new to firewalls

I just installed comodo pro firewall. I have never really used a firewall before and I have a question. I keep getting inbound policy violation entries in the log every few minutes all from the same ip address. Can someone explain this?

Date/Time :2007-10-16 20:47:23
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.65:nbname(137)
Destination: 192.168.1.255:nbname(137)
Reason: Network Control Rule ID = 5

Date/Time :2007-10-16 20:47:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.65:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

thanks

tom

Reply to
Tom W.

Something like Comodo is not FW technology. Comodo is a personal packet filter or machine level packet filter, and it's not FW technology.

You can start with the links.


It was denied; the personal packet filter is doing its job of stopping unsolicited inbound traffic. What you need to worry about is the inbound traffic that is coming through the packet filter and is not being denied. A connection is made due to some program running on the computer behind the FW or packet filter that has made a solicitation for traffic to a remote/Internet IP, because the program sent outbound traffic to the site, and inbound traffic is coming back -- the solicitation.

There are two types of traffic a FW or a packet filter is going to deal with, and it is kind of a default. 1) Solicited inbound traffic. Traffic is coming inbound because a program running behind the FW or packet filter has sent outbound traffic, or the contact was initiated by the program behind the FW or packet filter. The FW or packet filter is going to let that type of inbound traffic pass. The traffic may or may not be legit. It could be a legit program or a malware program that is doing the solicitation.

2) Unsolicited inbound traffic is just the opposite. No program running behind the FW or packet filter has made a solicitation for inbound traffic. That type of inbound traffic is blocked or denied.
Reply to
Mr. Arnold
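The solicited/unsolicited distinction Mr. Arnold describes is what a stateful packet filter implements: it remembers each outbound flow and admits inbound packets only when they match a remembered flow in reverse. The toy filter below is an added example, not Comodo's code or anything from this thread; the packets and timestamps are constructed, the LAN addresses mirror the ones in the log, and 203.0.113.5 (a documentation-range address) stands in for a remote DNS server. It also shows the two caveats from the post: a reply that arrives after the flow has aged out is treated as unsolicited, and the filter has no way to tell whether the program that sent the outbound packet was legitimate or malware.

```python
"""Toy stateful packet filter (added example): inbound traffic is allowed only
when an earlier outbound packet from the protected host solicited it.
All packets here are constructed; 203.0.113.5 is a stand-in remote server."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "UDP" or "TCP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "out" = leaving the protected host, "in" = arriving at it
    ts: float        # seconds since the filter started


# Flow key as seen from the protected host: proto, local ip/port, remote ip/port
FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    def __init__(self, idle_timeout: float = 60.0) -> None:
        self.idle_timeout = idle_timeout
        self.flows: Dict[FlowKey, float] = {}   # flow -> timestamp last seen

    def _expire(self, now: float) -> None:
        # Forget flows that have been idle longer than the timeout.
        stale = [k for k, seen in self.flows.items() if now - seen > self.idle_timeout]
        for key in stale:
            del self.flows[key]

    def process(self, pkt: Packet) -> str:
        self._expire(pkt.ts)
        if pkt.direction == "out":
            # Whatever program sent this (legitimate or malware) has just
            # solicited replies; the filter cannot tell the two apart.
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.flows[key] = pkt.ts
            return "ALLOW outbound (solicitation recorded)"
        # Inbound: admit only if it is the reverse of a remembered outbound flow.
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            self.flows[reverse] = pkt.ts
            return "ALLOW inbound (solicited)"
        return "DENY inbound (unsolicited)"


def run_demo() -> List[str]:
    """Run a constructed timeline through the filter and return the verdicts."""
    fw = StatefulFilter(idle_timeout=60.0)
    timeline = [
        Packet("UDP", "192.168.1.64", 51000, "203.0.113.5", 53, "out", 0.0),    # DNS query leaves
        Packet("UDP", "203.0.113.5", 53, "192.168.1.64", 51000, "in", 0.2),     # its reply comes back
        Packet("UDP", "192.168.1.65", 137, "192.168.1.255", 137, "in", 5.0),    # neighbour's NetBIOS broadcast
        Packet("UDP", "203.0.113.5", 53, "192.168.1.64", 51000, "in", 120.0),   # late reply, flow aged out
    ]
    return [fw.process(p) for p in timeline]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The third packet is exactly the kind of entry in Tom's log: a neighbour's NetBIOS broadcast that nothing on the protected host asked for, so it is denied and logged. The fourth shows why idle timeouts matter: once the flow table forgets the outbound query, a late reply looks unsolicited too.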

Rebooting the computer seems to have cleared it up. Thanks for the response.

Tom

Reply to
Tom W.

I suspect that's not the case. Unsolicited inbound traffic, which was what the packet filter was blocking, is just everyday noise or traffic on the Internet. The booting of the computer is not going to clear it up, unless Comodo was doing false reporting, which can happen with any PFW/personal packet filter. But most likely, the unsolicited traffic was stopped from whatever was on the other end, because it couldn't get through, and it moved on.

Reply to
Mr. Arnold

I just turned on the computer this morning and got this:

Date/Time :2007-10-17 09:39:48
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol: IGMP Outgoing
Source: 192.168.1.64
Destination: 224.0.0.22
Reason: Network Control Rule ID = 5

windows media player goes out on 192.168.1.64. I don't know what it is.

tom

Reply to
Tom W.

If you don't have sufficient knowledge about networks and protocols, why do you even run a host-based packet filter and even further believe that you could actually achieve any level of security through it?

The above is a simple multicast subscription initiated upon your very own request.

Reply to
Sebastian G.

I had picked up a few trojans and decided to install a firewall. Comodo was supposed to be good so I installed it. It was blocking repeated connections from somewhere and I wondered why. It was recommended so I installed it.

Tom

Reply to
Tom W.

iirc 224.x.x.x is a multicast address. It seems to me WMP is trying to become part of the multicast group, which could be normal behaviour; iirc WMP could try this to accept multicast packets for information like MSN Today. WMP loads things from the internet like advertisements, new BBC clips, ...

I myself wouldn't allow this, but I myself will never use WMP.

Reply to
goarilla

Ok... Thanks. I didn't have problems until I let ActiveX and scripting through on Internet Explorer. Almost every page wants to use ActiveX and I gave in and let the browser use it. When I did I started to get loaded with adware and viruses.

Tom

Reply to
Tom W.

Firewalls can't protect against trojan horses, and in fact nothing but education can. Even further, if you picked up some trojan horses, then you installed them intentionally and it's solely your very own fault - how should dumb software prevent you from doing what you want, and why would you not enforce your own stupid ideas against such software?

If you had informed yourself properly, then you'd understand that Comodo is anything but good. It hooks into various kernel functions for no good, or better said: no serious reason, and thus adds a huge amount of complexity - and complexity is exactly the contrary of security.

Don't worry, we also wonder why it does what it does. Since it has no actual goal, it seems like it acts particularly random / non-deterministic.

Reply to
Sebastian G.

You don't need ActiveX or even the scripting stuff to get malware when visiting websites with MSIE.

Now the real question is: Why are you abusing MSIE as a webbrowser and why do you even wonder that this would lead to security problems?

And, as I see it now: As you're most likely not Michael Grossman, why are you abusing his domain here.com for your mail address?

Reply to
Sebastian G.

Trojans and other malware are a result of downloading some file that installs the malware.

With HTTP, SMTP and FTP proxy services in firewalls, you can block attachments of types that commonly infect systems.

As an example, we don't allow non-admin users to download any file that could be "Run" or Zip files, as well as about 30 other types....

So, a firewall can protect against them, but it does it by keeping you from getting at them.

Reply to
Leythos

Normal Micro$oft NetBIOS over TCP/IP traffic from a private network. If you connect to a network with other computers (like a private wireless network) you will normally see this traffic because M$ turns on NetBIOS over TCP/IP by default on all network interfaces. I recommend that people turn off this setting unless they have a need to reference computers on their network by NetBIOS name.

Reply to
Sharky
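Sharky's point (NetBIOS name and datagram service chatter on UDP 137/138 to the LAN broadcast address is normal when other Windows machines share the network) and the earlier IGMP entry (a multicast membership report to a 224.0.0.0/4 address) are the two patterns a reader would want a log review to recognise automatically. The triage helper below is an added example, not part of this thread or of Comodo: it parses entries in the "Network Monitor" format quoted above, classifies each one, and leaves everything else marked for review. The sample log is constructed in that format; the first three entries mirror the ones in the thread and the fourth (inbound TCP from 203.0.113.9, a documentation-range address) is invented to show the review path. It assumes the host sits on a /24 LAN when deciding what counts as a directed broadcast.

```python
"""Triage helper for Comodo 'Network Monitor' log entries (added example).

Separates LAN background noise (NetBIOS broadcasts, IGMP membership reports)
from entries that deserve a human look.  Assumption: the protected host is on a
/24 LAN, so x.y.z.255 is treated as its directed broadcast address.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same format as the entries quoted in this thread;
# the fourth entry is invented to exercise the "review" path.
LOG = """\
Date/Time :2007-10-16 20:47:23
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.65:nbname(137)
Destination: 192.168.1.255:nbname(137)
Reason: Network Control Rule ID = 5
Date/Time :2007-10-16 20:47:18
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.65, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.65:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5
Date/Time :2007-10-17 09:39:48
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol: IGMP Outgoing
Source: 192.168.1.64
Destination: 224.0.0.22
Reason: Network Control Rule ID = 5
Date/Time :2007-10-17 09:41:02
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 203.0.113.9, Port = microsoft-ds(445))
Protocol: TCP Incoming
Source: 203.0.113.9:51234
Destination: 192.168.1.64:microsoft-ds(445)
Reason: Network Control Rule ID = 5
"""

# Field labels as they appear in the log; the colon may be preceded by a space.
FIELD_RE = re.compile(
    r"(Date/Time|Severity|Reporter|Description|Protocol|Source|Destination|Reason)\s*:\s*")
# "ip", "ip:port" or "ip:service(port)"
ENDPOINT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?::(?:[\w-]+\((\d+)\)|(\d+)))?$")


def split_entries(text: str) -> List[str]:
    """Each entry starts with 'Date/Time'; split the log there."""
    return [e for e in re.split(r"(?=Date/Time)", text) if e.strip()]


def parse_entry(text: str) -> Dict[str, str]:
    """Turn one entry into a label -> value dict, tolerating run-together fields."""
    parts = FIELD_RE.split(text.strip())
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def split_endpoint(value: str) -> Tuple[str, Optional[int]]:
    m = ENDPOINT_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised endpoint: {value!r}")
    port = m.group(2) or m.group(3)
    return m.group(1), (int(port) if port else None)


def is_lan_broadcast(ip: ipaddress.IPv4Address) -> bool:
    # Limited broadcast, or the directed broadcast of the (assumed) /24 LAN.
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return ip == ipaddress.ip_address("255.255.255.255") or ip == net.broadcast_address


def classify(entry: Dict[str, str]) -> str:
    proto = entry["Protocol"].split()[0].upper()
    dst_ip, dst_port = split_endpoint(entry["Destination"])
    dst = ipaddress.ip_address(dst_ip)
    if proto == "UDP" and dst_port in (137, 138) and is_lan_broadcast(dst):
        return "lan-netbios-broadcast"   # NBT name/datagram chatter from a LAN neighbour
    if proto == "IGMP" and dst.is_multicast:
        return "igmp-membership"         # host joining/leaving a multicast group
    return "review"                      # anything else gets a human look


def triage(text: str) -> List[Dict[str, str]]:
    rows = []
    for raw in split_entries(text):
        e = parse_entry(raw)
        rule = re.search(r"Rule ID = (\d+)", e.get("Reason", ""))
        rows.append({
            "time": e["Date/Time"],
            "direction": e["Description"].split()[0],   # Inbound / Outbound
            "proto": e["Protocol"].split()[0],
            "src": e["Source"],
            "dst": e["Destination"],
            "rule": rule.group(1) if rule else "?",
            "verdict": classify(e),
        })
    return rows


def summarize(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in triage(text):
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in triage(LOG):
        print(f'{r["time"]} {r["direction"]:8} {r["proto"]:4} {r["src"]} -> {r["dst"]} [{r["verdict"]}]')
    print(summarize(LOG))
```

Run against the thread's entries this reports two NetBIOS broadcasts and one IGMP membership report, which is the "everyday noise" Mr. Arnold describes; only the invented fourth entry lands in the review bucket. The parser keys on field labels rather than line breaks, so it also copes with log exports where the fields have been run together onto one line, as they were in the original post.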

I read your other post about picking up some Trojans. The machine has been compromised. You should consider what is in the link.

It's up to you to practice safe hex, like not using IE, if it's a problem for you. Only use IE when a site calls for the use of IE, and not using OE or Outlook, find alternatives to these solutions that are less susceptible to attack, in your case.

FireFox for the browser and Thunderbird for the email client are free. FF has the touch and feel of IE but doesn't use ActiveX controls and is a little tighter in its vulnerabilities.

But you should know this. None of this stuff, and I mean *NONE* of this stuff, is bullet proof. I don't care what O/S, like MS, Linux, Apple, whatever, or what applications are running on the platforms, as all of it is vulnerable to attack.

On the MS platform such as XP or other NT classed MS O/S(s), you have to go look from time to time for yourself with other tools. You cannot think that any one solution is providing stop all protection and notification. They cannot do it.


You should harden or tighten the O/S to attack as much as possible, like if Client for MS Networks and MS File & Print Sharing are enabled on the Network Interface Card or dial-up connection and it's a computer that is connected to the modem, which is a direct connection to the Internet, then those services or features should be removed. The computer has no business or should have no possibility of being in any networking situation while connected to the Internet in this manner - none.

The buck starts with you, the buck stops with you, and what you are or are not doing to protect your situation, with the knowledge you have to do it.

I say it's based upon who is sitting behind the wheel and is doing the driving.

Reply to
Mr. Arnold
