I am sick of Windows Firewall

Might be a good idea to open a command window first? Start, Programs, Accessories, Command Prompt. How did you ever get along without the shell?

Might be a good idea to read the fine manual and run the install program (install.cmd) instead of the userland configuration tool with no parameters whatsoever?

Sure, you'd need head.exe and tail.exe from GnuWin32, Win32-Bintools or WSFU, as they're bintools and no ZShell commands.

Reply to
Sebastian Gottschalk

Why? A NAT Router is no firewall.

Nonsense. A NAT Router won't be able to stop it either. And when a simple program can kill a system service, you're running with Admin rights, and that's a much bigger problem. Anyway, ZA is easily bypassed.

Better take a look at [link]

Besides one little, hard-to-exploit vulnerability in the TCP/IP stack, you can simply shut down any unneeded vulnerable service. And guess what? It works!

Reply to
Sebastian Gottschalk

Sebastian wrote on Wed, 22 Mar 2006 11:23:24 +0100:

But it's better than nothing whatsoever to prevent incoming connections, or a software firewall panacea.

The router will stop inbound connections. Preventing outbound connections is the wrong way to look at things - if you need to do that, it's already too late.

And how many people who "count our breaths" while installing XP would even think to do that? You need to remember that in this case, and in pretty much any case involving people who rely on software firewalls, they are not technical users.

Dan

Reply to
Spack

A so-called TCP/IP stack prevents incoming connections very well and even in a RFC-conformant manner.

Some, and only as a side effect.

About the same mass that has been convinced to use Personal Network Discos?

That's why they cannot rely on software firewalls, because that requires technical understanding. Shutting down unneeded services once and forever is a one-time action, reliable and, with good documentation, a pretty easy thing.

Reply to
Sebastian Gottschalk

Sebastian wrote on Wed, 22 Mar 2006 11:29:41 +0100:

It also allows incoming connections to any listening ports - after all, that's what it's for. Until MS and OEM suppliers lock down the OS so that out of the box nothing is listening, there will be some configuration required. It's a shame that you seem unable to grasp that this is the case, as some of your advice is actually worth reading.

99% of NAT routers will stop all inbound connections. Some stupidly allow connections to admin ports on the WAN interface. Most NAT routers on the market also have enough SPI capability to keep track of outbound connections. Allowing packets in response to established outbound connections is not the same as blindly allowing incoming connections - if responses aren't allowed either, you might as well just take a pair of pliers to the internet connection and cut it. Are you now going to claim that my Cisco PIX 515-UR isn't a firewall (and I know it's more than just a NAT router - but it's an example of taking your response to the extreme) simply because out of the box it denies all inbound connections and allows all packets responding to established outgoing connections? Strange how it can be certified as a firewall if that's the case.

And how do you suppose they get documentation? MS and OEM suppliers certainly don't supply it - so they get it from the web. And how do you think they connect to the web? They hook up their shiny new PC and ... oh, too late, they're hooked up to the internet and open to abuse. Do you ever stop to think about how to apply your suggestions in the real world?

Dan

Reply to
Spack

Yes, this is why [link] and Torsten's great site at [link] exist.

Unfortunately, I fear that you're wrong here. Just test what your router does if a packet seems to come from a (spoofed) internal address on the Internet.

Yours, VB.

Reply to
Volker Birk

You're a *clown* to no end -- begging all the way for help you can't understand. You should get on your big-wheel and go make some noise in street traffic, maybe the freeway. Maybe, you can control that traffic with ZA so that you won't get hit. Do make sure you boot the computer on the big-wheel first before you hit the road.

Duane :)

Reply to
Duane Arnold

Volker wrote on 22 Mar 2006 12:52:46 +0100:

And as I said to Sebastian, for consumers to get to that info they already have to be on the net - and by then it's too late in many cases. Do you really think those 2 sites have any influence over what MS or large OEMs like Dell do?

My Netgear DG834 at home ignores it. This is considered a simple NAT router by many. Its SPI is only basic. Yet out of the box with no configuration it ignores those packets.

Dan

Reply to
Spack
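Dan's point about SPI routers admitting only replies to established outbound connections, and Volker's suggested test of what a router does with an Internet packet that carries a spoofed internal source address, as an added example that is not code from anyone in this thread: a minimal stateful filter in Python. The addresses are constructed (192.168.1.0/24 as the LAN, 198.51.100.7 as a remote host) and NAT translation itself is left out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed internal range; addresses are shown post-NAT, so the LAN host
# address appears on both sides of the router (a simplification).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

@dataclass(frozen=True)
class Packet:
    iface: str          # "lan" or "wan": interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a connection-opening TCP SYN

class StatefulFilter:
    """Minimal SPI model: track LAN-initiated flows, admit only their replies."""
    def __init__(self, lan_net=LAN_NET):
        self.lan_net = lan_net
        self.flows = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def decide(self, pkt):
        if pkt.iface == "wan":
            # Anti-spoofing: an Internet packet cannot legitimately carry an
            # internal source address, so it is dropped before flow lookup.
            if ipaddress.ip_address(pkt.src) in self.lan_net:
                return "drop-spoofed"
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.flows and not pkt.syn:
                return "accept-reply"       # response to an outbound flow
            return "drop-unsolicited"       # nobody inside asked for this
        # LAN -> WAN: remember the flow so its replies are let back in.
        if pkt.syn:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "accept-outbound"

def run_demo():
    """Replay a constructed packet sequence and return the verdicts."""
    f = StatefulFilter()
    seq = [
        Packet("wan", "198.51.100.7", 4444, "192.168.1.10", 445, syn=True),
        Packet("lan", "192.168.1.10", 51000, "198.51.100.7", 80, syn=True),
        Packet("wan", "198.51.100.7", 80, "192.168.1.10", 51000),
        Packet("wan", "192.168.1.20", 1234, "192.168.1.10", 139),
    ]
    return [f.decide(p) for p in seq]

if __name__ == "__main__":
    print(run_demo())
```

The fourth verdict is the check Volker describes: a router that forwards that packet instead of dropping it is trusting the source address alone.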

I suppose you actually mean "Port Reporter" [1] here. Portqry is a (simple) port scanner.

[1] [link]
cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Same goes for any personal firewall that isn't the Windows Firewall.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Spack wrote: [Script & stuff]

No, I don't. Nearly 200,000 people are using [link] now, and I estimate that Torsten has about the same number of users. But this is far away from Dell ;-)

This is why I'm calling on Microsoft to implement it this way.

Yours, VB.

Reply to
Volker Birk

Volker wrote on 22 Mar 2006 16:17:30 +0100:

Which is my point exactly. The people who build their own PC and install the OS can use this info. The people who are the ones who really need it are the non-techies who buy a PC without SP2 on it in a clearance sale, or get an older PC off a friend. Those are the ones who end up getting infected and cause trouble for the rest of us.

Good luck to you. I work for an MS partner - and we have trouble getting anything done just for our small relationship with Microsoft Press!

Dan

Reply to
Spack

As I previously mentioned to V, back in '97 or '98 I wrote an article and placed it on the 'net on how to accomplish the task of 'hardening' Windows NT4 in preparation for installing a firewall product I was responsible for. I was happy to know the article was extremely popular and well received amongst the customer base not only for the implementation of the firewall product, but for general use of their systems.

Several years later I discovered a book entitled 'Securing Windows NT/2000 Servers' published by O'Reilly. Naturally I picked up a copy and read it with interest. I swear the section on building a bastion NT host was lifted from my article. Of course I know it wasn't, but everything it referred to I did as well, but three or four years earlier. One thing the book provided that I never touched upon in my article was hacking up certain registry keys.

In summary it's a great book and well worth the price, assuming you have Windows NT4 and 2000 systems still in use.

Reply to
Don Kelloway

Don wrote on Wed, 22 Mar 2006 16:07:39 GMT:

I'm pretty sure I have that on my shelf, along with a bunch of other O'Reilly security and admin books. I work for, and run the IT systems for, a number of UK online bookstores, so I get access to free copies of any IT book I should happen to want to add to my shelf :)

Dan

Reply to
Spack

Right. And for any listening port, you have a wanted service that has to be permitted by the firewall. Your point being?

Oh, I know exactly what's the case. And that configuration is rather easy and a way better approach than a host-based packet filter.

The same way you're getting all documentation: request it!

As they don't supply extensive firewall and firewall configuration manuals.

Right. Get a friend or pay someone who has a clue before connecting to the web.

Yes. Once done, you can keep the documentation and spread it to anyone else who needs it, including having it for yourself.

Reply to
Sebastian Gottschalk

Strike. :-)

Reply to
Sebastian Gottschalk

Sebastian wrote on Wed, 22 Mar 2006 17:53:01 +0100:

Saying that the TCP/IP stack prevents incoming connections is like saying that a car can be stopped with its brakes - they're not on by default, and you have to know how to use them. The fact is that out of the box pre-SP2 XP and earlier MS OS's have a number of services running by default that can be connected to if nothing is there to prevent it - and the majority of PC owners are clueless people who have no idea that these are running.

I know they don't - I spend many days fielding phone calls for Microsoft Press UK trying to explain to people that MS don't supply *any* manuals. You get some crappy online help, and that's it.

Try telling the PC stores to put a sticker saying that on their boxes - they'll just laugh at you. Not everybody who buys a PC knows someone who can help them out - there's plenty of proof of that already.

So you have the addresses of every PC owner on the planet and you're sending that documentation out? I'll keep my eyes on the post.

Dan

Reply to
Spack

And that's why the Windows Firewall is at least a pretty good idea. Anyway, the real point is that

should be forbidden lawfully.

I wonder why I got some after harshly demanding some.

[link] and [link] are not crappy.

They don't need to. It's the user's responsibility, and they should reasonably assume that such a thing exists.

Then they have to pay someone whose profession is to do so.

I don't keep addresses unnecessarily.

Reply to
Sebastian Gottschalk

Sebastian wrote on Wed, 22 Mar 2006 18:22:45 +0100:

You got original printed manuals? For Windows XP?

Those are not XP online help. Press F1 when everything is minimised to the desktop.

PC stores tout computers as being as simple as a DVD player or Hi-Fi. They are in business to make money, not mollycoddle idiots.

Figures. You go on about how everyone should be informed, and then are unable to follow through.

Dan

Reply to
Spack

Script kiddies.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
