription initiated upon your very own
    >> request.

    >
    > I had picked up a few trojans and decided to install a firewall.



    Firewalls can't protect against trojan horses, and in fact nothing but
    education can. Even further, if you picked up some trojan horses, then you
    installed them intentionally and it's solely your very own fault - how
    should dumb software prevent you from doing what you want, and why would you
    not enforce your own stupid ideas against such software?

    > Comodo was supposed to be good so I installed it.



    If you had informed yourself properly, then you'd understand that Comodo is
    anything but good. It hooks into various kernel functions for no good, or
    better said: no serious reason, and thus adds a huge amount of complexity -
    and complexity is exactly the contrary of security.

    > It was blocking repeated connections from somewhere and
    > I wondered why.



    Don't worry, we also wonder why it does what it does. Since it has no actual
    goal, it seems like it acts particularly random / non-deterministic.

  11. Re: new to firewalls

    Tom W. wrote:

    > Ok...Thanks. I didn't have problems until I let active x and
    > scripting through on internet explorer.



    You don't need ActiveX or even the scripting stuff to get malware when
    visiting websites with MSIE.

    > Almost every page wants to use active x and i gave in and


    > let the browser use it.


    Now the real question is: Why are you abusing MSIE as a web browser, and why
    do you even wonder that this would lead to security problems?

    And, as I see it now: As you're most likely not Michael Grossman, why are
    you abusing his domain here.com for your mail address?

  12. Re: new to firewalls

    In article <5nnb4qFj51tgU1@mid.dfncis.de>, seppi@seppig.de says...
    > Firewalls can't protect against trojan horses, and in fact nothing but
    > education can.


    Trojans and other malware are the result of downloading some file that
    installs the malware.

    With HTTP, SMTP and FTP proxy services in firewalls, you can block
    attachments of types that commonly infect systems.

    As an example, we don't allow non-admin users to download any file that
    could be "Run" or Zip files, as well as about 30 other types....

    So, a firewall can protect against them, but it does it by keeping you
    from getting at them.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  13. Re: new to firewalls

    Tom W. wrote:

    >Can someone explain this?
    >
    >Date/Time :2007-10-16 20:47:23Severity :MediumReporter :Network
    >MonitorDescription: Inbound Policy Violation (Access Denied, IP =
    >192.168.1.65, Port = nbname(137))Protocol: UDP IncomingSource:
    >192.168.1.65:nbname(137) Destination: 192.168.1.255:nbname(137)
    >Reason: Network Control Rule ID = 5


    Normal Micro$oft NetBIOS over TCP/IP traffic from a private network.
    If you connect to a network with other computers (like a private
    wireless network) you will normally see this traffic because M$ turns
    on NetBIOS over TCP/IP by default on all network interfaces. I
    recommend that people turn off this setting unless they have a need to
    reference computers on their network by NetBIOS name.
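An added example (my own code, not anything posted in this thread): a small Python triage script that parses the Comodo Network Monitor entries Tom posted, in the run-together form they appear in above, and labels each one using the explanations given in posts 2, 6, 8 and 13. The labels, the notes and the assumption that the LAN is a /24 (so .255 is the broadcast address) are mine.

```python
import ipaddress
import re

# The three Network Monitor entries Tom posted, copied from the thread with
# their original line wrapping (parse_entry() folds the whitespace back).
SAMPLE_ENTRIES = [
    """Date/Time :2007-10-16 20:47:23Severity :MediumReporter :Network
    MonitorDescription: Inbound Policy Violation (Access Denied, IP =
    192.168.1.65, Port = nbname(137))Protocol: UDP IncomingSource:
    192.168.1.65:nbname(137) Destination: 192.168.1.255:nbname(137)
    Reason: Network Control Rule ID = 5""",
    """Date/Time :2007-10-16 20:47:18Severity :MediumReporter :Network
    MonitorDescription: Inbound Policy Violation (Access Denied, IP =
    192.168.1.65, Port = nbdgram(138))Protocol: UDP IncomingSource:
    192.168.1.65:nbdgram(138) Destination: 192.168.1.255:nbdgram(138)
    Reason: Network Control Rule ID = 5""",
    """Date/Time :2007-10-17 09:39:48Severity :MediumReporter :Network
    MonitorDescription: Outbound Policy Violation (Access Denied, Protocol
    = IGMP)Protocol:IGMP OutgoingSource: 192.168.1.64 Destination:
    224.0.0.22 Reason: Network Control Rule ID = 5""",
]

# Field order as it appears in the run-together Comodo entry; the lazy
# groups stop at the next field label.
ENTRY_RE = re.compile(
    r"Date/Time :(?P<time>\S+ \S+)Severity :(?P<severity>\w+)"
    r"Reporter :(?P<reporter>.+?)Description: (?P<description>.+?)"
    r"Protocol: ?(?P<proto>\w+) (?P<direction>Incoming|Outgoing)"
    r"Source: (?P<src>\S+) Destination: (?P<dst>\S+) "
    r"Reason: Network Control Rule ID = (?P<rule>\d+)")
# "192.168.1.65:nbname(137)", or a bare "192.168.1.64" for IGMP.
ENDPOINT_RE = re.compile(r"^(?P<ip>[\d.]+)(?::\w+\((?P<port>\d+)\))?$")
NETBIOS_PORTS = {137, 138}  # nbname, nbdgram


def parse_endpoint(text):
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised endpoint {text!r}")
    port = m.group("port")
    return ipaddress.ip_address(m.group("ip")), (int(port) if port else None)


def parse_entry(text):
    """Parse one entry (possibly wrapped across lines) into a dict."""
    m = ENTRY_RE.search(" ".join(text.split()))
    if not m:
        raise ValueError("not a Network Monitor entry")
    f = m.groupdict()
    f["src_ip"], f["src_port"] = parse_endpoint(f.pop("src"))
    f["dst_ip"], f["dst_port"] = parse_endpoint(f.pop("dst"))
    f["rule"] = int(f["rule"])
    return f


def triage(entry):
    """Return (label, note) using the explanations given in the replies."""
    src, dst = entry["src_ip"], entry["dst_ip"]
    # Post 13: UDP 137/138 to the subnet broadcast is NetBIOS over TCP/IP
    # chatter from a LAN neighbour (assumes a /24 LAN, as in the thread).
    if (entry["proto"] == "UDP" and entry["direction"] == "Incoming"
            and entry["dst_port"] in NETBIOS_PORTS
            and src.is_private and dst.is_private and dst.packed[-1] == 255):
        return "netbios-broadcast", ("LAN NetBIOS broadcast; harmless when "
                                     "denied, disable NetBT if not needed")
    # Posts 6 and 8: IGMP to a 224.0.0.0/4 group is this host joining a
    # multicast group (224.0.0.22 is the IGMPv3 membership-report address).
    if (entry["proto"] == "IGMP" and entry["direction"] == "Outgoing"
            and dst.is_multicast):
        return "igmp-membership", ("app-initiated multicast join; identify "
                                   "the process before allowing it")
    # Post 2: unsolicited inbound from the Internet is everyday noise and
    # the deny is the filter doing its job.
    if entry["direction"] == "Incoming" and src.is_global:
        return "unsolicited-internet", "blocked Internet noise; no action"
    return "review", "no known pattern; inspect the process and the peer"
```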

  14. Re: new to firewalls


    "Tom W." wrote in message
    news:urdch319p41isa5oip0bmcn0hpq10g18fj@4ax.com...
    > On Wed, 17 Oct 2007 18:53:24 +0200, goarilla <"kevin DOT paulus AT
    > skynet DOT be"> wrote:
    >
    >>Tom W. wrote:
    >>> On Tue, 16 Oct 2007 23:50:31 -0400, "Mr. Arnold" >>> Arnold@Arnold.com> wrote:
    >>>
    >>>> snipped for space.
    >>>>>>
    >>>>>>
    >>>>>>
    >>>>> Rebooting the computer seems to have cleared it up.
    >>>>> Thanks for the response.
    >>>>>
    >>>> I suspect that's not the case. Unsolicited inbound traffic, which was
    >>>> what the packet filter was blocking, is just everyday noise or traffic
    >>>> on the Internet. The booting of the computer is not going to clear it
    >>>> up, unless Comodo was doing false reporting, which can happen with any
    >>>> PFW/personal packet filter. But most likely, the unsolicited traffic was
    >>>> stopped from whatever was on the other end, because it couldn't get
    >>>> through, and it moved on.
    >>>
    >>> I just turned on the computer this morning and got this:
    >>>
    >>>
    >>> Date/Time :2007-10-17 09:39:48Severity :MediumReporter :Network
    >>> MonitorDescription: Outbound Policy Violation (Access Denied, Protocol
    >>> = IGMP)Protocol:IGMP OutgoingSource: 192.168.1.64 Destination:
    >>> 224.0.0.22 Reason: Network Control Rule ID = 5
    >>>
    >>> windows media player goes out on 192.168.1.64. I don't know what
    >>> it is.
    >>>
    >>> tom
    >>>

    >>iirc 224.x.x.x is a multicast address
    >>it seems to me wmp is trying to become part of the multicast group
    >>which could be normal behaviour iirc wmp could try this to accept
    >>multicast packets
    >>for information like MSN today, wmp loads things from the internet like
    >>advertisement, new
    >>bbc clips, ...
    >>
    >>i myself wouldn't allow this, but i myself will never use WMP.

    >
    > Ok...Thanks. I didn't have problems until I let ActiveX and
    > scripting through on Internet Explorer. Almost every page
    > wants to use ActiveX and I gave in and let the browser use it.
    > When I did I started to get loaded with adware and viruses.
    >


    I read your other post about picking up some Trojans. The machine has been
    compromised. You should consider what is in the link.

    http://www.microsoft.com/technet/com...mt/sm0504.mspx

    It's up to you to practice safe hex, like not using IE if it's a problem
    for you. Only use IE when a site calls for the use of IE, and instead of
    using OE or Outlook, find alternatives to these solutions that are less
    susceptible to attack, in your case.

    http://www.claymania.com/safe-hex.html

    FireFox for the browser and Thunderbird for the email client are free. FF
    has the touch and feel of IE but doesn't use ActiveX controls and is a
    little tighter in its vulnerabilities.

    But you should know this. None of this stuff and I mean *NONE* of this stuff
    is bullet proof. I don't care what O/S, like MS, Linux, Apple, whatever or
    what applications are running on the platforms as all of it is vulnerable to
    attack.

    On the MS platform such as XP or other NT classed MS O/S(s), you have to go
    look from time to time for yourself with other tools. You cannot think that
    any one solution is providing stop all protection and notification. They
    cannot do it.

    http://www.windowsecurity.com/articl...vironment.html


    You should harden or tighten the O/S against attack as much as possible.
    For example, if Client for MS Networks and MS File & Print Sharing are
    enabled on the Network Interface Card or dial-up connection, and it's a
    computer that is connected to the modem, which is a direct connection to
    the Internet, then those services or features should be removed. The
    computer has no business, or should have no possibility, of being in any
    networking situation while connected to the Internet in this manner - none.

    http://labmice.techtarget.com/articl...ychecklist.htm

    The buck starts with you, the buck stops with you, and what you are or are
    not doing to protect your situation, with the knowledge you have to do it.

    I say it's based upon who is sitting behind the wheel and is doing the driving.



