Firewall question - Firewalls


  1. Firewall question

    I just switched antivirus programs a few weeks ago from NAV to Bit
    Defender and in doing so lost the Norton Internet Worm Protection (i.e
    the builtin firewall). So I decided to enable the windows firewall and
    also turned on logging. I also have a FW built in to my netgear wgr614
    router which is supposed to be blocking everything except for 3 or 4 ports
    that I have forwarded. When I check the Windows FW log however I see
    thousands of entries where the action column is set to "DROP" for ports
    that shouldn't even be getting through the hardware firewall. For
    example TCP ports 2188 and 2273, and UDP port 8088 none of which are
    forwarded. How are they getting as far as the software firewall?

    My IP has not changed for several months and none of the IP's below are
    my WAN IP.

    Here's a couple of examples.

    #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

    2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - - - - - - - RECEIVE

    2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A 4075071033 456793686 27466 - - - RECEIVE

    2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP 2133527059 111240437 18356 - - - RECEIVE

    TIA

  2. Re: Firewall question


    "Chuck" wrote in message
    news:_Voni.12961$LH5.10424@trnddc02...
    >I just switched antivirus programs a few weeks ago from NAV to Bit
    > Defender and in doing so lost the Norton Internet Worm Protection (i.e
    > the builtin firewall). So I decided to enable the windows firewall and
    > also turned on logging. I also have a FW built in to my netgear wgr614
    > router which is supposed to be blocking everything except for 3 or 4 ports
    > that I have forwarded. When I check the Windows FW log however I see
    > thousands of entries where the action column is set to "DROP" for ports
    > that shouldn't even be getting through the hardware firewall. For
    > example TCP ports 2188 and 2273, and UDP port 8088 none of which are
    > forwarded. How are they getting as far as the software firewall?
    >
    > My IP has not changed for several months and none of the IP's below are
    > my WAN IP.
    >
    > Here's a couple of examples.
    >
    > #Fields: date time action protocol src-ip dst-ip src-port dst-port size
    > tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    >
    > 2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - -
    > - - - - - RECEIVE
    >
    > 2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A
    > 4075071033 456793686 27466 - - - RECEIVE
    >
    > 2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP
    > 2133527059 111240437 18356 - - - RECEIVE
    >
    > TIA


    Close all the ports on the router, don't forward them. And if you don't have
    the same thing happening, then that should tell that you have ports open,
    and anything can come down the forwarded open port with unsolicited inbound
    traffic, that are looking for openings and something listening on the port.


  3. Re: Firewall question

    Mr. Arnold wrote:
    >
    > "Chuck" wrote in message
    > news:_Voni.12961$LH5.10424@trnddc02...
    >> I just switched antivirus programs a few weeks ago from NAV to Bit
    >> Defender and in doing so lost the Norton Internet Worm Protection (i.e
    >> the builtin firewall). So I decided to enable the windows firewall and
    >> also turned on logging. I also have a FW built in to my netgear wgr614
    >> router which is supposed to be blocking everything except for 3 or 4 ports
    >> that I have forwarded. When I check the Windows FW log however I see
    >> thousands of entries where the action column is set to "DROP" for ports
    >> that shouldn't even be getting through the hardware firewall. For
    >> example TCP ports 2188 and 2273, and UDP port 8088 none of which are
    >> forwarded. How are they getting as far as the software firewall?
    >>
    >> My IP has not changed for several months and none of the IP's below are
    >> my WAN IP.
    >>
    >> Here's a couple of examples.
    >>
    >> #Fields: date time action protocol src-ip dst-ip src-port dst-port size
    >> tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    >>
    >> 2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - -
    >> - - - - - RECEIVE
    >>
    >> 2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A
    >> 4075071033 456793686 27466 - - - RECEIVE
    >>
    >> 2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP
    >> 2133527059 111240437 18356 - - - RECEIVE
    >>
    >> TIA

    >
    > Close all the ports on the router, don't forward them. And if you don't
    > have the same thing happening, then that should tell that you have ports
    > open, and anything can come down the forwarded open port with
    > unsolicited inbound traffic, that are looking for openings and something
    > listening on the port.


    I can't do that. I am not at home and that will cut off my remote access
    to the network. I just double checked the router and the only forwarded
    port is for ssh. And even that's secured as much as possible. It's
    running on a non-standard port, only allows pubkey authentication, and
    has a 5 second login grace time.

  4. Re: Firewall question

    Mr. Arnold wrote:
    >
    > "Chuck" wrote in message
    > news:_Voni.12961$LH5.10424@trnddc02...
    >> I just switched antivirus programs a few weeks ago from NAV to Bit
    >> Defender and in doing so lost the Norton Internet Worm Protection (i.e
    >> the builtin firewall). So I decided to enable the windows firewall and
    >> also turned on logging. I also have a FW built in to my netgear wgr614
    >> router which is supposed to be blocking everything except for 3 or 4 ports
    >> that I have forwarded. When I check the Windows FW log however I see
    >> thousands of entries where the action column is set to "DROP" for ports
    >> that shouldn't even be getting through the hardware firewall. For
    >> example TCP ports 2188 and 2273, and UDP port 8088 none of which are
    >> forwarded. How are they getting as far as the software firewall?
    >>
    >> My IP has not changed for several months and none of the IP's below are
    >> my WAN IP.
    >>
    >> Here's a couple of examples.
    >>
    >> #Fields: date time action protocol src-ip dst-ip src-port dst-port size
    >> tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    >>
    >> 2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - -
    >> - - - - - RECEIVE
    >>
    >> 2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A
    >> 4075071033 456793686 27466 - - - RECEIVE
    >>
    >> 2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP
    >> 2133527059 111240437 18356 - - - RECEIVE
    >>
    >> TIA

    >
    > Close all the ports on the router, don't forward them. And if you don't
    > have the same thing happening, then that should tell that you have ports
    > open, and anything can come down the forwarded open port with
    > unsolicited inbound traffic, that are looking for openings and something
    > listening on the port.


    Could these inbound requests be passed through due to SPI? A lot of them
    have a source port on the remote machine of 80 or 443. Not all, but
    most. I'm thinking they may be something someone launched from a web
    browser on my home PC. Like audio streaming for example.

  5. Re: Firewall question


    "Chuck" wrote in message
    news:LGpni.12967$LH5.4187@trnddc02...
    > Mr. Arnold wrote:
    >>
    >> "Chuck" wrote in message
    >> news:_Voni.12961$LH5.10424@trnddc02...
    >>> I just switched antivirus programs a few weeks ago from NAV to Bit
    >>> Defender and in doing so lost the Norton Internet Worm Protection (i.e
    >>> the builtin firewall). So I decided to enable the windows firewall and
    >>> also turned on logging. I also have a FW built in to my netgear wgr614
    >>> router which is supposed to be blocking everything except for 3 or 4 ports
    >>> that I have forwarded. When I check the Windows FW log however I see
    >>> thousands of entries where the action column is set to "DROP" for ports
    >>> that shouldn't even be getting through the hardware firewall. For
    >>> example TCP ports 2188 and 2273, and UDP port 8088 none of which are
    >>> forwarded. How are they getting as far as the software firewall?
    >>>
    >>> My IP has not changed for several months and none of the IP's below are
    >>> my WAN IP.
    >>>
    >>> Here's a couple of examples.
    >>>
    >>> #Fields: date time action protocol src-ip dst-ip src-port dst-port size
    >>> tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    >>>
    >>> 2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - -
    >>> - - - - - RECEIVE
    >>>
    >>> 2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A
    >>> 4075071033 456793686 27466 - - - RECEIVE
    >>>
    >>> 2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP
    >>> 2133527059 111240437 18356 - - - RECEIVE
    >>>
    >>> TIA

    >>
    >> Close all the ports on the router, don't forward them. And if you don't
    >> have the same thing happening, then that should tell that you have ports
    >> open, and anything can come down the forwarded open port with unsolicited
    >> inbound traffic, that are looking for openings and something listening on
    >> the port.

    >
    > I can't do that. I am not at home and that will cut off my remote access
    > to the network. I just double checked the router and the only forwarded
    > port is for ssh. And even that's secured as much as possible. It's running
    > on a non-standard port, only allows pubkey authentication, and has a 5
    > second login grace time.


    SSH is only an encryption protocol, and I think it means in no way that the
    port is not attackable, if open.


  6. Re: Firewall question


    >> Close all the ports on the router, don't forward them. And if you don't
    >> have the same thing happening, then that should tell that you have ports
    >> open, and anything can come down the forwarded open port with unsolicited
    >> inbound traffic, that are looking for openings and something listening on
    >> the port.

    >
    > Could these inbound requests be passed through due to SPI? A lot of them
    > have a source port on the remote machine of 80 or 443. Not all, but most.
    > I'm thinking they may be something someone launched from a web browser on
    > my home PC. Like audio streaming for example.


    SPI blocks unsolicited traffic based on a stateful connection being made by
    a program on a port running on a machine behind the router, in this case
    using SPI.

    If XP's FW is blocking packets, then I think unsolicited inbound packets are
    being blocked, for whatever reason that may be.


  7. Re: Firewall question


    Chuck wrote:

    > It's running on a non-standard port, only allows pubkey authentication, and
    > has a 5 second login grace time.


    qwerty ?


  8. Re: Firewall question

    cattanack@yahoo.com wrote:
    > Chuck wrote:
    >
    >> It's running on a non-standard port, only allows pubkey authentication, and
    >> has a 5 second login grace time.

    >
    > qwerty ?
    >


    Are you asking if that's the password? If so, no. Pubkey authentication
    is like using an SSL certificate in that it uses a public and private
    key pair. Only the holder of the private key (me) can log on.
