Firewall question

Posted by Chuck on July 18, 2007, 9:51 am
I just switched antivirus programs a few weeks ago from NAV to Bit
Defender and in doing so lost the Norton Internet Worm Protection (i.e.
the built-in firewall). So I decided to enable the Windows Firewall and
also turned on logging. I also have a FW built in to my Netgear WGR614
router which is supposed to be blocking everything except for 3 or 4 ports
that I have forwarded. When I check the Windows FW log however I see
thousands of entries where the action column is set to "DROP" for ports
that shouldn't even be getting through the hardware firewall. For
example TCP ports 2188 and 2273, and UDP port 8088, none of which are
forwarded. How are they getting as far as the software firewall?

My IP has not changed for several months and none of the IP's below are
my WAN IP.

Here's a couple of examples.

#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - - - - - - - RECEIVE

2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A 4075071033 456793686 27466 - - - RECEIVE

2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP 2133527059 111240437 18356 - - - RECEIVE

TIA
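
A way to triage a log like the one in the post above, as an added example that is not part of the original thread: it reads the #Fields: header and separates bare-SYN drops (new connection attempts) from ACK-flagged segments sent from a service port to a high port, which is the shape of the two TCP entries quoted above. The fourth log line, the label names and the 1024 port cut-off are assumptions made for this example.

```python
from collections import Counter

# First three entries are quoted from the post; the last is constructed here
# (documentation IP, hypothetical port) to show a bare-SYN connection attempt.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - - - - - - - RECEIVE
2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A 4075071033 456793686 27466 - - - RECEIVE
2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP 2133527059 111240437 18356 - - - RECEIVE
2007-07-01 23:00:00 DROP TCP 203.0.113.7 192.168.1.2 40000 50022 48 S 123456 0 65535 - - - RECEIVE
"""

def parse_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated or wrapped lines
                yield dict(zip(fields, values))

def classify(entry):
    """Label a dropped packet by what its header fields say about it."""
    if entry["action"] != "DROP":
        return "not-dropped"
    if entry["protocol"] != "TCP":
        return "non-tcp"                        # no TCP flags to reason about
    flags = entry["tcpflags"]
    if "S" in flags and "A" not in flags:
        return "tcp-syn"                        # bare SYN: a connection attempt
    if "A" in flags and int(entry["src-port"]) < 1024 <= int(entry["dst-port"]):
        return "tcp-ack-from-service-port"      # ACK segment sent from a server port
    return "tcp-other"

def summarize(text):
    """Count entries per label and list the dst-ports that received bare SYNs."""
    entries = list(parse_log(text))
    counts = Counter(classify(e) for e in entries)
    syn_ports = sorted({int(e["dst-port"]) for e in entries if classify(e) == "tcp-syn"})
    return counts, syn_ports

if __name__ == "__main__":
    counts, syn_ports = summarize(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{n:4d}  {label}")
    print("dst-ports receiving bare SYNs:", syn_ports)
```
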

Posted by Mr. Arnold on July 18, 2007, 10:19 am

>I just switched antivirus programs a few weeks ago from NAV to Bit
> Defender and in doing so lost the Norton Internet Worm Protection (i.e
> the builtin firewall). So I decided to enable the windows firewall and
> also turned on logging. I also have a FW built in to my netgear wgr614
> router which is supposed to be blocking everything except for 3 or 4 ports
> that I have forwarded. When I check the Windows FW log however I see
> thousands of entries where the action column is set to "DROP" for ports
> that shouldn't even be getting through the hardware firewall. For
> example TCP ports 2188 and 2273, and UDP port 8088 none of which are
> forwarded. How are they getting as far as the software firewall?
>
> My IP has not changed for several months and none of the IP's below are
> my WAN IP.
>
> Here's a couple of examples.
>
> #Fields: date time action protocol src-ip dst-ip src-port dst-port size
> tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
>
> 2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - -
> - - - - - RECEIVE
>
> 2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A
> 4075071033 456793686 27466 - - - RECEIVE
>
> 2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP
> 2133527059 111240437 18356 - - - RECEIVE
>
> TIA

Close all the ports on the router; don't forward them. And if you don't have
the same thing happening, then that should tell you that you have ports open,
and anything can come down the forwarded open port with unsolicited inbound
traffic that is looking for openings and something listening on the port.


Posted by Chuck on July 18, 2007, 10:43 am
Mr. Arnold wrote:
>
>> I just switched antivirus programs a few weeks ago from NAV to Bit
>> Defender and in doing so lost the Norton Internet Worm Protection (i.e
>> the builtin firewall). So I decided to enable the windows firewall and
>> also turned on logging. I also have a FW built in to my netgear wgr614
>> router which is supposed to be blocking everything except for 3 or 4 ports
>> that I have forwarded. When I check the Windows FW log however I see
>> thousands of entries where the action column is set to "DROP" for ports
>> that shouldn't even be getting through the hardware firewall. For
>> example TCP ports 2188 and 2273, and UDP port 8088 none of which are
>> forwarded. How are they getting as far as the software firewall?
>>
>> My IP has not changed for several months and none of the IP's below are
>> my WAN IP.
>>
>> Here's a couple of examples.
>>
>> #Fields: date time action protocol src-ip dst-ip src-port dst-port size
>> tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
>>
>> 2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - -
>> - - - - - RECEIVE
>>
>> 2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A
>> 4075071033 456793686 27466 - - - RECEIVE
>>
>> 2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP
>> 2133527059 111240437 18356 - - - RECEIVE
>>
>> TIA
>
> Close all the ports on the router, don't forward them. And if you don't
> have the same thing happening, then that should tell that you have ports
> open, and anything can come down the forwarded open port with
> unsolicited inbound traffic, that are looking for openings and something
> listening on the port.

I can't do that. I am not at home and that will cut off my remote access
to the network. I just double checked the router and the only forwarded
port is for ssh. And even that's secured as much as possible. It's
running on a non-standard port, only allows pubkey authentication, and
has a 5 second login grace time.

Posted by Mr. Arnold on July 18, 2007, 11:21 am

> Mr. Arnold wrote:
>>
>>> I just switched antivirus programs a few weeks ago from NAV to Bit
>>> Defender and in doing so lost the Norton Internet Worm Protection (i.e
>>> the builtin firewall). So I decided to enable the windows firewall and
>>> also turned on logging. I also have a FW built in to my netgear wgr614
>>> router which is supposed to be blocking everything except for 3 or 4 ports
>>> that I have forwarded. When I check the Windows FW log however I see
>>> thousands of entries where the action column is set to "DROP" for ports
>>> that shouldn't even be getting through the hardware firewall. For
>>> example TCP ports 2188 and 2273, and UDP port 8088 none of which are
>>> forwarded. How are they getting as far as the software firewall?
>>>
>>> My IP has not changed for several months and none of the IP's below are
>>> my WAN IP.
>>>
>>> Here's a couple of examples.
>>>
>>> #Fields: date time action protocol src-ip dst-ip src-port dst-port size
>>> tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
>>>
>>> 2007-07-01 22:32:05 DROP UDP 74.100.189.35 192.168.1.2 45685 8088 42 - -
>>> - - - - - RECEIVE
>>>
>>> 2007-07-01 20:30:38 DROP TCP 204.2.179.48 192.168.1.2 80 2188 1452 A
>>> 4075071033 456793686 27466 - - - RECEIVE
>>>
>>> 2007-07-01 21:01:54 DROP TCP 69.2.120.39 192.168.1.2 443 2273 1169 AP
>>> 2133527059 111240437 18356 - - - RECEIVE
>>>
>>> TIA
>>
>> Close all the ports on the router, don't forward them. And if you don't
>> have the same thing happening, then that should tell that you have ports
>> open, and anything can come down the forwarded open port with unsolicited
>> inbound traffic, that are looking for openings and something listening on
>> the port.
>
> I can't do that. I am not at home and that will cut off my remote access
> to the network. I just double checked the router and the only forwarded
> port is for ssh. And even that's secured as much as possible. It's running
> on a non-standard port, only allows pubkey authentication, and has a 5
> second login grace time.

SSH is only an encryption protocol, and I think it means in no way that the
port is not attackable, if open.


Posted by on July 20, 2007, 1:26 am

Chuck wrote:

> It's running on a non-standard port, only allows pubkey authentication, and
> has a 5 second login grace time.

qwerty ?

